Restoring trust relationships in the domain

Every system administrator has to deal with the error "The trust relationship between this workstation and the primary domain failed" from time to time. But not everyone understands the causes and the mechanisms that lead to it, and without understanding the meaning of what is going on, meaningful administration is impossible and is replaced by thoughtless execution of instructions.

Computer accounts, like user accounts, are security principals of the domain. Each security principal is automatically assigned a security identifier (SID), and it is this identifier that is checked when domain resources are accessed.

Before an account is granted access to domain resources, its authenticity must be verified. Each security principal must have its own account and password, and the computer account is no exception. When a computer is joined to Active Directory, a computer account of type "Computer" is created for it and a password is set. Trust at this level is ensured by the fact that this operation is performed by a domain administrator or by another user who has been explicitly granted the right to do so.

Subsequently, each time the computer logs on to the domain, it establishes a secure channel with a domain controller and presents its credentials over it. In this way a trust relationship is established between the computer and the domain, and further interaction follows the security policies and access rights set by the administrator.

The computer account password is valid for 30 days and is automatically changed thereafter. It is important to understand that the password change is initiated by the computer. This is similar to the process of changing a user's password. If the computer detects that the current password has expired, it will replace it the next time it logs on to the domain. Therefore, even if you have not turned on the computer for several months, the trust relationship in the domain will be preserved, and the password will be changed at the first login after a long break.

The trust relationship is broken if a computer attempts to authenticate to a domain with an invalid password. How can this happen? The easiest way is to roll back the state of the computer, for example, with a standard system restore utility. The same effect can be achieved when restoring from an image, snapshot (for virtual machines), etc.

Another possibility is that the account password was changed by another computer with the same name. This situation is quite rare, but it does happen: for example, an employee's PC was replaced while keeping the old name, the old machine was removed from the domain, and then it was joined to the domain again without being renamed. In this case the old PC, on rejoining the domain, changes the computer account password, and the new PC can no longer log on because it can no longer establish a trust relationship.

What should you do when faced with this error? First of all, establish why trust was broken. If it was a rollback, find out by whom, when and how it was made; if the password was changed by another computer, again find out when and under what circumstances this happened.

A simple example: an old computer was renamed and given to another department, after which it crashed and was automatically rolled back to the last checkpoint. After that, this PC will try to authenticate to the domain under its old name and will naturally receive a trust relationship error. The right course of action here is to rename the computer to what it should be called, create a new checkpoint and delete the old ones.

Only after making sure that the breach of trust was caused by objectively necessary actions, and that it concerns exactly this computer, can you begin to restore trust. This can be done in several ways.
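The following PowerShell commands, added here as an example and not taken from the original article, collect the facts the author says you need before resetting anything: whether the secure channel is actually broken, when the account password was last changed in Active Directory, and whether the workstation was restored from a checkpoint. The host names WS-042 and the use of the ActiveDirectory RSAT module on the second host are assumptions.

```powershell
# Added example (not from the original article). Diagnose WHY the secure channel
# failed before touching the computer account. WS-042 is a placeholder name.

# --- Part 1: on the affected workstation, logged on as a local administrator ---

# $false means the local machine password no longer matches the computer account in AD.
$channelOk = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $channelOk"

# Local evidence of a rollback: existing System Restore checkpoints and the last boot.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
"Last boot: " + (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# --- Part 2: on a domain controller (or any host with the ActiveDirectory module) ---

# Compare PasswordLastSet with the workstation's restore points:
#  * newer than the checkpoint the machine was restored to  -> rollback past a password change
#  * coinciding with a domain join you did not expect        -> another machine with the same name
Get-ADComputer -Identity 'WS-042' -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem

# Netlogon on the DC logs failed secure-channel setups to the System log; pull the
# entries that mention this computer to see when the failures started.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON' } -MaxEvents 200 |
    Where-Object { $_.Message -match 'WS-042' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

If PasswordLastSet in AD is later than the checkpoint the workstation was restored to, the author's first scenario applies; if it coincides with a join you did not perform on this hardware, it is the second one, and the other machine with the same name has to be found before trust is reset.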

Active Directory Users and Computers

This is the easiest, but not the fastest or most convenient way. On any domain controller, open the Active Directory Users and Computers snap-in, find the required computer account, right-click it and select Reset Account.

Then log on to the computer that has lost trust as a local administrator and remove the machine from the domain.

Then join it back; the reboot between these two steps can be skipped. After rejoining the domain, reboot and log on with a domain account. The computer password is changed when the computer is rejoined to the domain.

The disadvantage of this method is that the machine has to be removed from the domain, and two (or one) reboots are needed.

Netdom utility

This utility has been included with Windows Server since Windows Server 2008; on user PCs it can be installed from the RSAT (Remote Server Administration Tools) package. To use it, log on to the target system as a local administrator and run the command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

Let's look at the command options:

  • Server - name of any domain controller
  • UserD - domain administrator account name
  • PasswordD - domain administrator password

After the successful execution of the command, a reboot is not required, just log out of the local account and log in to the domain account.

PowerShell 3.0 cmdlet

Unlike the Netdom utility, PowerShell 3.0 is included with the system starting with Windows 8 / Server 2012; for older systems it can be installed manually (Windows 7, Server 2008 and Server 2008 R2 are supported). .NET Framework 4.0 or higher is required as a dependency.

In the same way, log on to the system whose trust you want to restore as a local administrator, start the PowerShell console and run the command:

Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin

  • Server - the name of any domain controller
  • Credential - domain name \ domain administrator account

When this command is executed, a credential prompt appears in which you have to enter the password of the domain administrator account you specified.

The cmdlet does not display any message on success, so just log off the local account and log on with the domain account; no reboot is required.
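Because the cmdlet is silent on success, it is worth wrapping the reset in a check before and after. The script below is an added example, not part of the article; the domain controller name DC01.corp.example and the account CORP\Admin are placeholders, and it is run on the machine that lost trust while logged on as a local administrator.

```powershell
# Added example (not from the original article): the article's PowerShell method with
# a verification step on each side. DC01.corp.example and CORP\Admin are placeholders.

$dc   = 'DC01.corp.example'
$cred = Get-Credential -UserName 'CORP\Admin' -Message 'Domain administrator credentials'

# 1. Confirm the symptom first; do not reset a password that is not broken.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host 'Secure channel is already healthy; nothing to reset.'
    return
}

# 2. Reset the machine account password in AD and locally in one step
#    (PowerShell 3.0+; no leave/rejoin, no reboot).
Reset-ComputerMachinePassword -Server $dc -Credential $cred

# Alternative with the same effect on PowerShell 3.0+:
# Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred

# 3. Verify, because Reset-ComputerMachinePassword itself prints nothing on success.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host 'Trust restored. Log off and log on with a domain account.'
} else {
    Write-Warning 'Secure channel still broken: check DNS resolution of the DC, clock skew and the Netlogon events on the DC.'
}
```

Test-ComputerSecureChannel -Repair is listed as an alternative because it does the same reset through the Netlogon service and is available on the same PowerShell 3.0 systems the article names.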

As you can see, restoring trust in a domain is quite simple; the main thing is to determine the cause of the problem correctly, since different cases call for different methods. Therefore we never tire of repeating: when any problem occurs, first identify its cause and only then take measures to correct it, instead of mindlessly repeating the first instruction found on the Internet.

The purpose of this article is to give step-by-step instructions for creating an external trust relationship between two Windows 2000 domains. It would seem that everything necessary for setting up trust relationships is there: the rights exist, the tools for creating trusts are known, but in practice the simple instructions do not always work. Let's try to figure it out together.

In dry terms, recall that a trust relationship is a logical relationship between domains that provides pass-through authentication, in which the trusting domain accepts authentication performed in the trusted domain. User accounts and global groups defined in the trusted domain can then be given rights and permissions on resources in the trusting domain, even though those accounts do not exist in the trusting domain's account database.

When is it necessary to build a trust? The first answer is when users in one enterprise (a domain in one forest) need to use resources of another enterprise (a domain in another forest), or vice versa. Trust relationships are also required when migrating security principals from one domain to another (for example, with Microsoft's ADMT v2 tool) and in many other situations.

An external trust can be created to form a one-way or two-way non-transitive trust (that is, a relationship in a multi-domain environment limited to only two domains) with domains outside the forest. External trusts are sometimes used when users need to access resources located in a Windows domain located inside another forest, as shown in the figure.

When a trust is established between a domain in a particular forest and a domain outside that forest, security principals (users, groups or computers) from the external domain gain access to resources in the internal domain. Active Directory creates a foreign security principal object in the internal domain to represent each security principal from the external trusted domain. These foreign security principals can become members of domain local groups in the trusting internal domain. Domain local groups (usually used to assign access rights to resources) can include security principals from domains outside the forest.

Having defined the concepts, let's proceed to the establishment of external one-way trust relationships of the domain D01 to the domain D04.

Systems configuration:

Usually both domains are deployed in different networks and communicate through gateways. Sometimes a second network card is added to the domain controllers for this purpose, and the connection to the external network goes through it. In this example I used the simplest case, where both domains are on the same subnet. In that case it is possible to establish the trust simply by specifying the NetBIOS domain names, and the DNS steps below are redundant; however, as the network structure gets more complex (domains on different subnets, communication through gateways and virtual private networks), setting up the trust is not so easy, and the additional network settings described below become necessary.

Let's draw up an action plan to create a trusting relationship:

  • checking connections between two servers
  • checking the settings of each domain
  • configuring name resolution for external domains
  • creating a relationship from the trusting domain
  • creating a relationship from a trusted domain
  • verification of established one-way relationships
  • creating a two-way trust (if needed)

Everything is not as difficult as it might seem. The key ones in this list are the first three points, the correct implementation of which directly affects the final result. I also note that all actions are performed on behalf of the accounts of administrators of the respective domains, which have all the necessary rights for this.


Let's get started.

The first thing to do is to back up the System State of all domain controllers in both domains (and the system directories as well).

And only then start making changes. So, make sure that communication between the two servers is possible:

  • From Server01, make sure that Server04 (192.168.1.4) is reachable.
    It is important to test by IP address to avoid name resolution errors.
    On the command line, enter: ping 192.168.1.4
    You should receive replies from the remote address. If there is no reply, analyze your network infrastructure and fix the problems.
  • From Server04, make sure that Server01 (192.168.1.1) is reachable.
    On the command line, enter: ping 192.168.1.1
    You should receive replies from the address of Server01.

If everything is in order, go to the next step, checking the domain settings.

Of all the settings, we will check only the configuration of the primary DNS zone that supports each Active Directory domain, since it is the data in this zone that holds the domain's resource records and makes it possible to determine the location and addresses of the corresponding domain services.

On each server, run the commands ipconfig.exe /all and nslookup.exe (screens 1 and 2).

Ipconfig displays the TCP/IP protocol configuration - IP addresses, gateway and DNS server addresses for the controller. If the DNS infrastructure is configured correctly, nslookup lists the IP addresses of domain controllers when querying the DNS name of the local domain. If you cannot obtain controller addresses for the local domain, check the primary DNS server setup and the contents of the DNS server forward lookup zone (Figure 3).

Note that the system has no information about the external domain (an error message appears when trying to resolve the name of the remote domain; screens 1 and 2), so locating its controllers to establish communication with the external domain will be extremely difficult. In this state, attempting to create a trust with the external domain results in an error message (Figure 4).


Now let's move on to resolving this situation. Let's configure DNS name resolution for external domains on each server.

What needs to be done? You need to achieve name resolution and obtain the resource records of the external domain. This is possible if the local server can reach a DNS zone that supports the external domain and can resolve the required queries. I will note right away that an attempt to solve this simply by adding the IP address of the external DNS server as an alternate server in the TCP/IP settings is doomed to failure. Let's take the right steps for this situation.

On the local DNS server in each domain, we will create a secondary zone containing a copy of the external domain's primary DNS zone. As a result, this server can answer both queries about the local domain and queries for records of the external domain from the secondary zone.

I will show the creation of a secondary zone for Server01; on Server04 the sequence of actions is similar.

First, change the zone transfer settings of the primary DNS zone on the remote server.

On (Server04), open the DNS snap-in window (via the Start menu, then Programs and Administrative Tools).

Right-click the DNS zone and select Properties.

On the Zone Transfers tab, select the Allow zone transfers check box.

Allow zone transfers only to specific DNS servers: select the option Only to the following servers, and then specify the IP addresses of the DNS servers of the first domain (in our case the IP address of Server01, 192.168.1.1; screen 5).

It is easier to allow transfers to any server, but that is less secure. Alternatively, it is more convenient to add this IP address to the list of name servers for the zone and allow transfers only to the servers listed in the Name Servers tab.

  • Enable notifications to the secondary zones on other DNS servers

Click the Notify button on the Zone Transfers tab.

Make sure the Automatically notify check box is selected.

Select the Specified servers only option and add the server IP addresses to the required notification list.

To do this, in the notification list, enter the server IP address from the previous paragraph (192.168.1.1) in the IP address field and click the Add button (screen 6).

  • Create the secondary DNS zone on the local server

On (Server01), open the DNS window.

In the console tree, right-click the DNS server and select New Zone to open the New Zone Wizard (Figure 7).

Select the Secondary zone type, enter its name (D04.local), then enter the IP address of the master server (192.168.1.4) in the IP address field and click Add.

Once the zone has been created, it takes some time for the data to be received from the master server (after which the zones should look like Figure 8).

  • Check the new DNS server configuration

On Server01, open a command prompt window, run nslookup.exe and enter a query for the DNS name of the external domain, D04.local; the result is the IP addresses of the domain controllers of that domain (Figure 9).

Here's what we were trying to achieve - now, when creating a trust relationship, the current domain will be able to determine the necessary external domain service addresses.

Of course, the steps given here apply to domains with default settings. If your network has special DNS settings, adjust these items according to your requirements.

Now repeat the previous steps on the controller of the other, trusted domain (Server04) so that this controller can also resolve names and obtain the list of services of the first domain (screen 10).
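The same DNS configuration and its verification, done from PowerShell instead of the Windows 2000 snap-in. This is an added example, not part of the original article: it uses the DnsServer module (Windows Server 2012 or later, an assumption beyond the article's environment) with the article's names and addresses, D04.local on Server04 (192.168.1.4) and D01.local on Server01 (192.168.1.1). Run the same commands with the roles swapped to give Server04 a secondary copy of D01.local.

```powershell
# Added example (not the article's own steps): secondary zone for the external domain
# via the DnsServer PowerShell module (Windows Server 2012+). Names/IPs are the article's.

# --- On Server04, which holds the primary zone D04.local ---
# Equivalent of the Zone Transfers tab: transfer only to Server01, notify only Server01.
Set-DnsServerPrimaryZone -Name 'D04.local' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 192.168.1.1 `
    -Notify NotifyServers -NotifyServers 192.168.1.1

# --- On Server01 ---
# Equivalent of the New Zone wizard: a secondary copy of D04.local pulled from Server04,
# followed by an immediate full transfer instead of waiting for the refresh interval.
Add-DnsServerSecondaryZone -Name 'D04.local' -ZoneFile 'D04.local.dns' -MasterServers 192.168.1.4
Start-DnsServerZoneTransfer -Name 'D04.local' -FullTransfer

# Verification (what nslookup showed on screen 9): the local server must now answer
# for the external domain, including the SRV records that locate its domain controllers.
# If the A record resolves but the SRV queries fail, the transfer brought only part of
# the zone or the _msdcs records are delegated elsewhere; the trust wizard will still fail.
Resolve-DnsName -Name 'D04.local' -Type A -Server 192.168.1.1
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.D04.local'     -Type SRV -Server 192.168.1.1
Resolve-DnsName -Name '_kerberos._tcp.dc._msdcs.D04.local' -Type SRV -Server 192.168.1.1

# Status of the secondary zone on Server01: LastSuccessfulXfr shows whether the copy is current.
Get-DnsServerZone -Name 'D04.local' | Select-Object ZoneName, ZoneType, MasterServers, LastSuccessfulXfr
```

Restricting transfers to the listed secondary servers, as the article recommends, matters because a zone transfer hands out every record of the domain, including the service records that describe where all domain controllers are.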


Once the names of both domains can be resolved through the DNS servers, we can proceed to the standard procedure for creating a direct external one-way trust relationship.

  • Create the relationship from the side of the trusting domain (d01.local)

On the controller (Server01), open the Active Directory Domains and Trusts snap-in (via the Start menu, then Programs and Administrative Tools).

In the console tree, right-click the domain node you want to manage (D01.local) and select Properties (Figure 11).

Select the Trusts tab.

Select Domains that this domain trusts, and then click Add.

Enter the fully qualified DNS name of the domain, i.e. D04.local (for a Windows NT domain, just the NetBIOS name; screen 12).

Enter a password (for example, 12 W#$r) for this trust relationship. The same password must be entered in both domains, the trusting one and the trusted one. It is used only while the trust is being established; once the trust is established, the password is discarded.

Since we have so far established only one of the two necessary halves of the relationship, the trust cannot be verified yet (screen 13). The reciprocal half must be created on the trusted domain's side.

While in this dialog, you can view the properties of the outgoing trust that has just been created (screen 14).

Let's repeat the procedure for the domain that makes up the other half of the direct trust relationship.


  • Create the relationship from the side of the trusted domain (d04.local)

On the controller (Server04), open the Active Directory Domains and Trusts snap-in.

In the console tree, right-click the domain node you want to manage (D04.local) and select Properties.

Select the Trusts tab (screen 15).

Select Domains that trust this domain, and then click Add.

Enter the fully qualified DNS name of the domain, D01.local.

Enter the password for this trust that you specified earlier (12 W#$r; screen 16).

Since we have now set up the reciprocal half of the trust relationship, we can verify the new relationship (screen 17).

To do this, you must specify a user account that has the right to modify trust relationships in the opposite domain, D01.local, i.e. the Domain Admins account of d01 (screen 18).

If the credentials are correct, the relationship is verified and the trust is established (screen 19).

Now let's see how to verify an external trust. As an example, let's check the relationship from the trusting domain (D01.local).

To test a trust relationship:

Open the Active Directory Domains and Trusts snap-in.

In the console tree, right-click the domain participating in the trust you want to verify (D01.local) and select Properties.

Select the Trusts tab.

In the Domains trusted by this domain list, select the trust you want to check (D04.local) and click Edit (screen 20).

Click the Check button.


In the dialog box that appears, enter the credentials of a user who has the right to modify trust relationships, i.e. the Administrator account of the external domain d04 and its password (screen 21).

As before, if the credentials are correct and the relationship is healthy, a confirmation message is displayed (screen 22).

In case of errors, check your network structure (settings of gateways, firewalls, routers separating domain subnets), DNS infrastructure settings, the health of physical links between domain controllers, and possible errors within Active Directory domains (by analyzing Event Logs on domain controllers).
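The same creation and verification steps can be scripted, which is useful when several trusts have to be set up identically or re-verified regularly. The block below is an added example and not part of the article: it uses netdom.exe (Windows Support Tools / RSAT) for the article's D01.local and D04.local, then lists the resulting trusts with .NET and, where the ActiveDirectory module is available (Windows Server 2008 R2 or later, an assumption beyond the article's Windows 2000 setup), with Get-ADTrust. Account names are placeholders; the passwords are prompted for rather than typed on the command line.

```powershell
# Added example (not from the article): one-way external trust D01.local -> D04.local
# with netdom, then verification. Run on Server01 as a D01 administrator.
$trusting = 'D01.local'   # accepts authentication (object domain for netdom, /UserO)
$trusted  = 'D04.local'   # performs authentication (/UserD)

# /PasswordD:* and /PasswordO:* make netdom prompt, so no password lands in the history.
# Add /TwoWay to create the reverse direction in the same step (the article's last section).
& netdom trust $trusting "/Domain:$trusted" /Add `
    "/UserD:D04\Administrator" /PasswordD:* `
    "/UserO:D01\Administrator" /PasswordO:*

# Equivalent of the Verify button in the Trusts tab.
& netdom trust $trusting "/Domain:$trusted" /Verify "/UserD:D04\Administrator" /PasswordD:*

# List trusts of the current domain without any add-on module (works on Windows 2000/2003 too).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domain.GetAllTrustRelationships() |
    Select-Object SourceName, TargetName, TrustDirection, TrustType

# With the ActiveDirectory module: direction, transitivity and SID filtering in one view.
# SIDFilteringQuarantined = True is the expected default for an external trust; it stops
# the trusted domain from presenting SIDs that do not belong to it.
Get-ADTrust -Filter * -Server $trusting |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined
```

For netdom, the "trusting" domain is the first positional argument and the trusted one is given with /Domain; getting the two the wrong way round creates a trust in the opposite direction, which the listing at the end makes visible through TrustDirection.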

Now that the trust has been established from the trusted domain, it is possible to browse resources in the trusting domain as Authenticated Users (which are members of the Everyone special group).

Let's make sure that we can use security principal objects from the trusted domain (accounts from the D04.local domain) in the trusting domain. To do this, we will create a shared resource in the D01 domain and provide access to it to the Domain Users global group from the trusted domain D04.

Create a file share in the D01.local domain on the Server01 domain controller.

Thus, from the trusted domain D04 we have obtained access to a resource in the trusting domain D01, which is what we needed.
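The share from the article, set up the way the definitions section describes: the foreign group is placed in a domain local group of the trusting domain and the permissions reference that group, so the foreign security principal object appears in D01.local. This is an added example, not the article's own steps; it assumes the ActiveDirectory module and the SmbShare module on Server01 (Windows Server 2012 or later) and that Add-ADGroupMember accepts a group object retrieved from the trusted domain, which are assumptions beyond the article's Windows 2000 environment. The path and group name are placeholders.

```powershell
# Added example (not from the article). Run on Server01 as a D01\Administrator.
# Grants D04\Domain Users read access to a share in D01.local through a domain local group.

$sharePath = 'C:\Shares\Exchange'       # placeholder
$groupName = 'D04-Exchange-Readers'     # placeholder, lives in D01.local

New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# Domain local groups are the scope that may contain principals from outside the forest.
New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
    -Path 'CN=Users,DC=D01,DC=local' -Description 'Read access to \\Server01\Exchange for D04.local users'

# Resolve the global group across the trust and add it. Active Directory creates the
# foreignSecurityPrincipal object for it in D01.local at this point.
$foreignGroup = Get-ADGroup -Identity 'Domain Users' -Server 'D04.local'
Add-ADGroupMember -Identity $groupName -Members $foreignGroup

# Share and NTFS permissions name the local group, not the foreign group directly.
New-SmbShare -Name 'Exchange' -Path $sharePath -ReadAccess "D01\$groupName" -FullAccess 'BUILTIN\Administrators'
icacls $sharePath /inheritance:r `
    /grant "D01\${groupName}:(OI)(CI)RX" `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Check: the foreign security principal now exists in D01 and is a member of our group.
# Its Name is the SID of D04\Domain Users; resolving it back to a name needs the trust to work.
Get-ADObject -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
    -SearchBase 'CN=ForeignSecurityPrincipals,DC=D01,DC=local' -Properties memberOf |
    Select-Object Name, memberOf
```

If the trust is later removed, the foreign security principal stays behind as an unresolvable SID in the group; listing the ForeignSecurityPrincipals container as above is how such leftovers are found.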

If necessary, a trust can be set up in the reverse direction as well, from domain D04 to D01. In that case D04.local becomes the trusting domain and D01.local the trusted one.

In this article, we will talk about what a serious relationship between a man and a woman is built on.

Serious relationships between men and women = are built, of course, on trust.

Without trust = serious relationships are a priori, in principle, impossible!

Trust is the foundation on which relationships are built. House = without a foundation (proper foundation) = impossible to build, it will fall apart, the same is true in relationships with a man and a woman.

If you do not trust your partner = sooner or later = everything will fall apart (collapse), because relationships with fear, anxiety, worries, stress, pain, quarrels, etc. will not last long.

What is trust and its absence?

Trust knows no doubt, where doubt begins, trust dies.

That is what trust in a partner is (absence of doubt), and that is what lack of trust is (presence of doubt). Trust in a relationship must be complete and mutual. If it is not, if one of the partners lacks confidence and is gnawed by doubts, there will be no serious relationship (until this problem is solved); such a relationship has no future and is doomed to failure.

So what is the solution in this situation? In my opinion, there are 2 ways to solve the problem:

  • 1st: rebuild trust with your partner (if it has been lost). Difficult, but possible, and if the relationship is worth it (if it makes sense; more on this in the article "Is it worth keeping a relationship"), this really needs to be done, by both partners. Relationships are work!
  • 2nd: part ways and do not suffer. Easy and simple, no comment needed, there is nothing more to say.

Ask yourself: do you trust your partner? If not, can you trust him (her) again?

If your answer is "no", then it would be best to end this relationship and not complicate each other's lives, spending all this invaluable time, energy and other resources making each other unhappy.

The point of a relationship is to make each other stronger. I talked about this in more detail in the article: "The meaning of the relationship between a man and a woman." If this is not the case, then the relationship is meaningless.

Sooner or later, without complete trust, the end will come anyway and the couple will break up, so why waste time, the main resource in any person's life? Why suffer, make each other more unhappy and put off that moment? I had a girlfriend who lost my confidence after a joke of hers.

I still don't know whether it was a joke or not (love is blinding), but it is imprinted in my brain so deeply that it would be very difficult for me to start trusting her again.

But nevertheless, in my case one could try to find out everything and fix it (and it is not certain that the answer is no).

Only you yourself know the answer to the question of whether you can trust him (her) again or not, because each case is individual and we are all, in principle, individuals. Understand?

If the answer is definitely "no", then there is only one way out: just move on without torturing yourself and your partner.

But if you still have doubts, and your answer is "perhaps", "maybe", etc., then renewing trust will require the daily, willing work of both partners in this direction.

Relationships are a constant work of two partners. This is work. Job. And once again work. Daily. And not only in terms of trust, but also many other components that we are not talking about now ...

If this work is not there, then a harmonious, whole, right relationship, alas, will not be there either.

To try to regain your partner's trust, first of all, you need to sit down and discuss everything with your partner in as much detail as possible, all your doubts, thoughts, fears, claims, etc. to your partner in a sincere and honest manner. Complete sincerity, emancipation and honesty are important. Without this, nothing will come of it.

P.s. trust is closely related to honesty, sincerity and integrity.

And it is extremely important to do this, and not avoid it, thinking that everything will pass or be forgotten. No! The longer everything drags on and the longer everything is kept inside, the more "filth" comes out later.

All doubts, fears, insecurities, etc. need to be told to your partner. Tell him (her) what you don't like in your relationship and in her (him), what causes you discomfort, displeasure and so on. You need to discuss and express to each other absolutely everything, and always, throughout the development of your relationship, not only on "special occasions" (when things are already boiling over).

In our case, regarding trust, you need to fully open up and lay it all out. Feelings and all your emotions = not embarrassed, not afraid, not holding back ABSOLUTELY NOTHING!

All fears, deeds, actions, claims, problems, desires, etc., everything you want, needs to be discussed. Everything from beginning to end, in one sitting. And after all this, you need to draw up a concrete plan of joint action together and start working with each other, together, to develop trust. How? By getting rid, together, of all these doubts, fears, problems, claims and other components.

Learn to trust each other, learn to admit your mistakes, learn to take the blame (responsibility), which in my understanding means being ready to correct what happened through your fault; learn to forgive and ask for forgiveness, to repent, to compromise, to talk (communicate) with each other (where, how, with whom, when, calls / SMS, full openness, full access); you need to be completely sincere and honest with each other. All of "this" is your joint action.

Why is it important? Because when work (deeds, actions) is done TOGETHER (with each other), rapport is established too (the same connection; communication is established through joint actions), and therefore trust is established as well. Rapport (communication) = trust. Remember this like the Lord's Prayer.

And of course, do not forget the saying "patience and work will grind everything down." If you both really want to be together, if you want a strong, happy, harmonious, whole relationship, then work on it, with each other, together, every single day, and you will be rewarded as you deserve. That's all from me.

But the best thing is to prevent the loss of trust in the first place; then the problems will not have to be solved at all. Nevertheless, everyone makes mistakes; rumor has it that even robots do =) The topic was very close to me today...

Regards, administrator.

CryptoPro cryptographic utilities are used in many programs created by Russian developers. Their purpose is to sign electronic documents, organize a PKI and manage certificates. In this article we will look at an error that appears when working with a certificate: "An error occurred while verifying trust relationships. System error".

The reason for the error in CryptoPro

The system error message is often caused by incompatible versions of Windows and CryptoPro. Users rarely familiarize themselves with the software's system requirements, properties and capabilities beforehand, and so they end up studying the instructions and forums in detail only after a failure has occurred.

Often the software itself is installed into the system with errors. There are plenty of reasons for this:

  • Problems in the Windows registry;
  • The hard drive is full of junk that prevents other software from working properly;
  • The presence of viruses in the system and so on.

Solving the error with the certificate

Let's try to solve the problem with the message "A system error occurred while checking trust relationships" in the CryptoPro software. In some cases the program displays this message because the system lacks the appropriate updates. You may also receive the error if you are using CryptoPro version 3.6 on Windows 8.1; for this OS, version 4 or later must be used. But to install the new version, you first need to uninstall the old one.

All important data from the previous version must be copied to removable media or to a separate Windows folder.


Then visit the official website at https://www.cryptopro.ru/downloads, download the latest version of the utility package and install it on your computer. During installation, temporarily disable the Windows firewall and any other programs or antivirus software that may block CryptoPro from working.

You can also install the new product through your personal account on the site. To do this, you need to register and log in.

  1. Then go to your personal account;
  2. Open the "Service Management" tab at the top;
  3. Go to the "Workstation" section;
  4. Then find the item "Plugins and add-ons" and click on one of the CryptoPro versions.

Installing a personal certificate

Next, install the certificate in the CryptoPro utility in order to fix the certificate failure (the trust relationship verification error). Run the software as an administrator; the easiest way to do this is from the Start menu.
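Before reinstalling anything, it helps to know whether the certificate itself chains to a trusted root on this machine, since that is what a "trust relationship" error in certificate verification refers to. The script below is an added example and not part of the article: it uses the Windows certificate chain engine through .NET from PowerShell. For GOST certificates the CryptoPro CSP must be installed so that Windows can process them (an assumption, not something the article states), and the subject filter is a placeholder.

```powershell
# Added example (not from the article): check the trust chain of a personal certificate.
# The subject filter '*Ivanov*' is a placeholder; adjust it to your certificate.

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*Ivanov*' } |
    Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in the personal (My) store' }

"Subject      : $($cert.Subject)"
"Issuer       : $($cert.Issuer)"
"Valid        : $($cert.NotBefore) - $($cert.NotAfter)"
"Private key  : $($cert.HasPrivateKey)"   # signing needs the key, not just the certificate

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

if ($chain.Build($cert)) {
    'Chain is valid:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    'Chain build failed; reasons:'
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    # What the usual statuses point to:
    #   UntrustedRoot        - the CA root is not in Trusted Root Certification Authorities
    #   PartialChain         - an intermediate CA certificate is missing from the Intermediate store
    #   RevocationStatusUnknown / OfflineRevocation - CRL could not be downloaded (proxy, firewall)
    #   NotTimeValid         - the certificate or one of the CA certificates has expired
}

# The same check from the command line with full download details of the chain and CRLs:
#   certutil -verify -urlfetch <exported-certificate.cer>
```

A failed chain with UntrustedRoot or PartialChain is fixed by installing the missing CA certificates, not by reinstalling CryptoPro; the reinstall steps that follow address the case where the chain is fine and the software itself is at fault.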


Other Methods for Troubleshooting a Trust Verification Error

If you are using CryptoPro version 4 and the error still appears, try simply reinstalling the program; in many cases this has helped users. It is also possible that your hard drive is full of unnecessary files that need to be deleted. The standard Windows utilities will help with this.

  1. Open Explorer (WIN + E) and right-click one of the local disks;
  2. Click "Properties";
  3. Under the disk usage chart, find and click the "Disk Cleanup" button;
  4. A window will appear where you need to select the files to be deleted;
  5. You can select all items and click OK.

Repeat this for all local drives on your computer. Next, follow these steps to check the Windows system files:

  1. Open the Start menu;
  2. Enter "Command Prompt" in the search bar;
  3. Right-click the result and select "Run as administrator";
  4. In this window, enter the command sfc /scannow to start the scan;
  5. Press ENTER.

Wait for the process to complete. If the utility finds problems with the system files, it reports them in its final message. Close all windows and start CryptoPro to make sure that the error "A certificate error occurred while verifying trust relationships" has been resolved. For special cases there is a technical support number: 8 800 555 02 75.