Losing trust relationship with domain
I have about 30 C90LE7's deployed in my environment joined to the domain. Citrix Desktop Lock is installed so when a domain user logs in, they are presented with a Citrix XenApp Desktop, and not the WES7 desktop.
If a thin client is rebooted or off the network for 30 days, the next time a user attempts to log in they are presented with a domain trust relationship error. What is happening is the WES7 thin client is requesting a machine account password change with the domain controller and the thin client does not retain the password after a reboot. From everything I've read in the Wyse Knowledge Base and elsewhere, the RegFilter in WES7 should automatically retain the password. I'm using C90LE7 image BCB0_0827_4096.
Anyone else experience this problem?
This is concerning. I read the same technote and I also did some digging in the registry under the regfilter section. It does have a section for the mac account allowed through the regfilter.
Did you have to modify the reg filter to overcome this?
Originally Posted by mpsliva
I have experienced something similar to this after a power outage. The trust relationship on several Z90 w/ WES7 is broken and I have to rejoin them to the domain. A huge pain. If anyone has any suggestions, I would also like to know.
I’m also seeing the same thing on Z90D7’s after a power outage, glad it's not just me. 2 out of 30 had it happen last time, don’t know what the rhyme or reason for it is. I may open a support case, but I’ve been pretty disappointed in support lately. Anything somewhat complicated seems to become an unsolved mystery that no one ever contacts me back on.
We had a similar issue when first rolling out 60 C90LE7 thin clients. After 30 to 45 days of use in the domain, the trust relationship would break. Found an alternate method of having users login, but still interested in an actual resolution.
Don't suppose anyone has gotten anywhere with this? I still have z90's that randomly lose their trust. Sometimes after a power failure, sometimes not. Very frustrating and tech support so far hasn't been any help.
Here is a Microsoft article on how to disable the automatic machine account password change: http://support.microsoft.com/.../154501
Did anyone ever find out why this was occurring?
bump! any updates?
Originally Posted by DSHUE
Ultimately, I created a GPO that disabled the machine password change. RegFiltering did not work for me. I haven't had to rejoin a C90LE7 to the domain since I created the GPO.
Hi there, did you create a GPO targeting a certain OU of all your thin clients? We applied the password registry setting manually on a few of them but are still seeing the trust relationship error.
Yes, that's correct. I have an OU with only thin clients in it. The GPO assigned to the OU has 1 setting, which is this:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Domain member: Disable machine account password changes - Enabled
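For anyone who wants to apply or verify the same setting on a single thin client without waiting for Group Policy, the following PowerShell script is an added example, not code from any post in this thread. It writes the registry value that the GPO setting above maps to (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange, as documented in Microsoft KB 154501), offers the alternative of lengthening MaximumPasswordAge instead of disabling rotation, and checks the secure channel with Test-ComputerSecureChannel. The function names and the 90-day value are my own choices; the registry path and value names are Microsoft's.

```powershell
# Added example (not from the thread). Run elevated on the WES7 client.
# Registry equivalent of "Domain member: Disable machine account password changes"
# per Microsoft KB 154501; value names below are documented there.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Read the current machine password policy; absent values mean Windows defaults
# (rotation enabled, 30-day maximum age).
function Get-MachinePasswordPolicy {
    $p = Get-ItemProperty -Path $netlogonParams
    $disabled = 0
    if ($null -ne $p.DisablePasswordChange) { $disabled = $p.DisablePasswordChange }
    $ageDays = 30
    if ($null -ne $p.MaximumPasswordAge) { $ageDays = $p.MaximumPasswordAge }
    New-Object PSObject -Property @{
        DisablePasswordChange  = $disabled
        MaximumPasswordAgeDays = $ageDays
    }
}

# Same effect as the GPO setting: the client never asks the DC for a new
# machine password, so there is nothing for an unclean shutdown to lose.
function Disable-MachinePasswordChange {
    Set-ItemProperty -Path $netlogonParams -Name DisablePasswordChange -Type DWord -Value 1
}

# Alternative that keeps rotation but widens the window (90 days is an
# assumption, pick what your environment tolerates). Hypothetical helper name.
function Set-MachinePasswordAge {
    param([int]$Days = 90)
    Set-ItemProperty -Path $netlogonParams -Name MaximumPasswordAge -Type DWord -Value $Days
}

# Check the secure channel. -Repair resets the machine password on the DC
# (needs credentials allowed to reset the computer object) and avoids a full
# rejoin when trust has already been lost.
function Test-ThinClientTrust {
    param([switch]$Repair, [pscredential]$Credential)
    if ($Repair) {
        if ($Credential) { Test-ComputerSecureChannel -Repair -Credential $Credential -Verbose }
        else { Test-ComputerSecureChannel -Repair -Verbose }
    } else {
        Test-ComputerSecureChannel -Verbose
    }
}

'Policy before:'
Get-MachinePasswordPolicy
Disable-MachinePasswordChange
'Policy after:'
Get-MachinePasswordPolicy
'Secure channel healthy:'
Test-ThinClientTrust
```

Two caveats a practitioner should keep in mind. First, if the File Based Write Filter is enabled on the client, this registry change itself lives in the overlay unless the Netlogon key is committed or covered by the registry filter, so verify the value survives a reboot before relying on it. Second, disabling rotation means the machine account password is static for the life of the device; a thin-client image or disk that leaks later still carries a valid domain credential, which is why the later post about keeping the key under registry filter protection (so rotation can stay on) is the more conservative fix where the write filter is in use.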
Is anyone who is having this issue running a mix of 2003 and 2008 DC's? Ran across a few references at MS to potential issues with that, but those were about Win7 in general. None of my Win7 PC's are having this problem, only my WES7 thin clients. So I don't think that's it but I was curious if anyone else has that same environment.
Originally Posted by schrempp
We have 2003, 2008, and 2008 R2 DCs. The problem is only exhibited with the WES7 thin clients. Our XP, Vista, and 7 PCs and laptops do not have this problem.
I want to share my experience with this issue. One of our clients had been experiencing numerous D70s losing trust and it was a requirement due to their 802.1x authentication mechanism:
The registry filter protects registry keys on the computer when the write filter is enabled to ensure that if changes are made to specific registry values they are not lost upon reboot. Even if the File Based Write Filter service is disabled, the registry filter will still write protected registry values to a Regfdata volume when they are changed. When the system is cleanly shut down these changes are committed to disk upon boot. When the machine is not cleanly shut down the data on the Regfdata volume is lost and restored to the last known state. This means any registry changes protected by this mechanism would be lost if the machine lost power or was not cleanly shut down.
The domain machine password is protected by the registry filter. What is happening is if the machine is not cleanly shut down after the machine password is updated, which happens every 30 days by default in Win7, the old value on the Regfdata volume will overwrite the recently changed machine password registry key when the machine is powered back on and therefore will use an old machine password to authenticate to the domain. This causes the lost trust.
In our particular case the file based write filter was not a requirement and we were able to remove the machine password registry key from the "protection" of the registry filter. But if the write filter is enabled it's important to protect this key in the case of a power failure. The reason the machines were not cleanly shut down was due to overheating...if anybody was interested.
The following links/blog provides insight into the regfdata volume and regfilter monitored keys:
Hi. This is caused by the FBWF not being fully disabled even when turned off. To fix this issue we disabled the two services associated with it, "File Based Write Filter" and "EDM write filter service", and this fixed the issue.