Windows Domain Manager (NetDom.exe) (ST)

Windows Domain Manager is a command-line tool that has some unique features, such as moving computer accounts between domains, as well as joining computers to a domain and renaming domain controllers or computer accounts. The tool allows you to:

  • Retrieve diverse information about domains

  • Add, join, and move computers to a domain (these operations are "OU-aware"), as well as remove computers from a domain

  • Rename domain controllers and computers

  • Reset and verify computer secure channels

  • Verify, establish, reset, break, and change domain trusts (including Kerberos trusts)

Caution 

Be careful: the documentation on this tool is slightly inconsistent. There are quite a few divergences between the parameter descriptions in the Support Tools Help and those in the tool's built-in help.

The Windows .NET version of NetDom.exe cannot run on Windows 2000 systems.

Let us discuss some interesting features of NetDom.exe with some examples. To see detailed information on how an operation is performed, you may use the /Verbose parameter with any command. Many of the tool's commands accept the DNS names of computers and domains, but sometimes NetBIOS names are preferable.

Querying Domains

NetDom.exe is one of the tools that allow you to view the owners of the FSMO roles in the forest. For example, the following command shows that the server NETDC2 holds all roles in its domain, whereas all forest-wide roles are owned by the server NETDC4 in the root domain:

   C:\>netdom QUERY /D:subdom.net.dom FSMO
   Schema owner                netdc1.net.dom
   Domain role owner           netdc1.net.dom
   PDC role                    netdc2.subdom.net.dom
   RID pool manager            netdc2.subdom.net.dom
   Infrastructure owner        netdc2.subdom.net.dom
   The command completed successfully.

The following command displays all domains that have direct trusts with the specified domain (the trusts may also be verified using the netdom TRUST command, discussed later); notice that the net.dom and NT4DOM domains are connected with a one-way trust:

   C:\>netdom QUERY /D:net.dom TRUST /Direct
   Direction Trusted\Trusting domain   Trust type
   ========= ======================= ==========
   <->       subdom.net.dom          Direct
   <-        NT4DOM                  Direct
   <->       dotnet.dom              Direct

The netdom QUERY command can also verify and/or reset (the /Reset parameter) domain trusts. The following command checks trusts between the parent (current) domain and a child (the command is executed in the parent domain; the credentials of the child's administrator must be provided):

   C:\>netdom QUERY /D:subdom.net.dom TRUST /UD:administrator /PD:* /Verify
   Type the password associated with the domain user:
   Direction Trusted\Trusting domain   Trust type Status
   ========= ======================= ========== ======
   <->       net.dom                 Direct     Verified
   The command completed successfully.

When you delegate control over some OUs to a user (jsmith in our example), you might want to quickly verify the administrative rights of that user (you must know the user's password). The following command may help you with this task:

   C:\>netdom QUERY /D:net.dom OU /UD:jsmith /PD:*
   Type the password associated with the domain user:
   List of Organizational Units within which the specified user can create a machine account:
   OU=Staff, DC=net, DC=dom
   OU=Sales, OU=Marketing, DC=net, DC=dom
   The command completed successfully.

Compare this output with the results received for an administrative account.
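The trust table above is plain text, so reviewing it across many domains means parsing it. The following PowerShell function is an added example (not code from the book) that turns the output of netdom QUERY ... TRUST /Direct (with or without /Verify) into objects and flags one-way trusts and any trust whose Status column is not "Verified"; the sample text is the book's net.dom output, and running it live assumes netdom.exe is on the PATH.

```powershell
# Added example: parse the text table printed by
# "netdom QUERY /D:<domain> TRUST /Direct" (optionally with /Verify).
function ConvertFrom-NetdomTrustTable {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Data rows start with a direction arrow; the header, the "====" rule
        # and the "completed successfully" footer do not.
        if ($line -match '^\s*(<->|<-|->)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$') {
            [pscustomobject]@{
                Direction = $Matches[1]
                Domain    = $Matches[2]
                TrustType = $Matches[3]
                Status    = if ($Matches[4]) { $Matches[4] } else { $null }  # only with /Verify
                OneWay    = ($Matches[1] -ne '<->')
            }
        }
    }
}

# Constructed sample: the book's output for "netdom QUERY /D:net.dom TRUST /Direct".
$sample = @'
Direction Trusted\Trusting domain   Trust type
========= ======================= ==========
<->       subdom.net.dom          Direct
<-        NT4DOM                  Direct
<->       dotnet.dom              Direct
'@

$trusts = ConvertFrom-NetdomTrustTable -Text $sample

# Report what deserves a second look: one-way trusts (here NT4DOM) and, when
# /Verify output is parsed, any trust not reported as Verified.
$trusts |
    Where-Object { $_.OneWay -or ($_.Status -and $_.Status -ne 'Verified') } |
    Format-Table Direction, Domain, TrustType, Status, OneWay -AutoSize

# Against a live domain (assumes netdom.exe is on the PATH):
# ConvertFrom-NetdomTrustTable -Text (& netdom.exe QUERY /D:net.dom TRUST /Direct | Out-String)
```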

Managing Computer Accounts

The command shown below creates a computer account in the domain (but doesn't join a computer to the domain). Note that you can specify a target OU for that account. Remember that if you join a computer to a domain without pre-creating its account, the account created during the join is placed in the Computers container by default. You may use the command for pre-creating accounts in the necessary OUs (domains) before actually joining the computers to the forest.

   C:\>netdom ADD compName /D:net.dom /OU:OU=Staff,DC=net,DC=dom
   The command completed successfully.

NetDom.exe can be used for migrating computer accounts from Windows NT resource domains to an AD-based domain or between AD-based domains. All commands - ADD, JOIN, MOVE, and REMOVE - are "OU-aware", so you can manipulate accounts according to the OU structure of your domains.

To move a computer (compName in the example) from the current domain to a destination domain (you must be logged on to the current domain as an administrator and provide an administrator's credentials for the destination domain), use a command similar to:

   C:\>netdom MOVE compName /D:subdom.net.dom /OU:OU=Personnel,DC=subdom,DC=net,DC=dom /UD:administrator /PD:*

Caution 

The computer being moved must be online and accessible; otherwise, the command generates the "The network path was not found" error.

Verifying and Resetting Secure Channels

NetDom.exe can verify and reset the secure channels that exist between each computer in a domain and a domain controller. To verify that the computer COMP3 has a working secure channel with its domain, net.dom, use the following command (the command's output is also shown):

   C:\>netdom VERIFY comp3.net.dom /D:net.dom
   The secure channel from COMP3.NET.DOM to the domain NET.DOM has been verified.
   The connection is with the machine \\NETDC1.NET.DOM.
   The command completed successfully

The same operation can also be performed using the NLtest tool:

   C:\>nltest /sc_query:net.dom /server:comp3.net.dom
   Flags: 30 HAS_IP HAS_TIMESERV
   Trusted DC Name \\netdc1.net.dom
   Trusted DC Connection Status Status = 0 0x0 NERR_Success
   The command completed successfully

To reset a broken secure channel, use the following command:

   C:\>netdom RESET comp3.net.dom /D:net.dom
   The secure channel from COMP3.NET.DOM to the domain NET.DOM has been reset.
   The connection is with the machine \\NETDC1.NET.DOM.
   The command completed successfully

The NLtest tool can also be used for that purpose:

   C:\>nltest /sc_reset:net.dom /server:comp3.net.dom
   Flags: 30 HAS_IP HAS_TIMESERV
   Trusted DC Name \\netdc1.net.dom
   Trusted DC Connection Status Status = 0 0x0 NERR_Success
   The command completed successfully
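Checking one computer by hand is fine, but a domain has many of them, and a reset should only be issued for channels that actually fail. The following PowerShell function is an added example (not code from the book) that runs netdom VERIFY for each listed computer, parses the "has been verified" and "with the machine" text shown above, and issues netdom RESET only for failures and only when -Repair is given. It assumes netdom.exe is on the PATH and that the caller holds the rights netdom needs for VERIFY and RESET.

```powershell
# Added example: bulk secure-channel check built on "netdom VERIFY" / "netdom RESET".
# Verify is read-only; RESET is attempted only with -Repair and only for failed channels.
function Test-NetdomSecureChannel {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,
        [switch]$Repair
    )
    # Captures the DC name netdom prints, e.g. \\NETDC1.NET.DOM (without the trailing period).
    $dcPattern = 'with the machine (\\\\\S+?)\.?(\s|$)'

    foreach ($computer in $ComputerName) {
        $out = (& netdom.exe VERIFY $computer "/D:$Domain" 2>&1 | Out-String)
        $verified = [bool]($out -match 'has been verified')
        $dc = if ($out -match $dcPattern) { $Matches[1] } else { $null }
        $action = 'none'

        if (-not $verified -and $Repair) {
            $resetOut = (& netdom.exe RESET $computer "/D:$Domain" 2>&1 | Out-String)
            $action = if ($resetOut -match 'has been reset') { 'reset' } else { 'reset failed' }
            if ($resetOut -match $dcPattern) { $dc = $Matches[1] }
        }

        [pscustomobject]@{
            Computer = $computer
            Verified = $verified
            DC       = $dc
            Action   = $action
            Message  = ($out.Trim() -split "`r?`n")[0]   # first line of netdom's reply
        }
    }
}

# Usage (computer names are constructed, matching the book's net.dom examples):
# Test-NetdomSecureChannel -ComputerName comp3.net.dom, comp4.net.dom -Domain net.dom |
#     Format-Table -AutoSize
# Add -Repair to reset the channels that fail verification.
```

Review the Verified column first and keep the -Repair run separate, so that a failed verification is understood (offline machine, stale account, wrong domain) before its channel is reset.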

Managing Domain Trusts

NetDom.exe allows you to verify domain trusts and troubleshoot trust issues (including trusts that use the Kerberos v5 authentication protocol). For example, the following command checks the Kerberos trust between two domains in the forest (the credentials of both domains' administrators must be specified!):

   C:\>netdom TRUST subdom.net.dom /D:net.dom /Kerberos /UD:administrator /PD:* /UO:administrator /PO:* /Verify
   Type the password associated with the domain user:
   Type the password associated with the object user:
   The trust between subdom.net.dom and net.dom has been successfully verified
   The command completed successfully

To reset domain trusts, enter the command:

   C:\>netdom TRUST subdom.net.dom /D:net.dom /UD:administrator /PD:* /UO:administrator /PO:* /Reset

Successful output should be similar to:

   Resetting the trust passwords between subdom.net.dom and net.dom
   The trust between subdom.net.dom and net.dom has been successfully reset and verified
   The command completed successfully

If trust relationship issues exist, you can try to isolate the problem by using the netdom VERIFY or nltest /sc_query commands to check the secure channels between pairs of domain controllers.

Note 

For verifying and resetting trusts, the Active Directory Domains and Trusts snap-in (see Chapter 7, "Domain Manipulation Tools") can also be used.

NetDom.exe allows you to remove from Active Directory the information (including the cross-reference and trusted domain objects) about a defunct domain that no longer contains any domain controllers. The netdom TRUST /Remove /Force command can be used for that purpose, for example:

   netdom TRUST dotnet.dom /D:net.dom /Remove /Force



Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
Year: 2002
Pages: 154