The Netdom utility is a core tool for use in both intra- and inter-forest restructures. In this lesson, you'll learn how to obtain and use it.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Netdom is used from the command prompt to manage Windows domains and trusts. Netdom is supplied in the Support folder of the Windows 2000 Server CD-ROM. You installed these tools earlier in this chapter and they can now be opened from the Support Tools folder of the Programs folder on the Windows 2000 Start menu.
IMPORTANT
Don't confuse the Netdom version used here with the earlier version supplied with the Microsoft Windows NT Server Resource Kit.
You can use Netdom in a variety of situations. It can move computers—workstations, servers, and domain controllers—from one domain to another. You can also use it to test and set up trust relationships. The Netdom command has the following form:
Netdom command [/d:domain] object [/options]
Each of Netdom's commands is explained next.
The Add command adds a workstation or server account to a domain. The machine can later be joined to the domain manually, or it can be made part of the domain using the Netdom Join command. The syntax is shown here and explained in Table 9.2.
netdom add machine /Domain:domain [/UserD:user] [/PasswordD:[password | *]] [/Server:server] [/OU:ou path] [/verbose] [/help]
Table 9.2 Netdom Add Command Options
Parameter | Function |
---|---|
Machine | The NetBIOS name of the computer for which the account is to be created; for example, Add migrate1 will create an account for the machine MIGRATE1. |
/Domain:domain | The name of the destination domain in which the machine account is to be created; for example, /Domain:trainkit.microsoft.com will create the machine account in the trainkit.microsoft.com domain. |
/UserD:user | The user name to be used in the destination domain to authenticate the add operation. It must have the appropriate rights in the domain; for example, /UserD:Administrator will use the Administrator user name to authorize the operation in the destination domain. |
/PasswordD:password | The password of the user name in the destination domain. If an asterisk (*) is entered, Netdom will prompt the user for a password. |
/OU:oupath | The fully qualified path to the OU in which the account is to be created; for example, /OU:"OU=press,DC=microsoft,DC=com" denotes the Press OU in the microsoft.com domain. Note the use of double quotes to enclose the OU path. |
/Server:server | The name of the specific server in the domain to perform the operation; for example, /Server:trainkit1 will use the TRAINKIT1 server to perform the transaction. If the /Server option is omitted, any available server in the domain will be used. |
/verbose | Produces detailed output documenting each individual action as the command is carried out. |
/help | Outputs information about the syntax of the Add command, similar to the information shown in this table. |
Nslookup can also help you interrogate the records entered into the DNS database and test entries in the forward and reverse lookup zones; however, Nslookup cannot tell you if records have been typed incorrectly.
The Join command joins a computer to a domain. Its syntax is shown here and explained in Table 9.3.
netdom join machine /Domain:domain [/OU:oupath] [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]] [/REBoot[:Time in seconds]]
The Join command will automatically create a computer account in the domain if required; in other words, there's no need to perform an Add command first.
Table 9.3 Netdom Join Command Options
Parameter | Function |
---|---|
Machine | The NetBIOS name of the machine to join the domain; for example, Join trainkit1. |
/Domain:domain | Same as the Netdom Add command. |
/OU:oupath | Same as the Netdom Add command. |
/UserD:user | Same as the Netdom Add command. |
/PasswordD:password | Same as the Netdom Add command. |
/UserO:user | The user name on the machine to be used to perform the operation. It must have the appropriate rights. |
/PasswordO:password | The password of the machine user name. If an asterisk (*) is entered, the Netdom command will prompt for a password. |
/REBoot:time | The machine will be rebooted once it has joined the domain. Specifying /REB with no time specified will cause the machine to wait 20 seconds before rebooting. You can change the time before reboot by adding a time value in seconds; for example, /REB:40 will reboot the machine 40 seconds after joining the domain. If the /REB option isn't used, the machine won't be rebooted. |
The Netdom Join command also supports the /S:server, /Verbose, and /Help options. Note that you must enter two user name/password pairs: one for the machine itself and the other for the domain it's going to join.
If you use this command to join a downlevel (in other words, Windows NT) system to a domain, it's possible for the command to fail and leave the machine in an undetermined state (in other words, broken). When a Windows 2000 system is joined in this way, the operation will either succeed or be rolled back.
The Move command moves a computer from one domain to another and uses the following syntax:
netdom move machine /Domain:domain [/OU:oupath] [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]] [/REBoot[:Time in seconds]]
The syntax of the Move command is identical to the Join command. As with the Join command, if the move fails with a Windows NT system, the domain state of the system might be indeterminate.
If no machine account is in the destination domain, one is created automatically. The machine account in a source domain (in other words, the domain the machine was previously a member of) is not deleted. If the source domain is running Windows 2000, the machine account is disabled.
The Remove command removes a computer from a domain and uses the following syntax:
netdom remove machine /Domain:domain [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]] [/REBoot[:Time in seconds]]
The syntax of the Remove command is identical to the Join command, except that the /OU parameter isn't used.
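Because the same option rules apply to Add, Join, Move and Remove, they can be checked before a command line is written into a batch file such as the Usenetdom.bat used later in this lesson. The following Python helper is an added example, not code from the training kit or from Netdom itself: it assembles the command line for one of those four commands, checks the machine name and OU path against the rules given in Tables 9.2 and 9.3, rejects /OU for Remove and /UserO for Add, and always passes an asterisk for /PasswordD and /PasswordO so that Netdom prompts for each password instead of the password being stored in the batch file or the command history. The function names, the NetBIOS-name check and the distinguished-name check are this example's own assumptions.

```python
"""Build Netdom add/join/move/remove command lines from structured input.

Added example, not from the training kit. It encodes the option rules the
lesson's tables give and always passes '*' for the password options so that
Netdom prompts for the password at run time.
"""
import re

# Commands that take the /OU option (Remove does not).
_TAKES_OU = {"add", "join", "move"}
# Commands that take the machine-local /UserO pair and /REBoot (Add does not).
_TAKES_LOCAL = {"join", "move", "remove"}

# NetBIOS computer name: 1-15 characters, none of the characters Windows
# disallows in a computer name (assumption: a conservative check).
_NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|\s]{1,15}$')


def validate_ou_path(ou):
    """Check that an /OU value is a distinguished name starting with OU= and naming a DC=.

    Returns the path unchanged on success and raises ValueError otherwise.
    """
    rdns = [r.strip() for r in ou.split(",")]
    if not rdns[0].upper().startswith("OU="):
        raise ValueError("OU path must start with an OU= component: %r" % ou)
    if not any(r.upper().startswith("DC=") for r in rdns):
        raise ValueError("OU path must name the domain with DC= components: %r" % ou)
    for r in rdns:
        if "=" not in r or not r.split("=", 1)[1]:
            raise ValueError("malformed component %r in OU path" % r)
    return ou


def build_netdom(command, machine, domain, user_d, user_o=None, ou=None,
                 reboot=None, verbose=False):
    """Return one Netdom command line as a string suitable for a .bat file.

    command : 'add', 'join', 'move' or 'remove'
    reboot  : None (no reboot), True (/REBoot, Netdom's 20-second default)
              or a number of seconds
    """
    command = command.lower()
    if command not in _TAKES_OU | _TAKES_LOCAL:
        raise ValueError("unsupported Netdom command: %r" % command)
    if not _NETBIOS_RE.match(machine):
        raise ValueError("not a valid NetBIOS computer name: %r" % machine)

    parts = ["netdom", command, machine, "/Domain:%s" % domain]
    # Destination-domain credentials; '*' makes Netdom prompt for the password.
    parts += ["/UserD:%s" % user_d, "/PasswordD:*"]

    if ou is not None:
        if command not in _TAKES_OU:
            raise ValueError("/OU is not accepted by 'netdom %s'" % command)
        # The lesson notes that the OU path must be enclosed in double quotes.
        parts.append('/OU:"%s"' % validate_ou_path(ou))

    if command in _TAKES_LOCAL:
        if user_o is None:
            raise ValueError("'netdom %s' needs a local account (/UserO)" % command)
        parts += ["/UserO:%s" % user_o, "/PasswordO:*"]
        if reboot is True:
            parts.append("/REBoot")            # Netdom waits 20 seconds
        elif reboot is not None:
            parts.append("/REBoot:%d" % int(reboot))
    elif user_o is not None or reboot is not None:
        raise ValueError("'netdom add' takes neither /UserO nor /REBoot")

    if verbose:
        parts.append("/verbose")
    return " ".join(parts)


def build_batch(command, machines, **options):
    """One command line per machine, in the style of the lesson's Usenetdom.bat."""
    return "\n".join(build_netdom(command, m, **options) for m in machines)


if __name__ == "__main__":
    print(build_netdom("join", "MIGRATE1", "trainkit.microsoft.com",
                       user_d="Administrator", user_o="Administrator",
                       ou="OU=press,DC=microsoft,DC=com", reboot=40, verbose=True))
```

The `*` convention comes straight from Table 9.2: Netdom prompts for the password when it sees the asterisk, so the generated batch file never carries a credential. Running the block prints the Join line for MIGRATE1 with the quoted OU path and a 40-second reboot delay.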
The Query command allows you to obtain information about Windows 2000 domains. It uses the following syntax:
netdom query /Domain:domain [/Server:server] [/UserD:user] [/PasswordD:[password | *]] [/Verify] [/RESEt] [/Direct] workstation | server | dc | ou | pdc | fsmo | trust
The user names and passwords are the same as for previous Netdom commands. Table 9.4 explains the additional parameters.
Table 9.4 Netdom Query Command Options
Parameter | Function |
---|---|
Query | Specifies the query action |
/Domain:domain | Identifies the domain in which the query is to be executed |
/Server:server | Identifies the server on which the query is to be performed |
/Verify | Verifies that the trust between domains is working or that the secure channel for computers is operating properly |
/Reset | Resets the secure channel between the computer and the domain controller when the Server or Workstation parameter is given |
/Direct | Requests a list of only the direct trust links, leaving out domains indirectly trusted through transitive links, when the Trust parameter is given |
Workstation | Queries the domain for a list of workstations |
Server | Queries the domain for a list of servers |
DC | Queries the domain for a list of domain controllers |
OU | Queries the domain for a list of OUs under which the specified user can create machine objects |
PDC | Queries the domain for the current PDC |
FSMO | Queries the domain for a list of the servers playing each FSMO role |
Trust | Queries the domain for a list of its trusts |
The Rename command is used with a Windows NT BDC when the domain it belongs to is renamed. The new domain name is given:
netdom rename machine [/Domain:domain] [/REBoot[:Time in seconds]]
The parameters are the same as for the Add command, but only the parameters listed are needed. The Rename command applies only to Windows NT BDCs and allows the domain that they are a part of to be renamed.
The Trust command sets up or verifies trust relationships between domains. The syntax is shown here and explained in Table 9.5.
netdom trust trusting_domain_name /Domain:trusted_domain_name [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]] [/Verify] [/RESEt] [/PasswordT:new_realm_trust_password][/Add] [/REMove] [/Twoway] [/Kerberos] [/Transitive[:{yes | no}]] [/OneSide:{trusted | trusting}] [/Force]
Table 9.5 Netdom Trust Command Options
Parameter | Function |
---|---|
Trusting_domain_name | The name of the trusting domain; for example, migrate would mean that the migrate domain is going to be configured as the trusting domain. |
/Domain:trusted_domain_name | Gives the name of the trusted domain; for example, /Domain:trainkit would mean that the trainkit domain is going to be trusted. |
/UserD:user /PasswordD:password | Specifies the user name and password pair in the domain that is to be trusted, such as in the trainkit domain if the /Domain:trainkit example (from the two cells directly above this cell) is used. |
/UserO:user /PasswordO:password | Specifies the user name and password pair in the domain that is to be trusting, such as in the migrate domain if Trust migrate is used as in the above cell. |
/verify | Verifies that the trust is working correctly. |
/PasswordT:password | Specifies a new realm trust password, which is used to set up Windows NT trust relationships. When setting up the Trusting and Permitted To Trust relationships, the same password must be used on each side. If the trust is being set up only on one side (so that it can be added later on the other side), this option sets the password for setting up the trust and is valid only with the /ADD or /RESET options. |
/Add | Requests that the trust be added. |
/Remove | Requests that the trust be removed. |
/Twoway | Requests that the trust be set up to be bidirectional. |
/Oneside:trusted /Oneside:trusting | Can be set to either trusted or trusting. If set to trusted, only the trust entry in the trusted domain is set up. If set to trusting, only the trusting side is set up. The /Add and /PasswordT options are also required. |
/Kerberos | Requests that the trust be verified between the domains, or between the workstation and the domain. User names and passwords must be specified for the source and destination domains. |
/Force | If the /Remove option has been given, /Force causes the trust to be removed, even if the other domain isn't found or doesn't contain matching trust objects. |
The Reset command resets the secure connection between two domains or between a workstation and a domain controller and uses this syntax:
netdom reset machine /Domain:domain [/Server:server] [/UserO:user] [/PasswordO:[password | *]]
The Resetpwd command resets the machine account password for the machine on which it is run. Currently, there is no support for resetting the machine password of a remote machine. It uses the following syntax, which is explained in Table 9.6.
netdom resetpwd /Server:server /UserD:user /PasswordD:[password | *]
Table 9.6 Netdom Resetpwd Command Options
Parameter | Function |
---|---|
/Server:server | The server to be used to perform the reset operation. Note that this parameter is mandatory. |
/UserD:user | The user name in the domain that will be used to perform the change. |
/PasswordD:password | The password belonging to the user name in the domain. If an asterisk (*) is entered, the user will be prompted for the password. |
The Verify command is used to verify the secure connection between a workstation and a domain. Its syntax is shown here and is explained in Table 9.7:
netdom verify machine /Domain:domain [/UserO:user] [/PasswordO:[password | *]]
Table 9.7 Netdom Verify Command Options
Parameter | Function |
---|---|
/Domain:domain | The domain with which the connection is to be verified. |
/UserO:user | The user name in the workstation that will be used to verify the connection. |
/PasswordO:password | The password of the user name in the workstation. If * is entered, the user will be prompted for the password. |
The Time command allows you to verify or reset the time between a workstation and a domain controller. Its syntax is shown here and is explained in Table 9.8.
netdom time machine /Domain:domain [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]] [/Verify] [/RESEt] [workstation] [server]
The user names and passwords are as for previous Netdom commands.
Table 9.8 Netdom Time Command Options
Parameter | Function |
---|---|
machine | Identifies the machine to have its time verified or reset |
/Verify | Verifies the time in the workstation against that in the domain controller |
/RESEt | Adjusts the time in the workstation to synchronize it with the domain controller |
Workstation | Synchronizes the time on all the workstations in the domain |
Server | Synchronizes the time on all the servers in the domain |
You can use Netdom to perform general housekeeping during the migration and also to automate tasks where large numbers of domains need to be moved, or where workstations need to be transferred from one domain to another. In summary, Netdom is useful when you need to do the following:
In this practice, you'll use Netdom to set up trust relationships between the TRAINKIT and MIGRATE domains. These steps are necessary to set up the network so that the later practices on inter-forest restructure using the ADMT and ClonePrincipal tools will work.
In the beginning of this practice, you first verify that no trust relationships exist in the TRAINKIT domain.
To prepare the systems for using the Netdom tool
Now you'll use Netdom to create trust relationships. Type the commands exactly as shown. If you experience problems, see the tip.
To create trust relationships with Netdom
You shouldn't see any trusts.
Netdom trust migrate /domain:trainkit /UserD:Administrator /PasswordD:secret /UserO:Administrator /PasswordO:secret /add /PasswordT:secret /verbose
This command will create a trust relationship so that the MIGRATE domain trusts the TRAINKIT domain. Your screen should now display the following:
```
Establishing a session with \\MIGRATE1
Reading LSA domain policy information
Establishing a session with \\TRAINKIT1
Reading LSA domain policy information
Trust information for domain MIGRATE written to domain trainkit.microsoft.com
Creating secret G$$TRAINKIT
Creating a trust with domain TRAINKIT
Trust information for domain trainkit.microsoft.com written to domain MIGRATE
Deleting the session with \\TRAINKIT1
Deleting the session with \\MIGRATE1
The command completed successfully.
```
Now your screen should show the following trust relationship with MIGRATE:
```
C:\>netdom query trust
Direction Trusted\Trusting domain Via domain Status
========= ======================= ========== ======
<-        MIGRATE
The command completed successfully.
```
Netdom trust trainkit /domain:migrate /UserD:Administrator /PasswordD:secret /UserO:Administrator /PasswordO:secret /add /PasswordT:secret /verbose
This command will create a trust relationship so that the trainkit domain trusts the migrate domain. You should see the following listing on your screen:
```
Establishing a session with \\TRAINKIT1
Reading LSA domain policy information
Establishing a session with \\MIGRATE1
Reading LSA domain policy information
Adding trust account for TRAINKIT$
Trust information for domain trainkit.microsoft.com written to domain MIGRATE
Trust information for domain MIGRATE written to domain trainkit.microsoft.com
Deleting the session with \\MIGRATE1
Deleting the session with \\TRAINKIT1
The command completed successfully.
```
Tip
If you have a problem typing everything in, you can use the Usenetdom.bat batch file in the C:\Tools folder, which contains the lines from steps 2 and 4 in the previous listing and will create the trusts for you.
You should see that MIGRATE is a trusted and trusting domain, as shown here:
```
C:\>netdom query trust
Direction Trusted\Trusting domain Via domain Status
========= ======================= ========== ======
<->       MIGRATE
The command completed successfully.
```
The bidirectional nature of the trust is indicated by the two arrows (<->) to the left of MIGRATE.
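When trusts have to be checked on many domain controllers, a script rather than a person has to read this listing. The following Python parser is an added example, not code from the training kit or from Netdom itself: it finds the column boundaries from the rule of equals signs under the header, reads each trust row into direction, partner domain, via domain and status, groups the partners by direction, and compares them with an approved list so that a trust nobody signed off on stands out. The sample listing is constructed to follow the layout of the practice output (the PARTNER row is made up), and the parser assumes rows are aligned under the header columns. The meaning of the arrows is taken from the practice, where `<- MIGRATE` appeared in the TRAINKIT domain once MIGRATE had been set up as the trusting domain.

```python
"""Parse 'netdom query trust' output and flag trusts missing from an approved list.

Added example, not from the training kit. Column layout and arrow meanings
are assumptions drawn from the listing shown in the practice.
"""
import re

# Meaning of the Direction column, seen from the domain that was queried.
# In the practice, '<- MIGRATE' showed in TRAINKIT once MIGRATE trusted TRAINKIT.
DIRECTIONS = {
    "<-": "inbound",         # the listed domain trusts the queried domain
    "->": "outbound",        # the queried domain trusts the listed domain
    "<->": "bidirectional",
}

# Constructed sample in the layout of the practice listing; the PARTNER row is made up.
SAMPLE_OUTPUT = """\
C:\\>netdom query trust
Direction Trusted\\Trusting domain Via domain Status
========= ======================= ========== ======
<->       MIGRATE
<-        PARTNER
The command completed successfully.
"""


def _column_spans(rule_line):
    """Start/end offsets of each run of '=' in the rule under the header."""
    return [(m.start(), m.end()) for m in re.finditer(r"=+", rule_line)]


def parse_query_trust(text):
    """Return one dict per trust row with direction, domain, via and status."""
    spans = None
    trusts = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if spans is None:
            # Everything before the rule (prompt echo, header line) is skipped.
            if re.fullmatch(r"[= ]+", line.strip()):
                spans = _column_spans(line)
            continue
        if line.startswith("The command"):
            break
        # Slice each field from its column start to the next column start.
        cells = []
        for i, (start, _) in enumerate(spans):
            end = spans[i + 1][0] if i + 1 < len(spans) else None
            cells.append(line[start:end].strip())
        direction, domain, via, status = (cells + [""] * 4)[:4]
        if direction not in DIRECTIONS:
            raise ValueError("unexpected direction %r in line %r" % (direction, raw))
        trusts.append({"direction": direction, "domain": domain,
                       "via": via, "status": status})
    if spans is None:
        raise ValueError("no column rule found; not 'netdom query trust' output?")
    return trusts


def trust_summary(trusts):
    """Partner domains grouped as inbound, outbound or bidirectional."""
    summary = {name: [] for name in DIRECTIONS.values()}
    for t in trusts:
        summary[DIRECTIONS[t["direction"]]].append(t["domain"])
    return summary


def unexpected_trusts(trusts, approved):
    """Partner domains present in the listing but absent from the approved set."""
    approved = {d.upper() for d in approved}
    return [t["domain"] for t in trusts if t["domain"].upper() not in approved]


if __name__ == "__main__":
    found = parse_query_trust(SAMPLE_OUTPUT)
    print(trust_summary(found))
    print("not approved:", unexpected_trusts(found, {"MIGRATE"}))
```

Taking the column boundaries from the rule line rather than splitting on whitespace keeps the Via domain and Status fields apart when one of them is empty, which is the normal case in the practice listing. Run against the sample, the script reports MIGRATE as bidirectional and PARTNER as an inbound trust that is not on the approved list.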
You should now see two trust relationships created by the Netdom tool, as shown in Figure 9.3.
Figure 9.3 Trust relationships established by Netdom
Tip
If you get stuck, have a look at the Netdomans.bat file in the C:\Tools folder for some help and some shortcuts.
Netdom query server
Netdom query pdc
This practice demonstrates that the Netdom command is a useful tool for scripting domain configuration and obtaining diagnostic information about domains.
In this lesson, you learned how to use the Netdom utility to create trust relationships, add computers to a domain, and verify trust relationships. You learned about the comprehensive range of functions available to you with the Netdom command.