Forum Discussion

StevenR
Brass Contributor
Dec 27, 2024

Health state unavailable DomainTrustCheck failed

Hi, we are building an AVD environment (not for the first time) and sporadically VMs will show the Health state in the Host pool as unavailable. If you click on the affected VM it will say DomainTrustCheck failed; however, if you log on to the VM (via RDP, as MSTSC won't connect to it when in this state) and run domain join checks, they all come back as no issue. If you shut the VM down to deallocated and turn it on, sometimes the same VM will come back as green/available, but then if you restart it, it will come back as unavailable for domain checks.


We have built 4 different host pools using the store Win11 multi-session 23H2 image, some with "create Session Host Configuration" enabled (Preview), some disabled as the norm, and they all do the same. We have tried removing them from CA policies and doing a sanity check on the domain controller that the credentials work; however, if we look at the sign-in checks in Entra it says it is failing Windows sign-in with incorrect credentials, but the same credentials are being used to sign into Azure, sign into the VM and sign into the domain controller, and they never fail to log in at that point. Also, if the credentials were wrong, surely it would fail the health check every time, not some of the time.


Anyone have any ideas? Logged with Microsoft, but they are on holiday for the Christmas period.

5 Replies

  • Kat Rhodes
    Copper Contributor

    StevenR, did you ever get an answer to this? I am running into the same issue, only my systems are not coming back from the failure, and all my tests have also been good.

    • StevenR
      Brass Contributor

      Hi Kat,

      I did, however I can't say for sure which it was, but one thing was I could see some authentication issues, and after some heavy googling it appeared there were remnants of an old SBS,

      so there was an old SPN account that needed removing at domain controller level which is part of MSSQLSvc. This was visible in the logs as a recurring authentication error. I can't give you more detail as I was just stumbling through one thing after another over Christmas trying to get to the bottom of it, but once I located the error I googled how to delete an SPN.


      Just found a message I wrote to a colleague: basically you can't have duplicate/multiple SPNs or they can cause authentication issues, so you locate the existing SPNs and delete the old one; in my case one was labelled customerSBS.domain.local. I can't find the command I used to pull the list or delete them, but I'm sure with this info, if you google that, you will find it.


      Hope that helps
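The reply above describes finding and removing a duplicate SPN left over from an old SBS server but not the commands used. The following PowerShell is an added example, not something posted in this thread: it lists every SPN registered on more than one account in the domain (the condition that breaks Kerberos ticket validation) and wraps the removal of a stale entry in a function that defaults to -WhatIf. It assumes the ActiveDirectory RSAT module; the SPN and DN values at the bottom are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): report duplicate SPNs across the domain.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to AD.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Search base; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Every object that holds at least one SPN (computers, users, gMSAs, ...).
    $holders = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -SearchBase $SearchBase -Properties servicePrincipalName

    # Flatten to one row per (SPN, holder) pair, then group by SPN value.
    $rows = foreach ($obj in $holders) {
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{ Spn = $spn; Holder = $obj.DistinguishedName }
        }
    }
    $rows | Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn     = $_.Name
                Count   = $_.Count
                Holders = ($_.Group.Holder -join '; ')
            }
        }
}

function Remove-StaleSpn {
    # Removes one SPN value from one holder. Defaults to -WhatIf so a typo in
    # the DN or SPN only produces a "What if:" line; pass -WhatIf:$false to apply.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$HolderDn,
        [Parameter(Mandatory)][string]$Spn
    )
    if ($PSCmdlet.ShouldProcess($HolderDn, "Remove SPN $Spn")) {
        Set-ADObject -Identity $HolderDn -Remove @{ servicePrincipalName = $Spn }
    }
}

# Report every SPN registered on more than one account. The KDC cannot tell
# which account's key to use for a duplicated SPN, which shows up as
# intermittent authentication failures (Kerberos event ID 4, KRB_AP_ERR_MODIFIED).
Get-DuplicateSpn | Format-Table -AutoSize

# Cross-check with the built-in tool (forest-wide):   setspn -X -F

# Placeholder values: substitute the holder and SPN your report identified as obsolete.
# Remove-StaleSpn -HolderDn 'CN=OLDSBS,OU=Servers,DC=domain,DC=local' -Spn 'HOST/customerSBS.domain.local' -WhatIf
```

Run the report first and confirm with the owners of both accounts which one is obsolete; the duplicate is usually a decommissioned host (as in the reply above), but deleting the live one breaks authentication to that service until it is re-registered.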

  • Try the below:


    • Check Event Logs: Look at the event logs on both the VM and the domain controller for any errors related to domain trust or authentication. Sometimes, specific error codes can give more insight into what's going wrong.
    • Update Domain Controllers: Ensure that your domain controllers are fully updated and that there are no known issues with the latest updates. Sometimes, updates can introduce bugs that affect domain trust.
    • Verify Synchronization: Make sure that your Azure AD and on-premises AD are properly synchronized. You can use the nltest /sc_verify:<domain_name> command to verify the trust relationship.
    • Registry Settings: There might be a known issue with registry settings on the domain controllers. You can try setting the ApplyDefaultDomainPolicy registry key to 0 as a workaround.
    • StevenR
      Brass Contributor

      Hi, thanks for your reply. I've checked all of that and find no issues. I've looked in the event logs of one of the AVDs, and under Remote Desktop Services I get an error "CheckSessionHostTrustToDomainAsync - SessionHost unhealthy: SessionHost lost trust relationship with the domain mydomain"; however, if I run domain checks it comes back as no issue. It then follows straight up with a warning "Op='DomainTrustHealthCheck' already set. Ignoring resultType=Success", which reads like it's saying it is ignoring the fact it came back with success, but I could be misinterpreting that. There's a fairly useless log in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDInfraAgent\HealthCheckReport which keeps returning failed if I do checks, clear the log, then restart the RDAgent.

      • StevenR
        Brass Contributor

        Potentially this was either a duff DC or a duplicate SPN. Due to the intermittent effect it's hard to know which it was, but after some 30+ reboots/start-shutdown-starts they all come back online as healthy/available every time.


        The other DCs are all Server 2019; the removed one was 2025. All the checks came back as healthy, but I had noticed DNS was not replicating and the network location needed a lot of work to be Domain, so as it was a new VM I decided to get rid of it before it became more important rather than spend many more hours trying to resolve the DC issue. Will likely use 2022 instead.
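The thread's symptom is a session host whose own domain checks pass while the agent's DomainTrustHealthCheck keeps failing. The script below is an added example, not code from the thread or from the AVD agent: run elevated on a session host, it gathers the four pieces of evidence the posts above refer to in one object: the machine's secure channel state, the nltest /sc_verify result suggested in the "Try the below" list, whatever the RDAgent last wrote under the HKLM\SOFTWARE\Microsoft\RDInfraAgent\HealthCheckReport key named in the thread, and recent Kerberos/Netlogon errors in the System log (Kerberos event ID 4 and NETLOGON 5719 are standard Windows events; the function name and the layout of the result object are my own).

```powershell
# Added example (not from the thread): collect the evidence for an AVD
# DomainTrustCheck failure from the session host itself. Run elevated on the host.

function Test-SessionHostDomainTrust {
    [CmdletBinding()]
    param(
        # USERDNSDOMAIN is empty under SYSTEM or a local account; pass -Domain then.
        [string]$Domain = $env:USERDNSDOMAIN,
        [int]$HoursBack = 24
    )

    # 1. Is the machine's secure channel to a DC valid right now?
    $secureChannel = Test-ComputerSecureChannel

    # 2. Does the trust verify via Netlogon (the nltest suggestion above)?
    $nltest   = & nltest.exe "/sc_verify:$Domain" 2>&1
    $nltestOk = ($LASTEXITCODE -eq 0)

    # 3. What the RDAgent last recorded for its health checks (key named in the thread).
    $reportPath = 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent\HealthCheckReport'
    $report = @{}
    $item = Get-ItemProperty -Path $reportPath -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $report[$_.Name] = $_.Value }
    }

    # 4. System-log events that point at a DC or SPN problem rather than the host:
    #    Kerberos event 4 (KRB_AP_ERR_MODIFIED, the classic duplicate-SPN symptom)
    #    and NETLOGON 5719 (could not set up a secure session with a DC).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = @(4, 5719)
        StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -in @('Microsoft-Windows-Security-Kerberos', 'NETLOGON') } |
        Select-Object TimeCreated, ProviderName, Id, Message

    [pscustomobject]@{
        SecureChannelOk   = $secureChannel
        NltestOk          = $nltestOk
        NltestOutput      = ($nltest -join "`n")
        HealthCheckReport = $report
        RelatedEvents     = @($events)
    }
}

$result = Test-SessionHostDomainTrust
$result | Format-List

# Reading the result:
#  - SecureChannelOk and NltestOk both $true while HealthCheckReport still shows
#    the domain check failed is the pattern in this thread: the host's trust is
#    intact, so look at the DCs it is talking to (replication, a duplicate SPN),
#    with RelatedEvents naming the ticket or DC involved.
#  - SecureChannelOk $false is a genuine broken trust on this host; repair with
#      Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

Capture the output on a host while it is marked unavailable and again after a restart brings it back; diffing the two HealthCheckReport snapshots and the event list is what separates a host-side trust fault from the intermittent DC-side cause the thread ended on.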
