
Sunday, March 1, 2009

Netdom - Verify Trust

It is often necessary to verify that a trust relationship, particularly an external trust, is working properly before relying on any cross-domain network resources. To verify a trust from the command line, do the following.



1. Assume the trusting and trusted domains are "myrootdns2003.com" and "myforesttest.com" respectively, and that their administrator passwords are "Mydns123" and "Myforest123".
2. Run the command below to verify the external trust.



netdom trust myrootdns2003.com /domain:myforesttest.com /userd:myforesttest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /verify




3. To verify a trust relationship between an Active Directory based Windows domain and a non-Windows Kerberos realm (assume the realm trust password is "Mytrust123"), run

netdom trust myrootdns2003.com /domain:myforesttest.com /userd:myforesttest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /verify /passwordt:Mytrust123
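The following is an added example and not part of the original post: it wraps the "netdom trust ... /verify" call above in a PowerShell function so that the two account passwords come from PSCredential objects (prompted with Get-Credential) instead of being typed in clear text into the console, and so that the outcome is returned as an object built from netdom's exit code rather than read off the screen. The domain and account names are the post's own assumptions; the function name and parameters are mine.

```powershell
# Added example (not from the original post): a PowerShell wrapper around
# "netdom trust <trusting> /domain:<trusted> ... /verify".
# Domain names and account names are the post's assumptions.

function Test-NetdomTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TrustingDomain,
        [Parameter(Mandatory)] [string] $TrustedDomain,
        [Parameter(Mandatory)] [pscredential] $TrustedCredential,   # account in the trusted domain  (/userd, /passwordd)
        [Parameter(Mandatory)] [pscredential] $TrustingCredential,  # account in the trusting domain (/usero, /passwordo)
        [string] $RealmTrustPassword                                # only for non-Windows Kerberos realms (/passwordt)
    )

    # netdom accepts the password only as an argument (or "*" for an interactive
    # prompt), so it is pulled out of the credential object just before the call.
    $netdomArgs = @(
        'trust', $TrustingDomain,
        "/domain:$TrustedDomain",
        "/userd:$($TrustedCredential.UserName)",
        "/passwordd:$($TrustedCredential.GetNetworkCredential().Password)",
        "/usero:$($TrustingCredential.UserName)",
        "/passwordo:$($TrustingCredential.GetNetworkCredential().Password)",
        '/verify'
    )
    if ($RealmTrustPassword) { $netdomArgs += "/passwordt:$RealmTrustPassword" }

    # Capture stdout and stderr together; the exit code is the reliable success signal.
    $output = & netdom.exe @netdomArgs 2>&1
    [pscustomobject]@{
        TrustingDomain = $TrustingDomain
        TrustedDomain  = $TrustedDomain
        Verified       = ($LASTEXITCODE -eq 0)
        ExitCode       = $LASTEXITCODE
        Output         = ($output | Out-String).Trim()
    }
}

# Usage with the post's assumed domains. Get-Credential prompts for the passwords,
# so they do not land in the console transcript or the PSReadLine history file.
$trusted  = Get-Credential -UserName 'myforesttest\Administrator'  -Message 'Trusted domain account'
$trusting = Get-Credential -UserName 'myrootdns2003\Administrator' -Message 'Trusting domain account'
$result = Test-NetdomTrust -TrustingDomain 'myrootdns2003.com' -TrustedDomain 'myforesttest.com' `
                           -TrustedCredential $trusted -TrustingCredential $trusting
if (-not $result.Verified) { Write-Warning "Trust verification failed:`n$($result.Output)" }
$result
```

The wrapper keeps the passwords out of shell history, but netdom itself still receives them on its command line, where they are visible to anyone who can read process command lines on that host for as long as netdom runs; for an interactive session the post's "/passwordd:* /passwordo:*" form, which makes netdom prompt, remains the simplest option.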

reset trust relationship

When a trust relationship is broken, it must be reset. The following shows how to reset a broken domain trust relationship from the Active Directory Domains and Trusts console.

1. Assume the trusting domain is "myrootdns2003.com" and the trusted domain is "myforesttest.com".
2. Open the "Active Directory Domains and Trusts" console by running "domain.msc".
3. Right-click the domain node "myrootdns2003.com" and select Properties.
4. In the "myrootdns2003.com" properties dialog, select the domain "myforesttest.com" and click Properties.
5. Click the Validate button in the "myforesttest.com" properties dialog.
6. If validation fails, a dialog box offers to reset the trust relationship. Follow the dialog to complete the reset.

netdom - reset trust

If a trust relationship between two domains is broken, it must be reset. netdom.exe is a command-line tool that can reset the trust. Follow the steps below.

1. Assume the trust exists between the domains "myrootdns2003.com" and "myforesttest.com", and that their administrator passwords are "Mydns123" and "Myforest123" respectively.
2. Run the command below to reset the trust.


netdom trust myrootdns2003.com /domain:myforesttest.com /userd:myforesttest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /reset


3. If the trust is between a Windows domain and a non-Windows Kerberos realm, run the command below to reset the trust:

netdom trust myrootdns2003.com /domain:myforesttest.com /userd:myforesttest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /reset /Passwordt:Mytrust123

Note: /passwordt must be supplied to reset a trust with a Kerberos realm.

Friday, February 27, 2009

manage trust using netdom

Netdom.exe is a tool for managing workstation membership in a domain and trust relationships between domains.
This post covers adding, removing and managing trusts between domains (forests).

To create an external trust (an external trust is a trust relationship between domains in different forests):

An external trust can also be defined as a trust from an Active Directory (AD) domain to a Windows NT domain or to a domain in another forest. Follow the instructions below to add an external trust from an AD domain to another forest or to a Windows NT domain.

1. First, assume the trusting domain is "myrootdns2003.com", the trusted domain is "mytestforest.com", the trusting domain administrator password is "Mydns123" and the trusted domain (forest) administrator password is "Myforest123".

2. Now run the command shown below to add a trust from "myrootdns2003.com" to "mytestforest.com".

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:Myforest123 /add

Output:
To improve the security of this external trust, security identifier (SID) filtering is enabled. However, if users have been migrated to the trusted domain and their SID histories have been preserved, you may choose to turn off this feature.
For more information about SID filtering and how to turn it off, see the help for netdom trust /FilterSids or see Help and Support.
The command completed successfully.
If you want to supply the trusting domain password along with the trusted domain password, which is needed when creating the trust from a remote machine, run

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\Administrator /passwordo:Mydns123 /add

You can also create the trust without putting the passwords on the command line, by running

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /add

Here netdom prompts interactively for the passwords used to connect to the trusting and trusted domains. This is the preferable form: a password given on the command line stays in the console history and is visible to anyone who can list running processes while netdom runs.

All the trusts created above are one-way, because by default a trust between two domains in different forests is one-way. A two-way external trust can be created with the /TwoWay option, as shown below.

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /add /TwoWay


The /Quarantine option sets the domain quarantine attribute (SID filtering) on an existing trust: if it is "yes", only SIDs from the directly trusted domain are accepted for authorization, and SIDs from any other domain are removed. Specifying /Quarantine without yes or no displays the current state.
To set quarantine on an existing trust, run

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /Quarantine:"yes"

To list the routed name suffixes of an existing external trust, run

netdom trust myrootdns2003.com /usero:myrootdns2003\administrator /passwordo:* /Quarantine:"yes" /NameSuffixes:mytestforest.com

Note:
1. The trust name is "mytestforest.com" as seen from the trusting domain "myrootdns2003.com".
2. The /Domain option is not required.
3. Because /Quarantine:"yes" is also present, this command sets the quarantine attribute as a side effect; leave it out if you only want to list the suffixes.
4. The trust name can be found with the netdom query command shown below.

netdom query /domain:myrootdns2003.com /userD:myrootdns2003\Administrator /passwordd:* trust


To change the status of a routed name suffix of a trust, run

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /Quarantine:"yes" /ToggleSuffix:1 /NameSuffixes:mytestforest.com

Here the number 1 selects the first name suffix, whose status is to be toggled.

To allow users migrated into the trusted forest from another forest to access resources in this forest using SID history, run

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /EnableSIDHistory:"yes"

By default, users migrated into the trusted forest cannot use SID history to access resources in this forest.

To enable selective authentication across the external trust, run

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /SelectiveAUTH:"yes"
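The /Quarantine, /EnableSIDHistory and /SelectiveAUTH switches above each change a security attribute of an existing trust, and the state they leave behind is worth auditing from time to time. The following is an added example, not part of the original post, that reads those attributes back with Get-ADTrust from the RSAT ActiveDirectory module (not with netdom) and flags external trusts on which SID filtering or selective authentication is off. It assumes the ActiveDirectory module is installed and that the caller can read trust objects in the named domain; the function name, the default domain (the post's trusting domain) and the finding texts are mine.

```powershell
# Added example (not from the original post): audit the trust attributes that
# netdom /Quarantine, /EnableSIDHistory and /SelectiveAUTH control, using the
# ActiveDirectory module. Assumes RSAT ActiveDirectory is installed.

Import-Module ActiveDirectory

function Get-TrustSecurityReport {
    [CmdletBinding()]
    param(
        # Domain whose trust objects are inspected; the post's trusting domain by default.
        [string] $Domain = 'myrootdns2003.com'
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $findings = @()

        # External (non-forest) trusts should keep SID filtering ("quarantine") on;
        # otherwise SIDs from outside the directly trusted domain are honoured.
        if (-not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) is disabled'
        }

        # Without selective authentication every user of the trusted domain becomes an
        # authenticated user here; /SelectiveAUTH:yes limits access to explicitly
        # permitted computers. Intra-forest trusts do not support the setting.
        if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
            $findings += 'selective authentication is not enabled'
        }

        [pscustomobject]@{
            Source                  = $_.Source
            Target                  = $_.Target
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware   # forest-trust counterpart, reported as-is
            SelectiveAuthentication = $_.SelectiveAuthentication
            Findings                = ($findings -join '; ')
        }
    }
}

# Usage: list every trust of the post's trusting domain and show only those with findings.
Get-TrustSecurityReport -Domain 'myrootdns2003.com' |
    Where-Object { $_.Findings } |
    Format-Table Source, Target, Direction, Findings -AutoSize
```

A trust that appears in the report after a "netdom trust ... /Quarantine:"no"" or "/EnableSIDHistory:"yes"" was run is not necessarily wrong, since both switches exist for migration scenarios, but each one widens what the trusted side can assert about its users, so the report is the place to confirm that the setting is still intended.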

To create a trust with a non-Windows Kerberos realm, run the following (assume the target non-Windows Kerberos realm is mytestforest.com)

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\administrator /passwordo:Mydns123 /add /REAlm /PasswordT:"mytrustpass"

Here /PasswordT is the new trust password that the Windows domain needs for any later change, update or reset of this trust.
To create the external trust on only one of the two sides, run the trust creation command with the /oneside option.

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\administrator /passwordo:Mydns123 /add /REAlm /PasswordT:"mytrustpass" /oneside:trusted

This creates (or removes) the trust on the "trusted" side only.

To specify that the Kerberos authentication protocol should be verified between the Windows and non-Windows domains, run

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:Myforest123 /usero:myrootdns2003\administrator /passwordo:Mydns123 /add /REAlm /PasswordT:"mytrustpass" /Kerberos

To remove the trust, run the command below

netdom trust myrootdns2003.com /domain:mytestforest.com /userd:mytestforest\Administrator /passwordd:* /usero:myrootdns2003\administrator /passwordo:* /remove

Wednesday, February 25, 2009

How to Join a domain

To join a machine to a domain, follow the instructions below.
1. Assume the domain this machine is going to join is "myrootdns2003.com".
2. Open My Computer, right-click it and select Properties.
3. In the My Computer properties, go to the Computer Name tab and click the "Change" button.
4. In the Computer Name Changes dialog, enter the domain name "myrootdns2003.com" that this machine will join and click OK.

5. Enter a user name and password with privileges to join machines to the target domain and click OK.

6. A pop-up dialog confirms that the domain join succeeded.
Relevant Posts:
Join a target domain on command line

Tuesday, February 24, 2009

remove machine from domain using netdom

To unjoin a DNS client machine from its domain on the command line, do the following.

1. Assume the domain the machine is joined to is "myrootdns2003.com", the machine name is "dnsclient", the domain user account is "Administrator" with password "Mydns123", and the local account on the dnsclient machine is "Administrator" with password "dnsclient123".
2. Now run the following command to remove the machine from the domain:

netdom remove dnsclient /domain:myrootdns2003.com /userd:Administrator /passwordd:Mydns123 /usero:Administrator /passwordo:dnsclient123


3. To unjoin the machine and reboot it afterwards (say with a 100-second delay), run

netdom remove dnsclient /domain:myrootdns2003.com /userd:Administrator /passwordd:Mydns123 /usero:Administrator /passwordo:dnsclient123 /REboot:100

Join domain using netdom

The following shows how to join a domain on the command line.

1. Assume the domain to be joined is "myrootdns2003.com", the machine joining it is "dnsclient", the domain user account is "Administrator" with password "Mydns123", and the local account on the dnsclient machine is "Administrator" with password "dnsclient123".

2. Now run the following command to add the machine "dnsclient" to the domain "myrootdns2003.com":

netdom join dnsclient /domain:myrootdns2003.com /userd:Administrator /passwordd:Mydns123 /usero:Administrator /passwordo:dnsclient123

To reboot the machine a given time (say 100 seconds) after joining the domain, run

netdom join dnsclient /domain:myrootdns2003.com /userd:Administrator /passwordd:Mydns123 /usero:Administrator /passwordo:dnsclient123 /REBoot:100

A reboot message box appears.

Notes:
1. Check that the domain "myrootdns2003.com" and the FQDN dnsserver2003.myrootdns2003.com are pingable from the dnsclient machine.
2. Sometimes a firewall blocks the domain join, so check that the firewall is disabled before joining.
3. NetDom needs access to ports 135 and 139 to join the domain. Check that the target domain machine listens on these ports.
4. Check that the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\EnableLUA is set to 1.
Relevant Posts:
Un-join client from domain on command line
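The notes above list the checks to make before a "netdom join": name resolution and ping for the domain and the domain controller, reachability of ports 135 and 139, and the EnableLUA registry value. The following is an added example, not part of the original post, that runs those checks from PowerShell on the client and returns one row per check, so a failed join can be traced to the failing prerequisite rather than guessed at. The domain and domain controller names are the post's own assumptions; the function name, the SRV-record lookup and the result layout are mine.

```powershell
# Added example (not from the original post): pre-join checks for "netdom join",
# one result row per check. Host names are the post's assumptions.

function Test-DomainJoinPrerequisites {
    [CmdletBinding()]
    param(
        [string] $Domain           = 'myrootdns2003.com',
        [string] $DomainController = 'dnsserver2003.myrootdns2003.com',
        [int[]]  $Ports            = @(135, 139)   # ports the post says NetDom needs
    )

    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check($Name, $Passed, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail })
    }

    # 1. A domain controller for the domain is published in DNS (LDAP SRV record).
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        Add-Check 'DC SRV record' ($srv.Count -gt 0) (($srv | ForEach-Object NameTarget) -join ', ')
    } catch {
        Add-Check 'DC SRV record' $false $_.Exception.Message
    }

    # 2. The domain name and the DC FQDN answer to ping (note 1 above).
    foreach ($target in @($Domain, $DomainController)) {
        $up = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
        Add-Check "ping $target" $up $(if ($up) { 'reachable' } else { 'no reply: host down, name not resolved, or ICMP blocked' })
    }

    # 3. The ports NetDom needs are open on the DC (notes 2 and 3); a closed port usually means a firewall.
    foreach ($port in $Ports) {
        $tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        Add-Check "TCP $port on $DomainController" $tcp.TcpTestSucceeded $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'blocked or not listening' })
    }

    # 4. The EnableLUA value the post asks you to check (note 4).
    $luaKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $luaKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    Add-Check 'EnableLUA = 1' ($lua -eq 1) "EnableLUA is '$lua'"

    return $checks
}

# Usage: run on the client before "netdom join"; any row with Passed = False is what to fix first.
$results = Test-DomainJoinPrerequisites -Domain 'myrootdns2003.com' -DomainController 'dnsserver2003.myrootdns2003.com'
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning 'Fix the failed prerequisites before joining the domain.' }
```

Test-NetConnection and Resolve-DnsName ship with Windows 8 / Server 2012 and later; on an older client the port checks can be replaced with a System.Net.Sockets.TcpClient connect attempt and the SRV lookup with nslookup, with the same pass/fail logic.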
