March 01, 1999 12:00 AM

NETDOM

Windows IT Pro
InstantDoc ID #4982
Command-line trust control

Anyone who manages a large network knows that although Windows NT provides a broad suite of administrative tools, the tools' GUIs can be a pain. The fact that User Manager for Domains is a GUI tool is wonderful for first-time administrators, because they can leverage skills they learned playing Solitaire when they maintain their network. But User Manager for Domains isn't fit for administering hundreds of user accounts because you can't automate the tool's functions.

One administrative function that has always been difficult to automate is fixing broken trusts. However, the NETDOM utility in Microsoft Windows NT Server 4.0 Resource Kit, Supplement Two can maintain trust relationships. NETDOM lets you build new trust relationships and reset existing trusts from the command line.

Think about how you build trust relationships without NETDOM. Suppose your network contains two domains—TRUSTED and TRUSTING—and you want to create a trust relationship that makes TRUSTING trust TRUSTED. To create this trust, you need an administrative account in the TRUSTING and TRUSTED domains. Log on to a TRUSTING domain controller with your TRUSTING administrative account, and log on to a TRUSTED domain controller with your TRUSTED administrative account. Then, fire up User Manager for Domains, point the tool at the TRUSTED domain, and tell User Manager for Domains that TRUSTING can trust TRUSTED. Refocus User Manager for Domains on the TRUSTING domain, and NT sets TRUSTING to trust TRUSTED. Whew!

NETDOM's approach is easier. Like User Manager for Domains, NETDOM requires you to have two administrative accounts, one in TRUSTED and one in TRUSTING. NETDOM sometimes becomes confused if your username in TRUSTED is the same as your username in TRUSTING and the two accounts have different passwords. You can avoid the problem by giving the two accounts identical names and identical passwords, but a password shared across domains means one compromised account opens both; using different account names in the two domains avoids the confusion without that risk, so I recommend that route.

NETDOM accepts the username and password for your TRUSTING account but not for your TRUSTED account; I'm not sure why NETDOM has this discrepancy. However, you can use the old NET USE ... IPC$ trick to establish your credentials in the TRUSTED domain before you run NETDOM. Leave the password off the command line and NET USE prompts for it, so it never appears in a process list or command history. Just type

net use \\<name_of_PDC_in_TRUSTED_domain>\IPC$ /user:TRUSTED\<your_username>

Or you can run NETDOM from a domain administrator account in TRUSTED, in which case you don't need to use NET USE to connect to the IPC$ share.

Suppose the name of your administrative account in TRUSTING is admin and the account's password is swordfish. If you're logged on as a TRUSTED administrator, you make TRUSTING trust TRUSTED by typing

netdom /domain:TRUSTING /user:TRUSTING\admin /password:swordfish master TRUSTED /trust

That's a long command line, and note that the TRUSTING password rides on it in clear text: anyone who can list your processes can read it, and it lands in whatever history or job logs your shell or scheduler keeps, so don't embed it in scripts you leave lying around. The command boils down to

netdom <info_about_the_trusting_domain> master <name_of_the_trusted_domain> /trust

You might be thinking, "So what? I rarely build trusts." But NETDOM does more than build trust relationships; it also rebuilds them. If you come to work one morning and find domain controllers complaining that they can't establish a link with a trusted domain, what do you do? Until now, your best option was to reboot the domain controller, not a great answer for a production server, and your worst option was to tear down and re-create the trust relationship. NETDOM offers a better solution than either: run the same NETDOM ... master ... /trust command against the existing trust, and NETDOM resets the relationship in a flash. As a bonus, NETDOM breaks trust relationships, too. For example, type

netdom /domain:TRUSTING /user:TRUSTING\admin /password:swordfish master TRUSTED /delete
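The whole sequence (NET USE to the TRUSTED PDC's IPC$ share, NETDOM MASTER against TRUSTING with /trust to build or reset the trust or /delete to break it, then dropping the IPC$ session) can be wrapped in one cmd.exe batch file. The script below is an added example and is not from the original article or the Resource Kit. It keeps the article's TRUSTING and TRUSTED domain names; the PDC name, the two account names and the TRUSTING password are parameters, and the script assumes NETDOM returns a non-zero exit code when it fails, which you should confirm on your own build before relying on the check.

```batch
@echo off
REM nettrust.cmd - added example, not from the original article or the
REM Resource Kit. Wraps the three steps described above: open an IPC$ session
REM to the TRUSTED PDC as a TRUSTED administrator, run NETDOM MASTER for the
REM TRUSTING domain, then drop the session so no credentialed connection is
REM left behind. Domain names TRUSTING and TRUSTED follow the article; the PDC
REM name and account names are parameters. Assumes NETDOM sets a non-zero exit
REM code when it fails.
REM
REM Usage: nettrust.cmd trusted_pdc trusted_admin trusting_admin trusting_password action
REM        action is "trust" (build or reset the trust) or "delete" (break it)

setlocal
if "%5"=="" goto usage
set TRUSTED_PDC=%1
set TRUSTED_ADMIN=%2
set TRUSTING_ADMIN=%3
set TRUSTING_PWD=%4
set ACTION=%5
if "%ACTION%"=="trust" goto run
if "%ACTION%"=="delete" goto run
goto usage

:run
REM Step 1: TRUSTED credentials. No password on the line, so NET USE prompts
REM for it instead of exposing it in the process list or command history.
net use \\%TRUSTED_PDC%\IPC$ /user:TRUSTED\%TRUSTED_ADMIN%
if errorlevel 1 goto nosession

REM Step 2: NETDOM takes the TRUSTING credentials itself. The password is
REM unavoidably on this command line, which is why the script takes it as a
REM parameter rather than hard-coding it in the file.
netdom /domain:TRUSTING /user:TRUSTING\%TRUSTING_ADMIN% /password:%TRUSTING_PWD% master TRUSTED /%ACTION%
if errorlevel 1 goto failed
echo NETDOM /%ACTION% completed for the TRUSTING/TRUSTED trust.
goto cleanup

:failed
echo NETDOM /%ACTION% failed; see the NETDOM output above.
goto cleanup

:cleanup
REM Step 3: tear down the IPC$ session whatever happened in step 2.
net use \\%TRUSTED_PDC%\IPC$ /delete
goto end

:nosession
echo Could not open \\%TRUSTED_PDC%\IPC$ as TRUSTED\%TRUSTED_ADMIN%; NETDOM not run.
goto end

:usage
echo Usage: %0 trusted_pdc trusted_admin trusting_admin trusting_password trust
echo    or: %0 trusted_pdc trusted_admin trusting_admin trusting_password delete

:end
endlocal
```

Run it interactively from a console on a TRUSTED domain member (for example, `nettrust.cmd TRUSTEDPDC tadmin admin swordfish trust` to build or reset the trust, and `... delete` to break it); the TRUSTED password is typed at the NET USE prompt. Because the TRUSTING password is a script argument, it is still visible to anyone who can list processes while NETDOM runs, which is the reason for not running this from a scheduled job or leaving the password in a file.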

In a future column, I'll look at some of NETDOM's other functions. But don't wait to play around with NETDOM.


Comments
  • Hans (Aug 11, 2008)

    I just figured out a problem I have been working on for over a day, and I just want to save everyone the trouble of having the same problem. I tried to set up a domain trust between Win 2K3 R2 servers over a router and had all communication working fine, DNS set up properly, no firewall rules blocking anything.

    But when I tried to set up a domain trust, I had the problem that the command netdom trust would fail with the message

    "The specified domain either does not exist or could not be contacted"

    The reason for the problem was as simple as it was annoying:

    When the specified domain name is not an FQDN, e.g. "domain" instead of "domain.local", Windows will only try to find the DC via NetBIOS/WINS, and not even bother trying via DNS. This, and the fact that it had already worked for me before (though I had not remembered that one server was multi-homed before), made me try for at least a day, not being able to solve the problem. Finally I used a network sniffer to see what was happening, set up WINS to point to the other server, and it worked for me...

  • Anonymous User (Aug 17, 2005)

    Any ideas on how to use netdom to repair failed Trust on a workstation? We have about a hundred machines where this has happened (long story) and I'm looking for a simple fix.

  • Eric Kimminau (Jul 07, 2004)

    Hi! I have a Win2000 to Win2003 (2000 compatibility level, not 2003 native) trust. My 2003 server was an eval which I upgraded (fresh install) to a release 2003 enterprise server. I cannot rebuild the trust because the 2000 server says it still exists. I have tried using netdom without success as follows:
    C:\Documents and Settings\Administrator>netdom trust 2003DOM /Domain:2000DOM /userD:Administrator /PasswordD:pword /UserO:Administrator /PasswordO:pword /remove /force
    The system cannot find the file specified.
    The command failed to complete successfully.

    C:\Documents and Settings\Administrator>netdom trust 2000DOM /Domain:2003DOM /userD:Administrator /PasswordD:pword /UserO:Administrator /PasswordO:pword /remove /force
    The system cannot find the file specified.
    The command failed to complete successfully.

    And then trying to create it I get:
    C:\Documents and Settings\Administrator>netdom trust 2000DOM /Domain:2003DOM /userD:Administrator /PasswordD:pword /UserO:Administrator /PasswordO:pword /add /twoway /force
    The specified domain either does not exist or could not be contacted.
    The command failed to complete successfully.

    I can ping, authenticate and map to the 2003 domain from the 2000 domain and vice versa. I just can't get a trust relationship built. So far the only solution I have been able to find is to now completely reload the 2000 domain controller. Anyone else have other solutions? Where is all trust information stored? Can I navigate a file system or the registry and remove the info manually somehow? Thanks!

  • BangIntimex (Mar 14, 2004)

    Now we have two servers; we installed one server as domain Intimex.com and one server as domain Intimexse.com. We want to use only one domain: Intimex.com. Help me!

  • Jorge (Nov 18, 2003)

    How about including a download link to the tool mentioned in your article?
