End users fail to log in to a virtual desktop, or to log in remotely using a domain account, and see this error: "The security database on the server does not have a computer account for this workstation trust relationship."

Instant Clone provisioning fails with a log entry similar to the one below in a Connection Server debug file (see Location of Horizon (VDM) log files (1027744)):

Error during Provisioning Cloning of VM test123 has failed: Fault type is AD_FAULT_FATAL - com.vmware.daas.cloneprep.ldap.LdapException: resetComputerAccount: Fail to reset computer account test123 from CN=test123,OOU=testpool,OU=Win10,OU=VDI,OU=VMs,OU=Sites,DC=test,DC=com to null. - unable to modify entry CN=test123,OOU=testpool,OU=Win10,OU=VDI,OU=VMs,OU=Sites,DC=test,DC=com, resultCode=53 (unwilling to perform), errorMessage=0000001F: SvcErr: DSID-031A125F, problem 5003 (WILL_NOT_PERFORM), data 0

This behaviour is typically observed under the following conditions:
- The DC locator identifies the best-match DC based on multiple factors (DNS, subnet, closest site, priority and weight, and so on). Configure a domain controller at optimal proximity to the agent subnet IP range.
- The DNS record name is shared by multiple instances of a service (Netlogon A, AAAA and SRV records on each DC).
- Each additional writable replica of the AD naming context increases the chance of collision.
- Replica DCs are distributed across multiple sites; each site hop, on average, adds a 15-minute replication delay.
- Inter-site replication remains at the default of 3 hours.
- A migration or move from a contiguous to a disjoint namespace is also a possible scenario; see Planning a namespace transition for an overview if this applies to your environment.
This article highlights a common provisioning or login failure scenario that results from an incomplete domain join.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites.
A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Horizon pre-creates computer accounts on a random domain controller in the defined site and initiates the domain join via the Horizon Agent against the same domain controller. The domain join causes some SPNs to be set on that domain controller, but Microsoft's Terminal Services service sets its SPNs on a different domain controller. When Microsoft's directory service merges the SPN updates from the two domain controllers, it overwrites one set of SPNs; the overwritten SPN is the missing one, and its absence then blocks user login.
Long term, we are coding improvements within the Horizon product to help mitigate this scenario.
You can verify the SPN values on an individual machine using PowerShell and validate them against a machine that has successfully provisioned. From PowerShell or an administrative command prompt, on a machine with access to Microsoft LDAP, run a setspn command to enumerate the SPNs:

setspn -L test123

If some SPN values are missing, run the following command to reset the SPNs:

setspn -R MACHINE1

Get-ADComputer is a PowerShell alternative that can achieve the same outcome as the commands above.

Reference: Setspn; Get-ADComputer (ActiveDirectory)
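The following PowerShell is an added example, not code from this article or from VMware. It performs the comparison the paragraph above describes with Get-ADComputer instead of setspn: it reads the servicePrincipalName attribute of a failing instant-clone computer account and of a known-good one, rewrites the good machine's SPNs onto the failing machine's name so the two sets are comparable, and reports which SPNs are missing. Because the cause described above is two DCs holding different SPN sets, it also queries each writable DC directly so you can see whether the account has converged. The function names and the computer names test123 and goodvm01 are assumptions; the ActiveDirectory RSAT module is required.

```powershell
# Added example (not from the KB article). Assumes the ActiveDirectory RSAT
# module is installed and the caller can read computer objects in the domain.
Import-Module ActiveDirectory

function Get-ComputerSpnSet {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Server   # optional: query one specific DC instead of the locator's choice
    )
    $params = @{ Identity = $ComputerName; Properties = 'servicePrincipalName' }
    if ($Server) { $params['Server'] = $Server }
    $computer = Get-ADComputer @params
    # Normalise case so HOST/test123 and host/TEST123 compare as equal
    return @($computer.servicePrincipalName |
        ForEach-Object { $_.ToUpperInvariant() } |
        Sort-Object -Unique)
}

function Compare-ComputerSpn {
    param(
        [Parameter(Mandatory)][string]$FailingComputer,   # e.g. test123 (assumed name)
        [Parameter(Mandatory)][string]$GoodComputer       # a machine that provisioned successfully
    )
    $good    = Get-ComputerSpnSet -ComputerName $GoodComputer
    $failing = Get-ComputerSpnSet -ComputerName $FailingComputer

    # Rewrite the reference machine's SPNs onto the failing machine's host name.
    # The pattern matches "/GOODVM01" only when followed by ".", ":", "/" or the
    # end of the SPN, so both short-name and FQDN forms are translated.
    $goodUpper    = $GoodComputer.ToUpperInvariant()
    $failingUpper = $FailingComputer.ToUpperInvariant()
    $pattern      = '/' + [regex]::Escape($goodUpper) + '(?=[.:/]|$)'
    $expected     = @($good -replace $pattern, ('/' + $failingUpper))

    $missing = @($expected | Where-Object { $failing -notcontains $_ })
    $extra   = @($failing  | Where-Object { $expected -notcontains $_ })

    [pscustomobject]@{
        Computer = $FailingComputer
        Expected = $expected.Count
        Present  = $failing.Count
        Missing  = $missing      # SPNs present on the good machine but absent here
        Extra    = $extra        # SPNs the good machine does not have
    }
}

function Test-SpnReplication {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Ask every writable DC directly. Differing answers mean the SPN update has
    # not converged yet, or that one DC's write overwrote another's.
    $writableDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    foreach ($dc in $writableDcs) {
        try {
            $spns = Get-ComputerSpnSet -ComputerName $ComputerName -Server $dc.HostName
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; SpnCount = $spns.Count; Spns = ($spns -join ';') }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; SpnCount = -1; Spns = "ERROR: $($_.Exception.Message)" }
        }
    }
}

# Usage (computer names are placeholders):
Compare-ComputerSpn -FailingComputer 'test123' -GoodComputer 'goodvm01' | Format-List
Test-SpnReplication -ComputerName 'test123' | Format-Table -AutoSize
# If Missing is non-empty, the article's remediation is: setspn -R test123
```

Compare the Missing list with the output of setspn -L for the same account; a failing machine whose SPN count differs between DCs in Test-SpnReplication points at the replication delay conditions listed above rather than at the account itself.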
This is a child article of AD_FAULT_FATAL: An Index of Instant Clone Creation Errors returned by Active Directory (91065).

Microsoft reference article: Problems occur with DCs in AD integrated DNS zones - Windows Server | Microsoft Learn