6 Replies Latest reply on Jun 22, 2016 2:22 AM by phoffmann

    Windows 10 - Domain Trust Fails

    Rick.Smith1 Specialist

      One of the problems I keep running into with Windows 10 provisioning is that after joining the domain, I get domain trust fail issues.

      If I take an identical provisioning template and apply it to Windows 7, I am not seeing this issue.

       

      Anyone else seeing something like this?

       

      Right now I am using an image built from the Nov b1511 release.

        • 1. Re: Windows 10 - Domain Trust Fails
          Tanner Lindsay SupportEmployee

          Domain trust failures can often happen when the computer account password (one that you never really deal with) gets out of date/sync. This can happen when restoring snapshots in a VM, or in imaging, I think it can happen if it wasn't sysprep'ed or something went wrong there, as sysprep should clear the identifiers that the DC/Domain would use.

          • 2. Re: Windows 10 - Domain Trust Fails
            phoffmann SupportEmployee

            It's one of the things that I touch upon during a Momentum Webinar scheduled later today around Provisioning.

             

            Here's 3 different articles with different solutions to the problem.

            - http://implbits.com/active-directory/2012/04/13/dont-rejoin-to-fix.html

            - https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx

            - https://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/

             

            The cause is essentially always "you captured a device while it was part of a domain" ... the upshot being "don't take an image of a device that's in a domain, even though Windows 7/8/10 should be fine" ... it's not always 100% fine.

             

            Hope this helps.

            • 3. Re: Windows 10 - Domain Trust Fails
              Rick.Smith1 Specialist

              Paul,

               

              Thanks for the info. I'll check it out. I thought I was signed up for your webinar, but I don't see it on my calendar, so I'll go track it down.

               

              Oddly I do not have the issue following the same processes with Windows 7. Windows 10 Sysprep seems iffy and there are a lot of complaints online about it.

              Running sysprep (from what I understand) is supposed to remove the device from the domain and clean it up. I never saw any issues with this on 7. Win 10 has constantly given me domain trust issues.

              The only reason I had it join to the domain at all, was to automate the gold image build process. Now I am just mapping drives to server location shares to get past the authentication failures without joining the domain.

               

              So far that seems to be stable. The LDMS Join Domain provisioning step would always flag green, so I also wasn't sure if maybe it was just an issue with the way that action item was calling the join.

               

              I appreciate the help.

               

              Rick

              • 4. Re: Windows 10 - Domain Trust Fails
                phoffmann SupportEmployee

                Hope you were able to attend the Webinar. In case you weren't able to ...

                 

                ... yeah ... SYSPREP / domain trust is still "iffy" (mildly put). It "shouldn't happen" / "shouldn't be a problem" based on what I've read up from Microsoft from Windows 7 onwards ... but it still does.

                 

                So I personally encourage people to create SYSPREP images outside of domains (it's a one-off pain I hope) to reduce that particular pain. The "failing" AD authentication I could usually live with (since my distrust of DNS not working usually suggests using local rather than AD accounts to access shares), but the one chief point to fall flat on your provisioning face as it were, is always the "join domain" action ... if the domain feels ever so slightly grumpy ... it's a lot of clean-up.

                 

                So ... I try to front-load my provisioning with as much distrust of domain & DNS as I can ... it usually works for me.

                 

                YMMV of course ...

                • 5. Re: Windows 10 - Domain Trust Fails
                  Rick.Smith1 Specialist

                  Thanks again Paul. I was only able to jump on the last bit of it.

                   

                  The only other issue I am really seeing now is a bit different. When re-imaging a device that had already joined the domain, I am seeing the 'Join Domain' action item flag successful, but in reality it fails to join the domain. In some cases, using my service account to re-join the domain will also fail and I have to delete the object out of AD using my DA account. This only occurs with Windows 10 images. Windows 7 doesn't seem to cause this issue for me. It seems pretty sporadic, so I have not narrowed it down just yet. Will keep pushing through.

                   

                  Rick

                  • 6. Re: Windows 10 - Domain Trust Fails
                    phoffmann SupportEmployee

                    The Webinar has been recorded & you can view it here (as well as download the presentation & so on):

                    - [Tech Brief On-Demand Webinar 2016] Provisioning with LANDESK Management Suite

                     

                    As for troubleshooting that stuff - well - enable the relevant (Windows) Auditing on the DC that those boxes will talk to & see what Windows has to say for itself. From personal experience, you have to take Microsoft's error messages with a pinch of salt (as usual) as it may be more indicative of what's ACTUALLY wrong rather than being "the whole truth and nothing but the truth".

                     

                    As an aside, I've had a good bunch of success running that PowerShell script 1 liner which resets the machine account, rather than rejoining the domain, a habit I would recommend, as yanking servers out & back into a domain can have very bad effects on the app-stack on them. Less of an issue for workstations (usually) but I prefer to be safe than sorry.

                     

                    Good luck with the Windows 10 stuff ... and hopefully you'll get more useful error messages than I've had to try & make sense of / psycho-analyse in the past.
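
Added example, not part of the thread and not LANDESK's own code: a post-join check a provisioning template could run so that a join step that "flags green" without a working trust fails the template, with a secure-channel repair in place of a rejoin. It assumes Windows PowerShell 5.1 running elevated; the domain name `corp.example.com`, the function name `Test-DomainTrust` and the exit codes are placeholders.

```powershell
# Added example: verify the domain join and the machine secure channel after provisioning.
# Assumptions: Windows PowerShell 5.1, elevated; domain name and exit codes are placeholders.
[CmdletBinding()]
param(
    [string]$ExpectedDomain = 'corp.example.com',   # placeholder, replace with your AD DNS name
    [pscredential]$Credential                        # account allowed to reset the computer account
)

function Test-DomainTrust {
    param([string]$ExpectedDomain, [pscredential]$Credential)

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result = [ordered]@{
        Computer = $env:COMPUTERNAME; Domain = $cs.Domain
        Joined = [bool]$cs.PartOfDomain; ChannelOk = $false; Repaired = $false
    }

    # A join step can report success while the machine is still in a workgroup.
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $ExpectedDomain) {
        return [pscustomobject]$result
    }

    try {
        # True only if the local machine account secret matches what the DC holds.
        $result.ChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    }

    if (-not $result.ChannelOk -and $Credential) {
        try {
            # Resets the machine account password in place; no unjoin/rejoin.
            $result.Repaired = Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction Stop
            $result.ChannelOk = $result.Repaired
        } catch {
            Write-Warning "Repair failed: $($_.Exception.Message)"
        }
    }
    return [pscustomobject]$result
}

$status = Test-DomainTrust -ExpectedDomain $ExpectedDomain -Credential $Credential
$status | Format-List
if (-not $status.Joined)    { exit 2 }   # not joined, or joined to the wrong domain
if (-not $status.ChannelOk) { exit 3 }   # joined, but the trust is broken and was not repaired
exit 0
```

A non-zero exit lets the provisioning action fail visibly; pair it with the DC-side auditing mentioned above to see why the account was rejected.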