Netdom trust
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 8
Establishes, verifies, or resets a trust relationship between domains.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).
To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Important
Netdom cannot be used to create a forest trust between two AD DS forests. To create an across-forest trust between two AD DS forests, you can either use a scripting solution or the Active Directory Domains and Trusts snap-in.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][/SecurePasswordPrompt] [/EnableTgtDelegation] [{/help | /?}]
Parameters
Parameter |
Description |
---|---|
<TrustingDomainName> |
Specifies the name of the trusting domain. |
{/d: | /domain:}<TrustedDomainName> |
Specifies the name of the trusted domain. If you do not specify this parameter, then netdom trust uses the domain to which the current computer belongs. |
{/ud: | /userd:}[<Domain>\]<User>] |
Specifies the user account to use to make the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, then netdom trust uses the current user account. |
/pd:{<Password>|*} |
Specifies the password of the user account that you specify in the /ud or /userd: parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password. |
{/uo: | /usero:}<User> |
Specifies the user account to use to make the connection with the trusting domain. If you do not specify this parameter, then netdom trust uses the current user account. |
{/po: | /passwordo:}{<Password>|*} |
Specifies the password of the user account that you specify in the /uo or /usero parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password. |
/verify |
Verifies the secure channel secrets upon which a specific trust relationship is based. |
/reset |
Resets the trust secret between trusted domains or between the domain controller and the workstation. |
/passwordt:<NewRealmTrustPassword> |
Specifies a new trust password. This parameter is valid only if you specify the /add parameter, and only if one of the domains that you specify is a non-Windows, Kerberos realm. You set the trust password on the Windows domain only, which means that you do not need credentials for the non-Windows domain. |
/add |
Specifies to create a trust. |
/realm |
Specifies to create the trust for a non-Windows, Kerberos realm. This parameter is valid only if you specify the /add and /passwordt parameters. |
/remove |
Specifies to break a trust. |
/force |
Removes from the forest both the trusted domain object and the cross-reference object for the domain that you specify. You use this parameter to clean up decommissioned domains that you no longer use and that you cannot remove by using the Active Directory Installation Wizard. This problem can occur if the domain controller for a decommissioned domain is disabled or damaged and there are no additional domain controllers, or if you cannot recover a decommissioned domain controller from backup media. This parameter is valid only if you specify the /remove parameter. |
/twoway |
Specifies to establish a two-way trust relationship rather than a one-way trust relationship. |
/kerberos |
Specifies to exercise the Kerberos protocol between a workstation and a destination domain. This parameter is valid only if you specify the /verify parameter. |
/transitive[:{YES|NO}] |
Specifies to set either a transitive or non-transitive trust. This parameter is valid only for a non-Windows, Kerberos realm. Netdom trust creates non-Windows, Kerberos trusts that are non-transitive. If you do not specify a value for this parameter, then netdom trust displays the current transitivity state. The following list shows the values that you can specify.
Note |
/oneside:{TRUSTED| TRUSTING} |
Specifies to create or remove the trust object on only one domain. The following list shows the values that you can specify.
|
/quarantine[:{YES | NO}] |
Sets or clears the domain quarantine attribute. If you do not specify a value for this parameter, then netdom trust displays the current quarantine state. The following list shows the values that you can specify.
|
/namesuffixes:<TrustName> |
Lists the routed name suffixes for TrustName on the domain that TrustingDomainName names. You can use the /usero and /passwordo parameters for authentication. The /domain parameter is not required. |
/togglesuffix:# |
Changes the status of a name suffix. Used with the /namesuffixes parameter. The number of the name entry specified by the /namesuffixes parameter must be provided to indicate which name will have its status changed. Names that are in conflict cannot have their status changed until the name in the conflicting trust is disabled. Always precede this command with the /namesuffixes parameter because LSA will not always return the names in the same order. |
/EnableSIDhistory |
Specifying yes allows users who migrate to the trusted forest from any other forest to use SID history to access resources in this forest. Valid only for an outbound forest trust. Note Allow migrated users to use SID history only if you can trust the trusted forest administrators to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying no would disable the ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying /EnableSIDHistory without yes or no will display the current state. |
/ForestTRANsitive |
Specifying yes marks this trust as forest transitive. Specifying no marks this trust as not forest transitive. Specifying /ForestTRANsitive without yes or no will display the current state of this trust attribute. Valid only for non-Windows realm trusts and can only be performed on the root domain for a forest. |
/SelectiveAUTH |
Specifying no disables selective authentification across this trust. Specifying /SelectiveAUTH without yes or no displays the currrent state of this trust attribute. Specifying yes enables selective authentification across this trust. Valid only on outbound forest and external trusts. |
/AddTLN |
Adds the specified top level name (DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes. |
/AddTLNEX |
Adds the specified top level name exclusion(DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes. |
/RemoveTLN |
Removes the specified top level name (DNS name suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes. |
/RemoveTLNEX |
Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes. |
/SecurePasswordPrompt |
Use secure credentials popup to specify credentials. This option should be used when smart card credentials are required. This option is only in effect when the password valued is supplied as *. |
/EnableTgtDelegation |
Set to no to disable Kerberos full delegation on outbound forest trusts. This prevents services in the other forests from receiving forwarded TGTs. Warning: By setting EnableTgtDelegation to No, services in the other forests with “Trust this computer/user for delegation to any service” configured will not be able to use Kerberos full delegation with any account in this forest to any service. |
{/help | /?} |
Displays help at the command prompt. |
Examples
When used with the Trust operation, the /d: parameter always refers to the trusted domain.
To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following command at the command prompt:
netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
When you press ENTER, you see the following prompt:
Password for Northamerica\admin:
Enter the password for Northamerica\admin. When you press ENTER, you see the following prompt:
Password for USA-Chicago\admin:
Type the password for USA-Chicago\admin, and then press ENTER.
The user must have credentials for both domains. You can use the /pd parameter to specify the password for Northamerica\admin and the /po parameter to specify the password for USA-Chicago\admin. If the user does not provide passwords at the command prompt, the user is prompted for both.
If you want to specify a two-way trust, type the following command at the command prompt
netdom trust /d:marketing.contoso.com engineering.contoso.com /add /twoway /Uo:admin@engineering.contoso.com /Ud:admin@marketing.contoso.com
To establish a one-way trust where Northamerica trusts the non-Windows, Kerberos realm ATHENA, type the following command at the command prompt:
netdom trust /d:ATHENA Northamerica /add /PT:password /realm
The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows, Kerberos realm. The order of the domains is not important. You can supply credentials to the Windows 2000 domain, if needed.
Note
Verifying a specific trust relationship requires credentials unless the user has domain administrator privileges on both domains.
If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following command at the command prompt:
netdom trust /d:Northamerica ATHENA /add
Note
To establish a two-way trust, you can specify the /twoway parameter.
Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as transitive, type the following command at the command prompt:
netdom trust Northamerica /d:ATHENA /trans:yes
To display the transitive state, type the following command at the command prompt:
netdom trust Northamerica /d:ATHENA /trans
The order of these two domains is not important. Either can be the non-Windows, Kerberos domain.
To undo the trust that USA-Chicago has for Northamerica, type the following command at the command prompt:
netdom trust /d:Northamerica USA-Chicago /remove
To break a two-way trust relationship, type the following command at the command prompt:
netdom trust /d:marketing.contoso.com Engineering.contoso.com /remove /twoway /Uo:admin@engineering.contoso.com /Ud:admin@marketing.contoso.com
To verify the one-way trust that USA-Chicago has for Northamerica, type the following command at the command prompt:
netdom trust /d:Northamerica USA-Chicago /verify
To verify a two-way trust between the Northamerica and Europe domains, type the following command at the command prompt:
netdom trust /d:Northamerica EUROPE /verify /twoway
The /verify parameter checks that the appropriate shared secrets are synchronized between the two domains involved in the trust.
To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following command at the command prompt:
netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset
The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
To verify that Kerberos authentication occurs successfully between a workstation and a service that is located in the domain devgroup.example.com, type the following command at the command prompt:
netdom trust /d:devgroup.example.com /verify /KERBEROS
When you use the netdom Trust operation with the /verify /kerberos parameters, the trust operation searches for a session ticket for the Kerberos Admin service in the target domain. If the search operation is successful, you can conclude that all Kerberos operations, such as KDC referrals, operate correctly between the workstation and the target domain.
Note
You cannot run this trust operation from a remote location. You must run the operation on the workstation that you want to test.
To list the routed name suffixes for the trust between contoso and the trustpartnerdomain, type the following command at the command prompt:
netdom trust contoso /namesuffixes:trustpartnerdomain
Note
The /d parameter is not needed for this operation which is an exception from other Trust operations.
This lists all the routed name suffixes for the trust relationship between contoso and the trustpartnerdomain. The trust relationship must be either a Forest Trust relationship or a Non-Windows Realm trust with the Forest Transitive attribute set.
The following is sample output:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /namesuffixes:powermatic
Name, Type, Status, Notes
1. *.treyresearch.net, Name Suffix, Enabled
2. *.powermatic.nttest.contoso.com, Name Suffix, Enabled
3. *.adatum.com, Name Suffix, Enabled
4. *.cpandl.com, Name Suffix, Conflicting, With shasandom2.nttest.contoso.com
5. unisaw.powermatic.nttest.contoso.com, Domain DNS name, Enabled
6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.contoso.
com
7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powermatic.nttest.contoso.com
8. powermatic.nttest.contoso.com, Domain DNS name, Enabled
9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.contoso.com
10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermati
c.nttest.contoso.com
The command completed successfully.
To enable or disable the first routed name suffix in the list generated by the previous command, type the following command at the command prompt:
netdom trust myTestDomain /namesuffixes:foresttrustpartnerdomain /togglesuffix:1
Note
You must use the /ToggleSuffix parameter with the /NameSuffixes parameter. Use /NameSuffixes immediately before you use /ToggleSuffix because the order in which the name suffixes are listed may change.
The following is sample output:
Note
The output reflects the routed name suffix list after the Toggling operation.
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:powermatic /ts:1
Name, Type, Status, Notes
1. *. Treyresearch.net, Name Suffix, Admin-Disabled
2. *.powermatic.nttest.contoso.com, Name Suffix, Enabled
3. *. adatum.com, Name Suffix, Enabled
4. *. cpandl.com, Name Suffix, Conflicting, With shasandom2.nttest.contoso.com
5. unisaw.powermatic.nttest.contoso.com, Domain DNS name, Enabled
6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.contoso.
com
7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powermatic.nttest.contoso.com
8. powermatic.nttest.contoso.com, Domain DNS name, Enabled
9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.contoso.com
10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermatic.nttest.contoso.com
The command completed successfully.
To add the DNS name suffix contoso.com to the Forest Trust Info with trustpartnerdomain, type the following command at the command prompt:
Netdom trust myTestDomain /d:trustPartnerDomain /AddTln:contoso.com
Adding the DNS name suffix is only allowed for a trust with a Forest Transitive, Non-Windows Realm Trust. This is also true for the following commands:
Netdom trust myTestDomain /d:trustPartnerDomain /RemoteTln:contoso.com
Netdom trust myTestDomain /d:trustPartnerDomain /AddTLNEx:something.contoso.com
This must have a TLN entry present for the parent naming context, in this case, contoso.com, otherwise the operation is disallowed.)
Netdom trust myTestDomain /d:trustPartnerDomain /RemoveTLNEx:something.contoso.com
The following code lists the name suffixes on a Non-Windows Realm Trust:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:server.mit.org
Name, Type, Status, Notes
1. *.cpandl.com, Name Suffix, Enabled
2. *.adatum.com, Name Suffix, Enabled
The command completed successfully.
The following code adds another TLN:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:domain.mit.org /addtln:dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.
The command completed successfully.
The following code adds an invalid TLN exclusion:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:domain.mit.org /addtlnex:dude.com
The Forest Trust Info for the specified trust could not be stored.
The parameter is incorrect.
Try "netdom HELP" for more information.
The following code adds a valid TLN exclusion:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:domain.mit.org /addtlnex:child.contoso.com
The TLN or Exclusion was successfully added to the Forest Trust Info.
The command completed successfully.
The following code shows the result of previous operations:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:server.mit.org
Name, Type, Status, Notes
1. *.child.contoso.com, Exclusion
2. *.cpandl.com, Name Suffix, Enabled
3. *.adatum.com, Name Suffix, Enabled
4. *.contoso.com, Name Suffix, Enabled
The command completed successfully.
The following examples show how to enable and disable the /EnableTgtDelegation option:
C:\> Netdom trustedDomain /d: trustingdomain /EnableTgtDelegation
TGT Delegation is disabled.
C:\> Netdom trustedDomain /d: trustingdomain /EnableTgtDelegation: no
Disabling TGT Delegation.
C:\> Netdom trustedDomain /d: trustingdomain /EnableTgtDelegation: no
TGT Delegation is already disabled.
C:\> Netdom trustedDomain /d: trustingdomain /EnableTgtDelegation: yes
Enabling TGT Delegation
C:\> Netdom trustedDomain /d: trustingdomain /EnableTgtDelegation: yes
TGT Delegation is already enabled
C:\> Netdom trustedDomain /d: trustingdomain /EnableTgtDelegation
TGT Delegation is enabled.