Error: The trust relationship between this workstation and the primary domain failed

Option 4) CMD line using NETDOM tool:

1. Logon to the machine with a local administrator account.

2. Obtain the tool netdom.exe from Windows Server 2008 or Windows Server 2008 R2 CD to enable the Active Directory Domain Services role.

3. Note: For Windows Vista and Windows 7, utilize the Remote Server Administration Tools (RSAT) to enable the Active Directory Domain Services role.

4. Run netdom.exe to change the password.

5. Open command prompt with administrator rights.

6. Execute the command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

7. Restart the machine

Provisioning Services Target Device

Make sure that you have configured the PVS environment properly.

Reference the following article:

Once that is confirmed. Shut the target device down and reset the machine account password for the affected target device in the PVS console.

User-added image


  • No Related Posts

Error “Invalid Login” on launch of FAS enabled Linux VDA Desktop.

You need to have the Kerberos Authentication certificate on all the domain controllers. To enroll for a new certificate follow the below steps.

1.On the domain controller, open mmc.

2.Click File, Click Add/Remove Snap-in.

3.Select Certificates, click Add, then select Computer account.

4.Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.

5.Press Next.

6.Select Kerberos Authentication and press Enroll.

Note: If you do not see the Kerberos Authentication on the Auto Enrollment in the Domain Controller certificate mmc, you need to go to Certificate Authority server and add the domain controller in the security of the Domain Controller Authentication Template and give AutoEnroll permissions.

Also, make sure you have configured krb5.conf on the VDA with the correct RootCA & Subordinate CA certificate information.

Refer ‘Incorrect root CA certificate configuration’ section in the below link:


  • No Related Posts

Deploy ShareConnect Host Installer

Note: To follow the steps below, you must have a Windows 2012 domain controller. There may be slight differences in the 2008/2003 environments of the domain controller.

1. Log in to the domain controller and open the Active Directory Users and Computers window.

2. On the Active Directory console tree, right-click on your domain to create a newOrganizational Unit (for example, ShareConnect) and add computers you want to install ShareConnect to this organizational unit.

User-added image

3. Open Group Policy Management window to create a new Group Policy Object (for example, Windows SSO) for the Organizational Unit that you’ve created above.

User-added image

4. Right-click on the Group Policy object created and select Edit to modify its properties.

User-added image

5. In the Group Policy Management Editor window, go to Computer configuration >Policies > WindowsSettings > Scripts in the console tree.

User-added image

6. Click on the Properties link under Startup script to open the Startup Properties windows.

Note: You can also right-click on Startup script to open the Startup Properties window.

7. Click on the Add button to open the Add Script window. In the Script Name field enter the script path created here.

Leave the Script Parameters field empty.

User-added image

8. Right-click on the organizational unit created and select Group Policy Update.

This will update the group policy settings of the computers in the domain. If this fails, open the command prompt on your client computer and run ‘gpudate /force’.

User-added image

9. When the user reboots their computer and logs in using their domain credentials, ShareConnect will be installed.


  • No Related Posts

Resolve Username Being Modified Before Sending to RADIUS Server Using NetScaler nFactor

The solution proposed here checks for the format of the username from the client. If it is UPN, then user is taken to next factor for actual authentication. We employ NO_AUTHN to take the users to next factor in this case. If user enters domainusername, authentication is performed in the first factor itself.


Configuration is best understood by following a bottom-up manner. That is, we configure the most specific factor (or the last factor) first.

  1. Create the factor for authenticating users entering UPN
    1. Create loginschema for second factor

      > add loginschema second_factor_schema –authenticationSchema noschema –userexpression q{“@”) + “\” +“@”)}

      In the above loginschema, we are setting userExpression such that “user@domain” becomes “domainuser”. We also set authenticationSchema as noschema to signify that user intervention is not needed for this factor

    2. Create second authentication factor

      >add authentication policylabel second_factor -loginSchema second_factor_schema

      > add authentication radiusAction Radius_server -serverIP –radKey <> -radNASid netscaler –radVendorID 311 -radAttributeType 11

      > add authentication Policy Radius_Pol -rule true -action Radius_server

      Please note that same radius policy/action are used in both factors.

      >bind authentication policylabel second_factor –policy Radius_Pol –priority 100

  2. ​Add first factor
    1. Create a policy to bypass first factor if username is UPN

      >add authentication Policy upn_no_auth -rule “HTTP.REQ.BODY(1000).TYPECAST_NVLIST_T(‘=’,’&’).VALUE(“login”).CONTAINS(“%40″)” -action NO_AUTHN
    2. Bind the bypass policy to authentication vserver to navigate to second factor

      >bind authentication vserver aaa_nfactor -policy upn_no_auth -priority 90 -nextFactor second_factor -gotoPriorityExpression END
    3. Bind the radius policy to authentication vserver for domainuser format

      We will reuse the Radius policy created above in the first factor as well.

      >bind authentication vserver aaa_nfactor –policy Radius_Pol –priority 100
  3. Creating nFactor flow (required only for Gateway logins)

    > add authentication vserver aaa_nfactor SSL

    > add authnProfile nfactor_prof –authnVsName aaa_nfactor

    > set vpn vserver <> -authnProfile nfactor_prof

The above nFactor configuration can also be done using the nFactor Visualizer which is a few feature that is available on the ADC firmware starting 13.0, the above config for step 1 and 2 can be achieved as below,

Complete Flow:

  1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add
  2. Click on the + sign to add the nFactor Flow

  3. Add Factor, this will be the name of the nFactor Flow

Click on Create.

  1. Click on “Add Schema” for the initial login page to be presented,

Click on Create, then click on Add.

  1. Click on “Add Policy” to create the first factor authentication, if the policy is already added select the same from drop down list if not then create the below Auth policy.

Click on OK.

  1. Click on the green + icon to add the next factor in case the user has entered the UPN in the username field.

Click on Create

  1. Click on “Add Schema” to add the schema for second factor, the userExpression added is such that “user@domain” becomes “domainuser”

In case the schema is already added then select the same from the drop down list, if not then create the schema as below,

Click on Create and then click on Add

  1. Click on “Add Policy” to add the authentication for the second factor, In case the Radius server is added then select the same from drop down list if not then add the Radius server,

Click on Create and then click on Add.

  1. Click on the blue + icon of the first factor to add the authentication policy for users that are entering the username in domainuser format,

  1. In the Add Policy, we will be reusing the same Radius policy that we just added in step 8

Click on Add, then click on Done

  1. Now Select the Nfactor flow that we created to bind it to an authentication Vserver.


User mode communication settings

I need a solution

Hi I have installed a new symantec server.Now i want to migrate the old users from old server to new one.For that i have export the the user mode communication settings from new server.If i import the user communication setting in client machine it is comming to computer mode in sepm.I am changing to user mode manually.How to do user mode directly?



7005894: IDM Remote Loader on Windows 2008 R2 and PWFilter firewall settings

The existing Windows Firewall configuration prevents the remote loader from receiving any password changes as captured by the PWFilter.dll on other Domain Controllers within the domain. To solve this problem, do the following:

On the Windows Server firewall, (required only on the server which hosts the Active Directory Remote Loader) add the following rules:

— Inbound Rules —

Name Group Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Allowed Users Allowed Computers.

Rule 1

dirxml port 8090 IN Domain Yes Allow No Any Any Any TCP 8090 Any Any Any

Rule 2

dirxml process dirxml_remote.exe IN Domain Yes Allow No %SystemDrive%NovellRemoteLoaderdirxml_remote.exe Any Any Any Any Any Any Any

NOTE: The port number should be the port number specified on the Remote Loader configuration. So instead of 8090, it will be whatever you specified in the configuration.

No specific Outbound Rules are needed.

The rules can be given any name.

They rules must be assigned to at least the Domain profile.

If using the 64 bit remote loader, the path differs: %SystemDrive%NovellRemoteLoader64bitdirxml_remote.exe

The rules can be also added from the command line using the following commands, modifying the port and path as applicable:

netsh advfirewall netsh advfirewall firewall add rule name="dirxml port 8090" dir=in action=allow enable=yes profile=domain protocol=TCP localport=80
netsh advfirewall firewall add rule name="dirxml process dirxml_remote.exe" dir=in action=allow program="%SystemDrive%NovellRemoteLoaderdirxml_remote.exe" enable=yes profile=domain


“New users or computer that have been created but that dont yet have client software installed” Report

I need a solution


In client windows, the filter of computer is set to show the “New users or computer that have been created but that dont yet have client software installed”

Is possible to take a list or report of this computer? 



Can an integrity check be made completely invisible to the user?

I need a solution

I setup a host integrity check with notifications turned off, but machines that failed the check still have a SEP icon indicator and a warning message “Your computer failed its security compliance check.  Please see the Client Managemnet Security log for more information.”

Can an integrity policy be configured to provide no end-user visibility at all?