NETDOM Trust (Windows Server 2003/2008/R2/2012 + Windows 7/8)

Manage or verify the trust relationship between domains.

Syntax
      NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name
         [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]]
            [/Verify] [/RESEt] [/PasswordT:new_realm_trust_password]
               [/Add] [/REMove] [/Twoway] [/REAlm] [/Kerberos] 
                  [/Transitive[:{yes | no}]]
                     [/OneSide:{trusted | trusting}] [/Force] [/Quarantine[:{yes | no}]]
                        [/NameSuffixes:trust_name [/ToggleSuffix:#]]
                           [/EnableSIDHistory[:{yes | no}]]
                              [/ForestTRANsitive[:{yes | no}]]
                                 [/CrossORGanization[:{yes | no}]]
                                    [/AddTLN:TopLevelName] [/AddTLNEX:TopLevelNameExclusion]
                                       [/RemoveTLN:TopLevelName] [/RemoveTLNEX:TopLevelNameExclusion]
                                          [/SecurePasswordPrompt]

Key:

   trusting_domain_name 
              The name of the trusting domain

   /Domain     The name of the trusted domain or Non-Windows Realm.

   /UserD      User account used to make the connection with the Domain
               specified by the /Domain argument

   /PasswordD  Password of the user account specified By /UserD.
               Specifying a * will prompt for the password.

   /UserO      User account used to make the connection with the trusting domain.

   /PasswordO  Password of the user account specified By /UserO.
               Specifying a * will prompt for the password.

   /Verify     Verify that the trust is operating properly

   /RESEt      Reset the trust passwords between two domains. The 
               domains can be named in any order. Reset is not valid 
               on a trust to a Kerberos realm unless the /PasswordT 
               parameter is included.

   /PasswordT  New trust password, valid only with the /Add or /RESEt 
               options and only if one of the domains specified is a 
               non-Windows Kerberos realm. The trust password is set on 
               the Windows domain only and thus credentials are not 
               needed for the non-Windows domain.

   /Add        Create a trust.

   /REMove     Remove a trust.

   /Twoway     Specifies that a trust relationship should be bidirectional

   /OneSide    Indicates that the trust be created for or removed from 
               only one of the domains in the trust.
               Use the keyword "trusted" to create or remove the trust
               from the trusted domain (the domain named with the /D parameter).
               Use the keyword "trusting" to create or remove the trust from the
               trusting domain. This command is valid only with the /Add and
               /REMove options and requires the /PasswordT command when used
               with the /Add option.

   /REAlm      Indicates that the trust is to be created to a non-Windows
               Kerberos realm. Valid only with the /Add option.
               The /PasswordT option is required.

   /TRANSitive Valid only for a non-Windows Kerberos realm. Specifying 
               "yes" sets it to a transitive trust. Specifying "no" sets
               it to a non-transitive trust. If neither is specified, 
               then the current transitivity state will be displayed.

   /Kerberos   Verify the Kerberos authentication protocol between a domain
               or workstation and a target domain; You must supply user
               accounts and passwords for both the object and target domain.

   /Force      Forces the removal of the trust (and cross-ref) objects on one
               domain even if the other domain is not found or does not contain
               matching trust objects. You must use the full DNS name to specify 
               the domain.  Valid with the /REMove option. 

               CAUTION: this option will completely remove a child domain.

   /Quarantine Valid only on an existing direct, outbound trust. Set or clear
               the domain quarantine attribute. Default is "no".
               When "yes" is specified, then only SIDs from the directly trusted
               domain will be accepted for authorization data returned during
               authentication. SIDS from any other domains will be removed.
               Specifying /Quarantine without yes or no will display the current state.

   /NameSuffixes       Valid only for a forest trust or a Forest Transitive 
               Non-Windows Realm Trust . Lists the routed name suffixes 
               for trust_name on the domain named by trusting_domain_name.
               The /UserO and /PasswordO values can be used for 
               authentication. The /Domain parameter is not needed.

   /ToggleSuffix       Use with /NameSuffixes to change the status of a name 
               suffix. The number of the name entry, as listed by a 
               preceding call to /NameSuffixes, must be provided to 
               indicate which name will have its status changed. Names 
               that are in conflict cannot have their status changed 
               until the name in the conflicting trust is disabled. Always
               precede this command with a /NameSuffixes command because 
               LSA will not always return the names in the same order.

   /EnableSIDHistory   Valid only for an outbound, forest trust. Specifying "yes" 
               allows users migrated to the trusted forest from any other 
               forest, to use SID history to access resources in this 
               forest. This should be done only if the trusted forest 
               administrators can be trusted enough to specify SIDs of 
               this forest in the SID history attribute of their users 
               appropriately. Specifying "no" would disable the ability of
               the migrated users in the trusted forest to use SID history
               to access resources in this forest. Specifying /EnableSIDHistory
               without yes or no will display the current state.
                    
   /ForestTRANsitive   Valid only for Non-Windows Realm Trusts and can only be 
               performed on the root domain for a forest.
               Specifying "yes" marks this trust as Forest Transitive.
               Specifying "no" marks this trust as Not Forest Transitive.
               Specifying /ForestTRANsitive without yes or no will 
               display the current state of this trust attribute.
                    
   /SelectiveAUTH   Valid only on outbound Forest and External trusts.
               Specifying "yes" enables selective authentication across 
               this trust.
               Specifying "no" disables selective authentication across
               this trust.
               Specifying /SelectiveAUTH without yes or no will display
               the current state of this trust attribute.
                    
   /AddTLN     Valid only for a Forest Transitive Non-Windows Realm Trust
               and can only be performed on the root domain for a forest.
               Adds the specified Top Level Name (DNS Name Suffix) to the 
               Forest Trust Info for the specified trust.
               Also see the /NameSuffixes operation to list name suffixes.
                    
   /AddTLNEX   Valid only for a Forest Transitive Non-Windows Realm Trust
               and can only be performed on the root domain for a forest.
               Adds the specified Top Level Name Exclusion (DNS Name 
               Suffix)to the Forest Trust Info for the specified trust.
               Also see the /NameSuffixes operation to list name suffixes.                    
                    
   /RemoveTLN  Valid only for a Forest Transitive Non-Windows Realm Trust
               and can only be performed on the root domain for a forest.
               Removes the specified Top Level Name (DNS Name Suffix) from
               the Forest Trust Info from the specified trust.
               Also see the /NameSuffixes operation to list name suffixes.                    
                    
   /RemoveTLNEX    Valid only for a Forest Transitive Non-Windows Realm Trust
               and can only be performed on the root domain for a forest.
               Removes the specified Top Level Name Exclusion (DNS Name 
               Suffix)from the Forest Trust Info from the specified trust.
               Also see the /NameSuffixes operation to list name suffixes.                    

   /SecurePasswordPrompt 
               Use secure credentials popup to specify credentials. This
               option should be used when smartcard credentials need to be
               specified. This option is only in effect when the password 
               value is supplied as *

Netdom options can be abbreviated to just the UPPER case letters, e.g. /PasswordD can be supplied as just /PD

“He who does not trust enough, Will not be trusted” ~ Lao Tzu

Related:

NETDOM MOVE - Move a workstation or member server to a new domain
NETDOM VERIFY - Verify the secure connection between a workstation and a DC


© Copyright SS64.com 1999-2014
Some rights reserved