Friday, February 27, 2009

manage trust using netdom

Netdom.exe is a tool which is used for managing domain workstations in a domain and trust relationships between domains.
This post discusses on adding,removing and managing trusts between domains(forests).

To Create an external trust (External trust is a trust relationship between domains of different forests):

External trust can also defined as a trust between an active directory(AD)domain to Windows NT Domain or to external forest is called external trust. Follow the instructions shown below to add external trust from AD domain to forest or Windows NT domain.

1.
First, assume the trusting domain is "myrootdns2003.com", trusted domain is "mytestforest.com", trusting domain administrator password is "Mydns123" and trusted domain(forest) administrator password is "Myforest123".

2. Now run the simple command shown below to add trust from "myrootdns2003.com" to "mytestforest.com".

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:Myforest123 /add

Output:To improve the security of this external trust, security identifier (SID)filtering is enabled. However, if users have been migrated to the trusteddomain and their SID histories have been preserved, you may choose to turnoff this feature.
For more information about SID filtering and how to turn it off, see the helpfor netdom trust /FilterSids or see Help and Support.
The command completed successfully.
Suppose if you want to provide trusting domain passwords along with the trusted domain password, which is needed in a situation like creating trust from a remote machine, to create trust, then run

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:Myforest123
/usero:myrootdns2003\Administrator /passwordo:Mydns123 /add

If you can also create trust without passing passwords by running the command below

netdom trust myrootdns2003.com /domain:mytestforest.com

/userD:mytestforest\Administrator /passwordd:*
/usero:myrootdns2003\administrator /passwordo:* /add

In the above, passwords will be asked interactive for making connections with trusting and trusted domains.

All the above created trusts are one way trust. This is because, By default trust between two domains of different forests is one-way. However a two-way external trust can be created with the option /two-way. See below

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /add /two-way


The /Quarantine option is used to Set the domain quarantine attribute in an exiting trust. i.e if it is "yes", then only SIDs from the directly trusted domain will be accepted for authorization. SIDS from any other domains will be removed. Specifying /Quarantine without yes or no will display the current state.
To set Quarantine for an existing trust, run

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /Quarantine:"yes"

To list routed name suffixes in an exiting external trust, then run

netdom trust myrootdns2003.com /usero:myrootdns2003\administrator /passwordo:* /Quarantine:"yes" /NameSuffixes:mytestforest.com

Note: 1. trust name is "mytestforest.com" from trusting domain "myrootdns2003.com"
2. /Domain option is not required
3. One find trust name using the command netdom query as shown below.

netdom query /domain:myrootdns2003.com /userD:myrootdns2003\Administrator /passwordd:* trust


To change the status of a routed name suffix of a trust, then do run

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /Quarantine:"yes" /ToggleSuffix:1 /NameSuffixes:mytestforest.com

Here the no#1 specifies the first name suffix status to be changed.

To allows users migrated to the trusted forest from other forest to access resources in this forest using SID history, run

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:*
/usero:myrootdns2003\administrator /passwordo:* /EnableSIDHistory:"yes"

Bydefault, disables migrated users in the trusted forest to use SID history to access resources in this forest.

To specify selective authentication across the external trust, then run

netdom trust myrootdns2003.com /domain:mytestforest.com /userD:mytestforest\Administrator /passwordd:*
/usero:myrootdns2003\administrator /passwordo:* /SelectiveAUTH:"yes"

To create with a non-Windows Kerberos realm, run (Assume the target non-windows kerberos domin is mytestforest.com)

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:Myforest123
/usero:myrootdns2003\administrator /passwordo:Mydns123 /add /REAlm /PasswordT:"mytrustpass"

Here /PasswordT is the New trust password needed for windows domains to make any changes, updates or resets made to this trust.
To allow the external trust to be created for only one of the domains, then run trust create command wiht /oneside option.

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\administrator /passwordo:Mydns123 /add /REAlm /PasswordT:"mytrustpass" /oneside:trusted

Thus the above allows the trust to be created or remove for "trusted domain" only.

To specify the Kerberos authentication protocol should be verified between windows and non-windows domains, run

netdom trust myrootdns2003.com /domain:mytestforest.com
/userD:mytestforest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\administrator /passwordo:Mydns123 /add /REAlm /PasswordT:"mytrustpass" /Kerberos

To remove the trust, just run the below command

netdom trust myrootdns2003.com /domain:mytestforest.com /userD:mytestforest\ Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /remove

No comments:

Post a Comment