This article describes an issue in which you experience secure channel failures on a virtual machine (VM) that belongs to a pooled managed VDI collection that has rollback enabled.
In a VM-based desktop deployment, you can use two types of VDI collections:
- Pooled managed: You have a pool of virtual machines available. When a user connects to the farm, an available virtual machine in the pool is assigned to that user.
- Personal managed: One specific virtual machine is assigned to each user. Users are assigned the same VM every time that they connect to the farm.
When you use pooled managed VDI collections, you can choose whether to roll back the virtual desktop to its previous state. If rollback is enabled, the following actions occur every time that a user logs off:
- A checkpoint (snapshot) is applied.
- The virtual machine reverts to the state of the checkpoint.
- All changes that were made after the checkpoint are discarded.
In this situation, the computer account password that's stored locally on the VM is also rolled back. If the Netlogon service has changed that password on the domain controller since the checkpoint was taken, the rolled-back local copy no longer matches the domain's copy. This causes a secure channel failure and breaks the virtual machine's connection to the domain.
When this issue occurs, you may experience the following scenario:
- In the Pooled Managed VDI Collection creation wizard, you enable the Automatically roll back virtual desktop when the user logs off option.
- VMs are created from the template, and the checkpoint (snapshot) RDV_ROLLBACK is created.
  Note: This checkpoint is applied to revert the VM every time that the user logs off.
- After several days or even months, users receive a "The trust relationship between this workstation and the primary domain failed" error message when they log on to virtual machines from the VDI environment.
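The following PowerShell function is an added example, not part of the original article or of any Microsoft tooling. It runs inside a domain-joined VDI VM and reports whether the rollback condition described above is present: it reads the Netlogon registry values that control machine account password rotation (`DisablePasswordChange` and `MaximumPasswordAge`, both real value names under the Netlogon\Parameters key; the 30-day default for the latter is the documented default), compares the domain's `pwdLastSet` for the computer object with the time the RDV_ROLLBACK checkpoint was taken, and tests the secure channel with `Test-ComputerSecureChannel`. The checkpoint time is not visible from inside the guest, so the caller passes it in (on the Hyper-V host, `Get-VMSnapshot` exposes it as `CreationTime`). The function name, parameter names and the example timestamp are this example's own choices.

```powershell
function Test-VdiRollbackTrust {
    [CmdletBinding()]
    param(
        # When the RDV_ROLLBACK checkpoint was taken (obtained on the host).
        [Parameter(Mandatory)] [datetime] $CheckpointCreated,
        # Attempt Test-ComputerSecureChannel -Repair if the channel is broken.
        [switch] $Repair,
        # Domain credential allowed to reset this computer's password; used with -Repair.
        [pscredential] $Credential
    )

    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $netlogon

    # Netlogon values that control machine account password rotation.
    # Defaults when the values are absent: DisablePasswordChange = 0, MaximumPasswordAge = 30 days.
    $disableChange = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAgeDays    = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }

    # Domain-side view: when AD last recorded a password change for this computer object.
    # pwdLastSet is a FILETIME; DirectorySearcher returns it as Int64. The lookup can fail
    # once the secure channel is already broken, so treat that as "unknown".
    $pwdLastSet = $null
    try {
        $searcher = [adsisearcher]"(sAMAccountName=$($env:COMPUTERNAME)`$)"
        $entry = $searcher.FindOne()
        if ($entry) {
            $pwdLastSet = [datetime]::FromFileTimeUtc([int64]$entry.Properties['pwdlastset'][0])
        }
    } catch {
        Write-Verbose "Could not query the domain for pwdLastSet: $($_.Exception.Message)"
    }

    # If the domain copy changed after the checkpoint, every rollback restores a local
    # secret that the domain no longer accepts.
    $checkpointUtc = $CheckpointCreated.ToUniversalTime()
    $domainChangedAfterCheckpoint = if ($null -ne $pwdLastSet) { $pwdLastSet -gt $checkpointUtc } else { $null }

    $channelOk = Test-ComputerSecureChannel
    $repaired = $false
    if (-not $channelOk -and $Repair) {
        $repairArgs = @{ Repair = $true }
        if ($Credential) { $repairArgs.Credential = $Credential }
        $repaired = Test-ComputerSecureChannel @repairArgs
    }

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        SecureChannelOk              = $channelOk
        Repaired                     = $repaired
        DomainPwdLastSetUtc          = $pwdLastSet
        CheckpointCreatedUtc         = $checkpointUtc
        DomainChangedAfterCheckpoint = $domainChangedAfterCheckpoint
        RotationDisabled             = ($disableChange -eq 1)
        MaxPasswordAgeDays           = $maxAgeDays
        # Trust will break again on the next rollback while rotation is enabled and the
        # domain copy already postdates the checkpoint.
        AtRisk                       = ($disableChange -ne 1) -and ($domainChangedAfterCheckpoint -eq $true)
    }
}

# Example call; the checkpoint time is a constructed placeholder, not a real value.
# Test-VdiRollbackTrust -CheckpointCreated (Get-Date '2024-01-15T08:00:00Z') -Verbose
```

A `Repaired` value of `$true` only restores the trust of the running instance; the RDV_ROLLBACK checkpoint still holds the old local secret, so the next logoff reverts the VM to the broken state again. The `AtRisk` and `RotationDisabled` fields are the ones to watch when deciding whether the template or the checkpoint needs attention.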
For more information about how computer password changes are controlled by the Netlogon service, see Machine Account Password Process.