TFS Lab Management VMs: “The trust relationship between this workstation and the primary domain failed.”

January 31, 2012

Have you seen this error before on your Team Foundation Server Lab Management virtual machines?  “The trust relationship between this workstation and the primary domain failed.”  You’ll probably see it on VMs that 1) are joined to a domain, 2) you don’t use very often, and 3) use Hyper-V snapshots (aka SCVMM “checkpoints”).

In reality, this error has nothing to do with TFS Lab Management or Hyper-V and everything to do with Active Directory and how computer accounts are managed and updated for domain members.

Huge thanks to Jérôme Laban’s blog post describing the fix. (Jérôme, you rock!)

What’s going wrong?

Here’s my understanding of how to cause the error:

1. You create your VM and join it to the domain. 
2. You work with the VM for a while, shut it down, and then take a snapshot of the machine in Hyper-V.
3. After taking the snapshot, you work with the VM for a while.
4. You don’t start the machine for a while (weeks or months), you revert to the snapshot, start the VM, and then try to log in.

BOOM!  “The trust relationship between this workstation and the primary domain failed.”

Every machine in your Active Directory domain has a computer account that has a password.  This password is changed automatically on a schedule without you having to worry about it: by default the domain member itself initiates a change every 30 days (the Netlogon MaximumPasswordAge setting) and stores the new secret locally while the domain controller stores it on the computer object.  Well, *usually* you don’t have to worry about it, but somewhere during step #3 that password got changed.  Then you go to step 4 and roll back the VM to the snapshot.  At this point the domain controller has the *new* password and the snapshotted VM has the *old* password, so the secure channel between the two can’t be established.  That’s the cause of the “trust relationship between this workstation and the primary domain failed” error message.  (The domain controller also honors the previous password, which is why a revert that spans only one change often still works; span two or more changes and it fails every time.)
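Here is a way to confirm that this is really what happened, as an added example that is not part of the original post. Log on to the reverted VM with a *local* account (domain logon is exactly what’s broken), then ask the domain controller over LDAP when it last saw the computer account’s password change and compare that with when the checkpoint was taken. The server, domain, user name and checkpoint date below are placeholders you’d replace with your own.

```powershell
# Added example (not from the original post): verify the snapshot/password mismatch from the
# reverted VM. Run from a LOCAL administrator session. MYDC, MYDOMAIN, myuser and the
# checkpoint date are assumptions; substitute your own.
param(
    [string]$Server = 'MYDC',
    [string]$Domain = 'MYDOMAIN',
    [datetime]$CheckpointTaken = (Get-Date).AddDays(-60)   # when the SCVMM checkpoint was created
)

$cred = Get-Credential "$Domain\myuser"

# 1. Is the secure channel to the domain healthy? Returns $false in the snapshot-revert case.
$channelOk = Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue
"Secure channel OK: $channelOk"

# 2. Ask the DC directly (with explicit domain credentials, so the broken machine
#    channel doesn't matter) when this computer account's password was last set.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server", $cred.UserName, $cred.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account $env:COMPUTERNAME not found on $Server" }

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
$pwdLastSet = [datetime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0]).ToLocalTime()
"DC says machine password last set: $pwdLastSet"
"Checkpoint was taken:              $CheckpointTaken"

# 3. The VM's local secret is whatever it held at checkpoint time. If the DC recorded a
#    change after that, the two sides disagree and the trust relationship error follows.
if ($pwdLastSet -gt $CheckpointTaken) {
    "Password changed AFTER the checkpoint: the reverted VM holds a stale secret. Reset it."
} else {
    "Password predates the checkpoint: look for a different cause."
}
```

If the channel test is already `True` but you still can’t log on, the problem is something other than the machine password (clock skew is the usual suspect), so don’t reset anything yet.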

The Fix for the “Trust Relationship” Error

You can either remove the computer from the domain and then rejoin the domain (aka “the hard way”) or you can run “netdom resetpwd” (aka “the easy way”).  Either way you need to be logged on to the affected VM with a local administrator account, because netdom resetpwd has to run on the machine whose account password is being reset:

netdom resetpwd /server:MYDC /userd:MYDOMAIN\myuser /passwordD:* /securepasswordprompt

Reboot the server and now everything’s working again.
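The same repair scripted in PowerShell, as an added example rather than anything from the original post: it checks the secure channel first, uses the built-in cmdlet where it’s available, and otherwise falls back to the netdom command above. MYDC and MYDOMAIN\myuser are placeholders. The `-Credential` parameter on `Reset-ComputerMachinePassword` needs PowerShell 3.0 or later; on a PowerShell 2.0 guest the script drops through to netdom.

```powershell
# Added example (not from the original post): repair the broken secure channel from the
# reverted VM without leaving and rejoining the domain. Run from an elevated PowerShell
# session under a LOCAL administrator account. Server and user names are assumptions.
$Server = 'MYDC'
$cred   = Get-Credential 'MYDOMAIN\myuser'   # domain account allowed to reset this computer's password

if (Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue) {
    "Secure channel already healthy; nothing to do."
    return
}

# Preferred route: the built-in cmdlet sets a fresh machine password both in the local
# LSA secret and on the computer object in one step (-Credential requires PowerShell 3.0+).
try {
    Reset-ComputerMachinePassword -Server $Server -Credential $cred -ErrorAction Stop
    "Machine account password reset via Reset-ComputerMachinePassword."
}
catch {
    # Fallback for older guests: the netdom route from the post. The /securepasswordprompt
    # switch asks for the password interactively so it never lands on the command line.
    "Cmdlet unavailable or failed ($($_.Exception.Message)); falling back to netdom."
    & netdom resetpwd /server:$Server /userd:$($cred.UserName) /passwordd:* /securepasswordprompt
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
}

# Verify before rebooting; a reboot makes every service pick up the new secret.
if (-not (Test-ComputerSecureChannel -Server $Server)) { throw 'Secure channel still broken' }
"Secure channel verified; rebooting."
Restart-Computer -Force
```

Remember that this new password is only in the running VM.  If you revert to the same checkpoint again later you’ll be right back where you started, so take a fresh checkpoint after the reset (or apply the permanent fix below).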

The Permanent Fix

If your servers are not considered to be “high risk” and “high security” servers, you probably want to disable the computer account password reset on the lab VMs.  Here’s how you’d do it:  http://technet.microsoft.com/en-us/library/cc962289.aspx and here’s the registry script (*.reg) file that you can run if you don’t feel like using RegEdit.exe.  Two caveats before you do: a machine password that never rotates stays valid for as long as the VM exists, so anyone who lifts it from a VHD or checkpoint file holds a working domain credential indefinitely; and the setting belongs only on throwaway lab guests, never on domain controllers or production members.  The Group Policy equivalent (“Domain member: Disable machine account password changes”) scoped to a lab OU is a safer way to apply it than editing the registry on each VM by hand.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
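The same change applied from PowerShell with a couple of guards, as an added example that isn’t from the original post.  It refuses to run on a domain controller or a non-domain-joined box, shows the current Netlogon values, and offers the milder alternative of keeping rotation but stretching the interval (the MaximumPasswordAge value in the same key, default 30 days) so that rotation still happens, just less often than you revert checkpoints.  The parameter names are mine.

```powershell
# Added example (not from the original post): apply the lab-VM Netlogon setting from the
# .reg file above, or the milder "rotate less often" alternative, with basic guards.
# Run elevated on the lab VM. Parameter names are this example's own.
param(
    [switch]$DisableEntirely,         # DisablePasswordChange = 1 (what the .reg file does)
    [int]$MaximumPasswordAgeDays = 0  # > 0: keep rotation on but stretch the interval (default 30)
)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$cs  = Get-WmiObject Win32_ComputerSystem

# Guard 1: never touch a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
if ($cs.DomainRole -ge 4) { throw 'Refusing to change machine password policy on a domain controller.' }

# Guard 2: only a domain member has a machine account password to manage.
if (-not $cs.PartOfDomain) { throw 'This machine is not domain joined; nothing to do.' }

function Show-Current {
    $p = Get-ItemProperty -Path $key
    "DisablePasswordChange = $($p.DisablePasswordChange)  (missing or 0 = rotation on)"
    "MaximumPasswordAge    = $($p.MaximumPasswordAge)  (missing = 30 days)"
}
'Before:'; Show-Current

if ($DisableEntirely) {
    # Equivalent to the .reg file: the VM stops initiating password changes altogether.
    Set-ItemProperty -Path $key -Name DisablePasswordChange -Type DWord -Value 1
}
elseif ($MaximumPasswordAgeDays -gt 0) {
    # Milder option: rotation stays on, so a leaked machine password eventually expires,
    # but the interval is long enough to outlast your typical gap between reverts.
    Set-ItemProperty -Path $key -Name DisablePasswordChange -Type DWord -Value 0
    Set-ItemProperty -Path $key -Name MaximumPasswordAge   -Type DWord -Value $MaximumPasswordAgeDays
}
else {
    throw 'Specify -DisableEntirely or -MaximumPasswordAgeDays <days>.'
}
'After:'; Show-Current
```

Whichever option you pick, apply it *before* taking the checkpoint you intend to keep reverting to; a setting made after the checkpoint is lost on the next revert.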

Once again, thanks a ton to Jérôme Laban for the information on this!

-Ben

-- Looking for help with Team Foundation Server Lab Management?  Want to talk about incorporating Microsoft Test Manager and Coded UI tests into your software development process?  We can help.  Drop us a line at info@benday.com.