Code:
http://technet.microsoft.com/en-us/library/cc835085%28WS.10%29.aspx#BKMK_examples
Netdom trust
Updated: March 11, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
Establishes, verifies, or resets a trust relationship between domains.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely.
To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax:
Code:
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}
[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: |
/passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add
[/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED |
TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]]
[/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN]
[/RemoveTLNEX][{/help | /?}]
Examples:
When used with the Trust operation, the /d: parameter always refers to the trusted domain.
To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following command at the command prompt:
Code:
netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
When you press ENTER, you see the following prompt:
Code:
Password for Northamerica\admin:
Enter the password for Northamerica\admin. When you press ENTER, you see the following prompt:
Code:
Password for USA-Chicago\admin:
Type the password for USA-Chicago\admin, and then press ENTER.
The user must have credentials for both domains. You can use the /pd parameter to specify the password for Northamerica\admin and the /po parameter to specify the password for USA-Chicago\admin. If the user does not provide passwords at the command prompt, the user is prompted for both.
If you want to specify a two-way trust, type the following command at the command prompt:
Code:
netdom trust /d:marketing.example.com engineering.example.com /add /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com
To establish a one-way trust where Northamerica trusts the non-Windows, Kerberos realm ATHENA, type the following command at the command prompt:
Code:
netdom trust /d:ATHENA Northamerica /add /PT:password /realm
The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows, Kerberos realm. The order of the domains is not important. You can supply credentials to the Windows 2000 domain, if needed.
Note Verifying a specific trust relationship requires credentials unless the user has domain administrator privileges on both domains.
If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following command at the command prompt:
Code:
netdom trust /d:Northamerica ATHENA /add
Note To establish a two-way trust, you can specify the /twoway parameter.
Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as transitive, type the following command at the command prompt:
Code:
netdom trust Northamerica /d:ATHENA /trans:yes
To display the transitive state, type the following command at the command prompt:
Code:
netdom trust Northamerica /d:ATHENA /trans
The order of these two domains is not important. Either can be the non-Windows, Kerberos domain.
To undo the trust that USA-Chicago has for Northamerica, type the following command at the command prompt:
Code:
netdom trust /d:Northamerica USA-Chicago /remove
To break a two-way trust relationship, type the following command at the command prompt:
Code:
netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com
To verify the one-way trust that USA-Chicago has for Northamerica, type the following command at the command prompt:
Code:
netdom trust /d:Northamerica USA-Chicago /verify
To verify a two-way trust between the Northamerica and Europe domains, type the following command at the command prompt:
Code:
netdom trust /d:Northamerica EUROPE /verify /twoway
The /verify parameter checks that the appropriate shared secrets are synchronized between the two domains involved in the trust.
To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following command at the command prompt:
Code:
netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset
The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
To verify that Kerberos authentication occurs successfully between a workstation and a service that is located in the domain devgroup.example.com, type the following command at the command prompt:
Code:
netdom trust /d:devgroup.example.com /verify /KERBEROS
When you use the netdom Trust operation with the /verify /kerberos parameters, the trust operation searches for a session ticket for the Kerberos Admin service in the target domain. If the search operation is successful, you can conclude that all Kerberos operations, such as KDC referrals, operate correctly between the workstation and the target domain.
Note You cannot run this trust operation from a remote location. You must run the operation on the workstation that you want to test.
To list the routed name suffixes for the trust between myTestDomain and the trustpartnerdomain, type the following command at the command prompt:
Code:
netdom trust myTestDomain /namesuffixes:trustpartnerdomain
Note The /d parameter is not needed for this operation, which is an exception from other Trust operations.
This lists all the routed name suffixes for the trust relationship between myTestDomain and the trustpartnerdomain. The trust relationship must be either a Forest Trust relationship or a Non-Windows Realm trust with the Forest Transitive attribute set.
The following is sample output:
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /namesuffixes:powermatic
Name, Type, Status, Notes
1. *.flotsam.org, Name Suffix, Enabled
2. *.powermatic.nttest.contoso.com, Name Suffix, Enabled
3. *.jetsam.com, Name Suffix, Enabled
4. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.contoso.com
5. unisaw.powermatic.nttest.contoso.com, Domain DNS name, Enabled
6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.contoso.com
7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powermatic.nttest.contoso.com
8. powermatic.nttest.contoso.com, Domain DNS name, Enabled
9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.contoso.com
10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermatic.nttest.contoso.com
The command completed successfully.
To enable or disable the first routed name suffix in the list generated by the previous command, type the following command at the command prompt:
Code:
netdom trust myTestDomain /namesuffixes:foresttrustpartnerdomain /togglesuffix:1
Note You must use the /ToggleSuffix parameter with the /NameSuffixes parameter. Use /NameSuffixes immediately before you use /ToggleSuffix because the order in which the name suffixes are listed may change.
The following is sample output:
Note The output reflects the routed name suffix list after the Toggling operation.
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:powermatic /ts:1
Name, Type, Status, Notes
1. *.flotsam.org, Name Suffix, Admin-Disabled
2. *.powermatic.nttest.contoso.com, Name Suffix, Enabled
3. *.jetsam.com, Name Suffix, Enabled
4. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.contoso.com
5. unisaw.powermatic.nttest.contoso.com, Domain DNS name, Enabled
6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.contoso.com
7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powermatic.nttest.contoso.com
8. powermatic.nttest.contoso.com, Domain DNS name, Enabled
9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.contoso.com
10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermatic.nttest.contoso.com
The command completed successfully.
To add the DNS name suffix contoso.com to the Forest Trust Info with trustpartnerdomain, type the following command at the command prompt:
Code:
Netdom trust myTestDomain /d:trustPartnerDomain /AddTln:contoso.com
Adding the DNS name suffix is allowed only for a Forest Transitive, Non-Windows Realm trust. The same applies to the following commands:
- Netdom trust myTestDomain /d:trustPartnerDomain /RemoveTln:contoso.com
- Netdom trust myTestDomain /d:trustPartnerDomain /AddTLNEx:something.contoso.com (a TLN entry for the parent naming context, in this case contoso.com, must already be present; otherwise the operation is disallowed)
- Netdom trust myTestDomain /d:trustPartnerDomain /RemoveTLNEx:something.contoso.com
The following code lists the name suffixes on a Non-Windows Realm Trust:
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:blah.mit.org
Name, Type, Status, Notes
1. *.bowwow.com, Name Suffix, Enabled
2. *.meow.com, Name Suffix, Enabled
The command completed successfully.
The following code adds another TLN:
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtln:dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.
The command completed successfully.
The following code adds an invalid TLN exclusion:
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtlnex:dude.com
The Forest Trust Info for the specified trust could not be stored.
The parameter is incorrect.
Try "netdom HELP" for more information.
The following code adds a valid TLN exclusion:
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtlnex:cool.dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.
The command completed successfully.
The following code shows the result of previous operations:
Code:
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:blah.mit.org
Name, Type, Status, Notes
1. *.cool.dude.com, Exclusion
2. *.bowwow.com, Name Suffix, Enabled
3. *.meow.com, Name Suffix, Enabled
4. *.dude.com, Name Suffix, Enabled
The command completed successfully.
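As an added example that is not part of the TechNet page, the PowerShell helper below parses the routed name suffix list that /namesuffixes prints (the same format as the listings above, including the Admin-Disabled status left by /togglesuffix and the Exclusion rows added by /AddTLNEx) and reports the rows an auditor should review. The function names, the wrapped-line handling and the live-use line at the end are assumptions; the sample text is constructed to match the page's output format.

```powershell
# Added example, not code from the TechNet page: parse the "Name, Type, Status, Notes" list
# that "netdom trust <Domain> /namesuffixes:<Partner>" prints and report the rows an auditor
# should review. Both function names are hypothetical; the sample text below is constructed.

function ConvertFrom-NetdomSuffixList {
    param([Parameter(Mandatory)][string]$Text)
    $rows = [System.Collections.Generic.List[string]]::new()
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^The command completed') { break }   # end of the list
        if ($line -match '^\d+\.\s') { $rows.Add($line) }       # "7. s-1-5-21-..., Domain SID, ..."
        elseif ($rows.Count -gt 0 -and $line.Trim()) {          # console wrapped the previous row
            $rows[$rows.Count - 1] += $line.Trim()
        }
    }
    foreach ($row in $rows) {
        $null = $row -match '^(\d+)\.\s+(.*)$'
        $f = @($Matches[2] -split ', ', 4)                      # at most 4 fields; Notes keeps its spaces
        while ($f.Count -lt 4) { $f += '' }                     # Exclusion rows carry only Name and Type
        [pscustomobject]@{
            Index = [int]$Matches[1]; Name = $f[0]; Type = $f[1]; Status = $f[2]; Notes = $f[3]
        }
    }
}

function Get-NetdomSuffixFindings {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($row in (ConvertFrom-NetdomSuffixList -Text $Text)) {
        $reason = switch ($row.Status) {
            'Conflicting'    { "suffix is also claimed elsewhere, so names under it do not route ($($row.Notes))" }
            'Admin-Disabled' { 'routing was switched off with /togglesuffix; confirm that this is intended' }
        }
        if ($reason) { $row | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
    }
}

# Constructed sample in the page's output format, including a row wrapped at 80 columns.
$sample = @'
Name, Type, Status, Notes
1. *.flotsam.org, Name Suffix, Admin-Disabled
2. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.contoso.com
3. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.contoso.
com
4. *.cool.dude.com, Exclusion
The command completed successfully.
'@
Get-NetdomSuffixFindings -Text $sample | Format-Table Index, Name, Status, Reason -AutoSize
# Live use from an elevated prompt with the AD DS tools installed ($partner is an assumed name):
#   netdom trust $env:USERDNSDOMAIN "/namesuffixes:$partner" | Out-String | ForEach-Object { Get-NetdomSuffixFindings -Text $_ }
```

On the constructed sample the report lists rows 1 and 2 only; row 3 is rejoined from its wrapped continuation and row 4, an Exclusion with no status, is parsed without error.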