
Given the following lab setup:

HOST1 on Windows Server 2012 R2 (host running Hyper-V, joined test.local domain, static IP)
DC1 on Windows Server 2012 (VM under Hyper-V on HOST1, AD and DNS roles, all defaults with test.local domain)
DC2 on Windows Server 2012 (VM under Hyper-V on HOST1, secondary AD)
DHCP1 on Windows Server 2012 (VM under Hyper-V on HOST1, DHCP role)
HOST2 on Windows Server 2012 R2 (host running Hyper-V, joined test.local domain, static IP)
DC3 on Windows Server 2012 (VM under Hyper-V on HOST2, secondary AD)
DHCP2 on Windows Server 2012 (VM under Hyper-V on HOST2, DHCP role)

Both hosts on the same subnet and home router, all firewalls off. First installed the physical hosts, then the VMs. Installed roles, created new domain, joined all VMs, joined the hosts, restarted a few times, all good.

Problem: When trying to RDP to HOST1 yesterday from my Windows 8.1 box, as usual with the Domain Admin user (test\Administrator), no joy. The connection is accepted but I get to accept the certificate, the RDP connection opens, and a message in the remote machine saying: "Other user The trust relationship between this workstation and the primary domain failed." and disconnects in 30 seconds or so.

If I go with the local administrator account (HOST1\Administrator) I can login just fine. Also, logging on HOST2 with the same Domain Admin user (test\Administrator) is allowed.

Able to fix it (sometimes!) by rebooting both hosts a couple of times. So it looks like the computers and accounts are still all right within the AD (no need to rejoin or reset passwords).

Why does this happen? Where to start with the troubleshooting? Trying to get to understand the root cause, rather than just a quick fix.

Razvan Zoitanu

1 Answer

2

Check the simple things first. Make sure the times match on all the computers (They should since it is Hyper-V, but it's a quick thing to check). Kerberos authentication can fail if they don't, and a failed login by the computer could be sending the trust message when trust isn't really the issue. Also, make sure the DNS servers specified in the host IP settings that you statically configured are the DCs, for the same reason.

After that, try launching your RDP session connecting by IP address instead of host name. If this works, then you have either a problem with certificates, or negotiating the security protocol that is used in the connection.

You said you have to accept the certificate before connecting. Can you supply the reason you are getting prompted to accept it? If the certificate is issued by the domain, it should already be trusted.

Zach Bolinger
  • For the time: all VMs were configured to sync (by default) with some EU NTP servers that drifted anywhere from 30s to 3mins in the last hour! Changed to a more stable pool. The VMs were also polling the host. So quite a lot of conflicts there. Disabled the time sync Integration Service from Hyper-V for all DC machines. The PDC now gets the time from the NTP pool on the internet, and all other DCs (and the Hyper-V hosts and machines joined to the domain) now use the PDC as a source. Time is good on all machines now, no drift. Need a few days to see if the problem comes back. tx! – Razvan Zoitanu Apr 30 '15 at 13:22
  • The question on certificates: error message "The certificate is not from a trusted certifying authority." I've followed the advice in the General tab when prompted with the certificate, and installed it in the Trusted Root Certification Authorities store on my 8.1 box. Actually installed the certificates from all the machines in the lab. Still get the prompts, but it's always been like this, don't think this has anything to do with the main problem. Maybe I should ask a new question on this, but need to read some more on certificates. – Razvan Zoitanu Apr 30 '15 at 13:23
  • I assume your 8.1 box is not joined to the domain. If you connect from a server in the domain do you still get the message? It's normal to get that message from outside the domain since the default certificate for RDP is a self-cert. – Zach Bolinger Apr 30 '15 at 13:41
  • Correct Zach. I've logged in to DC4 from HOST1 and didn't get the certificate prompt (same domain). Cheers, learned a few things today! – Razvan Zoitanu Apr 30 '15 at 13:57
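A diagnostic script that works through the answer's checklist in one pass (clock skew against the PDC emulator, whether the statically configured resolvers are DCs, the machine account's secure channel, and the Hyper-V time-sync integration service the comments mention). It is an added example, not part of the original thread; it assumes only the test.local domain from the question and is meant to be run in an elevated PowerShell on a domain member such as HOST1 (the Hyper-V part only does something on a host).

```powershell
# Added diagnostic for the "trust relationship ... failed" symptom. Assumes the
# domain name from the question (test.local) via the current machine's membership.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
Write-Host "Domain: $($domain.Name)   PDC emulator: $pdc"

# 1. Clock skew against the PDC emulator. Kerberos tolerates 5 minutes by default;
#    w32tm /stripchart /dataonly prints one "time, +offset s" line per sample.
$offsets = w32tm /stripchart /computer:$pdc /samples:3 /dataonly |
           Where-Object { $_ -match ',\s*([+-]\d+\.\d+)s' } |
           ForEach-Object { [double]$Matches[1] }
if ($offsets) {
    $maxSkew = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $verdict = if ($maxSkew -gt 300) { 'FAIL (beyond Kerberos 5-minute tolerance)' } else { 'OK' }
    Write-Host ("Max clock offset vs PDC: {0:N3}s -> {1}" -f $maxSkew, $verdict)
} else {
    Write-Host "Could not sample time from $pdc (UDP 123 blocked or host unreachable?)"
}

# 2. Every configured DNS resolver should be a DC: the _ldap SRV record under
#    _msdcs lists the DCs, so resolve those names and compare with the NIC settings.
$dcHosts = Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$($domain.Name)" |
           Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
$dcIPs   = $dcHosts | ForEach-Object { (Resolve-DnsName $_ -Type A).IPAddress }
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($ip in $_.ServerAddresses) {
            $tag = if ($dcIPs -contains $ip) { 'OK (DC)' } else { 'WARN (not a DC, e.g. home router)' }
            Write-Host "$($_.InterfaceAlias): resolver $ip -> $tag"
        }
    }

# 3. The machine account's secure channel, tested read-only (no -Repair, so nothing
#    changes); a broken channel is what the RDP logon message is actually reporting.
$channelOk = Test-ComputerSecureChannel
Write-Host "Secure channel to $($domain.Name): $(if ($channelOk) { 'OK' } else { 'BROKEN' })"

# 4. On a Hyper-V host: show which VMs still take time from the host. DCs should
#    have this integration service disabled, as the comment above did.
Get-VM -ErrorAction SilentlyContinue |
    Get-VMIntegrationService -Name 'Time Synchronization' |
    ForEach-Object { Write-Host "$($_.VMName): Time Synchronization enabled = $($_.Enabled)" }
```

Run it on both hosts and on a DC VM; a WARN on the resolver line or a FAIL on skew points at the Kerberos cause the answer describes, while BROKEN on the secure channel means the machine account itself needs attention.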