Users cannot log on to a VM that's based on a pooled managed VDI collection with rollback enabled in Windows Server

Applies to: Windows Server 2016

Symptoms


This article discusses an issue in which you experience security channel issues on a virtual machines (VM) that is based on a pooled managed VDI collection that has rollback enabled.

In a VM-based desktop deployment, you can use two types of VDI collections:

  • Pooled managed: You have a pool of virtual machines available. When a user connects to the farm, an available virtual machine in the pool is assigned to that user.
  • Personal managed: One specific virtual machine is assigned to each user. Users are assigned the same VM every time that they connect to the farm.

When you use pooled managed VDI collections, you can choose whether to enable the virtual desktop to roll back to its previous state when it's necessary. For example, every time that a user logs off, the following actions occur:

  • A checkpoint (snapshot) is applied.
  • The virtual machine reverts to the state of the checkpoint.
  • All changes that were made after the checkpoint are discarded.

In this situation, the computer account password that's stored locally on the VM is also rolled back. This causes a security channel issue and breaks the virtual machine's connection to the domain.

When this issue occurs, you may experience the following scenario:

  • In the Pooled Managed VDI Collection creation wizard, you enable the Automatically roll back virtual desktop when the user logs off option.
  • VMs are created from the template, and the checkpoint (snapshot) RDV_ROLLBACK is created.

    Note This checkpoint is applied to revert the VM every time that the user logs off.
  • After several days or even months, users receive a "The trust relationship between this workstation and the primary domain failed" error message when they log on to virtual machines from the VDI environment.

For more information about how computer password changes are controlled by the Netlogon service, see Machine Account Password Process.

Cause


This issue occurs because the Netlogon service for the operating system of the virtual machine changes the computer account password after the MaximumPasswordAge period. This password is stored in both the operating system registry and the computer object in Active Directory.

After a user logs off, the RDV_ROLLBACK checkpoint is applied and reverts the virtual machine to its previous state. The computer password that's stored in the registry is also rolled back to its previous state. This creates a mismatch between the stored passwords.

Resolution


To avoid this issue, use one of the following methods.

Method 1

If the virtual machines in the VDI collection are created from a template, we strongly recommend that you regularly apply operating system security updates to the template, and then re-create all VMs so that they are fully patched.

By default, the computer account password change interval is 120 days for a VM in a pooled managed VDI collection that has rollback enabled and that's created through Server Manager. 

For collections that are created through Windows PowerShell by using the New-RDVirtualDesktopCollection cmdlet together with the -VirtualDesktopPasswordAge parameter, the administrator defines a custom interval.

To avoid security channel issues in this situation, make sure that the template is patched, and that VMs are re-created before the computer account password change interval expires. The number of days remaining before the expiration date depends on whether the collection was created through Server Manager or PowerShell.
 

Method 2

Disable computer account password changes for virtual machines by using the Domain member: Disable computer account password change policy.


Note Be aware that when all virtual machines are re-created in the collection by using the Recreate All Virtual Desktops option, a new computer account password is assigned to each of them.

More Information


The default interval for computer password changes is defined by the Domain member: Maximum computer account password age policy. The default value is 30 days. This means that every 30 days, the Netlogon service for the client operating system invokes a computer password change.

The following scenarios apply, depending on the VM creation process.

  • If the VM is based on a pooled managed VDI collection that's created through Server Manager and has the Automatically roll back virtual desktop when the user logs off option enabled:
     

    During the first startup after the VM is created, the Remote Desktop Virtualization Host Agent (VMHostAgent) service on the Hyper-V host forces the Domain member: Maximum computer account password age policy to 120 days. It does this by setting a value of 120 for the following registry entry on the VM's guest operating system:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge

  • If the VM is in a pooled managed VDI collection that is created through PowerShell by using the New-RDVirtualDestkopCollection cmdlet together with the -VirtualDesktopPasswordAge parameter:
     

    During the first startup after the VM is created, the Remote Desktop Virtualization Host Agent (VMHostAgent) service on the Hyper-V host forces the Domain member: Maximum computer account password age policy to the number of days that is specified on the VM's guest operating system. It does this by setting the specified value for the following registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge

    On the Hyper-V host, this custom value is specified on the -VirtualDesktopPasswordAge parameter that's stored in the following registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VmHostAgent\Parameters\<CollectionName>\VirtualDesktopPasswordAge

    Note This also applies to collections that are updated by using the Update-RDVirtualDesktopCollection PowerShell cmdlet.