Because Citrix PVS, Windows itself (Netlogon) and third-party software can each initiate a machine account password change, a target device (TD) can end up with a password that no longer matches the one Active Directory holds, and it loses domain trust.
Resetting the machine password from the PVS console fixes an individual TD, but when many TDs lose domain trust the root cause has to be found.
This article gives guidelines for troubleshooting such issues.
Instructions
The logic for a TD to change its password
1. The PVS server generates a new password and a timestamp.
2. The PVS server updates the database.
3. The PVS server sends the new password to the target device, and the TD uses the new password together with its old password to change the machine account password in AD through the Microsoft ADSI API (ADsOpenObject).
4. The target device reports to the PVS server that the password change succeeded.
5. The target device updates the machine account password in its local registry.
If any of the above steps fails, the change in the PVS database is rolled back.
Because the passwords themselves are stored encrypted and cannot be compared directly, use the timestamps to confirm that the password in the PVS database, on the TD and in AD was set at the same time.
Method to check the timestamp in PVS server
- In SQL Server Management Studio, right-click the dbo.Device table, choose Select Top 1000 Rows, add a WHERE clause on the device name to the generated query, and check the adTimestamp column
- Copy the value and paste it into https://www.unixtimestamp.com/ to convert it from Unix epoch seconds to local time
Method to check the timestamp in TD
- Grant the current administrator read permission on HKEY_LOCAL_MACHINE\SECURITY (by default only SYSTEM can read this hive)
- Check the registry key HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime; its default value is the time of the last local machine password change, stored as an 8-byte little-endian FILETIME
- Convert that value with nltest from an elevated command prompt, reversing the byte order of each 4-byte half first:
For example, CupdTime is fea4c6e77695d701
Split it into two parts: fea4c6e7 7695d701
Reverse the bytes of the first part (low DWORD): fea4c6e7 >>>>> e7|c6|a4|fe
Reverse the bytes of the second part (high DWORD): 7695d701 >>>>> 01|d7|95|76
Finally, we get e7c6a4fe 01d79576
Run the command
nltest /time:e7c6a4fe 01d79576
Method to check the timestamp in AD
- Get AD timestamp:
- Active Directory Users and Computers -> View -> Advanced Features
- Search for the computer -> Properties -> Attribute Editor -> pwdLastSet (the Attribute Editor shows the value already converted to local time)
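The three checks above can be done from one elevated PowerShell session on the target device. The script below is an added example and is not part of the Citrix article or the PVS product. It assumes the RSAT ActiveDirectory module is installed, that HKLM\SECURITY has been made readable for the current administrator as described above, that dbo.Device.adTimestamp is Unix epoch seconds (as the article's use of unixtimestamp.com implies), and that a 5-minute tolerance between the three timestamps is acceptable; the function names and the tolerance are the example's own choices.

```powershell
# Added example (not from the Citrix article): compare the machine-account password
# timestamps held by the target device, Active Directory and the PVS database.
# Assumptions: run elevated on the TD; RSAT ActiveDirectory module present;
# HKLM\SECURITY readable by the current administrator; adTimestamp is Unix seconds.

function Convert-CupdTimeHex {
    # Converts the raw hex of CupdTime (little-endian FILETIME) to local time and to
    # the two hex arguments that "nltest /time:<low> <high>" expects.
    param([Parameter(Mandatory)][string]$Hex)   # e.g. 'fea4c6e77695d701' as read from the registry

    [byte[]]$bytes = 0..(($Hex.Length / 2) - 1) |
        ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) }
    $fileTime = [BitConverter]::ToInt64($bytes, 0)   # BitConverter is little-endian on Windows

    [pscustomobject]@{
        # Low DWORD first, then high DWORD: this reproduces the byte reversal done by hand above.
        NltestArgs = '{0:x8} {1:x8}' -f ($fileTime -band 0xFFFFFFFF), ($fileTime -shr 32)
        LocalTime  = [DateTime]::FromFileTimeUtc($fileTime).ToLocalTime()
    }
}

function Get-LocalMachinePasswordTime {
    # Reads the default value of HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime.
    # Single quotes keep $MACHINE from being expanded as a variable.
    $key   = 'HKLM:\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime'
    $bytes = (Get-Item -Path $key -ErrorAction Stop).GetValue('')
    $hex   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    Convert-CupdTimeHex -Hex $hex
}

function Get-ADMachinePasswordTime {
    # pwdLastSet is a FILETIME stored as a 64-bit integer on the computer object.
    param([Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName -Properties pwdLastSet
    [DateTime]::FromFileTimeUtc([long]$computer.pwdLastSet).ToLocalTime()
}

function Convert-PvsAdTimestamp {
    # Value taken from the PVS database, e.g. with
    #   SELECT deviceName, adTimestamp FROM dbo.Device WHERE deviceName = '<name>'
    # Assumed (per the article's use of unixtimestamp.com) to be Unix epoch seconds.
    param([Parameter(Mandatory)][long]$UnixSeconds)
    [DateTimeOffset]::FromUnixTimeSeconds($UnixSeconds).LocalDateTime
}

function Compare-MachinePasswordTimes {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory)][long]$PvsAdTimestamp,
        [int]$ToleranceMinutes = 5    # assumed tolerance; a few seconds of skew is normal
    )
    $local = Get-LocalMachinePasswordTime
    $ad    = Get-ADMachinePasswordTime -ComputerName $ComputerName
    $pvs   = Convert-PvsAdTimestamp -UnixSeconds $PvsAdTimestamp

    $adSkew  = [math]::Abs(($ad  - $local.LocalTime).TotalMinutes)
    $pvsSkew = [math]::Abs(($pvs - $local.LocalTime).TotalMinutes)

    [pscustomobject]@{
        Computer        = $ComputerName
        TargetDevice    = $local.LocalTime
        ActiveDirectory = $ad
        PvsDatabase     = $pvs
        NltestArgs      = $local.NltestArgs
        # $false means at least one side missed a password change; that is the mismatch
        # that breaks domain trust, and the odd one out points at who changed the password.
        Consistent      = ($adSkew -lt $ToleranceMinutes) -and ($pvsSkew -lt $ToleranceMinutes)
    }
}

# Reproduces the worked example above: prints NltestArgs 'e7c6a4fe 01d79576' and the local time.
Convert-CupdTimeHex -Hex 'fea4c6e77695d701'

# Full comparison on a live TD; supply the adTimestamp read from dbo.Device for this device.
# Compare-MachinePasswordTimes -PvsAdTimestamp 1627800000
```

If the three timestamps disagree, the side that carries the most recent time is the one that last changed the password; a TD or AD time newer than the PVS database time is the signature of a change that PVS did not initiate.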
Method to solve the issue:
- Reset the machine account password from the PVS console (Device Collections -> right-click the device) while the VM is shut down
- Stop Windows from rotating the machine account password on its own, so that only PVS changes it, via policy:
- Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Domain member: Disable machine account password changes -> Enabled
To troubleshoot the root cause, reproduce the issue and identify which component initiated the password change that left the PVS database, the TD and AD out of step.