+ Reply to Thread
Results 1 to 5 of 5

Thread: The trust relationship between this workstation and the primary domain failed

  1. #1

    The trust relationship between this workstation and the primary domain failed

    first, I am brand new to WSM, but I work with Citrix and WTS so I got some overview of this technology.

    This one has however been puzzling me for a while now. The strange thing is that it only appears on one out of my two test machines, which both are the same make and model. The image I've captured is set to Volatile Cache.

    The error only appears when I try to log in with new users. Users who have been logged on before the image was set to Volatile Cache, are not affected, I believe because their credentials are cached on the image for a period of time.

    I tried to delete the device from WSM and Active Directory, and rejoin it under a different name. But the problem persists. I've checked that the hostname of the steaming client corresponds with the object tied to its mac-address in WSM.

    I logged on to the streamed os as a cached user to check the event log, and I can see W32TIME error 120. going something like this: The time provider NtpClient failed to establish a trust relationship between this computer and the petrilabs.local domain in order to securely synchronize time. NtpClient will try again in 15 minutes. The error was: The trust relationship between this workstation and the primary domain failed. (0x800706FD)

    I check the clock on the computer, and it was incorrect, I fixed it in the BIOS, tried to start up the image again but the same error. Time shows correctly if I log in with a cached user to check.

    I wondering if this could have something to do with capuring an image of a computer that is not in the domain, and if I did that only to join it to the domain before I made it volatile. I am currently making a new image just to check that. But in case that is not the case, have any of you encountered this?

    EDIT: The new image was just caught and published, same problem with this one. Working fine on the client it was working on earlier, not at all on the one that had the same troubles earlier. So basically the same problem with the new image, no change.
    Last edited by kel@nds.no; 09-15-2011 at 09:17 AM.

  2. #2

  3. #3

    Wink thanks

    I looked over the information in the installation guide again, under that subject. I had added an account named WSMSYS to the Domain Admins group on my domain, which I am using in WSM under System - Active Directory Domain details. Since the WSM streaming server is domain joined, that account automatically becomes a local admin on the WSM server, because domain admins is automatically added to the local admin group upon joining the server to the domain.

    However, I had not changed the authentication credentials on the service you speak of, this one was running with local system, and that account does not fit with what the installation guide requires:

    Tip
    If you plan to integrate Active Directory with WSM without SSL, you must ensure that the WSM OS Authentication Service is running with the credentials of an Active Directory user with privileges to create and manage computer accounts (for example, a member of the Account Operator group). For more information about integrating Active Directory with WSM without SSL, refer to the Administrators Guide: Wyse WSMTM.


    So I changed the logon account for this service to my WSMSYS-account, and restarted the auth service. Attempted to boot with the problem image on the problem machine, and many thanks to you my friend, it worked!

  4. #4
    Remember that if you set this account to be member of Account Operators, and not Domain Admins on the Domain Controller, it will not automatically become a member of the local administrators group on the WSM server. Youll have to add it manually or you will get this error.
    Ketil Lidahl
    Systems Consultant
    Norsk Data Senter

  5. #5
    Correct Ketil - this is a common pitfall and hence explained in the Sizing and Planning Guide ;-)
    Thanks for pointing this out here one more time - the documentation indeed does not tell the user must be part of the local admin group as it is not mandatory. The user just needs the rights to "Log on as a service" and I think "Act as part of the OS", and these permissions could be granted via GPOs too. But as it is much easier to make it local admin, majority of people solve it this way.

+ Reply to Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts