matthewgONCU
Enthusiast

Instant Clones: trust relationship between this workstation and the primary domain failed.

We switched our desktops from linked clones to instant clones once Horizon 8 was released. It was working fine for a while, but we are randomly getting the following error:

The logon request failed because the trust relationship between this workstation and the primary domain failed.

I tried a few things. One was disabling the machine account password change with the registry: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-machine-accoun... but that didn't work. I also set the pool setting to reuse the computer name and that also didn't work.

We opened a ticket with VMware and they said to rejoin the PC to the domain, which I did and that didn't help. We also tried taking a snap with the machine off the domain, and that didn't help either. They are now pointing it back to our domain issue. We never had this issue with linked clones or any of our workstations on the domain.

I understand that this might be a domain issue but I'm not sure how to handle it with cloneprep or what steps I need to do with the base image or AD objects for the clones. And the fact that it's not affecting all machines is odd to me. If it was an issue with the SID or machine password I would think all machines would be impacted. Any help would be appreciated. Thanks.

2 Replies
nburton935
Hot Shot

Are your desktops and Connection Servers in the same AD site? We have a ticket open with VMware for this same issue. We tried Solution #3 in the article below. Trying to determine if it’s helped or not.

https://kb.vmware.com/s/article/2147129

The theory is that the Connection Server puts the desktop in the available state before the desktop's DC has the machine account change replicated. This can occur if the desktops and Connection Servers are in different AD sites. When the user tries to log in, the machine account is still invalid on the DC and they get the error.

-Nick

matthewgONCU
Enthusiast

The desktops' and Connection Servers' subnets were not in AD Sites and Services, so I've added them. I also found that two of our DCs were in the incorrect site, so I've adjusted that. Thanks for posting. I hope this fixes it, and I'm hopeful as this would explain why this only happens sometimes.
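Nick's theory (desktops and Connection Servers landing in different AD sites) and the missing subnet mappings found above can be checked from a domain-joined admin workstation. The PowerShell below is an added example, not code from this thread or from VMware; it assumes the ActiveDirectory and DnsClient modules are installed, and the hostnames in $hosts are placeholders to replace with your own desktops and Connection Servers.

```powershell
# Added example: map each Horizon desktop / Connection Server to the AD site whose
# subnet contains its IPv4 address, and compare with the site the host itself reports.
# A host with no matching subnet is the symptom found in this thread.
Import-Module ActiveDirectory

# Placeholder names; replace with real desktops and Connection Servers.
$hosts = @('VDI-DESKTOP-01', 'VDI-DESKTOP-02', 'HORIZON-CS-01')

# Convert a dotted IPv4 address to a 32-bit integer for prefix comparison.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Test whether $Ip lies inside a CIDR block such as 10.20.0.0/16 (IPv6 subnets are skipped).
function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr.Split('/')
    if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$len)) -band [uint64]0xFFFFFFFF)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Every subnet object defined in AD Sites and Services, with the site DN it belongs to.
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site

foreach ($h in $hosts) {
    $ip = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
    # Longest prefix wins when nested subnets exist, matching how DC locator picks a site.
    $match = $subnets | Where-Object { Test-InSubnet $ip $_.Name } |
             Sort-Object { [int]($_.Name.Split('/')[1]) } -Descending | Select-Object -First 1
    $site = if ($match) { ($match.Site -split ',')[0] -replace '^CN=' } else { '<no subnet mapped>' }
    # What the host itself resolved at boot (needs the host to be reachable).
    $live = nltest /server:$h /dsgetsite 2>$null | Select-Object -First 1
    [PSCustomObject]@{ Host = $h; IP = $ip; MappedSite = $site; HostReportsSite = $live }
}
```

Any desktop whose MappedSite differs from the Connection Server's, or reads "no subnet mapped", is a candidate for the replication-lag failure described above.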