Domain authentication issues
A while ago, in preparation for enterprise rollout of Windows 7, I was tasked with migrating a number of existing Windows XP applications to Windows 7. I was provided a new machine loaded with the standard corporate rollout image of Windows 7 Enterprise. Since I knew I would be making numerous additions/deletions/changes, I copied the physical hard drive to a VHD and modified the boot menu to allow selecting between the pristine physical drive and the VHD, which I intended to use as a sandbox. Things went well and I was able to boot back and forth between my development sandbox and my production box without issues.

Important note: > This machine is part of a domain <

My migration and validation testing went well and the machine was kept booted to the physical drive (production mode). Some time passed and I was tasked with checking out some new applications. I attempted to boot to the VHD (development mode) for testing, only to be greeted with 'The trust relationship between this workstation and the primary domain failed.' I called the network admin to add the machine back to the domain and he informed me that the machine already existed in the domain. Hmmm... After removing the machine from the domain and re-adding it, I was able to log into the VHD again. After my testing was completed, I booted to the physical drive and was again greeted with 'The trust relationship between this workstation and the primary domain failed.' Another round of adding/removing the machine from the domain to get things going again.

I'm guessing that the machine's credentials expired for the VHD and when the network admin added the VHD-booted machine it invalidated the credentials for the physical-drive-booted machine.

My question: What do I need to synchronize between the physical drive and the VHD so that I don't have to go through the domain remove/add process every time I switch between boot options? I'm guessing that it is just a file or reg key or something simple.

Can anyone help me out?
August 31st, 2012 11:46am

Hi, Thank you for your question. I am trying to involve someone familiar with this topic to further look at this issue. Regards, Leo Huang TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Leo Huang TechNet Community Support
September 2nd, 2012 11:00pm

Hi, The error message you got displays because the secure channel is broken between the machine and domain due to an inconsistent computer password. For this type of issue, the solution is to disjoin and then rejoin the problematic machine to the domain.

Each Windows-based computer maintains a machine account password history. In order for a Windows system to log on to a domain, it must establish a secure channel with a domain controller for the purpose of authentication. The Netlogon service uses the computer account and an associated password to establish the secure channel. If the computer account's password and the LSA secret are not synchronized, your machine will not be able to connect to the domain and you may notice various Netlogon errors. This is usually due to an inconsistent or corrupted machine account password. For Windows 2000/XP/2003/Vista/Win7, the default computer account password change is 30 days.

To avoid the same issue in the future, you can disable the machine password change on the machine:
1. Log in to the machine as administrator, run "gpedit.msc" in command prompt.
2. Expand to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Find the setting "Domain Member: Disable machine account password changes" and then set it to Enabled.
4. Run "gpupdate /force" (without quotes) to refresh local group policy.

Note: You also need to follow the steps above on the VHD. After that, the problematic machine always maintains the current machine account password but never changes it. Since we cannot view or change the machine account password manually, the action does not have an impact on security.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 3rd, 2012 11:44pm

Make sure that your system time is correct. Anything that's more than 5 min off will create problems with authentication. I have a feeling that you have named both the physical and the VHD machine with the same name. (If that's the case, change the name of one of them.)
September 4th, 2012 1:32am

Thanks for your responses.

@Diana - Your description is consistent with my observations. Unfortunately, the policy changes you mention would have needed to be made before the disk was initially cloned. Additionally, corporate IT has disabled policy changes for Security Options. Not unexpected. I was hoping that I could copy a sam/system/security file from the working drive to the non-working clone.

@Brano - Since the hardware is not changing, I expect that the system time is the same regardless of which drive is booted. You are correct that the machine name is the same no matter which drive I boot from. This is intentional.
September 5th, 2012 6:35am

Hi, Currently, there are two options to address your problem:

Option 1: Open local group policy (by running gpedit.msc) on your machine, change the setting "Domain Member: Disable machine account password changes" under [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options] to Enabled. Then re-clone the disk and recreate the VHD. Note: If you do not have the privilege to open local group policy, you can directly edit the registry and set the registry value DisablePasswordChange to 1; the registry entry is under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Refer to the KB article http://support.microsoft.com/kb/154501 for more information.

Option 2: Rename either the physical machine or the VHD so that they have different computer names.

Regards, Diana

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 6th, 2012 9:59am
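The following PowerShell script is an added example, not code from the thread or from Microsoft: it inspects the Netlogon registry values named in Diana's Option 1 (and in KB 154501), reports whether the secure channel to the domain is currently healthy, and provides a function that applies the DisablePasswordChange=1 setting. It assumes an elevated PowerShell session (2.0 or later, as shipped with Windows 7) on the domain-joined boot you intend to clone, and that MaximumPasswordAge, if absent, defaults to the 30 days stated in the thread.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 2.0+ session
# on the domain-joined machine, run from the boot that will be cloned to the VHD.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordChangeState {
    # Read the two Netlogon values that govern automatic machine password rotation.
    $p = Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue
    $disabled = 0
    $maxAge   = 30   # assumption: default rotation interval when the value is absent
    if ($p -and $p.PSObject.Properties['DisablePasswordChange']) {
        $disabled = [int]$p.DisablePasswordChange
    }
    if ($p -and $p.PSObject.Properties['MaximumPasswordAge']) {
        $maxAge = [int]$p.MaximumPasswordAge
    }
    New-Object PSObject -Property @{
        DisablePasswordChange  = $disabled
        MaximumPasswordAgeDays = $maxAge
        ComputerName           = $env:COMPUTERNAME
    }
}

function Test-DomainSecureChannel {
    # Test-ComputerSecureChannel returns $true when the machine account password
    # held locally still matches the one on the domain controller.
    # Deliberately no -Repair: a repair resets the password on the DC, which is
    # exactly what invalidates the other boot option in this thread's scenario.
    try {
        return [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        Write-Warning "Secure channel test failed: $($_.Exception.Message)"
        return $false
    }
}

function Disable-MachinePasswordChange {
    # Option 1 from the thread, applied via the registry rather than gpedit.msc.
    # Requires elevation; take the clone only after this has been set.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    Set-ItemProperty -Path $NetlogonKey -Name DisablePasswordChange -Value 1 -Type DWord
    return (Get-ItemProperty -Path $NetlogonKey).DisablePasswordChange
}

# Report current state before changing anything.
Get-MachinePasswordChangeState | Format-List
"Secure channel healthy: $(Test-DomainSecureChannel)"

# Uncomment to apply Option 1 on the boot you are about to clone:
# Disable-MachinePasswordChange
```

Run the report from both the physical boot and the VHD boot after the clone: if both show DisablePasswordChange = 1 and the secure channel test returns True, neither boot will rotate the shared machine account password, which is the condition the thread's Option 1 relies on. If the test returns False on one boot only, that boot's LSA secret has already diverged from the domain controller and the disjoin/rejoin described earlier in the thread is still required for that boot.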
