Monday, November 30, 2015

Issue with SCOM agent in forest trust domain (0x80090311)

Issue with SCOM agent in forest trust domain.

Event ID : 20057
Failed to initialize security context for target MSOMHSvc/rms_fqdn The error returned is 0x80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.
And also this one less frequently:

Event ID : 21016
OpsMgr was unable to set up a communications channel to rms_fqdn and there are no failover hosts.  Communication will resume when rms_fqdn is available and communication from this computer is allowed.

If you see these events with code 0x80090311, it means the trust is corrupted and agents cannot authenticate to the Management Server (MS).
The most common reason is a firewall issue.
TCP/UDP port 88 (Kerberos) and TCP/UDP port 389 (LDAP) should be open from the agent to the Management Server DCs.
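
The check described above, as an added example that is not part of the original post: it looks for the two events in the agent's Operations Manager event log and then tests TCP 88 and 389 against each DC. The DC names are placeholders and the 200-event window and 3-second timeout are assumptions; a TCP connect says nothing about the UDP side of either port.

```powershell
# Added example: run on the affected SCOM agent in an elevated PowerShell session.
$DomainControllers = @('dc01.example.test', 'dc02.example.test')  # placeholders: DCs of the Management Server domain
$Ports = @(@{ Number = 88;  Service = 'Kerberos' },               # ports named in the post
           @{ Number = 389; Service = 'LDAP' })
$TimeoutMs = 3000                                                  # assumed timeout

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet ends in a timeout, not a long hang.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Timeout (likely filtered)' }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        # Refused connections and name-resolution failures end up here.
        return "Failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

# 1. Events from the post: 20057 carrying 0x80090311, and 21016.
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20057, 21016 } `
            -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object { $_.Id -eq 21016 -or $_.Message -match '0x80090311' })
$hits | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count,
                  @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } } |
    Format-Table -AutoSize

# 2. TCP reachability of Kerberos and LDAP on every DC (UDP is not covered by this test).
$results = foreach ($dc in $DomainControllers) {
    foreach ($p in $Ports) {
        [pscustomobject]@{
            Target  = $dc
            Port    = $p.Number
            Service = $p.Service
            Tcp     = Test-TcpPort -ComputerName $dc -Port $p.Number -TimeoutMs $TimeoutMs
        }
    }
}
$results | Format-Table -AutoSize
```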

Wednesday, November 18, 2015

0x109_7_1a0_40000 Research into Hyper-V cases

Research into Hyper-V cases and looking at the VMware workaround.
For example, VMware has a known issue that will modify this MSR register.
Our internal security mechanisms are detecting a change / misalignment in the Machine Specific Registers.
We cannot find out from a dump what content was changed in the MSR register, since this information is not included in the dump.

Since we have seen similar issues in the past, we assume that this is because the HW/BIOS is not synchronizing the register correctly once the security feature called TXT (Intel's Trusted Execution Technology) is enabled.

To enable Processor Compatibility Mode on existing VMs, you need to shut down the VM and change the Processor setting for the VM, selecting the Migrate To A Physical Computer With A Different Processor Version check box, which you’ll find in the Settings dialog box of Hyper-V Manager. 

Tuesday, November 3, 2015

Windows updates roll back after reboot and update installation fails. Error: Windows failed to install the following update with error 0x800F0922

CBS Corruption

Ran dism commands to remove-package Package_for_KB2919355~31bf3856ad364e35~amd64~~

dism /online /cleanup-image /startcomponentcleanup

dism /online /cleanup-image /restorehealth

Check for the App Readiness service and start the service.

Installed rest of the update except KB2919355 and rebooted the server.

Ran sfc scan and installed KB2919355 successfully. 

Sunday, November 1, 2015

How to Rejoin a Computer to the Domain without Losing Its SID

There are a couple of ways to do this:
  1. In AD right click the computer and select Reset Account. Then re-join without un-joining the computer to the domain. Reboot required.
  2. In an elevated command prompt type: dsmod computer "Computer DN" -reset. Then re-join without un-joining the computer to the domain. Reboot required.
  3. In an elevated command prompt type: netdom reset MachineName /domain:DomainName /UserO:UserName /PasswordO:{Password | *} The account whose credentials you provide must be a member of the local administrators group. No rejoin. No reboot.
  4. In an elevated command prompt type: nltest /Server:ServerName /SC_Reset:Domain\DomainController  No rejoin. No reboot.