The network connection is not authenticated. Restoring trust in the domain

There are situations in which a computer cannot authenticate to the domain. Some examples:

  • After the OS is reinstalled on a workstation, the machine cannot authenticate even when it uses the same computer name. The new installation generates a new SID, and the computer does not know the password of its computer account in the domain, so it is not a domain member and cannot authenticate.
  • The computer was fully restored from a backup and cannot authenticate. The computer object may have changed its domain password after the backup was taken. Computers change their passwords every 30 days, and Active Directory remembers the current and the previous password. If the computer was restored from a backup with a long-outdated password, it will not be able to authenticate.
  • The computer's LSA secret has not been synchronized with the password known to the domain for a long time. That is, the computer has not forgotten its password; the password it holds simply does not match the real password in the domain. In this case the computer cannot authenticate and no secure channel is created.
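Added example, not part of the original article: a query that lists computer accounts whose password has not changed within the window described above (AD keeps the current and the previous machine password, so anything older than two rotation periods is a candidate for a restored-from-backup or long-offline machine). It assumes the RSAT ActiveDirectory module; the OU path and the policy value are placeholders.

```powershell
# Added example (not the article's code). Finds enabled computer accounts whose
# machine password is older than two rotation periods. Assumes the RSAT
# ActiveDirectory module is installed; $SearchBase and $MaxAgeDays are placeholders.
Import-Module ActiveDirectory

$MaxAgeDays = 30   # value of "Domain member: Maximum machine account password age"
$SearchBase = 'OU=Workstations,DC=corp,DC=example,DC=com'   # placeholder OU
$Cutoff     = (Get-Date).AddDays(-2 * $MaxAgeDays)           # current + previous password

Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
    # Accounts that never set a password (PasswordLastSet empty) are skipped here
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
        @{ Name = 'PasswordAgeDays'
           Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

A machine that has simply been switched off still holds its old password locally and will rotate it on the next domain logon, so the list is a starting point for investigation, not proof that trust is broken.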

The main symptoms of a computer account problem are:

  • Domain logon messages state that the computer could not communicate with the domain controller, that the computer account is missing, that the computer account password is wrong, or that the trust relationship (the secure channel) between the computer and the domain has been lost.
  • Messages or events in the event log that report similar errors or point to problems with the password, the trust relationship, the secure channel, or communication with the domain or a domain controller. One such error is an authentication failure with error code 3210 in the computer's event log.
  • The computer account does not exist in Active Directory.

How to fix it?

The computer account has to be reset. A common recommendation online is to remove the computer from the domain and then re-join it. That works, but it is not recommended, because the computer's SID and its group memberships are lost.

Instead, do one of the following:

Open the Active Directory Users and Computers snap-in, right-click the computer object and choose Reset Account. After this, re-join the computer to the domain and reboot it.

Using an account that is a member of the local Administrators group:

netdom reset Machine_name /Domain:Domain_name /UserO:User_name /PasswordO:{Password | *}

On the computer where trust has been lost:

nltest /server:Server_name /sc_reset:DOMAIN\Domain_controller

Windows XP

1. Launch the registry editor (Start - Run - regedit - Enter).


2. Find the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon

3. Delete the entire WgaLogon key (if in doubt, export a copy of this key first).
4. Reboot the system.
After the reboot the authentication message will disappear.

Windows 7

On Windows 7 the message is removed with the RemoveWAT21 program:
1. Download the program from Deposit or Letitbit.
2. Remove the old activation.
3. Activate again.
4. Remove the authentication check permanently.
Detailed instructions are included in the program itself; the whole operation takes three clicks.

How to get rid of the message about unlicensed Windows

Update KB971033 validates the activation and verification components that are part of Windows Activation Technologies for Windows 7.
Right-click the Computer icon and choose Properties.
Choose Windows Update - Installed updates.
Among the installed updates find "Update for Microsoft Windows (KB971033)", select it and uninstall it.
So that Windows no longer fails activation, hide update KB971033: right-click the Computer icon, choose Properties, then Windows Update - Important updates. Find KB971033 and hide it by right-clicking it. It will no longer be offered by Microsoft.

So do not install these updates.
For example, if you have a pirated version: KB905474, KB2882822, KB2859537, KB2862330, KB2864058, KB2872339.
If you install KB971033, it will find the crack and display the message "You may be a victim of software counterfeiting."
KB2859537 on Windows XP may block the launch of all exe files except those
located in the Windows folder. Uninstalling the update fixes the problem.

Black Lord January 14, 2013 at 5:27 pm

Violation of trust between workstation and domain controller (solution)

In a network with a fleet of 150 machines, after the operating system was upgraded to MS Windows 7, there was a constant problem with user logon. One fine day a user would turn on the computer and discover that he could not log on, seeing instead a message stunning in its informativeness:
"Trust could not be established between this workstation and the primary domain"

There is only one solution: take the machine out of the domain and put it back in. When this situation started repeating more than once a day and I simply got tired of it, I started thinking about prevention. And here the Internet stayed silent. After some time of despondency (and despondency, as we know, is a sin), it was decided to dig. As a result of the excavation, the cause was found in 99% of cases (and I suspect the remaining 1% simply did not admit to the same cause). The cause is the Startup Repair service, which kicks in when the system shuts down abnormally. On the first screen of its dialog the service asks the user whether to restore the system or not. If the answer is yes, the system rolls back to an earlier state and, apparently, the machine's SID gets broken. Be that as it may, after such an operation the domain will not let users in from that machine. It is useless to rely on the user in such a matter. You can ask him to decline if this situation arises, but the user will very likely press the "Restore" button and then throw up his hands, saying the demon misled him. In short, Startup Repair needs to be disabled in bulk on n machines.

Locally, the solution looks like a console command:

Reagentc.exe /disable

Over the network you will need the PsExec utility from the Microsoft Sysinternals PsTools package.

Put PsExec.exe in the same folder as our batch file (let's call it broff.cmd).
Inside broff.cmd we write:

@echo off
:: Get the list of computers in the network, strip the leading backslashes
:: and put the bare names into net.lst
net.exe view /domain:megafon >>net.tmp
for /f "tokens=1,2 delims= " %%i in (net.tmp) do (echo %%i>>net1.tmp)
for /f "tokens=1,2 delims=\" %%i in (net1.tmp) do (echo %%i>>net.lst)
del *.tmp
:: Go through the list and disable Startup Repair on each machine
for /f "tokens=1,2 delims= " %%F in (net.lst) do (start psexec \\%%F reagentc.exe /disable)

That's it. The user is no longer our enemy.

Tags: Trust relationships, DC, IT, network administration, networks, deployment

In this article we look at the problem of a broken trust relationship between a workstation and the domain, which prevents the user from logging on. We examine the cause of the problem and a simple way to restore the secure channel.

How the problem manifests itself: the user tries to log on to a workstation or server with his account, and after entering the password an error appears:

Failed to restore trust between workstation and domain

Or this:

The security database on the server does not have a computer account for this workstation trust relationship

Let's try to figure out what these errors mean and how to fix them.

Computer password in AD domain

When a computer is joined to a domain, a secure channel is established between it and the domain controller. Credentials are transmitted over this channel, and further interaction follows the security policies set by the administrator.

The default computer account password is valid for 30 days, after which it changes automatically. Password changes are initiated by the computer itself based on domain policies.

Advice. The maximum password lifetime can be configured with the policy Domain member: Maximum machine account password age, located under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. The value can be from 0 to 999 days (30 days by default).

If the computer password has expired, it is changed automatically at the next registration in the domain. So even if you have not rebooted the computer for several months, the trust relationship between the PC and the domain is preserved, and the computer password will be changed at the next reboot.

The trust relationship breaks when the computer tries to authenticate to the domain with an incorrect password. This usually happens when the computer is restored from a backup or from a virtual machine snapshot: the machine password stored locally and the password stored in the domain no longer match.

The “classic” way to restore trust in this case:

  1. Reset the local administrator password
  2. Remove the PC from the domain and put it in a workgroup
  3. Reboot
  4. Using the Active Directory Users and Computers snap-in, reset the computer account (Reset Account)
  5. Re-join the PC to the domain
  6. Reboot again

This method is the simplest but rather clumsy: it requires at least two reboots and 10-30 minutes of time, and old local user profiles may also cause problems.

There is a more elegant way to restore trust without rejoining the domain and without reboots.

Netdom utility

The Netdom utility is included in Windows Server starting from version 2008 and can be installed on user PCs from RSAT (Remote Server Administration Tools). To restore trust, log on as the local administrator (type ".\Administrator" at the logon screen) and run the following command:

Netdom resetpwd /Server:DomainController /UserD:Administrator /PasswordD:Password

  • Server – the name of any reachable domain controller
  • UserD – a user with domain administrator rights, or with Full Control on the OU that contains the computer account
  • PasswordD – that user's password

Netdom resetpwd /Server:sam-dc01 /UserD:aapetrov /PasswordD:Pa@@w0rd

Once the command has been successfully completed, there is no need to reboot; just logoff and log in using a domain account.

Reset-ComputerMachinePassword cmdlet

This cmdlet appeared in PowerShell 3.0 and, unlike the Netdom utility, is built into the system starting with Windows 8 / Windows Server 2012. On Windows 7, Server 2008 and Server 2008 R2 it can be installed manually (http://www.microsoft.com/en-us/download/details.aspx?id=34595); it also requires .NET Framework 4.0 or higher.

Here too you log on with a local administrator account, open a PowerShell console and run:

Reset-ComputerMachinePassword -Server DomainController -Credential Domain\Admin

  • Server – domain controller name
  • Credential – a user with domain administrator rights (or rights to the OU that contains the PC)

Reset-ComputerMachinePassword -Server sam-dc01 -Credential corp\aapetrov

In the credential prompt that opens, enter the user's password.

Advice. The same operation can be performed with another PowerShell cmdlet, Test-ComputerSecureChannel:

Test-ComputerSecureChannel -Repair -Credential corp\aapetrov

You can check the presence of a secure channel between the PC and DC with the command:

nltest /sc_verify:corp.adatum.com

The following lines confirm that the trust relationship was successfully restored:

Trusted DC Connection Status Status = 0 0x0 NERR_Success

Trust Verification Status = 0 0x0 NERR_Success
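The check, repair and verify sequence described in this article (and the netdom/nltest variant at the top of the page) combined into one script, as an added example that is not the article's own code. It uses only built-in cmdlets (PowerShell 3.0+) and nltest.exe, and the domain, domain controller and account names are placeholders.

```powershell
# Added example (not the article's code). Run in an elevated PowerShell session
# after logging on as the local administrator (.\Administrator).
# $Domain, $Server and $User are placeholders for your environment.
param(
    [string]$Domain = 'corp.example.com',       # placeholder domain DNS name
    [string]$Server = 'dc01.corp.example.com',  # placeholder domain controller
    [string]$User   = 'corp\aapetrov'           # placeholder account allowed to reset the object
)

# 1. Non-destructive check: is the secure channel to the DC still valid?
if (Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue) {
    Write-Host "Secure channel with $Server is healthy; nothing to do."
    return
}
Write-Warning "Secure channel to $Domain is broken; resetting the machine account password."

# 2. Repair in place: no leaving/re-joining the domain and no reboot. The password
#    is prompted for instead of being passed on the command line, so it does not
#    land in the PowerShell history or in process command-line auditing.
$cred = Get-Credential -UserName $User -Message 'Account allowed to reset the computer object'
try {
    Reset-ComputerMachinePassword -Server $Server -Credential $cred -ErrorAction Stop
} catch {
    Write-Warning "Reset-ComputerMachinePassword failed ($($_.Exception.Message)); trying Test-ComputerSecureChannel -Repair."
    Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred -ErrorAction Stop
}

# 3. Verify the same way the article does, and fail on anything other than
#    NERR_Success so the script can double as a monitoring check.
$verify = & nltest.exe /sc_verify:$Domain 2>&1
$verify | ForEach-Object { Write-Host $_ }
if (($verify -join "`n") -notmatch 'Trust Verification Status = 0 0x0 NERR_Success') {
    throw "Trust verification against $Domain failed"
}
Write-Host "Trust restored; log off and log on again with a domain account."
```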

As you can see, restoring trust in a domain is quite simple.