Windows Domain Manager (NetDom.exe) is a command-line tool with some unique features, such as moving computer accounts between domains, joining computers to a domain, and renaming domain controllers or computer accounts. The tool allows you to:
Retrieve diverse information about domains
Add, join, and move computers to a domain (these operations are "OU-aware"), as well as remove computers from a domain
Rename domain controllers and computers
Reset and verify computer secure channels
Verify, establish, reset, break, and change domain trusts (including Kerberos trusts)
Be careful: the documentation for this tool is somewhat inconsistent. The parameter descriptions in the Support Tools Help and in the tool's built-in help diverge in quite a few places.
The Windows .NET version of NetDom.exe does not run on Windows 2000 systems.
Let us discuss some interesting features of NetDom.exe with a few examples. To see detailed information on how an operation is performed, add the /Verbose parameter to any command. Many of the tool's commands accept the DNS names of computers and domains, but in some cases NetBIOS names are preferable. In the examples below, passwords are given as * (for instance, /PD:*) so that NetDom.exe prompts for them; a password typed directly on the command line is visible in the command history and in process listings.
NetDom.exe is one of the tools that let you view the owners of the FSMO roles in a forest. For example, the following command shows that the server NETDC2 holds all three domain-wide roles in its domain (PDC emulator, RID master, and infrastructure master), whereas both forest-wide roles (schema master and domain naming master) are owned by the server NETDC1 in the root domain:
    C:\>netdom QUERY /D:subdom.net.dom FSMO
    Schema owner              netdc1.net.dom
    Domain role owner         netdc1.net.dom
    PDC role                  netdc2.subdom.net.dom
    RID pool manager          netdc2.subdom.net.dom
    Infrastructure owner      netdc2.subdom.net.dom
    The command completed successfully.
The following command displays all domains that have direct trusts with the specified domain (the trusts themselves can be verified with the netdom TRUST command; see later). In the Direction column, <-> denotes a two-way trust; notice that net.dom and NT4DOM are connected by a one-way trust:
    C:\>netdom QUERY /D:net.dom TRUST /Direct
    Direction  Trusted\Trusting domain  Trust type
    =========  =======================  ==========
       <->     subdom.net.dom           Direct
       <-      NT4DOM                   Direct
       <->     dotnet.dom               Direct
The netdom QUERY command can also verify (the /Verify parameter) and reset (the /Reset parameter) domain trusts. The following command checks the trust between the parent (current) domain and a child domain; it is executed in the parent domain, and the credentials of an administrator of the child domain must be provided:
    C:\>netdom QUERY /D:subdom.net.dom TRUST /UD:administrator /PD:* /Verify
    Type the password associated with the domain user:
    Direction  Trusted\Trusting domain  Trust type  Status
    =========  =======================  ==========  ======
       <->     net.dom                  Direct      Verified
    The command completed successfully.
When you delegate control over some OUs to a user (jsmith in our example), you may want to quickly verify what that user can actually do; you must know the user's password. The following command lists the OUs in which the user is allowed to create computer accounts:
    C:\>netdom QUERY /D:net.dom OU /UD:jsmith /PD:*
    Type the password associated with the domain user:
    List of Organizational Units within which the specified user
    can create a machine account:
    OU=Staff, DC=net, DC=dom
    OU=Sales, OU=Marketing, DC=net, DC=dom
    The command completed successfully.
Compare this output with the results received for an administrative account.
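The netdom QUERY ... OU command asks the domain controller for an answer but does not tell you where the right comes from. The following PowerShell script is an added example (it is not code from the book or part of NetDom.exe) that approaches the same question from the other side: it reads the security descriptor of every OU and reports those in which a principal holds the "create child" right for computer objects, so you can see which ACE grants what. It assumes the ActiveDirectory module (RSAT) with its AD: drive, a domain-joined session that may read OU security descriptors, and it reuses the book's hypothetical names (net.dom, jsmith, administrator). The computer class GUID is the schema value for the computer class.

```powershell
# Added example, not from the book: which OUs let a principal create computer objects, read from OU ACLs.
Import-Module ActiveDirectory

# Schema class GUID of 'computer'. An ACE scoped to this ObjectType grants rights over computer
# children only; an ACE whose ObjectType is empty applies to children of any class.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-PrincipalSidSet {
    # SIDs that an access check for this user would match: the user, nested groups, primary group,
    # and the well-known Everyone / Authenticated Users identities.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership on the server side.
    # (Assumes the DN contains no characters that need LDAP filter escaping.)
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($user.SID.Value)
    foreach ($g in $groups) { [void]$sids.Add($g.SID.Value) }
    [void]$sids.Add((Get-ADGroup -Identity $user.PrimaryGroup).SID.Value)
    [void]$sids.Add('S-1-1-0')    # Everyone
    [void]$sids.Add('S-1-5-11')   # Authenticated Users
    $sids
}

function Get-ComputerCreateOU {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $sids   = Get-PrincipalSidSet -SamAccountName $SamAccountName
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        $allow = $false; $deny = $false
        foreach ($ace in $acl.Access) {
            # Only ACEs carrying CreateChild (GenericAll includes it) on computers or on any class matter.
            if (-not ($ace.ActiveDirectoryRights -band $create)) { continue }
            if ($ace.ObjectType -ne $ComputerClassGuid -and $ace.ObjectType -ne [Guid]::Empty) { continue }
            # Inherit-only ACEs do not apply to the OU itself.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # orphaned SID that no longer resolves
            if (-not $sids.Contains($sid)) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
        }
        # Simplification: any matching Deny wins. The DC's real access check also honours ACE ordering.
        if ($allow -and -not $deny) { $ou.DistinguishedName }
    }
}

# Compare the delegated user with an administrative account, as the book suggests:
Get-ComputerCreateOU -SamAccountName jsmith
Get-ComputerCreateOU -SamAccountName administrator
```

The script is an approximation of the access check the domain controller performs for netdom QUERY ... OU (it ignores ACE ordering and object-specific quirks), so treat a difference between the two outputs as something to investigate, not as an error in either tool. Its advantage over the netdom command is that it needs no password for the delegated user and can be extended to print the ACE that grants the right.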
The command shown below creates a computer account in the domain (but doesn't join a computer to the domain). Note that you can specify a target OU for that account. Remember that if you join a computer to a domain without a pre-created account, the account is by default created in the Computers container. You may use this command to pre-create accounts in the necessary OUs (domains) before actually joining the computers to the forest.
    C:\>netdom ADD compName /D:net.dom /OU:OU=Staff,DC=net,DC=dom
    The command completed successfully.
NetDom.exe can be used for migrating computer accounts from Windows NT resource domains to an AD-based domain or between AD-based domains. All commands - ADD, JOIN, MOVE, and REMOVE - are "OU-aware", so you can manipulate accounts according to the OU structure of your domains.
To move a computer (compName in the example) from the current domain to a destination domain (you must be logged on to the current domain as an administrator and provide an administrator's credentials in the destination domain), use a command similar to:
    C:\>netdom MOVE compName /D:subdom.net.dom /OU:OU=Personnel,DC=subdom,DC=net,DC=dom /UD:administrator /PD:*
The computer being moved must be online and accessible (NetDom.exe contacts it to change its domain membership); otherwise the command fails with the "The network path was not found" error.
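When accounts are pre-created in bulk, the step that is easy to forget is checking that each one really landed in the intended OU rather than in the Computers container. The following PowerShell script is an added example (not code from the book or from NetDom.exe) that wraps netdom ADD for a batch of names, skips accounts that already exist instead of failing on them, and reports for each account whether its distinguished name ends in the target OU. It assumes netdom.exe on the PATH, the ActiveDirectory module, and an account allowed to create computer objects in those OUs; the domain, OU and computer names (net.dom, OU=Staff, ws01, ws02) are hypothetical and the batch is constructed inline.

```powershell
# Added example, not from the book: pre-stage computer accounts with netdom ADD and verify their OU.
Import-Module ActiveDirectory

function Add-PrestagedComputer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$OU      # distinguished name of the target OU
    )
    # Idempotent: if the account exists, report where it lives instead of failing on "object exists".
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        return [pscustomobject]@{
            Name = $Name; Created = $false
            InTargetOU = ($existing.DistinguishedName -like "*,$OU")
            DN = $existing.DistinguishedName
        }
    }
    # The OU argument is passed as a single token, so the DN must not contain unquoted spaces.
    & netdom.exe add $Name "/D:$Domain" "/OU:$OU" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netdom add $Name failed with exit code $LASTEXITCODE" }
    $obj = Get-ADComputer -Filter "Name -eq '$Name'"
    [pscustomobject]@{
        Name = $Name; Created = $true
        InTargetOU = ($obj.DistinguishedName -like "*,$OU")   # false would mean it fell into CN=Computers
        DN = $obj.DistinguishedName
    }
}

# Constructed batch (in practice read with Import-Csv from a file with Name and OU columns).
$batch = @(
    [pscustomobject]@{ Name = 'ws01'; OU = 'OU=Staff,DC=net,DC=dom' },
    [pscustomobject]@{ Name = 'ws02'; OU = 'OU=Sales,OU=Marketing,DC=net,DC=dom' }
)
$batch | ForEach-Object { Add-PrestagedComputer -Name $_.Name -Domain net.dom -OU $_.OU } | Format-Table
```

Run it before the machines are joined; a row with InTargetOU equal to False is an account that must be moved (or deleted and re-created) before the join, since the join itself will reuse the existing account wherever it is.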
NetDom.exe can verify and reset the secure channel that exists between each computer in a domain and a domain controller. To verify that the computer COMP3 has a working secure channel with its domain net.dom, use the following command (its output is also shown):
    C:\>netdom VERIFY comp3.net.dom /D:net.dom
    The secure channel from COMP3.NET.DOM to the domain NET.DOM has been verified.
    The connection is with the machine \\NETDC1.NET.DOM.
    The command completed successfully
The same operation can also be performed using the NLtest tool:
    C:\>nltest /sc_query:net.dom /server:comp3.net.dom
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\netdc1.net.dom
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully
To re-establish a broken secure channel, use the following command:
    C:\>netdom RESET comp3.net.dom /D:net.dom
    The secure channel from COMP3.NET.DOM to the domain NET.DOM has been reset.
    The connection is with the machine \\NETDC1.NET.DOM.
    The command completed successfully
The NLtest tool can also be used for that purpose:
    C:\>nltest /sc_reset:net.dom /server:comp3.net.dom
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \\netdc1.net.dom
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully
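Checking one computer by hand is fine; checking a list of members after, say, a domain controller outage calls for a script that parses the tool output, tells healthy channels from broken ones, and resets only the broken ones. The following PowerShell script is an added example (it is not code from the book or part of NetDom.exe or NLtest) that parses nltest /sc_query output into an object and drives netdom VERIFY/RESET over a list of computers with -WhatIf support. It assumes nltest.exe and netdom.exe on the PATH and a session with the administrative rights netdom RESET needs on the member and in the domain; the sample output embedded at the end is constructed from the book's listing so that the parser can be exercised offline.

```powershell
# Added example, not from the book: triage member secure channels with nltest, reset the broken ones with netdom.

function ConvertFrom-NltestScQuery {
    # Turns the text of "nltest /sc_query:<domain> /server:<host>" into an object.
    param([Parameter(Mandatory)][string[]]$Lines)
    $r = [ordered]@{ FlagNames = @(); TrustedDC = $null; Status = $null; Ok = $false }
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^\s*Flags:\s*[0-9a-f]+\s*(.*)$'           { $r.FlagNames = @($Matches[1].Trim() -split '\s+' | Where-Object { $_ }) }
            'Trusted DC Name\s+\\\\(\S+)'               { $r.TrustedDC = $Matches[1] }
            'Status\s*=\s*(\d+)\s+0x[0-9a-f]+\s*(\S+)'  { $r.Status = $Matches[2]; $r.Ok = ($Matches[1] -eq '0') }
        }
    }
    [pscustomobject]$r
}

function Test-MemberSecureChannel {
    param([Parameter(Mandatory)][string]$Computer, [Parameter(Mandatory)][string]$Domain)
    $out = & nltest.exe "/sc_query:$Domain" "/server:$Computer" 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-NltestScQuery -Lines $out |
        Add-Member -NotePropertyName Computer -NotePropertyValue $Computer -PassThru
}

function Repair-MemberSecureChannels {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Computers, [Parameter(Mandatory)][string]$Domain)
    foreach ($c in $Computers) {
        $state = Test-MemberSecureChannel -Computer $c -Domain $Domain
        if ($state.Ok) { Write-Verbose "$c : channel to $($state.TrustedDC) is healthy"; $state; continue }
        # RESET re-establishes the channel (the same operation as nltest /sc_reset); only do it on failure.
        if ($PSCmdlet.ShouldProcess($c, "netdom RESET /D:$Domain")) {
            & netdom.exe reset $c "/D:$Domain" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "netdom reset failed for $c (exit code $LASTEXITCODE)" }
            $state = Test-MemberSecureChannel -Computer $c -Domain $Domain
        }
        $state
    }
}

# Offline check of the parser against the book's nltest output (constructed sample):
$sample = @'
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\netdc1.net.dom
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@ -split "`r?`n"
ConvertFrom-NltestScQuery -Lines $sample   # Ok = True, TrustedDC = netdc1.net.dom, Status = NERR_Success

# Live use (tools and privileges as noted above); -WhatIf lists the hosts that would be reset:
# Repair-MemberSecureChannels -Computers comp3.net.dom, comp4.net.dom -Domain net.dom -WhatIf
```

If the reset itself fails for a member, the machine account password is usually out of sync with the domain and the computer has to be rejoined; for a domain controller the netdom RESETPWD command exists for that case. On the local computer only, the PowerShell cmdlet Test-ComputerSecureChannel (with -Repair) does the same verify-and-repair job without either external tool.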
NetDom.exe also lets you diagnose domain trust problems (including trusts that use the Kerberos v5 authentication protocol). For example, the following command checks the Kerberos trust between two domains in the forest (the credentials of administrators of both domains must be specified!):
    C:\>netdom TRUST subdom.net.dom /D:net.dom /Kerberos /UD:administrator /PD:* /UO:administrator /PO:* /Verify
    Type the password associated with the domain user:
    Type the password associated with the object user:
    The trust between subdom.net.dom and net.dom has been successfully verified
    The command completed successfully
To reset a domain trust (this resets the trust passwords on both sides, which is why both administrators' credentials are required), enter the command:
    C:\>netdom TRUST subdom.net.dom /D:net.dom /UD:administrator /PD:* /UO:administrator /PO:* /Reset
Successful output should be similar to:
    Resetting the trust passwords between subdom.net.dom and net.dom
    The trust between subdom.net.dom and net.dom has been successfully reset and verified
    The command completed successfully
If trust relationship problems exist, you can try to isolate the cause by using the netdom VERIFY or nltest /sc_query commands to check the secure channels between pairs of domain controllers.
For verifying and resetting trusts, the Active Directory Domains and Trusts snap-in (see Chapter 7, "Domain Manipulation Tools") can also be used.
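Verifying every trust of a domain by hand means reading the netdom QUERY ... TRUST /Direct table and typing one netdom TRUST ... /Verify command per partner, remembering that /Kerberos applies only to trusts with Kerberos-capable (Active Directory) domains and not to a downlevel Windows NT domain such as NT4DOM. The following PowerShell script is an added example (not code from the book or part of NetDom.exe) that parses the table, builds the matching verify command for each partner, and keeps the passwords out of the command line by leaving /PD:* and /PO:* in place so netdom prompts for them. It assumes netdom.exe on the PATH; the rule "a partner name without a dot is a NetBIOS-only NT domain, so no /Kerberos" is a heuristic of this example, and the trust table embedded at the end is constructed from the book's listing for net.dom so the parser runs offline.

```powershell
# Added example, not from the book: enumerate direct trusts from netdom output and verify each one.

function ConvertFrom-NetdomTrustTable {
    # Parses the table printed by "netdom query /D:<domain> trust /Direct".
    param([Parameter(Mandatory)][string[]]$Lines, [Parameter(Mandatory)][string]$Domain)
    foreach ($line in $Lines) {
        # Data rows begin with a direction arrow; header, separator and footer lines do not.
        if ($line -match '^\s*(<->|<-|->)\s+(\S+)\s+(\S+)') {
            [pscustomobject]@{
                Domain    = $Domain
                Partner   = $Matches[2]
                Direction = $Matches[1]
                TwoWay    = ($Matches[1] -eq '<->')
                Type      = $Matches[3]
                # Heuristic (assumption of this example): a dotted DNS name means an AD domain with a
                # Kerberos trust; a bare NetBIOS name means an NT 4.0 style NTLM-only trust.
                Kerberos  = ($Matches[2] -like '*.*')
            }
        }
    }
}

function Get-NetdomTrustVerifyArgs {
    # Builds the argument list for "netdom trust <partner> /D:<domain> ... /Verify".
    param([Parameter(Mandatory)]$Trust, [string]$Admin = 'administrator')
    # /PD:* and /PO:* make netdom prompt for both passwords, so they never appear in the command line,
    # the shell history, or process-creation audit events that record command lines.
    $argv = @('trust', $Trust.Partner, "/D:$($Trust.Domain)", "/UD:$Admin", '/PD:*', "/UO:$Admin", '/PO:*')
    if ($Trust.Kerberos) { $argv += '/Kerberos' }   # /Kerberos is only meaningful with /Verify on AD trusts
    $argv += '/Verify'
    ,$argv
}

function Test-DirectTrusts {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Domain, [string]$Admin = 'administrator')
    $table = & netdom.exe query "/D:$Domain" trust /Direct 2>&1 | ForEach-Object { "$_" }
    foreach ($t in ConvertFrom-NetdomTrustTable -Lines $table -Domain $Domain) {
        $argv = Get-NetdomTrustVerifyArgs -Trust $t -Admin $Admin
        if ($PSCmdlet.ShouldProcess("$Domain and $($t.Partner)", "netdom $($argv -join ' ')")) {
            & netdom.exe @argv          # interactive: netdom prompts for the two passwords
            [pscustomobject]@{ Partner = $t.Partner; Direction = $t.Direction; ExitCode = $LASTEXITCODE }
        }
    }
}

# Offline run of the parser over the book's listing (constructed sample): prints one command per trust.
$sample = @'
Direction  Trusted\Trusting domain  Trust type
=========  =======================  ==========
   <->     subdom.net.dom           Direct
   <-      NT4DOM                   Direct
   <->     dotnet.dom               Direct
'@ -split "`r?`n"
ConvertFrom-NetdomTrustTable -Lines $sample -Domain net.dom |
    ForEach-Object { 'netdom ' + ((Get-NetdomTrustVerifyArgs -Trust $_) -join ' ') }

# Live run: Test-DirectTrusts -Domain net.dom -WhatIf   (then again without -WhatIf)
```

Because netdom prompts for each password, the live run is interactive by design; running it unattended would require putting the passwords on the command line, which is exactly what the /PD:* and /PO:* forms avoid. For the one-way NT4DOM trust the generated command omits /Kerberos, and the administrator named in /UO must exist in that domain.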
NetDom.exe can remove the information (including the cross-reference and trusted domain objects) that remains in Active Directory about a non-existent (defunct) domain, i.e., one that no longer has any domain controllers. The netdom TRUST /Remove /Force command serves this purpose, for example:
    netdom TRUST dotnet.dom /D:net.dom /Remove /Force
Because /Force skips the attempt to contact the other domain, make sure that the domain really is gone before running it: the trust objects are deleted from your domain regardless, and a trust that is still in use and removed this way has to be re-created.