Networking

Configure IT Quick: Manage Windows trusts from the command line with Netdom.exe

With a few lines of syntax, you can achieve with Netdom.exe what would likely take a lot of clicks in the GUI.


Netdom.exe is a useful command line tool that ships in the Windows 2000 Resource Kit and is included in the \support\tools folder on the Windows 2000 CD. (The Windows 2000 edition of Netdom is version 2.0. There is also an edition for Windows NT 4, which is version 1.8.) Netdom is often thought of as the command line tool of choice when establishing or reviewing trust relationships between Windows domains. While this is true, Netdom can also do various other jobs, such as joining member machines to a domain and creating computer accounts in a domain.

The attraction in using the Netdom utility lies in the fact that with a few lines of syntax you can achieve what would likely take a lot of clicks in the GUI. It is also faster because it doesn’t have the processing overhead a GUI does. (That said, on today’s faster machines, the GUI overhead is going to be negligible.) Of course, some folks in IT just prefer doing as much administration as possible from a command line (for instance, administrators from a UNIX background). Whatever your motivation, I’m going to look at how you can use Netdom to work with Windows domains.

Using Netdom with trusts
An important concept to grasp from the outset is that of the "object" and the "domain." In the context of establishing new trust relationships between domains, the trusting domain is the "object" and the domain that will be trusted is the "domain." Just think of it as a labeling system allowing the operating system to distinguish between the different elements. In the case of a new trust, the trusted domain becomes the "domain" and the trusting domain becomes the "object."

As far as syntax goes, here is what Netdom looks like:
netdom <command>

Here, the possible commands are: Add, Join, Move, Remove, Reset, Verify, Trust, Query, and Time. In this section, you’re obviously dealing with the Trust command. Here’s a first example:
netdom trust /d:B.com A.com

Now you’ve got to specify a few more parameters, namely which administrative accounts and passwords you’re dealing with. In the case of Trust relationships, you have two pairs of variables:
/ou: and /po:
/ud: and /pd:

The first pair refers to the object’s user account and password and the second item refers to the domain’s user account and password.

You already know which component applies to the trusting vs. the trusted domain (see above), so let’s go ahead and tap out some syntax that will build a trust between two existing domains, as shown in Listing A.

Here, 1.com's administrator is admin1 and 2.com's is admin2, which use passwords 1com and 2com, respectively. Notice the /add switch, which, in this example, tells Netdom that 2.com will trust 1.com.

It’s a good idea to switch on the /verbose option because the syntax can get a little tricky, especially if you’re relatively new to it. Building a Netdom command can be complex, and /verbose will help you to figure out where you went wrong if you get an error message that Netdom doesn't work.

Another neat feature is that you can add a two-way trust as well, and it’s a piece of cake to do so. Basically you’d take the command line you used above and tack the /twoway switch on the end, as shown in Listing B.

So, you’ve established a trust relationship between two domains and now you need to know how to break it should you need to. Again, building the command to break a trust is easy because it’s the same as above except that you change the /add switch to /remove, so it all looks like Listing C.

And if you’d set the trust up as a two-way trust, then you’d just insert the /twoway switch at the end again, as shown in Listing D.

If you start using Netdom commands regularly, then you’ll want some way to check that everything’s okay with your command line operations and that the trusts work and can be verified to work. You use the /verify switch to achieve this:
netdom trust /d:1.com 2.com /verify

This command will check the synchronization of shared secrets between domains 1.com and 2.com. Specifically, it will check the one-way trust that 2.com has for 1.com. If you have a two-way trust, then simply insert the /twoway switch at the end of the /verify command:
netdom trust /d:1.com 2.com /verify /twoway

If, for any reason, the trusts you build cannot be verified, then you can re-synchronize the shared domain secrets using another switch, /reset:
netdom trust /d:1.com 2.com /ud:admin2@2.com /reset

You would then reissue the command that verifies the trust relationship.

Using Netdom to add machine account to a domain
Netdom can be used to create computer accounts in an Active Directory structure. Much of the syntax is similar to what you used when establishing trust relationships. However, instead of "netdom trust," you’ll now use "netdom join" as the starting point. Here’s the anatomy of the command line you need to build to join a machine to an existing domain:
Netdom join <computer> /Domain:<domain> /OU:<ou path> /UserD:<user> /PasswordD:<password> * UserO:<user> /PasswordO:<password> * /reboot:<Time in seconds>

Here’s a breakdown of the syntax arguments:
  • <computer> is the name of the workstation or member server to be joined.
  • /Domain specifies the domain that the machine should join.
  • /UserD is the user account used to make the connection with the domain specified by the /Domain argument.
  • /PasswordD is the password of the user account specified by /UserD. Use * to prompt for the password.
  • /UserO is the user account used to make the connection with the machine to be joined.
  • /PasswordO is the password of the user account specified by /UserO. Again, use * to prompt for the password
  • /OU refers to the organizational unit under which you create the machine account.
  • /reboot specifies that the machine should be shutdown and automatically rebooted after the Join has completed. The number of seconds before automatic shutdown can also be provided. The default is 30 seconds.

Here's a full example:
Netdom join \\mywin2kstation /Domain:1.com /UserD:admin1 /PasswordD:*�� UserO:admin2 /PasswordO:*� /reboot:15

In this example, I’m joining machine mywin2kstation to the domain 1.com using the account admin1 on the source machine to connect to the domain. User account admin2 will connect the domain to my machine and after all is said and done, I have forced a reboot 15 seconds later. The asterisks will prompt for both passwords when necessary.

Notice that I didn’t use the /OU argument in my command. This will force the machine account to be created in the default organizational unit in Active Directory. If you do use the /OU command, then it must, in Microsoft’s words, “be fully RFC 1779 compliant.” This just means you have to use the distinguished names and relative distinguished path names naming convention when specifying the OU to which the machine account will be added. If you want more information on this, check out this RFC 1779 Web site.

Summary
I've introduced you to Netdom, and shown you how to use the trust and join options. Although the syntax is a bit complex and it takes some practice, Netdom can help you quickly drill down into configuration details when setting up and administering Windows domains. I also recommend that you experiment with the other Netdom options and look at the help files for some examples of how to use them.

Editor's Picks

Free Newsletters, In your Inbox