Recipe 15.22. Verifying and Resetting Trusts

Problem

You want to verify that a trust is working correctly. This is the first diagnostic step to take if users notify you that authentication to a remote domain appears to be failing. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

Solution

Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

  1. In the left pane, right-click on the trusting domain and select Properties.

  2. Click the Trusts tab.

  3. Click the domain that is associated with the trust you want to verify.

  4. Click the Edit button.

  5. Click the Verify button.

  6. If the validation function fails, you'll be given an option to reset the trust.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

  1. In the left pane, right-click on the trusting domain and select Properties.

  2. Click the Trusts tab.

  3. Click the domain that is associated with the trust you want to verify.

  4. Click the Properties button.

  5. Click the Validate button.

  6. If the validation function fails, you'll be given an option to reset the trust.

Using a command-line interface

The following command verifies a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*]

The following command resets a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is supported only on Windows Server 2003.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., amer.rallencorp.com
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

' This code shows how to search specifically for trusts
' that have failed, which can be accomplished using a WQL query that
' contains the clause: TrustIsOk = False
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., amer.rallencorp.com
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("select * " _
                               & " from Microsoft_DomainTrustStatus " _
                               & " where TrustIsOk = False ")
if objTrusts.Count = 0 then
   Wscript.Echo "There are no trust failures"
else
   WScript.Echo "Trust Failures:"
   for each objTrust in objTrusts
      Wscript.Echo " " & objTrust.TrustedDomain & " : " & _
                         objTrust.TrustStatusString
      Wscript.Echo ""
   next
end if

' This code resets the specified trust.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"
' Set to the DNS name of the source or trusting domain.
strDomain    = "<TrustingDomain>"
' ------ END CONFIGURATION ---------
' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
              "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3  ' Enumerate with SC_RESET
objTrustProv.Put_
' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                        & " from Microsoft_DomainTrustStatus " _
                        & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

Discussion

Verifying a trust consists of checking connectivity between the domains and determining whether the shared secrets of the trust are synchronized between the two domains. Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC role holder in each domain is used to synchronize the password, so both must be reachable.

Using a graphical user interface

The Active Directory Domains and Trusts screens have changed somewhat between Windows 2000 and Windows Server 2003. The Verify button has been renamed Validate.

Using a command-line interface

If you want to verify a Kerberos trust, use the /Kerberos option with the netdom command. If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option.

Using VBScript

The WMI Trustmon Provider is new to Windows Server 2003. It provides a convenient interface for querying and checking the health of trusts. One of the benefits of using WMI to access this kind of data is that you can use WQL, the WMI Query Language, to perform complex queries that find trusts with certain properties. WQL is a subset of the Structured Query Language (SQL) commonly used to query databases. In the second VBScript example, WQL is used to find all trusts that have a problem. You could expand the query to include additional criteria, such as trust direction, trust type, and so on.
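The same Trustmon query from PowerShell, as an added example that is not from the book, extending the WQL filter with the direction criterion mentioned above and decoding the numeric fields so a failing trust is easier to triage. The function name Get-TrustHealth is hypothetical, and the numeric direction, type and attribute values are assumptions taken from the LSA TRUST_DIRECTION_*, TRUST_TYPE_* and TRUST_ATTRIBUTE_* constants; the block needs a Windows Server 2003 or later domain controller reachable over WMI.

```powershell
# Added example (not the book's code): query Microsoft_DomainTrustStatus with
# extra WQL criteria and decode the numeric fields for triage.
function Get-TrustHealth {
    param(
        [Parameter(Mandatory)][string]$Domain,   # trusting domain, e.g. amer.rallencorp.com
        [switch]$FailedOnly,                     # adds "TrustIsOk = False", as in the book's 2nd script
        [ValidateSet('Inbound','Outbound','Bidirectional')][string]$Direction
    )
    # Assumed LSA TRUST_DIRECTION_* values
    $dirMap  = @{ Inbound = 1; Outbound = 2; Bidirectional = 3 }
    # Assumed LSA TRUST_TYPE_* values
    $typeMap = @{ 1 = 'Downlevel (NT)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
    # Assumed LSA TRUST_ATTRIBUTE_* flag bits; 0x4 means SID filtering (quarantine) is on
    $attrBits = [ordered]@{ 0x1 = 'NonTransitive'; 0x2 = 'UplevelOnly'; 0x4 = 'QuarantinedDomain'
                            0x8 = 'ForestTransitive'; 0x10 = 'CrossOrganization'
                            0x20 = 'WithinForest'; 0x40 = 'TreatAsExternal' }

    # Build the WQL where-clause from the requested criteria
    $where = @()
    if ($FailedOnly) { $where += 'TrustIsOk = False' }
    if ($Direction)  { $where += "TrustDirection = $($dirMap[$Direction])" }
    $query = 'Select * from Microsoft_DomainTrustStatus'
    if ($where.Count -gt 0) { $query += ' where ' + ($where -join ' and ') }

    Get-WmiObject -ComputerName $Domain -Namespace 'root\MicrosoftActiveDirectory' -Query $query |
        ForEach-Object {
            $t = $_
            $flags = $attrBits.Keys | Where-Object { $t.TrustAttributes -band $_ } |
                     ForEach-Object { $attrBits[$_] }
            [pscustomobject]@{
                TrustedDomain = $t.TrustedDomain
                TrustedDC     = $t.TrustedDCName
                Direction     = ($dirMap.GetEnumerator() | Where-Object Value -eq $t.TrustDirection).Key
                Type          = $typeMap[[int]$t.TrustType]
                Attributes    = ($flags -join ',')
                SidFiltering  = [bool]($t.TrustAttributes -band 0x4)   # worth confirming on external trusts
                IsOk          = [bool]$t.TrustIsOk
                Status        = "$($t.TrustStatus): $($t.TrustStatusString)"
            }
        }
}

# Usage: list only broken outbound trusts of the trusting domain
Get-TrustHealth -Domain 'amer.rallencorp.com' -FailedOnly -Direction Outbound | Format-Table -AutoSize
```

Run it from a member of the trusting domain with an account that has WMI access to its domain controllers; pair a non-empty result with the netdom /Reset command above, since the query reports status but does not change it.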

See Also

MSDN: Trustmon Provider



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen