3. Verifying Trust Relationships
You can also use the netdom command to verify trust relationships. The basic syntax of the command is
netdom trust trusting_domain_name /domain:trusted_domain_name
Figure 1 shows the Active Directory Domains and Trusts console with a parent domain (pearson.pub) and a child domain (training.pearson.pub). There is a parent/child trust relationship between the two domains. Furthermore, the outgoing trust has been validated.
Note
There are two trusts between the domains. The parent trusts the child and the child trusts the parent. These trusts are displayed as an outgoing trust and an incoming trust in Figure 1.
You can perform the same check from the command line with the following command:
netdom trust training.pearson.pub /domain:pearson.pub
The concept of trusted and trusting domains and the terminology can be confusing. Figure 2 shows two domains with a one-way trust between them. Notice that the arrow is pointing to Domain B. When shown this way, it indicates that Domain A trusts Domain B, and users in Domain B can be granted access to resources in Domain A. In other words, Domain B is trusted by Domain A.
The following table identifies many of the switches that can be used with the netdom trust command to validate a trust.
| netdom Trust Switch | Example | Comments |
|---|---|---|
| `netdom trust trusting-domain` | `C:\>netdom trust training.pearson.pub` | Enter the name of the trusting domain first. In Figure 2, this is Domain A in the outgoing trust. |
| `/domain:domain` | `/domain:pearson.pub` | Specifies the name of the trusted domain or non-Windows realm. Note: You can create trusts with UNIX realms and test them with the netdom trust command. |
| `/userd:username` | `/userd:administrator` | The user account used to make the connection with the domain specified by the /domain switch. |
| `/passwordd:{password \| *}` | `/passwordd:P@ssw0rd` | The password of the user account specified by /userd. You can use an asterisk (*) and the command will prompt you to enter a password. |
| `/usero:username` | `/usero:administrator` | The user account for making the connection with the trusting domain. Note: The "o" in /usero specifies that this is the user account for the other domain, that is, the trusting domain. |
| `/passwordo:{password \| *}` | `/passwordo:P@ssw0rd` | The password of the user account specified by /usero. You can use an asterisk (*) and the command will prompt you to enter a password. |
| `/verify` | `/verify` | Verifies that the trust is operating properly. |
| `/quarantine[:yes \| :no]` | `/quarantine` | This switch enables you to view, set, or disable the quarantine attribute. When set to yes, only SIDs from the directly trusted domain are able to access resources, and other SIDs are filtered out. When set to no (the default), any accounts in the trusted domain are accepted. Tip: This is relevant if the trusted domain includes migrated accounts. The migrated accounts are filtered if this is set to yes, and won't be able to access resources in the trusting domain. Specifying /quarantine without yes or no displays the current state. |
Figure 3 shows the result of entering the following command using some of these switches:
C:\>netdom trust training.pearson.pub /domain:pearson.pub
/userd:administrator /passwordd:* /usero:administrator
/passwordo:* /verify
If it's a two-way trust, you can verify the trust from the other direction by swapping the trusted and trusting domains, as in the following command:
C:\>netdom trust pearson.pub /domain:training.pearson.pub
/userd:administrator /passwordd:* /usero:administrator
/passwordo:* /verify
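The two commands above are the manual form of that check. The following PowerShell function is an added example, not code from the book, that wraps the same netdom trust invocations so that both directions of a two-way trust are verified and the current /quarantine (SID filtering) state is reported for each direction in one call. It assumes netdom.exe (installed with the AD DS tools / RSAT) is on the PATH, that netdom returns exit code 0 on success, and that the function, parameter and property names shown (Test-DomainTrust, -TwoWay, Success, Output and so on) are my own choices, not part of netdom.

```powershell
# Added example (not from the page): wrap "netdom trust ... /verify" and
# "netdom trust ... /quarantine" so that both directions of a two-way trust
# are checked in one call. Assumes netdom.exe is on the PATH.
function Test-DomainTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TrustingDomain,  # e.g. training.pearson.pub
        [Parameter(Mandatory)] [string] $TrustedDomain,   # e.g. pearson.pub
        [switch] $TwoWay,    # also verify with the trusting/trusted roles swapped
        [string] $UserD,     # account in the trusted domain (/userd), optional
        [string] $UserO      # account in the trusting domain (/usero), optional
    )

    # Credential switches. Passwords are never placed on the command line:
    # "*" makes netdom prompt for them, so they do not appear in process
    # listings, transcripts or the PowerShell history.
    $credArgs = @()
    if ($UserD) { $credArgs += "/userd:$UserD", '/passwordd:*' }
    if ($UserO) { $credArgs += "/usero:$UserO", '/passwordo:*' }

    function Invoke-Netdom([string] $Trusting, [string] $Trusted, [string[]] $Extra) {
        # Trusting domain comes first, trusted domain goes in /domain:, as in the text.
        $argList = @('trust', $Trusting, "/domain:$Trusted") + $credArgs + $Extra
        $output  = & netdom.exe @argList 2>&1
        [pscustomobject]@{
            Trusting = $Trusting
            Trusted  = $Trusted
            Action   = ($Extra -join ' ')
            Success  = ($LASTEXITCODE -eq 0)          # assumption: 0 means success
            Output   = ($output | Out-String).Trim()  # raw netdom text for the record
        }
    }

    # List of (trusting, trusted) pairs to check; a two-way trust is checked both ways.
    $pairs = @(,@($TrustingDomain, $TrustedDomain))
    if ($TwoWay) { $pairs += ,@($TrustedDomain, $TrustingDomain) }

    foreach ($pair in $pairs) {
        # /verify confirms the trust is operating in this direction.
        Invoke-Netdom $pair[0] $pair[1] @('/verify')
        # /quarantine with no value only reports the current SID-filtering state;
        # it changes nothing.
        Invoke-Netdom $pair[0] $pair[1] @('/quarantine')
    }
}

# Usage, with the domains from the figures in the text:
# Test-DomainTrust -TrustingDomain training.pearson.pub -TrustedDomain pearson.pub `
#     -TwoWay -UserD administrator -UserO administrator |
#     Format-Table Trusting, Trusted, Action, Success -AutoSize
```

Because each netdom call that carries credentials prompts for the passwords (the `*` form from the table), a two-way run with -UserD and -UserO will prompt several times; omit those parameters to run under the current logon context instead. Keeping the Output property alongside the Success flag is deliberate: when a trust fails verification, the netdom text is what you want in the ticket, and the /quarantine line is what you compare against the expected SID-filtering setting for that trust.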