Lesson 3: Using Netdom in a Restructure Migration

The Netdom utility is a core tool for use in both intra- and inter-forest restructures. In this lesson, you'll learn how to obtain and use it.


After this lesson, you will be able to

  • Identify where to use the Netdom tool.
  • Identify the strengths and weaknesses of the tool.

Estimated lesson time: 30 minutes


Purpose of the Netdom Utility

Netdom is used from the command prompt to manage Windows domains and trusts. Netdom is supplied in the Support folder of the Windows 2000 Server CD-ROM. You installed these tools earlier in this chapter and they can now be opened from the Support Tools folder of the Programs folder on the Windows 2000 Start menu.

IMPORTANT


Don't confuse the Netdom version used here with the earlier version supplied with the Microsoft Windows NT Server Resource Kit.

You can use Netdom in a variety of situations. It can move computers—workstations, servers, and domain controllers—from one domain to another. You can also use it to test and set up trust relationships. The Netdom command has the following form:

    Netdom command [/d:domain] object [/options]

Each of Netdom's commands is explained next.

Netdom Add Command

The Add command adds a workstation or server account to a domain. Later on, the machine can then be added to the domain manually, or it can be made part of the domain using the Netdom Join command. The syntax is shown here and explained in Table 9.2.

    netdom add machine /Domain:domain [/UserD:user]
        [/PasswordD:[password | *]] [/Server:server] [/OU:ou path]
        [/verbose] [/help]

Table 9.2 Netdom Add Command Options

Parameter           Function
Machine             The NetBIOS name of the computer for which the account is to
                    be created; for example,
                        Add migrate1
                    will create an account for the machine MIGRATE1.
/Domain:domain      The name of the destination domain in which the machine
                    account is to be created; for example,
                        /Domain:trainkit.microsoft.com
                    will create the machine account in the
                    trainkit.microsoft.com domain.
/UserD:user         The user name to be used in the destination domain to
                    authenticate the add operation. It must have the
                    appropriate rights in the domain; for example,
                        /UserD:Administrator
                    will use the Administrator account to authenticate to the
                    destination domain.
/PasswordD:password The password of the user name in the destination domain.
                    If an asterisk (*) is entered, Netdom will prompt the user
                    for a password.
/OU:oupath          The fully qualified path to the OU in which the account is
                    to be created; for example,
                        /OU:"OU=press,DC=microsoft,DC=com"
                    denotes the Press OU in the microsoft.com domain. Note the
                    use of double quotes to enclose the OU path.
/Server:server      The name of the specific server in the domain to perform
                    the operation; for example,
                        /Server:trainkit1
                    will use the TRAINKIT1 server to perform the transaction.
                    If the /Server option is omitted, any available server in
                    the domain will be used.
/verbose            Produces detailed output documenting each individual
                    action as the command is carried out.
/help               Outputs information about the syntax of the Add command,
                    similar to the information shown in this table.

Nslookup can also help you interrogate the records entered into the DNS database and test entries in the forward and reverse lookup zones; however, Nslookup cannot tell you if records have been typed incorrectly.

Netdom Join Command

The Join command joins a computer to a domain. Its syntax is shown here and explained in Table 9.3.

    netdom join machine /Domain:domain [/OU:oupath] [/UserD:user]
        [/PasswordD:[password | *]]
        [/UserO:user] [/PasswordO:[password | *]]
        [/REBoot[:Time in seconds]]

The Join command will automatically create a computer account in the domain if required; in other words, there's no need to perform an Add command first.

Table 9.3 Netdom Join Command Options

Parameter           Function
Machine             The NetBIOS name of the machine to join the domain; for
                    example,
                        Join trainkit1
/Domain:domain      Same as the Netdom Add command.
/OU:oupath          Same as the Netdom Add command.
/UserD:user         Same as the Netdom Add command.
/PasswordD:password Same as the Netdom Add command.
/UserO:user         The user name on the machine to be used to perform the
                    operation. It must have the appropriate rights.
/PasswordO:password The password of the machine user name. If an asterisk (*)
                    is entered, the Netdom command will prompt for a password.
/REBoot:time        The machine will be rebooted once it has joined the domain.
                    Specifying /REB with no time specified will cause the
                    machine to wait 20 seconds before rebooting. You can change
                    the time before reboot by adding a time value in seconds;
                    for example,
                        /REB:40
                    will reboot the machine 40 seconds after joining the
                    domain. If the /REB option isn't used, the machine won't be
                    rebooted.

The Netdom Join command also supports the /S:server, /Verbose, and /Help options. Note that you must enter two user name/password pairs: one for the machine itself and the other for the domain it's going to join.

If you use this command to join a downlevel (in other words, Windows NT) system to a domain, it's possible for the command to fail and leave the machine in an undetermined state (in other words, broken). When a Windows 2000 system is joined in this way, the operation will either succeed or be rolled back.

Netdom Move Command

The Move command moves a computer from one domain to another and uses the following syntax:

    netdom move machine /Domain:domain [/OU:oupath] [/UserD:user]
        [/PasswordD:[password | *]]
        [/UserO:user] [/PasswordO:[password | *]]
        [/REBoot[:Time in seconds]]

The syntax of the Move command is identical to the Join command. As with the Join command, if the move fails with a Windows NT system, the domain state of the system might be indeterminate.

If no machine account is in the destination domain, one is created automatically. The machine account in a source domain (in other words, the domain the machine was previously a member of) is not deleted. If the source domain is running Windows 2000, the machine account is disabled.

Netdom Remove Command

The Remove command removes a computer from a domain and uses the following syntax:

    netdom remove machine /Domain:domain [/UserD:user]
        [/PasswordD:[password | *]]
        [/UserO:user] [/PasswordO:[password | *]]
        [/REBoot[:Time in seconds]]

The syntax of the Remove command is identical to the Join command, except that the /OU parameter isn't used.

Netdom Query Command

The Query command allows you to obtain information about Windows 2000 domains. It uses the following syntax:

    netdom query /Domain:domain [/Server:server]
        [/UserD:user] [/PasswordD:[password | *]]
        [/Verify] [/RESEt] [/Direct]
        workstation | server | dc | ou | pdc | fsmo | trust

The user names and passwords are the same as for previous Netdom commands. Table 9.4 explains the additional parameters.

Table 9.4 Netdom Query Command Options

Parameter           Function
Query               Specifies the query action
/Domain:domain      Identifies the domain in which the query is to be executed
/Server:server      Identifies the server on which the query is to be performed
/Verify             Verifies that the trust between domains is working or that
                    the secure channel for computers is operating properly
/Reset              Resets the secure channel between the computer and the
                    domain controller when the Server or Workstation parameter
                    is given
/Direct             Requests a list of only the direct trust links, leaving out
                    domains indirectly trusted through transitive links, when
                    the Trust parameter is given
Workstation         Queries the domain for a list of workstations
Server              Queries the domain for a list of servers
DC                  Queries the domain for a list of domain controllers
OU                  Queries the domain for a list of OUs under which the
                    specified user can create machine objects
PDC                 Queries the domain for the current PDC
FSMO                Queries the domain for a list of the servers playing each
                    FSMO role
Trust               Queries the domain for a list of its trusts
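The Trust query produces the tabular listing shown later in this lesson's practice (a Direction column with <-, -> or <->, then the trusted/trusting domain, a Via domain column and a Status column). The following Python script is an added example, not code from the book: it parses that listing into records by deriving the column boundaries from the "=====" underline row, and then lists the two-way trusts, which is a useful inventory step when reviewing which domains trust each other. The sample output is constructed from the practice listing; the second row (a trust reached through an intermediate domain, with a Status value) is invented only to exercise the Via domain and Status columns.

```python
"""Parse the tabular output of `netdom query ... trust` into trust records.

Added example for this lesson; the sample output below is constructed and
the CORP row is invented to exercise the Via domain and Status columns.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

_HEADER = "Direction Trusted\\Trusting domain Via domain Status"
_RULE = "========= ======================= ========== ======"

# Constructed sample modelled on the practice listing (step 5). The column
# widths are taken from the underline row so the fixed-width slicing lines up.
SAMPLE_OUTPUT = "\n".join([
    "C:\\>netdom query trust",
    _HEADER,
    _RULE,
    f"{'<->':<10}{'MIGRATE':<24}",                     # as in step 5 of the practice
    f"{'<-':<10}{'CORP':<24}{'MIGRATE':<11}Verified",  # invented: trust via MIGRATE
    "The command completed successfully.",
])


@dataclass
class TrustEntry:
    direction: str            # "<-", "->" or "<->", exactly as netdom prints it
    domain: str               # the trusted/trusting domain named on the row
    via_domain: Optional[str] # intermediate domain for transitive trusts, if shown
    status: Optional[str]     # Status column, if netdom printed one

    @property
    def bidirectional(self) -> bool:
        return self.direction == "<->"


def _column_spans(separator: str):
    """Derive (start, end) slices for each column from the '=====' underline row."""
    starts = [m.start() for m in re.finditer(r"=+", separator)]
    ends = starts[1:] + [None]
    return list(zip(starts, ends))


def parse_trust_query(text: str) -> List[TrustEntry]:
    """Turn the netdom trust listing into TrustEntry records."""
    lines = text.splitlines()
    sep_index = next(
        (i for i, line in enumerate(lines)
         if re.fullmatch(r"=+(?: +=+)*", line.rstrip())),
        None,
    )
    if sep_index is None:
        raise ValueError("no column underline found; is this netdom query trust output?")
    spans = _column_spans(lines[sep_index])
    entries: List[TrustEntry] = []
    for line in lines[sep_index + 1:]:
        if not line.strip() or line.startswith("The command completed"):
            continue
        fields = [line[s:e].strip() for s, e in spans]
        direction, domain, via, status = (fields + ["", "", "", ""])[:4]
        if direction not in ("<-", "->", "<->"):
            raise ValueError(f"unexpected direction token {direction!r} in {line!r}")
        entries.append(TrustEntry(direction, domain, via or None, status or None))
    return entries


def two_way_trust_domains(entries: List[TrustEntry]) -> List[str]:
    """Names of domains with a bidirectional (<->) trust; worth reviewing first."""
    return [e.domain for e in entries if e.bidirectional]


def run_trust_query(domain: str) -> List[TrustEntry]:
    """Run netdom on a Windows host and parse its output (not exercised offline)."""
    result = subprocess.run(
        ["netdom", "query", f"/Domain:{domain}", "trust"],
        capture_output=True, text=True, check=True,
    )
    return parse_trust_query(result.stdout)


if __name__ == "__main__":
    for entry in parse_trust_query(SAMPLE_OUTPUT):
        print(entry)
    print("two-way trusts:", two_way_trust_domains(parse_trust_query(SAMPLE_OUTPUT)))
```

Deriving the column positions from the underline row rather than hard-coding them keeps the parser working if a domain name is long enough to widen a column; the direction token is validated so that any unexpected line (for instance an error message) fails loudly instead of being silently dropped.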

Netdom Rename Command

The Rename command is used on a Windows NT BDC to reflect a change in the name of the domain it belongs to. The new domain name is given with the /Domain option:

    netdom rename machine [/Domain:domain] [/REBoot[:Time in seconds]]

The parameters are the same as for the Add command, but only the parameters listed are needed. The Rename command applies only to Windows NT BDCs and allows the domain that they are a part of to be renamed.

Netdom Trust Command

The Trust command sets up or verifies trust relationships between domains. The syntax is shown here and explained in Table 9.5.

    netdom trust trusting_domain_name /Domain:trusted_domain_name
        [/UserD:user] [/PasswordD:[password | *]] [/UserO:user]
        [/PasswordO:[password | *]] [/Verify] [/RESEt]
        [/PasswordT:new_realm_trust_password] [/Add] [/REMove]
        [/Twoway] [/Kerberos] [/Transitive[:{yes | no}]]
        [/OneSide:{trusted | trusting}] [/Force]

Table 9.5 Netdom Trust Command Options

Parameter                   Function
Trusting_domain_name        The name of the trusting domain; for example,
                                migrate
                            would mean that the migrate domain is going to be
                            configured as the trusting domain.
/Domain:trusted_domain_name Gives the name of the trusted domain; for example,
                                /Domain:trainkit
                            would mean that the trainkit domain is going to be
                            trusted.
/UserD:user                 Specifies the user name and password pair in the
/PasswordD:password         domain that is to be trusted, such as in the
                            trainkit domain if the /Domain:trainkit example
                            above is used.
/UserO:user                 Specifies the user name and password pair in the
/PasswordO:password         domain that is to be trusting, such as in the
                            migrate domain if Trust migrate is used as above.
/Verify                     Verifies that the trust is working correctly.
/PasswordT:password         Specifies a new realm trust password, which is used
                            to set up Windows NT trust relationships. When
                            setting up the Trusting and Permitted To Trust
                            relationships, the same password must be used on
                            each side. If the trust is being set up only on one
                            side (so that it can be added later on the other
                            side), this option sets the password for setting up
                            the trust and is valid only with the /Add or /Reset
                            options.
/Add                        Requests that the trust be added.
/Remove                     Requests that the trust be removed.
/Twoway                     Requests that the trust be set up to be
                            bidirectional.
/OneSide:trusted            Can be set to either trusted or trusting. If set to
/OneSide:trusting           trusted, only the trust entry in the trusted domain
                            is set up. If set to trusting, only the trusting
                            side is set up. The /Add and /PasswordT options are
                            also required.
/Kerberos                   Requests that the trust be verified between the
                            domains, or between the workstation and the domain.
                            User names and passwords must be specified for the
                            source and destination domains.
/Force                      If the /Remove option has been given, /Force causes
                            the trust to be removed, even if the other domain
                            isn't found or doesn't contain matching trust
                            objects.

Netdom Reset Command

The Reset command resets the secure connection between two domains or between a workstation and a domain controller and uses this syntax:

    netdom reset machine /Domain:domain [/Server:server]
        [/UserO:user] [/PasswordO:[password | *]]

Netdom Resetpwd Command

The Resetpwd command resets the machine account password for the machine on which it is run. Currently, there is no support for resetting the machine password of a remote machine. It uses the following syntax, which is explained in Table 9.6.

    netdom resetpwd /Server:server /UserD:user /PasswordD:[password | *]

Table 9.6 Netdom Resetpwd Command Options

Parameter           Function
/Server:server      The server to be used to perform the reset operation. Note
                    that this parameter is mandatory.
/UserD:user         The user name in the domain that will be used to perform
                    the change.
/PasswordD:password The password belonging to the user name in the domain. If
                    an asterisk (*) is entered, the user will be prompted for
                    the password.

Netdom Verify Command

The Verify command is used to verify the secure connection between a workstation and a domain. Its syntax is shown here and is explained in Table 9.7:

    netdom verify machine /Domain:domain [/UserO:user]
        [/PasswordO:[password | *]]

Table 9.7 Netdom Verify Command Options

Parameter           Function
/Domain:domain      The domain with which the connection is to be verified.
/UserO:user         The user name on the workstation that will be used to
                    verify the connection.
/PasswordO:password The password of the user name on the workstation. If an
                    asterisk (*) is entered, the user will be prompted for the
                    password.

Netdom Time Command

The Time command allows you to verify or reset the time between a workstation and a domain controller. Its syntax is shown here and is explained in Table 9.8.

    netdom time machine /Domain:domain [/UserD:user]
        [/PasswordD:[password | *]] [/UserO:user]
        [/PasswordO:[password | *]] [/Verify] [/RESEt]
        [workstation] [server]

The user names and passwords are as for previous Netdom commands.

Table 9.8 Netdom Time Command Options

Parameter           Function
machine             Identifies the machine to have its time verified or reset
/Verify             Verifies the time on the workstation against that on the
                    domain controller
/RESEt              Adjusts the time on the workstation to synchronize it with
                    the domain controller
Workstation         Synchronizes the time on all the workstations in the domain
Server              Synchronizes the time on all the servers in the domain

When to Use Netdom

You can use Netdom to perform general housekeeping during the migration and also to automate tasks where large numbers of domains need to be moved, or where workstations need to be transferred from one domain to another. In summary, Netdom is useful when you need to do the following:

  • Join a workstation or member server to a domain
  • Manage member servers and workstations by querying and moving them between domains
  • Manage trusts between domains

Practice: Using Netdom

In this practice, you'll use Netdom to set up trust relationships between the TRAINKIT and MIGRATE domains. These steps are necessary to set up the network so that the later practices on inter-forest restructure using the ADMT and ClonePrincipal tools will work.

In the beginning of this practice, you first verify that no trust relationships exist in the TRAINKIT domain.

To prepare the systems for using the Netdom tool

  1. Log on to TRAINKIT1 as Administrator with the password secret.
  2. Open Active Directory Domains And Trusts from the Administrative Tools folder.
  3. Right-click trainkit.microsoft.com and select Properties from the shortcut menu.
  4. Click the Trusts tab and confirm that no trust relationships are established.
  5. Click OK to return to the Active Directory Domains And Trusts main screen, and then minimize it.

Now you'll use Netdom to create trust relationships. Type the commands exactly as shown. If you experience problems, see the tip.

To create trust relationships with Netdom

  1. Open a command prompt on TRAINKIT1 and type netdom query trust.

    You shouldn't see any trusts.

  2. Enter the following command line. Don't press Enter until you reach the end of this long, single command:

    Netdom trust migrate /domain:trainkit /UserD:Administrator
        /PasswordD:secret /UserO:Administrator /PasswordO:secret
        /add /PasswordT:secret /verbose

    This command will create a trust relationship so that the MIGRATE domain trusts the TRAINKIT domain. Your screen should now display the following:

    Establishing a session with \\MIGRATE1
    Reading LSA domain policy information
    Establishing a session with \\TRAINKIT1
    Reading LSA domain policy information
    Trust information for domain MIGRATE written to domain trainkit.microsoft.com
    Creating secret G$$TRAINKIT
    Creating a trust with domain TRAINKIT
    Trust information for domain trainkit.microsoft.com written to domain MIGRATE
    Deleting the session with \\TRAINKIT1
    Deleting the session with \\MIGRATE1
    The command completed successfully.

  3. Verify that the command has worked by typing netdom query trust.

    Now your screen should show the following trust relationship with MIGRATE:

    C:\>netdom query trust
    Direction Trusted\Trusting domain Via domain Status
    ========= ======================= ========== ======
    <-        MIGRATE
    The command completed successfully.

  4. Enter the following command and remember to press Enter only at the very end:

    Netdom trust trainkit /domain:migrate /UserD:Administrator
        /PasswordD:secret /UserO:Administrator /PasswordO:secret
        /add /PasswordT:secret /verbose

    This command will create a trust relationship so that the trainkit domain trusts the migrate domain. You should see the following listing on your screen:

    Establishing a session with \\TRAINKIT1
    Reading LSA domain policy information
    Establishing a session with \\MIGRATE1
    Reading LSA domain policy information
    Adding trust account for TRAINKIT$
    Trust information for domain trainkit.microsoft.com written to domain MIGRATE
    Trust information for domain MIGRATE written to domain trainkit.microsoft.com
    Deleting the session with \\MIGRATE1
    Deleting the session with \\TRAINKIT1
    The command completed successfully.

    Tip


    If you have a problem typing everything in, you can use the Usenetdom.bat batch file in the C:\Tools folder, which contains the lines from steps 2 and 4 in the previous listing and will create the trusts for you.

  5. Now type this query to list the trusts in force in the trainkit domain: netdom query trust.

    You should see that MIGRATE is a trusted and trusting domain, as shown here:

    C:\>netdom query trust
    Direction Trusted\Trusting domain Via domain Status
    ========= ======================= ========== ======
    <->       MIGRATE
    The command completed successfully.

    The bidirectional nature of the trust is indicated by the two arrows (<->) to the left of MIGRATE.

  6. To verify the creation of the trust relationships, switch to Active Directory Domains And Trusts.
  7. Right-click trainkit.microsoft.com, select Properties from the shortcut menu, and then select the Trusts tab.

    You should now see two trust relationships created by the Netdom tool, as shown in Figure 9.3.

    Figure 9.3 Trust relationships established by Netdom

  8. Now experiment with the Netdom tool and add the computers MIGRATE2, TRAINKIT3, and TRAINKIT4 to the TRAINKIT domain using the Netdom Add command.
  9. Using the Netdom Add command, add MIGRATE3 and MIGRATE4 to the Europe OU. Verify your command worked properly by opening Active Directory Users And Computers and examining the Europe OU.

    Tip


    If you get stuck, have a look at the Netdomans.bat file in the C:\Tools folder for some help and some shortcuts.

  10. Now use the Netdom Query command to get more information about your domain. For example, find out which domain controllers hold the FSMO roles discussed later in Chapter 10, "Post-Migration Tasks," by typing netdom query fsmo.
  11. Observe what information is returned by these two commands:

    Netdom query server
    Netdom query pdc

This practice demonstrates that the Netdom command is a useful tool for scripting domain configuration and obtaining diagnostic information about domains.
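The option tables in this lesson and the two trust commands in the practice can be scripted. The Python module below is an added example, not the book's Usenetdom.bat or any Microsoft code: it encodes the rules the tables state (/Server is mandatory for Resetpwd, Remove takes no /OU, /OneSide requires /Add and /PasswordT, /Force is documented only with /Remove), assembles argv lists that subprocess can run without a shell, and substitutes * for the Administrator passwords so that Netdom prompts for them instead of reading them from the command line, where a cleartext password is visible to anyone who can list processes on the machine. The rule checks assume only what the tables above say; the practice replay takes the trust password as a parameter rather than hard-coding it.

```python
"""Build and sanity-check netdom command lines from the option tables above.

Added example for this lesson; not the book's Usenetdom.bat. The rules below
are taken from the tables in this lesson and nothing else is assumed.
"""
import subprocess
from typing import List, Optional

# Commands whose syntax lists /Domain without brackets, i.e. mandatory.
_DOMAIN_REQUIRED = {"add", "join", "move", "remove", "query", "trust",
                    "reset", "verify", "time"}
# Credential options for which "*" makes netdom prompt for the password.
_PROMPTABLE = {"passwordd", "passwordo"}


def check_netdom_options(command: str, allow_cleartext_password: bool = False,
                         **options) -> List[str]:
    """Return rule violations for the given options; an empty list means OK."""
    command = command.lower()
    names = {k.lower(): k for k in options}                       # original spelling
    present = {k.lower(): v for k, v in options.items() if v not in (None, False)}
    problems: List[str] = []

    def need(*required: str) -> None:
        for opt in required:
            if opt.lower() not in present:
                problems.append(f"netdom {command} requires /{opt}")

    if command in _DOMAIN_REQUIRED:
        need("Domain")
    if command == "resetpwd":                        # Table 9.6: /Server is mandatory
        need("Server", "UserD", "PasswordD")
    if command == "remove" and "ou" in present:      # Remove does not use /OU
        problems.append("netdom remove does not take /OU")
    if command == "trust":
        if "oneside" in present:                     # Table 9.5: /OneSide needs /Add and /PasswordT
            need("Add", "PasswordT")
        if "force" in present and "remove" not in present:
            problems.append("/Force is documented only together with /Remove")
    # A cleartext password on the command line is visible in process listings;
    # insist on "*" (prompt) unless the caller explicitly overrides.
    for opt in _PROMPTABLE.intersection(present):
        if present[opt] != "*" and not allow_cleartext_password:
            problems.append(f"/{names[opt]} should be '*' so netdom prompts for the password")
    return problems


def build_netdom_args(command: str, target: Optional[str] = None,
                      positional: Optional[str] = None,
                      allow_cleartext_password: bool = False,
                      **options) -> List[str]:
    """Return argv for: netdom <command> [target] [/options] [positional].

    Switches are passed as True (Add=True); valued options as strings
    (Domain="trainkit"); `positional` is the trailing keyword some commands
    take, such as "trust" or "fsmo" for query.
    """
    problems = check_netdom_options(command, allow_cleartext_password, **options)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["netdom", command.lower()]
    if target:
        argv.append(target)
    for name, value in options.items():
        if value is True:
            argv.append(f"/{name}")
        elif value not in (None, False):
            argv.append(f"/{name}:{value}")
    if positional:
        argv.append(positional)
    return argv


def to_command_line(argv: List[str]) -> str:
    """Render argv as one cmd.exe line; an argument containing spaces is quoted,
    which is how an OU path with spaces reaches netdom intact."""
    return subprocess.list2cmdline(argv)


def practice_trust_commands(trust_password: str) -> List[List[str]]:
    """The two trust commands from steps 2 and 4 of the practice, with '*' so
    the Administrator passwords are prompted for rather than typed on the line."""
    common = dict(UserD="Administrator", PasswordD="*", UserO="Administrator",
                  PasswordO="*", Add=True, PasswordT=trust_password, Verbose=True)
    return [
        build_netdom_args("trust", "migrate", Domain="trainkit", **common),   # MIGRATE trusts TRAINKIT
        build_netdom_args("trust", "trainkit", Domain="migrate", **common),   # TRAINKIT trusts MIGRATE
    ]


if __name__ == "__main__":
    for argv in practice_trust_commands("secret"):
        print(to_command_line(argv))
    # On a Windows host with the Support Tools installed, run one with:
    #     subprocess.run(argv, check=True)
```

Passing argv as a list to subprocess (no shell) means the OU path needs no manual double quoting; `to_command_line` only renders what cmd.exe would receive, for logging or for copying into a batch file.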

Lesson Summary

In this lesson, you learned how to use the Netdom utility to create trust relationships, add computers to a domain, and verify trust relationships. You learned about the comprehensive range of functions available to you with the Netdom command.



MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
Year: 2001
Pages: 126