Recipe 15.22. Verifying and Resetting TrustsProblemYou want to verify that a trust is working correctly. This is the first diagnostic step to take if users notify you that authentication to a remote domain appears to be failing. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again. SolutionUsing a graphical user interfaceFor the Windows 2000 version of the Active Directory Domains and Trusts snap-in:
For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:
Using a command-line interfaceThe following command verifies a trust: > netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*] The following command resets a trust: > netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*] Using VBScript' The following code lists all of the trusts for the ' specified domain using the Trustmon WMI Provider. ' The Trustmon WMI Provider is supported only on Windows Server 2003. ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>" ' e.g., amer.rallencorp.com ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strDomain & _ "\root\MicrosoftActiveDirectory") set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus") for each objTrust in objTrusts Wscript.Echo objTrust.TrustedDomain Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK Wscript.Echo " TrustStatus: " & objTrust.TrustStatus Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString Wscript.Echo " TrustType: " & objTrust.TrustType Wscript.Echo "" next ' This code shows how to search specifically for trusts ' that have failed, which can be accomplished using a WQL query that ' contains the query: TrustIsOk = False ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>" ' e.g., amer.rallencorp.com ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strDomain & _ "\root\MicrosoftActiveDirectory") set objTrusts = objWMI.ExecQuery("select * " _ & " from Microsoft_DomainTrustStatus " _ & " where TrustIsOk = False ") if objTrusts.Count = 0 then Wscript.Echo "There are no trust failures" else WScript.Echo "Trust Failures:" for each objTrust in objTrusts Wscript.Echo " " & objTrust.TrustedDomain & " : " & _ objTrust.TrustStatusString Wscript.Echo "" next end if ' This code resets the specified trust. ' ------ SCRIPT CONFIGURATION ------ ' Set to the DNS or NetBIOS name for the Windows 2000, ' Windows NT domain or Kerberos realm you want to reset the trust for. strTrustName = "<TrustToCheck>" ' Set to the DNS name of the source or trusting domain. strDomain = "<TrustingDomain>" ' ------ END CONFIGURATION --------- ' Enable SC_RESET during trust enumerations set objTrustProv = GetObject("winmgmts:\\" & strDomain & _ "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@") objTrustProv.TrustCheckLevel = 3 ' Enumerate with SC_RESET objTrustProv.Put_ ' Query the trust and print status information set objWMI = GetObject("winmgmts:\\" & strDomain & _ "\root\MicrosoftActiveDirectory") set objTrusts = objWMI.ExecQuery("Select * " _ & " from Microsoft_DomainTrustStatus " _ & " where TrustedDomain = '" & strTrustName & "'" ) for each objTrust in objTrusts Wscript.Echo objTrust.TrustedDomain Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK Wscript.Echo " TrustStatus: " & objTrust.TrustStatus Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString Wscript.Echo " TrustType: " & objTrust.TrustType Wscript.Echo "" next DiscussionVerifying a trust consists of checking connectivity between the domains, and determining if the shared secrets of a trust are synchronized between the two domains. Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC role holder in both domains is used to synchronize the password so they must be reachable. Using a graphical user interfaceThe Active Directory Domains and Trusts screens have changed somewhat between Windows 2000 and Windows Server 2003. The Verify button has been renamed Validate. Using a command-line interfaceIf you want to verify a Kerberos trust, use the /Kerberos option with the netdom command. If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option. Using VBScriptThe WMI Trustmon Provider is new to Windows Server 2003. It provides a nice interface for querying and checking the health of trusts. One of the benefits of using WMI to access this kind of data is that you can use WQL, the WMI Query Language, to perform complex queries to find trusts with certain properties. WQL is a subset of the Structured Query Language (SQL) commonly used to query databases. In the second VBScript example, I used WQL to find all trusts that have a problem. You could expand the query to include additional criteria, such as trust direction, trust type, and so on. See AlsoMSDN: Trustmon Provider |