Recipe 15.20. Creating and Removing a Trust

Problem

You want to create or delete a trust from an AD domain to a Windows NT domain, Kerberos realm, or another AD domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click the domain you want to add a trust for and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Complete the rest of the wizard steps. They will vary depending on the type of trust you create.

Using a command-line interface
> netdom trust <TargetDomainName> /Domain:<ADDomainName> /ADD
         [/UserD:<ADDomainName>\<ADUser> /PasswordD:*]
         [/UserO:<TargetDomainName>\<TargetUser> /PasswordO:*]
         [/TwoWay]

For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD
         /UserD:RALLENCORP\administrator /PasswordD:*
         /UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay option to the example.

The following command deletes a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose
         [/UserO:<TrustingDomainUser> /PasswordO:*]
         [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

None of the scripting interfaces support creating a trust, but you can delete one as shown here:

' This code deletes a trust in the specified domain.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain    = "<DomainDNSName>"
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")

' First object: the trustedDomain object in the System container
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName

' Second object: the trust's user account (<TrustName>$) in the Users
' container. IADsContainer.Delete takes the object's class, which is
' "user" here, not "trustedDomain".
set objTrustUser = GetObject("LDAP://cn=Users," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "user", "cn=" & strTrustName & "$"

WScript.Echo "Successfully deleted trust for " & strTrustName

Discussion

It is common when migrating from a Windows NT environment to Active Directory to set up trusts to down-level master account domains or resource domains. This allows AD users to access resources in the NT domains without providing alternate credentials. Windows NT does not support transitive trusts and therefore your only option is to create a nontransitive trust. That means you'll need to set up individual trusts between the NT domain and every Active Directory domain that contains users that need to access the NT resources.

In Windows Server 2003, Active Directory introduced a new trust type called a forest trust. A forest trust allows you to create a single transitive trust between two forest root domains and have it apply to all subdomains. In Windows 2000 forests, you have to set up individual trusts between all the domains in one forest with all the domains in another.

Trusts are stored in Active Directory as two objects: a trustedDomain object in the System container and a user object (named <TrustName>$) in the Users container. Both of these objects need to be removed when deleting a trust. The GUI and CLI solutions take care of that in one step, but in the VBScript example both objects have to be deleted explicitly. It is also worth noting that each solution deletes only one side of the trust. If the trust was to a remote AD forest or NT 4.0 domain, you also need to delete the trust in that domain.
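Before running the /Remove command or the VBScript above, it helps to see exactly which pair of objects will be deleted. The following read-only audit is an added PowerShell example, not code from the cookbook: it lists every trustedDomain object in the System container with its direction, type and attribute flags decoded, checks that the paired trust account exists in the Users container, and warns about trust accounts left behind by a half-deleted trust. It assumes a domain-joined host with read access to both containers; the decode tables follow the trustedDomain schema attributes (trustDirection, trustType, trustAttributes) and the INTERDOMAIN_TRUST_ACCOUNT bit (0x800) of userAccountControl.

```powershell
# Added example (not from the cookbook): inventory the two objects that make up
# each trust so you can confirm what a netdom /Remove or the VBScript will delete.
# Assumes a domain-joined host with read access to cn=System and cn=Users.
$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNC = [string]$rootDse.defaultNamingContext

# Value decoding for the trustedDomain attributes.
$dirNames  = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$typeNames = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
$attrFlags = [ordered]@{ 0x1 = 'NON_TRANSITIVE'; 0x2 = 'UPLEVEL_ONLY'; 0x4 = 'QUARANTINED_DOMAIN'
                         0x8 = 'FOREST_TRANSITIVE'; 0x10 = 'CROSS_ORGANIZATION'
                         0x20 = 'WITHIN_FOREST'; 0x40 = 'TREAT_AS_EXTERNAL' }

function Find-Objects([string]$Base, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Base", $Filter, $Props)
    $s.FindAll()
}

# 1. Trusted Domain Objects in the System container.
$tdos = Find-Objects "cn=System,$defaultNC" '(objectClass=trustedDomain)' `
        @('cn', 'flatName', 'trustPartner', 'trustDirection', 'trustType', 'trustAttributes')

# 2. Trust accounts in the Users container: user objects with the
#    INTERDOMAIN_TRUST_ACCOUNT bit (0x800 = 2048) set in userAccountControl.
$accts = Find-Objects "cn=Users,$defaultNC" `
         '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))' @('sAMAccountName')
$acctNames = @($accts | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

$paired = @()
foreach ($t in $tdos) {
    $p     = $t.Properties
    $flat  = [string]$p['flatname'][0]          # NetBIOS name; the account is <flatName>$
    $attr  = [int]$p['trustattributes'][0]
    $flags = ($attrFlags.Keys | Where-Object { $attr -band $_ } | ForEach-Object { $attrFlags[$_] }) -join ','
    $paired += "$flat`$"
    [pscustomobject]@{
        Trust        = [string]$p['cn'][0]
        Partner      = [string]$p['trustpartner'][0]
        Direction    = $dirNames[[int]$p['trustdirection'][0]]
        Type         = $typeNames[[int]$p['trusttype'][0]]
        Attributes   = $(if ($flags) { $flags } else { '(none)' })
        # The second object the recipe says must be removed along with the TDO.
        TrustAccount = $(if ($acctNames -contains "$flat`$") { "$flat`$ present" } else { 'MISSING in cn=Users' })
    }
}

# A trust account with no matching TDO is the leftover of a partially deleted trust.
$acctNames | Where-Object { $paired -notcontains $_ } | ForEach-Object { Write-Warning "Orphaned trust account: $_" }
```

Run it on a domain controller (or any domain member with RSAT-free ADSI access) before and after the removal; after a clean delete the trust should disappear from the list and no orphan warning should appear.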

See Also

MS KB 306733 (HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain), MS KB 308195 (HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000), MS KB 309682 (HOW TO: Set up a One-Way Non-Transitive Trust in Windows 2000), MS KB 325874 (HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows Server 2003), and MS KB 816301 (HOW TO: Create an External Trust in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
