Domain Trust broken on new versions of a domain-joined layer because the computer name has changed

The problem here is complicated. If you need to use Caching, because it’s a significant performance boost when layering, then the machine name will change every time you use a new OS layer version. If you turn off Caching, then the machine names will stabilize. You may need to decide which is more important.

The way Caching works in a connector is, the first time you edit any layer, a generic boot disk with that specific version of the OS layer is uploaded. The Computer Name set in that generic boot disk is the package ID of the layer you happen to be editing. But we can re-use that generic boot disk for any other layer edits, and we don’t bother to change the machine name. So, as an example:

The first layer you edit with OS revision 5 is called CITRXAL_1000001, because it happens to have layer ID 1000001. If you then create layer 1000002 based on OS revision 5, since we already have a copy of OS revision 5 cached in the connector, we'll just re-use it, and the packaging machine for 1000002 will still be named CITRXAL_1000001.

Then I create revision 6 of my OS layer. There is no cached copy of revision 6. So immediately after creating R6, I version layer 1000002. The ELM has to construct and upload a generic boot disk for OS revision 6, and since I happen to be working on 1000002, the boot disk has the machine name CITRXAL_1000002. If an hour later I go back to edit 1000001 using OS revision 6, it will use the cached copy of OS revision 6, and it will boot up in a machine named CITRXAL_1000002 in Windows. Since domain trust requires that the machine name match the MachineAccount name in AD, the unexpected ComputerName change breaks domain trust.

Starting in 4.12, cached layers involve an additional small boot disk. That disk is much smaller than your OS layer. Previously, each cached layer version included the layer package disk and a private copy of the OS layer version. Starting in 4.12, each layer includes the package disk and the smaller local boot disk, and shares a single copy of the OS layer revision with all other layer versions built with this OS version. The total space consumed will be considerably smaller as you accumulate more cached layers.

This new boot disk allows machine names to persist across OS version changes, because the name change is written directly into this boot disk, and it survives changing the OS layer or any prerequisite layers.
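The following model replays the exact edit sequence from the example above (revision 5 with layers 1000001 and 1000002, then revision 6 with the same two layers) under both the pre-4.12 cache and the 4.12 local-boot-disk design, and reports whether the packaging machine's name still matches its AD machine account. It is a constructed illustration added here, not Citrix App Layering code; the `CITRXAL_<layer ID>` naming comes from the article, while the assumption that the packaging machine joins the domain on its first boot (so the AD account takes whatever name the boot disk carried at that moment) is mine.

```python
"""Constructed model of the connector cache behaviour described in the article.

Illustration only, not Citrix App Layering code. Assumes the packaging machine
joins the domain on its first boot, so the AD machine account records whatever
computer name the boot disk carried at that moment.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def machine_name(layer_id: int) -> str:
    # Naming pattern from the article: CITRXAL_<layer package ID>
    return f"CITRXAL_{layer_id}"


@dataclass
class PreCachingConnector:
    """Pre-4.12: one generic boot disk per OS revision, computer name baked in."""
    boot_disks: dict[int, str] = field(default_factory=dict)   # os_rev -> computer name on disk
    ad_accounts: dict[int, str] = field(default_factory=dict)  # layer_id -> AD machine account

    def boot_name(self, os_rev: int, layer_id: int) -> str:
        # The first edit against a new OS revision uploads a boot disk named after
        # *this* layer; every later edit on the same revision re-uses it unchanged.
        return self.boot_disks.setdefault(os_rev, machine_name(layer_id))

    def edit_layer(self, os_rev: int, layer_id: int) -> tuple[str, bool]:
        """Boot the packaging machine; return (Windows computer name, trust intact?)."""
        name = self.boot_name(os_rev, layer_id)
        # Assumed: the domain join happens on first boot and pins the account name.
        account = self.ad_accounts.setdefault(layer_id, name)
        # Domain trust holds only while the computer name matches the AD account.
        return name, name == account


@dataclass
class LocalBootDiskConnector(PreCachingConnector):
    """4.12+: one shared OS disk per revision plus a small per-layer local boot
    disk that carries the computer name, so the name follows the layer."""
    local_disks: dict[int, str] = field(default_factory=dict)  # layer_id -> computer name

    def boot_name(self, os_rev: int, layer_id: int) -> str:
        self.boot_disks.setdefault(os_rev, "<shared OS disk>")  # cached once, carries no name
        return self.local_disks.setdefault(layer_id, machine_name(layer_id))


# The edit sequence walked through in the article: (OS revision, layer ID).
SCENARIO = [(5, 1000001), (5, 1000002), (6, 1000002), (6, 1000001)]


def replay(connector: PreCachingConnector) -> list[tuple[int, int, str, bool]]:
    """Run SCENARIO against a connector; each row is (os_rev, layer_id, name, trust_ok)."""
    return [(os_rev, lid, *connector.edit_layer(os_rev, lid)) for os_rev, lid in SCENARIO]


if __name__ == "__main__":
    for label, conn in (("pre-4.12", PreCachingConnector()), ("4.12+", LocalBootDiskConnector())):
        for os_rev, lid, name, ok in replay(conn):
            status = "OK" if ok else "BROKEN"
            print(f"{label:8} OS r{os_rev} layer {lid}: boots as {name:16} trust {status}")
```

Running it shows the pre-4.12 connector booting layer 1000001 as CITRXAL_1000002 once revision 6 is cached, breaking its trust, while the 4.12 model keeps each layer's name stable across the OS revision change.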
