Fix – Trust relationship between workstation and primary domain has failed
Today I thought I would do a quick write up about something that has been annoying me for ages and a few months ago I finally found the fix!
Setting the scene
Imagine you have some virtualised machines that you regularly want to revert back to their original state when you have finished using them, without having to go through the pain of re-imaging the machine, etc.
The solution to this would be to use snapshots or non-persistent disks (in VMware) or similar functionality in Hyper-V or whatever other virtualisation platform you are using.
Can you imagine a use case for this? If not, think about something like a packaging reference machine, or even a test machine to test new packages. When you have finished, you don’t really want to re-image, etc. What a waste of time when you can use the tools built into your virtualisation platform to take care of this in a few minutes.
So what is the problem?
If you haven’t used this kind of set-up before then you may be wondering… what is the problem you can have with this config? It sounds perfect 🙂
Well, the ONLY problem with this configuration is that if you consistently revert back to your snapshot, then after a period of time, the next time you go to use the machine you will not be able to log on with a domain account because "the trust relationship between the workstation and the primary domain has failed".
Why does the trust relationship fail?
The reason this happens is that, believe it or not, machine accounts on a domain have their passwords changed regularly. If you are like me, you would be thinking… I didn’t even know machine accounts had passwords!
Well, they do and they change… every 30 days actually.
So you can start to see the problem now… if your snapshot (or non-persistent disk) was configured more than 30 days ago, then when you revert to it, the next time you use the machine you will get the trust relationship failed error because the password on the domain and the password on the workstation are different.
The simple solution is… disable automatic machine account password changes.
To do this you need to complete the following:
- Navigate to
- Modify the DisablePasswordChange entry in the right hand pane
- Change the value of the entry from
- Click OK to save changes
- Sit back and enjoy your handiwork
If you want more info on this then check out this Microsoft knowledge base article >> How to disable automatic machine account password changes
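A pre-snapshot check for the steps above, as an added example that is not part of the original post: it reads the Netlogon settings on the workstation and tests whether the trust relationship is currently intact. The registry path and the `MaximumPasswordAge` value name are assumptions taken from Microsoft's Netlogon documentation rather than from this page, and `Test-ComputerSecureChannel` requires Windows PowerShell 5.1.

```powershell
# Added example: report the machine-account password settings before snapshotting.
# Assumption: Netlogon parameters key as documented by Microsoft; this page
# does not spell the path out.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonValue {
    param([string]$Name, [int]$Default)
    # A missing value means Windows is using its default, supplied by the caller.
    $item = Get-ItemProperty -Path $netlogonKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

# 0 = the workstation changes its own password (default), 1 = changes disabled.
$disabled = Get-NetlogonValue -Name 'DisablePasswordChange' -Default 0
# Interval in days between automatic changes (the 30 days mentioned above).
$maxAge   = Get-NetlogonValue -Name 'MaximumPasswordAge' -Default 30

# Returns $true when the local machine password still matches the domain's copy.
# Any failure (not domain joined, no DC reachable, cmdlet missing) counts as unhealthy.
try   { $trustOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
catch { $trustOk = $false }

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    DisablePasswordChange  = $disabled
    MaximumPasswordAgeDays = $maxAge
    SecureChannelHealthy   = $trustOk
    # A snapshot only stays usable past the change interval when changes
    # are disabled and the trust is intact at the moment it is taken.
    SafeToSnapshot         = ($disabled -eq 1 -and $trustOk)
}
```

Run it on the reference machine just before taking the snapshot; the same output also works as an inventory of which machines have had automatic password changes turned off.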