Showing posts with label command line. Show all posts

Sunday, March 1, 2009

Netdom - Verify Trust

It is often necessary to verify that a trust relationship, particularly an external trust, is working properly before using any cross-domain network resources. To verify a trust on the command line, do the following.



1. Assume the trusting and trusted domains are "myrootdns2003.com" and "myforesttest.com" respectively, and their administrator passwords are "Mydns123" and "Myforest123".
2. Now run the command below to verify the external trust.



netdom trust myrootdns2003.com /domain:myforesttest.com
/userd:myforesttest\Administrator /Passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /verify




3. To verify a trust relationship between an Active Directory based Windows domain and a non-Windows Kerberos realm (assume the Kerberos realm trust password is "Mytrust123"), run

netdom trust myrootdns2003.com /domain:myforesttest.com
/userd:myforesttest\Administrator /Passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /verify /Passwordt:Mytrust123

Friday, February 20, 2009

Raise Functional Level of a Windows Server 2003 Domain on command line

The following illustrates changing the domain functional level on the command line.
1. Assume the domain is "myrootdns2003.com".
2. Create a file raise_domain_func_level.ldf with the following contents (the dn must be the domain's distinguished name):
dn: dc=myrootdns2003,dc=com
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-
3. Now run the following command to change the functional level.
ldifde -i -f raise_domain_func_level.ldf

4. Alternatively, the admod tool can also be used to change the functional level.
admod -b dc=myrootdns2003,dc=com "msDS-Behavior-Version::2"

5. The functional level can also be changed using VBScript. The following snippet changes the functional level to Windows Server 2003.

' ------ CONFIGURATION ---------
strDomain = "myrootdns2003.com"
' ------ END CONFIGURATION ---------

' Bind to the domain object and read its current attributes
set objDomain = GetObject("LDAP://" & strDomain)
objDomain.GetInfo
' msDS-Behavior-Version 2 = Windows Server 2003 domain functional level
if objDomain.Get("msDS-Behavior-Version") <> 2 then
    Wscript.Echo "Changing domain to Windows Server 2003 functional level ..."
    objDomain.Put "msDS-Behavior-Version", 2
    objDomain.SetInfo
else
    Wscript.Echo "Domain already at Windows Server 2003 functional level"
end if


List domains in a forest using script

The following code displays the domains contained in a forest.

1. Assume the forest root is "microsoft.com".

strForestRoot = "microsoft.com" ' i.e., dc=microsoft,dc=com
strForestDN = "dc=" & Replace(strForestRoot, ".", ",dc=")
' Every domain partition in the forest is described by a crossRef object
' in the Partitions container of the Configuration naming context
strADsPath = "<LDAP://cn=Partitions,cn=Configuration," & strForestDN & ">;"
strFilter = "(netbiosname=*);" ' only domain partitions carry a NetBIOS name
strAttrs = "dnsRoot;"
strScope = "SubTree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
if Not objRS.EOF then objRS.MoveFirst
while Not objRS.EOF
    ' dnsRoot may come back as a single string or as an array of values
    varRoot = objRS.Fields("dnsRoot").Value
    if IsArray(varRoot) then
        For Each root in varRoot
            WScript.Echo root
        Next
    else
        WScript.Echo varRoot
    end if
    objRS.MoveNext
wend

Find domains in a forest on command line

To find out the list of domains in a forest from the command prompt, do the following.

1. Assume the DNS server (domain controller) is dnsserver2003.
2. Now run the command below to list the domains contained in the forest.

ntdsutil "d m" "sel op tar" c "co t s dnsserver2003" q "l d" q q q
3. The dsquery command can also be used to view the domains; just run the command below.
dsquery * -filter "objectcategory=domainDNS" -scope subtree


Third-party tools like adfind can also be used to find domains in a forest.
adfind -root -s subtree -f "objectcategory=domainDNS" -dn

Remove Orphaned Domain

A domain may become orphaned because it was forcibly removed, or because the last domain controller in the domain failed to uninstall completely or was removed improperly.

The following illustrates how to remove an orphaned domain.

1. Assume the domain controller (DNS server) of the orphaned domain is "dnsserver2003".
2. Now run the command below to forcibly remove the orphaned domain.
ntdsutil "meta clean" "s o t" conn "con to server dnsserver2003" q q

Output:
metadata cleanup: "s o t" "list domains"
Found 4 domain(s)
0 - DC=myrootdns2003,DC=com
select operation target: sel domain 2
select operation target: q
metadata cleanup: remove sel domain
A message will be displayed to indicate the status of the removal.

Removing an orphaned domain consists of removing the domain object for the domain (e.g., dc=myrootdns2003,dc=com), all of its child(sub domains) objects, and the associated crossRef object in the Partitions container.

Note: The above command is the shortcut form of the command below.

 ntdsutil "metadata cleanup" "select operation target" connections "connect to server dnsserver2003" quit quit

Tuesday, February 17, 2009

Create Host A record using dnscmd

The following shows adding a Host A record at the command prompt.

1. Assume the DNS server is "dnsserver", the DNS zone is "myrootdns.com" and the host to be added is "dnsclient.myrootdns.com", with IP address 192.168.1.200 (the same host and address used in the Host Type A record post below).

dnscmd dnsserver /recordadd myrootdns.com dnsclient /Aging /OpenAcl A 192.168.1.200

To set a TTL (say 20 seconds) for the record, run

dnscmd dnsserver /recordadd myrootdns.com dnsclient /Aging /OpenAcl 20 A 192.168.1.200

Sunday, February 15, 2009

Create MR Record using dnscmd

The following illustrates how to create a Mailbox Rename (MR) record at the command prompt using dnscmd.exe.
1. Assume the DNS zone is "myrootdns.com" and the host name of the existing mailbox record is "dnsserver.myrootdns.com".
2. Now run the command below to add the MR record.
dnscmd dnsserver /recordadd myrootdns.com . /Aging /OpenAcl MR dnsserver.myrootdns.com
3. Verify that the MR record was created in the DNS Manager snap-in.

Delete Host A record using dnscmd

To remove a host Type A record at the command prompt, do the following.

1. Assume the DNS domain is "myrootdns.com", the DNS server for the domain is "dnsserver" and the host name whose Type A record is to be deleted is "dnsclient".

dnscmd dnsserver /recorddelete myrootdns.com dnsclient A /f




Create MG Record using dnscmd

To add a Mail Group (MG) record at the command prompt, do the following.
1. Assume the zone in which the MG record is to be created is "myrootdns.com", the DNS server for the domain is "dnsserver", and the mailbox (MB) record to be added to the group is at host "dnsserver.myrootdns.com".

2. Now run the command below to add the MG resource record.
dnscmd dnsserver /recordadd myrootdns.com . /Aging /OpenAcl MG dnsserver.myrootdns.com


Create MailBox(MB) record using dnscmd

To add an MB record from the command prompt, do the following.

1. Assume the domain for which the mailbox needs to be created is "myrootdns.com", and the host which will host the mailbox is "dnsserver.myrootdns.com".
2. Now run the below command to create MB record.
dnscmd dnsserver /recordadd myrootdns.com dnsserver /Aging /OpenAcl MB dnsserver.myrootdns.com

Saturday, February 14, 2009

Delete MX Record Using dnscmd

Run the following command to delete an MX record at the command prompt.
1. Assume the DNS zone is "myrootdns.com", the DNS server is "dnsserver" and the mail server node is "mailserver".

dnscmd dnsserver /recorddelete myrootdns.com mailserver MX /f

Create MX Record using dnscmd

The following illustrates how to add an MX record at the command prompt using dnscmd.
1. Assume the DNS server is "dnsserver", the DNS zone name is "myrootdns.com" and the mail server is "mailserver.myrootdns.com".

dnscmd dnsserver /recordadd myrootdns.com mailserver /Aging /OpenAcl MX 10 mailserver.myrootdns.com

Create NS Record using dnscmd

The following illustrates how to add an NS (Name Server) record to a DNS zone at the command prompt.

1. Assume the subdomain is "subdomain.myrootdns.com", the parent domain is "myrootdns.com", the parent domain's DNS server is "dnsserver" and the name server (DNS server) for subdomain.myrootdns.com is "childdnsserver.myrootdns.com".
2. Now run the command below to add the NS record for "childdnsserver" in the "myrootdns.com" DNS zone.

dnscmd dnsserver /recordadd myrootdns.com subdomain /Aging /OpenAcl NS childdnsserver.myrootdns.com




To set a TTL (20 seconds) for the record, run

dnscmd dnsserver /recordadd myrootdns.com subdomain /Aging /OpenAcl 20 NS childdnsserver.myrootdns.com

To remove the NS record, run

dnscmd dnsserver /recorddelete myrootdns.com subdomain NS childdnsserver.myrootdns.com

Create Host AAAA record using dnscmd

The following shows how to add a Type AAAA resource record to a DNS zone from the command prompt.

1. Assume the domain name is "myrootdns.com", the DNS server is "dnsserver", the host name of the machine for which to add the AAAA record is "dnsserver" and the IPv6 address of dnsserver is "fe80::212:79ff:fedb:e69".

dnscmd dnsserver /recordadd myrootdns.com dnsserver.myrootdns.com /Aging /OpenAcl AAAA fe80::212:79ff:fedb:e69

To set a TTL (20 seconds) for the AAAA record, run

dnscmd dnsserver /recordadd myrootdns.com dnsserver.myrootdns.com /Aging /OpenAcl 20 AAAA fe80::212:79ff:fedb:e69

Create Host Type A record using dnscmd

The following illustrates how to add a Type A resource record at the command prompt using dnscmd.

1. Assume the domain name is "myrootdns.com", the DNS server is "dnsserver", the client machine for which to add the Host A record is "dnsclient.myrootdns.com" and the IP address of dnsclient.myrootdns.com is "192.168.1.200".
2. Run the command below to add the Type A record on "dnsserver".

dnscmd dnsserver /recordadd myrootdns.com dnsclient.myrootdns.com /Aging /OpenAcl A 192.168.1.200
3. To verify that the record was created, run

dnscmd dnsserver /EnumRecords myrootdns.com dnsclient.myrootdns.com

To set a TTL (20 seconds) for the record, run

dnscmd dnsserver /recordadd myrootdns.com dnsclient.myrootdns.com /Aging /OpenAcl 20 A 192.168.1.200
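The dnscmd record posts above (Host A, AAAA, MX, NS, MR, MG, MB) all follow the same argument order: dnscmd server /recordadd zone node [/Aging] [/OpenAcl] [ttl] type data. As an added example that is not part of the original posts, this Python helper (the function names recordadd and recorddelete are my own) builds those command lines and checks the record data against the record type first, so an A record given a host name instead of an IPv4 address, or an out-of-range TTL, is rejected before dnscmd ever runs.

```python
from ipaddress import IPv4Address, IPv6Address

# Record types that take a single host name as data (as in the NS/MR/MG/MB posts).
HOST_TYPES = {"NS", "MR", "MG", "MB"}


def recordadd(server, zone, node, rtype, data, ttl=None, aging=True, openacl=True):
    """Build 'dnscmd <server> /recordadd <zone> <node> [/Aging] [/OpenAcl] [<ttl>] <type> <data>'.

    Record data is validated against the record type, so a malformed record is rejected
    here instead of being sent to the DNS server. MX data is a (preference, host) pair.
    """
    rtype = rtype.upper()
    if rtype == "A":
        args = [str(IPv4Address(data))]          # raises ValueError for a host name or IPv6 value
    elif rtype == "AAAA":
        args = [str(IPv6Address(data))]
    elif rtype == "MX":
        pref, host = data
        if not 0 <= int(pref) <= 65535:
            raise ValueError("MX preference must be 0..65535")
        args = [str(int(pref)), host]
    elif rtype in HOST_TYPES:
        args = [data]
    else:
        raise ValueError(f"record type {rtype} is not handled by this helper")
    if ttl is not None and not 0 <= int(ttl) <= 2**31 - 1:
        raise ValueError("TTL must be 0..2147483647 seconds")
    parts = ["dnscmd", server, "/recordadd", zone, node]
    if aging:
        parts.append("/Aging")
    if openacl:
        parts.append("/OpenAcl")
    if ttl is not None:
        parts.append(str(int(ttl)))              # TTL sits between the switches and the type
    return " ".join(parts + [rtype] + args)


def recorddelete(server, zone, node, rtype, data=None, force=True):
    """Build 'dnscmd <server> /recorddelete <zone> <node> <type> [<data>] [/f]'; /f skips the prompt."""
    parts = ["dnscmd", server, "/recorddelete", zone, node, rtype.upper()]
    if data:
        parts.append(data)
    if force:
        parts.append("/f")
    return " ".join(parts)
```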

Friday, February 13, 2009

ZoneResetScavengeServers using dnscmd

To set scavenging servers for a zone at the command prompt, do the following.
1. Assume the DNS server is "dnsserver", the zone is "myrootdns.com" and the scavenging server IP address is 192.168.1.100.
dnscmd dnsserver /zoneresetscavengeservers myrootdns.com 192.168.1.100

ZoneResetSecondaries using dnscmd

To set secondary server IP addresses together with zone transfer options, do the following.
1. Assume the DNS server is "dnsserver", the zone name is "myrootdns.com" and the secondary server IP address is "192.168.1.200".

2. To allow zone transfers only to the list of secondary servers, run
dnscmd dnsserver /zoneresetsecondaries myrootdns.com /securelist 192.168.1.200

3. To allow zone transfers to all secondaries, run

dnscmd dnsserver /zoneresetsecondaries myrootdns.com /nonsecure

4. To disallow zone transfers to secondaries, run

dnscmd dnsserver /zoneresetsecondaries myrootdns.com /noxfr

5. To notify secondaries of zone changes, run

dnscmd dnsserver /zoneresetsecondaries myrootdns.com /noxfr /notify

6. To disable notification, run

dnscmd dnsserver /zoneresetsecondaries myrootdns.com /noxfr /nonotify

7. To notify only the listed IP addresses, run

dnscmd dnsserver /zoneresetsecondaries myrootdns.com /noxfr /notifylist 192.168.1.200
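As an added illustration that is not from the original post, the following Python model encodes what the /zoneresetsecondaries switches above mean for a requesting host, so the weak setting (/nonsecure, where any host may pull the whole zone) can be compared with the restricted ones (/securelist, /noxfr) before a command is applied. The class and method names are my own, and the behaviour of plain /notify is simplified as noted in the comment.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List


@dataclass
class SecondariesPolicy:
    """Zone transfer and NOTIFY settings as applied by 'dnscmd /zoneresetsecondaries'."""
    server: str
    zone: str
    transfer: str                                  # "nonsecure", "securelist" or "noxfr"
    secure_list: List[str] = field(default_factory=list)   # allowed requesters for "securelist"
    notify: str = "notify"                         # "notify", "nonotify" or "notifylist"
    notify_list: List[str] = field(default_factory=list)   # targets for "notifylist"

    def __post_init__(self):
        if self.transfer not in ("nonsecure", "securelist", "noxfr"):
            raise ValueError(f"unknown transfer mode: {self.transfer}")
        if self.notify not in ("notify", "nonotify", "notifylist"):
            raise ValueError(f"unknown notify mode: {self.notify}")
        # Validate as IP addresses now, so a host name or typo fails here, not on the server.
        self.secure_list = [str(ip_address(ip)) for ip in self.secure_list]
        self.notify_list = [str(ip_address(ip)) for ip in self.notify_list]

    def allows_transfer(self, requester: str) -> bool:
        """Would the server answer a zone transfer request from this address?"""
        if self.transfer == "noxfr":
            return False                           # transfers disabled for everyone
        if self.transfer == "nonsecure":
            return True                            # any host may pull the whole zone
        return str(ip_address(requester)) in self.secure_list

    def notifies(self, secondary: str) -> bool:
        """Would the server send a NOTIFY to this secondary when the zone changes?"""
        if self.notify == "nonotify":
            return False
        if self.notify == "notify":
            # Assumption: the real server notifies the zone's NS-listed servers; this model
            # does not hold the NS set, so it treats every known secondary as notified.
            return True
        return str(ip_address(secondary)) in self.notify_list

    def command(self) -> str:
        """The dnscmd command line that applies this policy (the zone name is mandatory)."""
        parts = ["dnscmd", self.server, "/zoneresetsecondaries", self.zone, "/" + self.transfer]
        if self.transfer == "securelist":
            parts += self.secure_list
        parts.append("/" + self.notify)
        if self.notify == "notifylist":
            parts += self.notify_list
        return " ".join(parts)
```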

Change zone type using dnscmd

To reset a zone type at the command prompt, do the following.

1. Assume the server name is "dnsserver" and the zone name is "myrootdns.com".

2. To reset the zone from Active Directory-integrated (DS) type to standard primary, run

dnscmd dnsserver /zoneresettype myrootdns.com /primary /file myrootdns.dns


3. To change the type from primary to Active Directory-integrated (DS), run

dnscmd dnsserver /zoneresettype myrootdns.com /ds

Display All records in a zone using dnscmd

To print all the resource records in a zone at the command prompt, do the following.
1. Assume the DNS server is "dnsserver" and the DNS zone is "myrootdns.com".


zonewriteback using dnscmd

To write back a zone to its file at the command prompt, do the following.

1. Assume the DNS server name is "dnsserver" and the zone to be written back is "myrootdns.com".

dnscmd dnsserver /zonewriteback myrootdns.com

