
How to set a trust. Restoring trust relationships in the domain. How to reinforce a pleasant feeling in your interlocutor

Hello, dear Habrahabr readers! On the Internet each of us can find many scattered articles about a computer failing to authenticate against a domain controller, or, more precisely, about a domain-joined computer losing its connection to the domain.

So, let's start studying this problem.

Many IT engineers in large and small companies manage computers running Windows 7, 8.1 and so on, and all of these computers are joined to a domain (DC).

The problem occurs when Kerberos cannot synchronize with and authenticate the domain-joined computer, and we see the error "The trust relationship between this workstation and the primary domain failed" (see photo below).

At that point we usually look for a third-party tool, download it, build a bootable USB flash drive from it, create a local administrator, log in with that account, leave the domain, put the computer into a workgroup, and then join it back to the domain.

Using Windows batch scripting, I want to write a .bat file that automates creating a local administrator and adding it to the right groups. Once the file exists, the only thing left to do is run it.

Open a text editor and enter the commands shown below (the WMIC filter takes the name in single quotes inside the double-quoted WHERE clause, otherwise the command fails to parse):

net user admin Ww123456 /add /active:yes
wmic useraccount where "Name='admin'" set PasswordExpires=FALSE
net localgroup Administrators admin /add
net localgroup Users admin /delete
netsh advfirewall set allprofiles state off

Let's go through the commands one by one so that nothing is left unclear.

net user admin: instead of the word admin you can use any name you like; the built-in account is called administrator, in my case it is admin.
Next comes the password I set: Ww123456 (you can set any password you will remember).

Then we see /add /active:yes, which creates the account and activates it.

wmic useraccount where "Name='admin'" set PasswordExpires=FALSE makes the password of the newly created admin permanent, with no expiration date (see the picture below).

The third and fourth commands belong together: by default, a newly created local account is a member of Users (see photo). We don't want that, because we are creating a full administrator for the OS. So the fourth command, net localgroup Users admin /delete, removes the account from Users, and the preceding one, net localgroup Administrators admin /add, adds it to Administrators (see photo).

The last command, netsh advfirewall set allprofiles state off, disables the Windows firewall.
Sometimes the firewall has to be disabled in order to install a program or run a command in Windows. After the script has run you can turn it back on with netsh advfirewall set allprofiles state on. I keep it off by default because I use a third-party firewall; that is each person's own decision.
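The same account set-up as an added PowerShell example (not from the original article): it creates the local administrator through the WinNT ADSI provider, which is available on Windows 7 and later, prompts for the password instead of keeping it in the script, and leaves the firewall alone. The account name is a parameter; nothing else is assumed.

```powershell
# Added example: create a local administrator the way the batch script does,
# but without a plaintext password in the file and without touching the firewall.
# Run from an elevated PowerShell prompt. Works with the WinNT ADSI provider,
# so it does not need the newer LocalAccounts module.
param(
    [string] $Name = 'admin'   # same default as the article's script
)

$secure = Read-Host -Prompt "Password for local account '$Name'" -AsSecureString
# ADSI SetPassword needs the plain string; keep it in memory only for the call.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

if ([ADSI]::Exists("WinNT://$env:COMPUTERNAME/$Name,user")) {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.SetPassword($plain)            # existing account: just reset the password
} else {
    $user = $computer.Create('User', $Name)   # net user <name> <pw> /add
    $user.SetPassword($plain)
    $user.SetInfo()
}

# ADS_UF_DONT_EXPIRE_PASSWD (0x10000): same effect as "PasswordExpires=FALSE".
# Clearing ADS_UF_ACCOUNTDISABLE (0x2) matches "/active:yes".
$flags = [int]$user.UserFlags.Value
$flags = ($flags -bor 0x10000) -band (-bnot 0x2)
$user.Put('UserFlags', $flags)
$user.SetInfo()

# net localgroup Administrators <name> /add
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
if (-not ($admins.Members() | ForEach-Object { $_.GetType().InvokeMember('Name','GetProperty',$null,$_,$null) }) -contains $Name) {
    $admins.Add($user.Path)
}

# net localgroup Users <name> /delete (ignore the error if it was never a member)
$users = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
try { $users.Remove($user.Path) } catch { }

$plain = $null
Write-Host "Local administrator '$Name' is ready; log in as .\$Name"
```

The firewall line from the batch script is deliberately not reproduced: joining or leaving a domain does not need the firewall off, and a machine that is about to be worked on from a local account should keep it on.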

Next, go back to Notepad, click File, Save as..., and enter the name of the script (in my case localadmin). Then add a dot (.) and the bat extension. Choose where to save it and click Save. This is shown in more detail in the picture.

The result is a script like this (see photo).

The script must be run as an administrator:

Click the right mouse button and Run as administrator (see photo).

After running the script, you should see a window like this (see photo).

If an error occurs for some reason, then in 90% of such cases it is because the image you installed Windows from is unlicensed, some kind of repack and so on. Download and use licensed, verified software.

Once the local administrator has been added successfully, you can run this script on every Windows machine in your office.

If you ever get the error "The trust relationship between this workstation and the primary domain failed", all you need to do is choose Switch user, type .\admin as the login (remember the dot before the backslash!), and below it enter the password from your script (in my case Ww123456). After that you are logged into a working OS.

All that remains is to remove the computer from the domain and add it to a workgroup. Instead of Workgroup you can enter any name (see photo).

Next, the domain administrator password is entered and the computer asks for a reboot.
After the reboot, log in again under the local admin and join the computer back to the domain. The system asks for one more reboot and voila! Our user can log into the domain again without any problems.

P.S. This also works for Windows Server; however, if you write such a script for servers, you will need to turn the firewall back on after disabling it (before: netsh advfirewall set allprofiles state off, after: netsh advfirewall set allprofiles state on).

Thank you for your attention!

Good afternoon. Elena, the first thing I read of yours was Life without hysterics... It is still relevant. Children's tantrums and how adults can avoid losing their temper. That is, everything to do with upbringing: how not to miss the moment after which it will be too late to fix something. It already seems that it's too late (my daughter is 3.7)... How do you make sure there is a trusting relationship with the child? Anna

Anna, in fact, there are no uniform recipes or clear algorithms for raising children. Everything is very individual, all families are different, and the children are also different: developmental conditions are different, characters and temperaments are different, etc. But there are certain general principles that must always be adhered to. These principles help you establish warm, friendly relationships with your child. Well, if there is mutual understanding in the family, then there will be fewer hysterics. All these principles can be applied from the very beginning until adulthood.

Unconditional love and acceptance of the child

I never tire of repeating this and writing about it. After all, this is the basis of all good and happy relationships with any child. By accepting your child, you recognize all his strengths, abilities, talents and interests, and also recognize his characteristics and shortcomings. Parents who strive to love and accept the child for who he is help him develop strengths, and do not try to remake the child, to “fashion” their ideal out of him. You can and should always be interested in your child. Find out what he wants, what he likes, what is valuable to him in this life stage. Help your child find himself by highlighting and developing his character strengths.


Consistency and systematicity in education

If you want to get rid of your child’s bad behavior, you want him to listen and fulfill your requests, if you want to get a specific result - be consistent, work on it systematically. Parents are role models. From birth until school age, parents are the most important source of knowledge of the world around us. In the period from 3 to 5 years, the child exactly copies the behavior of his parents. The most important and most profound things are laid down in early childhood in the family.

If you don’t want your child to throw tantrums, remain calm and neutral. If you want to raise a friendly person, forget about your own aggressive feelings. Never demand from your child what you yourself do not do.

The ability to hear and listen to your own child

Talk to your child. Be his friend. Ask his opinion. A child who sees understanding parents nearby will be eager to tell them more about himself, and you will be able to understand him better. Respect the feelings and experiences of the child, no matter how ridiculous, absurd and silly they may seem to you. Any communication will be effective if it is based on an agreement. By agreeing, you state your interests and clarify the interests of the child. Thanks to this, together you can find a way out of difficult situations. And the older the child, the more responsibility should be given to him for formulating the agreement. Ideally, the child himself should offer solutions and take responsibility for the choices made.

Awareness of your educational actions

As a parent, you should constantly ask yourself the following questions: "What am I doing now?", "Why am I doing this?", "How do I feel?" Pay attention to what demands you make of your child, as well as to your own behavior when making these demands. A child definitely needs rules, boundaries and limits. He needs a guideline according to which he must act. The main rule for parents: "All demands must be reasonable and justified."

If there are too many prohibitions and they are all fundamental, then parents risk getting the following scenarios:

  • The child will lack initiative, because he will be afraid of doing something wrong.
  • The child will stop obeying altogether and, as they say, "lose his fear", and will do whatever he wants.

To control their own emotions, parents should speak them out loud so that the child is aware that you are unpleasant about his behavior. All problematic situations must be resolved with a “cool” head.

Constantly develop yourself

Remember that when the baby was born, you had to remember poems and nursery rhymes, learn to talk, sing, draw, dance again. When he goes to school, you will need to remember the school curriculum, study information about various sections and clubs, etc.

As your child grows up, rejoice with him in his successes, together look for a way out of difficult situations, look for common interests, and then your child will grow up to be a successful, understanding and sensitive person.

Every system administrator runs into the error "The trust relationship between this workstation and the primary domain failed" from time to time. But not everyone understands the causes and the mechanisms behind it. And without understanding what is actually happening, meaningful administration is impossible; it gets replaced by the thoughtless execution of instructions.

Computer accounts, like user accounts, are domain security principals. Each security principal is automatically assigned a security identifier (SID), and it is by this SID that it is granted access to domain resources.

Before an account is granted access to the domain, its authenticity must be verified. Every security principal must have its own account and password, and a computer account is no exception. When a computer is joined to Active Directory, an account of type "Computer" is created for it and a password is set. Trust at this level rests on the fact that the join is performed by a domain administrator or another user who has been explicitly granted the right to do so.

From then on, each time the computer logs into the domain it establishes a secure channel with a domain controller and presents its credentials over it. This is how the trust relationship between the computer and the domain is established, and all further interaction follows the security policies and access rights set by the administrator.

The computer account password is valid for 30 days and is changed automatically after that. It is important to understand that the password change is initiated by the computer, much like a user password change. When the computer finds that its current password has expired, it replaces it the next time it logs into the domain. So even if a computer has not been switched on for several months, the trust relationship survives, and the password is simply changed at the first logon after the long break.

Trust is broken when a computer tries to authenticate to the domain with an invalid password. How can that happen? The easiest way is to roll back the state of the computer, for example with the standard System Restore utility. Restoring from an image, reverting a snapshot (for virtual machines) and so on have the same effect.

Another possibility is that the account password was changed by another computer with the same name. This is rare, but it happens: for example, an employee's PC is replaced and the old name is kept, the old machine is removed from the domain, and later it is rejoined without being renamed first. In that case the old PC changes the computer account password when it rejoins, and the new PC can no longer log in because it can no longer establish the trust relationship.

What should you do when you encounter this error? First of all, establish why the trust was broken. If it was a rollback, find out by whom, when and how it was done; if the password was changed by another computer, again find out when and under what circumstances that happened.

A simple example: an old computer is renamed and moved to another department, then a failure occurs and it automatically rolls back to the last checkpoint. The PC will now try to authenticate to the domain under its old name and will naturally get the trust relationship error. The correct action here is to rename the computer to what it should be called, create a new checkpoint and delete the old ones.

Only after you are sure that the loss of trust was caused by objectively necessary actions, and that it concerns exactly this computer, should you begin restoring the trust. There are several ways to do this.
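Before picking a repair method it helps to collect the facts the text asks for (when the account password was last set, whether the machine rolled back, what NETLOGON logged). The following is an added example, not part of the original article: one function runs on an administrator's workstation with the ActiveDirectory RSAT module, the other runs on the affected machine as a local administrator. The computer name WS-042 and the 30-day maximum age are the only assumptions.

```powershell
# Added example: gather evidence about WHY the trust broke before resetting anything.

# Part 1 - run on a domain-joined admin workstation or DC (needs RSAT ActiveDirectory).
function Get-MachineTrustFacts {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # affected machine, e.g. WS-042 (constructed)
        [int] $MaxPasswordAgeDays = 30                   # default machine password age
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet, LastLogonDate, whenCreated
    $age  = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Computer        = $acct.Name
        PasswordLastSet = $acct.PasswordLastSet      # when AD last accepted a new password
        PasswordAgeDays = [math]::Round($age.TotalDays, 1)
        RotationDue     = $age.TotalDays -ge $MaxPasswordAgeDays
        LastLogonDate   = $acct.LastLogonDate
        Created         = $acct.whenCreated
    }
}

# Part 2 - run on the affected machine, logged in as a local administrator.
function Get-LocalTrustEvidence {
    # The machine's own view of the secure channel (True/False, details with -Verbose).
    $channelOk = Test-ComputerSecureChannel -Verbose

    # NETLOGON events: 3210 = could not authenticate with a DC,
    # 5719 = could not set up a secure session with a DC.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'System'; ProviderName = 'NETLOGON'
                  Id = 3210, 5719;   StartTime = (Get-Date).AddDays(-14)
              } -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, Message

    # System Restore points: a restore point newer than PasswordLastSet in AD
    # (Part 1) but older than the first 3210/5719 event is the rollback case.
    $restorePoints = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description,
                      @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }

    [pscustomobject]@{
        SecureChannelOk = $channelOk
        NetlogonErrors  = $events
        RestorePoints   = $restorePoints
        LastBoot        = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# Usage:
#   Get-MachineTrustFacts -ComputerName 'WS-042' | Format-List
#   Get-LocalTrustEvidence | Format-List
```

Reading the two outputs together answers the question the text poses: if AD's PasswordLastSet is newer than the machine's most recent restore point or snapshot, the machine is presenting an older password after a rollback; if PasswordLastSet is recent and the machine was never restored, something else (typically another machine with the same name) rotated the password.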

Active Directory Users and Computers

This is the simplest, though not the fastest or most convenient, method. Open the Active Directory Users and Computers snap-in on any domain controller, find the computer account in question, right-click it and choose Reset Account.

Then log on to the computer that has lost the trust relationship as a local administrator and remove the machine from the domain.

Then join it back; the reboot between these two steps can be skipped. After rejoining the domain, reboot and log in with a domain account. The computer's password is changed when the machine is rejoined to the domain.

The drawback of this method is that the machine has to be taken out of the domain, and it needs two (or at least one) reboots.

Netdom utility

This utility ships with Windows Server starting from the 2008 edition; on user PCs it can be installed from the RSAT package (Remote Server Administration Tools). To use it, log on to the target system as a local administrator and run:

netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

Let's look at the command options:

  • Server – the name of any domain controller
  • UserD – the domain administrator account name
  • PasswordD – the domain administrator password

Once the command completes successfully, no reboot is required: just log out of the local account and log in with the domain account.

PowerShell 3.0 cmdlet

Unlike the Netdom utility, PowerShell 3.0 is part of the system starting from Windows 8 / Server 2012; on older systems it can be installed manually, with Windows 7, Server 2008 and Server 2008 R2 supported. It requires .NET Framework 4.0 or later as a dependency.

As before, log on to the system whose trust you want to restore as a local administrator, open a PowerShell console and run:

Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin

  • Server – the name of any domain controller
  • Credential – domain name \ domain administrator account

When you run this command, an authentication prompt appears in which you must enter the password of the domain administrator account you specified.

The cmdlet prints nothing on success, so simply switch accounts; no reboot is required.
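Because neither the cmdlet nor netdom reports much on success, a practitioner usually wraps the reset in a check-before and check-after. The following is an added example, not from the original article; it uses the article's Reset-ComputerMachinePassword together with Test-ComputerSecureChannel (also built into PowerShell 3.0+) and nltest for an independent confirmation. The DC name DC01.example.local is a placeholder, and it is run on the affected machine as a local administrator.

```powershell
# Added example: verify -> reset -> verify, so a silent success is actually confirmed.
function Repair-MachineTrust {
    param(
        [Parameter(Mandatory)] [string] $Server,            # any reachable DC, e.g. DC01.example.local
        [Parameter(Mandatory)] [pscredential] $Credential   # account allowed to reset the computer account
    )

    # 1. Is the secure channel really broken? Skip the reset if it is healthy.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Host "Secure channel to $Server is healthy; no reset needed."
        return $true
    }

    # 2. Reset the machine account password both locally and in AD
    #    (the article's cmdlet; Test-ComputerSecureChannel -Repair does the same job).
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential -ErrorAction Stop

    # 3. Verify instead of trusting the silence.
    $healthy = Test-ComputerSecureChannel -Server $Server
    if (-not $healthy) {
        throw "Secure channel to $Server is still broken after the reset; check DNS and the computer object in AD."
    }

    # 4. Second opinion from NETLOGON itself (prints the DC it verified against).
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    & nltest.exe /sc_verify:$domain | Out-Host

    return $healthy
}

# Usage (password is prompted, never stored in the script):
$cred = Get-Credential -Message 'Domain account authorised to reset this computer account'
Repair-MachineTrust -Server 'DC01.example.local' -Credential $cred
```

If the function reports that the channel was already healthy, the symptom is not a password mismatch, and the cause-finding steps earlier in the text apply before anything is reset.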

As you can see, restoring a trust relationship in a domain is quite simple; the main thing is to correctly determine the cause of the problem, since different cases call for different methods. That is why we never tire of repeating: when a problem occurs, first identify its cause, and only then take steps to fix it, instead of mindlessly following the first instructions you find online.

This topic came up because the user edgi asked a question about creating transitive trust relationships between two forests and linked to a forum thread, http://sysadmins.ru/topic178164.html, where users argue that it is impossible to establish a trust between two forests because a third forest is supposedly needed to provide transitivity, and so on.

I want to say right away that a third party is not required to establish a transitive trust relationship between two forests.

But let's look at the process of establishing trust between forests.

Note: do not forget that the first domain created is at once the root domain, the tree and the forest. That is, the first domain created on our network is by default a root domain, a forest and a tree all at the same time (three in one glass... sorry, bottle).

For simplicity we will place the two root domains on the same network. If they were on different networks, we would need to make sure (and this is done when necessary) that the domains, or rather their DNS servers and therefore their domain controllers, can see each other in some way. If the DNS servers sit on different networks, you must take care of making those networks reachable from each other (how to do that is a separate conversation and is not covered here).

Why is it so important that the DNS services of these domains see each other? Because on Windows Server, domain controllers are located (discovered) through DNS. If the DNS service in any domain is misconfigured, locating that domain's controller or controllers (if there are several) becomes impossible. Put simply: domain controllers find each other through DNS. I may describe the domain controller locator process in a separate article later, but for now just remember that domain controllers are "blind" (they see nothing on the network) without a correctly configured DNS service.

As already mentioned, trust relationships are the connecting link between forests, trees and domains. To administer them, use the Active Directory Domains and Trusts snap-in, see Figure 1.



Figure 1.

Before we create a trust, let's describe what we have. We have two root domains, and therefore two forests and two trees, namely rk.com and xu.com; let's assume they belong to the same company and sit on the same network. The IP address of the first domain controller, with the Active Directory-integrated DNS service installed (for those who don't remember what that is, see here), is 192.168.0.1 (rk.com), and the root domain controller of the second forest is 192.168.0.5 (xu.com). That is, the DNS service is installed on both the first and the second domain controller. (How to install and configure DNS is covered in other articles on this site.)

The first thing to check before creating a trust is that the root domains of both forests can see each other through DNS. For this we use the well-known nslookup utility from the forest root domain rk.com and see what it returns. See Figure 2.



Figure 2.

In Figure 2 you can see that at the command line we ran nslookup with the argument xu.com (the neighbouring forest) and it resolved it, which essentially means that DNS is working and the two DNS services see each other. The same can be done from the root domain xu.com, see Figure 3.



Figure 3.

To set up forwarding, open the DNS snap-in on the domain controller running on the computer named server1, select the server, right-click to open the context menu and choose Properties. The window shown in Figure 4 opens; select the "Forwarders" tab.



Figure 4.

On this tab click the "New" button and enter the domain name we want to forward: in our case the forest root domain xu.com. Just below, in the "Selected domain's forwarder IP address list" field, add its IP address; in our example that is 192.168.0.5.

The same is done on the xu.com domain controller; the process is exactly the same, only with the other domain name and address. In our case that is the domain rk.com with the IP address 192.168.0.1.

Now that we have dealt with the DNS servers and made sure they see each other, we proceed to creating the trust and open the "Domains and Trusts" snap-in shown in Figure 1.

Next, if we want these two forests (rk.com and xu.com) to be connected by a transitive trust, the forest functional level must be raised to "Windows Server 2003" (for information about forest and domain functional levels, see here). So in the "Domains and Trusts" snap-in we go to the top node "Active Directory Domains and Trusts" and right-click to open the context menu, see Figure 5.



Figure 5.

In the context menu select "Raise Forest Functional Level...". A window opens with the available forest functional levels; select "Windows Server 2003". I cannot show this window because my forest is already at the "Windows Server 2003" level, and lowering it from there to an earlier level is impossible, see Figure 6. So think carefully when choosing a forest functional level, since the forest cannot be moved back afterwards.



Figure 6.

After the forest functional level has been raised to the maximum available, namely "Windows Server 2003", for educational purposes we also raise the domain functional level to "Windows Server 2003". To do this, go to the root domain and open its context menu, see Figure 7.



Figure 7.

The same operations, that is raising the forest and domain levels, are repeated on the root domain controller of xu.com.

Once we are sure that our forests (rk.com and xu.com) and domains are at the "Windows Server 2003" functional level, we begin creating the transitive trust between the forests.

Attention! If at least one of the forests is at the Windows 2000 functional level, the forests can only be connected by an external trust.

In the "Domains and Trusts" snap-in, select the name of the root domain, in our case rk.com, and open its context menu with the right mouse button. The window shown in Figure 8 opens; go to the "Trusts" tab.


Figure 8.

On this tab click the "New Trust" button. The New Trust Wizard opens, see Figure 9.



Figure 9.



Figure 10.

In the "Name" field, enter the name of the domain we want to create the trust with, in our example the forest root domain xu.com, and click Next.

A window opens asking for the type of trust, see Figure 11.
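The steps above (conditional forwarding, checking that each side can locate the other's domain controllers, the functional-level requirement, and the trust itself) can be done from PowerShell on the rk.com root domain controller. The following is an added example, not part of the original article; it assumes the DnsServer and ActiveDirectory modules (RSAT), the article's addresses (rk.com at 192.168.0.1, xu.com at 192.168.0.5), and uses the .NET System.DirectoryServices.ActiveDirectory classes for the trust because there is no built-in cmdlet for creating one.

```powershell
# Added example: DNS prerequisite -> functional-level check -> forest trust -> verify.
# Run on a domain controller of rk.com as a member of Enterprise Admins; the mirror
# forwarder (rk.com -> 192.168.0.1) is created on the xu.com DC the same way.
$LocalForest  = 'rk.com'
$RemoteForest = 'xu.com'
$RemoteDnsIp  = '192.168.0.5'

# 1. Conditional forwarder: the "Forwarders" tab step, so our DC can find xu.com's DCs.
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest `
        -MasterServers $RemoteDnsIp -ReplicationScope 'Forest'
}

# 2. The article checks with nslookup; the record DCs are actually located by is the
#    _ldap._tcp.dc._msdcs SRV record, so resolve that for both forests.
foreach ($forest in $LocalForest, $RemoteForest) {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object Name, NameTarget, Port
}

# 3. A forest (transitive) trust needs both forests above the Windows 2000 level.
$mode = (Get-ADForest -Identity $LocalForest).ForestMode
if ("$mode" -in 'Windows2000Forest', 'Windows2003InterimForest') {
    throw "Forest $LocalForest is at $mode; only an external trust is possible."
}

# 4. Create a two-way forest trust from this side, authenticating to the other forest.
$remoteCred = Get-Credential -Message "Administrator account in $RemoteForest"
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $RemoteForest, $remoteCred.UserName, $remoteCred.GetNetworkCredential().Password)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 5. Verify: ForestTransitive must be True for a forest trust (False means external).
Get-ADTrust -Filter "Name -eq '$RemoteForest'" |
    Select-Object Name, Direction, ForestTransitive, TrustType
```

Steps 1 and 2 must succeed on both sides before step 4 is attempted; the wizard in the screenshots fails with a name-resolution error otherwise, and step 3 is the same condition the text states for Windows 2000 forests.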



I have repeatedly heard the opinion that men are very vulnerable creatures. Therefore, you should not traumatize them with stories about life’s troubles. It’s better to use a friend as a vest, or, as a last resort, tell your mom about the problems.

One day I was talking to my friend Vika. I remember a couple of phrases. Mine: “My husband, the person closest to me, does this too!” And the answer of wise Victoria: “Linda, are you sure that he is close to you? Judging by his behavior, you and him are basically two strangers, even though you live in the same territory.”

Picture of family life

My husband and I had different opinions about trusting relationships in the family. In his understanding, the wife should not burden her husband with her personal troubles. “When you come home, you should leave the situation at work at the door, come in with a smile, and be ready to give affection and tenderness.”

I may not be conveying my ex-husband's words verbatim, but the gist is clear. The fake smile suited him just fine. The main thing is that I don’t show my negative emotions, and what’s boiling inside me is the tenth thing.

While working on my mistakes, I can express a few thoughts on how to have a trusting relationship with my husband.

1. Choose a person who is truly interested in you. Moreover, it is important to remain interesting to him even with a temperature below 40, and with a waist unclearly defined after childbirth, and even without makeup. Such a man really cares about your sincere answer to the question: “How are you doing?”

2. Make time for communication. This usually happens in the evening at dinner. I heard from my husband that you shouldn’t spoil your appetite with stories about conflicts or unpaid bonuses. To find a compromise solution, you can start sharing painful issues when you are already moving on to evening tea.

3. Be able to listen. When they listen to you attentively, with interest, asking clarifying questions, you want to open your soul and talk about what’s boiling over. And if at the same time they look at the TV screen with one eye, you get the feeling that your news is not interesting.

4. Give enough time. Usually each spouse has news. At the same time, it is important to give the floor to your soul mate, and only then start talking about your own. If there are children in the family, then there is almost no time left for emotional conversations. But you still need to find it.

5. Don't lie. In conversations with my husband, who repeatedly told lies, I often wondered: “Is he deceiving me this time too?” It is very easy to lose trust, and it can take a lot of time to restore a trusting relationship.
