cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Trust relationship failed - Cannot logon to Azure VM with domain or local user

Björn Stahlberg
Copper Contributor

‎Feb 10 2018 09:26 AM

‎Feb 10 2018 09:26 AM

Trust relationship failed - Cannot logon to Azure VM with domain or local user

Hi,

 

so we've got 3 VMs. A domain controller and 2 ADFS servers in Azure. For unknown reasons, the trust relationship failed between the two ADFS servers and the domain. I therefore cannot logon to both using a domain user. Also, if I try to login using a local account, I get the "requires network level authentication (nlm), but domain controller cannot be contacted" error. Network seems to be fine I can ping, remote desktop and whatever protocol between all 3 servers. They are in the same subnet. So.. what happened here and how can gain back access to the machines?

 

Regards

Björn

Labels:
9,577 Views
0 Likes
5 Replies
Reply
5 Replies
Kent Gaardmand

‎Feb 10 2018 10:55 AM

‎Feb 10 2018 10:55 AM

Re: Trust relationship failed - Cannot logon to Azure VM with domain or local user

as to the failed trust relationship i can only speculate, but i would like to confirm you current configuration. On the Vnet did you specify the DC as the Name server, or set it on the Nic of each VM? Also is this DC the first DC in a new Forest or have you extended your Domain to Azure? and finaly what NSG rules are you using between the VM's ?
0 Likes
Reply
Björn Stahlberg

‎Feb 10 2018 01:34 PM

‎Feb 10 2018 01:34 PM

Re: Trust relationship failed - Cannot logon to Azure VM with domain or local user

Hi Kent,

 

Yes, the DC is the primary name server for the Vnet and therefore the primary server for both of the failed VMs. We extended our domain to Azure so the DC is an additional DC to a single domain in a single forest. The configuration has been working fine so far for months. NSG rules are standard as far as I can tell. All traffic is permitted within the Vnet and there is an additional rule to allow inbound traffic from our Web Application Proxies. I attached a screenshot for reference. The DC does not have a NSG set.

Preview file
27 KB
0 Likes
Reply
best response confirmed by Björn Stahlberg (Copper Contributor)
Kent Gaardmand

‎Feb 10 2018 03:54 PM

‎Feb 10 2018 03:54 PM

Solution

Re: Trust relationship failed - Cannot logon to Azure VM with domain or local user

well the only thing i can think to mention is that you could consider 2 DC's in an availability set. Perhaps you single DC experienced a crash, have you created a new site topology for Azure in your ADDS configuration ? if you need to recover the VM's i would suggest using nested virtualization in another vm.

Azure recommends the following Create a separate virtual data disk for storing the database, logs, and SYSVOL for Active Directory. Do not store these items on the same disk as the operating system. Note that by default, data disks that are attached to a VM use write-through caching. However, this form of caching can conflict with the requirements of AD DS. For this reason, set the Host Cache Preference setting on the data disk to None. For more information, see Placement of the Windows Server AD DS database and SYSVOL.
Deploy at least two VMs running AD DS as domain controllers and add them to an availability set.
0 Likes
Reply
Björn Stahlberg

‎Feb 12 2018 06:11 AM

‎Feb 12 2018 06:11 AM

Re: Trust relationship failed - Cannot logon to Azure VM with domain or local user

We double checked all the settings and services and weren't able to identify any issues. However, after restarting the domain controller in Azure and then restarting both ADFS machines, we were able to login via RDP and a local admin account.  To me it seems like some service on the domain controller did not work as intended. Unfortunately we were not able to track this down any further.

0 Likes
Reply
Kent Gaardmand

‎Feb 12 2018 06:18 AM

‎Feb 12 2018 06:18 AM

Re: Trust relationship failed - Cannot logon to Azure VM with domain or local user

One thing you may want to consider, it happens to me often. Windows has the "network awareness service" it determines the Firewall profile. if the DC or the ADFS server are unable to contact a valid ADDS DNS server the profil may go to public. I like to delay the start up of this service on my ADDS servers, for unknown reasons sometimes it failes to validate its location if i dont.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Björn Stahlberg (Copper Contributor)
Kent Gaardmand

‎Feb 10 2018 03:54 PM

‎Feb 10 2018 03:54 PM

Solution

Re: Trust relationship failed - Cannot logon to Azure VM with domain or local user

well the only thing i can think to mention is that you could consider 2 DC's in an availability set. Perhaps you single DC experienced a crash, have you created a new site topology for Azure in your ADDS configuration ? if you need to recover the VM's i would suggest using nested virtualization in another vm.

Azure recommends the following Create a separate virtual data disk for storing the database, logs, and SYSVOL for Active Directory. Do not store these items on the same disk as the operating system. Note that by default, data disks that are attached to a VM use write-through caching. However, this form of caching can conflict with the requirements of AD DS. For this reason, set the Host Cache Preference setting on the data disk to None. For more information, see Placement of the Windows Server AD DS database and SYSVOL.
Deploy at least two VMs running AD DS as domain controllers and add them to an availability set.

View solution in original post

0 Likes
Reply