Recipe 2.21 Resetting a Trust

2.21.1 Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

2.21.2 Solution

2.21.2.1 Using a graphical user interface

Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if the Verify/Validate did not succeed.

2.21.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*]

2.21.2.3 Using VBScript

' This code resets the specified trust.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"
' Set to the DNS name of the source or trusting domain.
strDomain    = "<TrustingDomain>"
' ------ END CONFIGURATION ---------

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
              "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3  ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                        & " from Microsoft_DomainTrustStatus " _
                        & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

2.21.3 Discussion

Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDCs in both domains are used to synchronize the password, so both must be reachable.

2.21.3.1 Using a command-line interface

If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option with netdom.
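
Because the reset depends on the PDC in both domains being reachable, that can be checked before netdom is run. The following PowerShell script is an added example, not code from the book. It assumes both sides are Active Directory domains (not a Windows NT domain or Kerberos realm), the function name Get-PdcName and the parameter names are hypothetical, and the TCP 389 probe is an assumed liveness check rather than a full list of ports the reset needs.

```powershell
# Added example: confirm both PDCs answer before resetting the trust.
# Get-PdcName and the parameter names are hypothetical, not from the book.
param(
    [Parameter(Mandatory)] [string] $TrustingDomain,
    [Parameter(Mandatory)] [string] $TrustedDomain,
    [string] $TrustingDomainUser,   # optional, maps to /UserO
    [string] $TrustedDomainUser     # optional, maps to /UserD
)

# Stop on the first failure so a lookup error never falls through to the reset.
$ErrorActionPreference = 'Stop'

function Get-PdcName([string] $DomainName) {
    # Resolve the PDC role owner of an Active Directory domain via .NET.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).PdcRoleOwner.Name
}

foreach ($domain in $TrustingDomain, $TrustedDomain) {
    $pdc = Get-PdcName $domain
    # Assumption: an LDAP (TCP 389) connect is used as a basic liveness probe.
    if (-not (Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet)) {
        throw "PDC $pdc for $domain is not reachable; reset not attempted."
    }
    Write-Host "PDC for ${domain}: $pdc (reachable)"
}

# Build the same command line the recipe shows. The '*' values make netdom
# prompt for each password, so no password is placed on the command line.
$netdomArgs = @('trust', $TrustingDomain, "/Domain:$TrustedDomain", '/Reset', '/verbose')
if ($TrustingDomainUser) { $netdomArgs += "/UserO:$TrustingDomainUser", '/PasswordO:*' }
if ($TrustedDomainUser)  { $netdomArgs += "/UserD:$TrustedDomainUser", '/PasswordD:*' }

& netdom @netdomArgs
if ($LASTEXITCODE -ne 0) {
    throw "netdom exited with code $LASTEXITCODE; verify the trust as in Recipe 2.20."
}
```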

2.21.4 See Also

Recipe 2.20 for verifying a trust



Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456
