Windows Server 2008 : Using netdom

May 24, 2021

1. Identifying Operations Master Roles

There are many times when you need to know which server holds which operations master roles. You can get the answer from different graphical user interfaces. However, it’s much easier from the command line with the netdom tool (as netdom query fsmo). The following text shows the output within a domain named pearson.pub:

C:\> netdom query fsmo
Schema master               DC1.pearson.pub
Domain naming master        DC1.pearson.pub
PDC                         DC1.pearson.pub
RID pool manager            DC1.pearson.pub
Infrastructure master       DC1.pearson.pub
The command completed successfully.

Note

Operations master roles were previously called flexible single master operations (FSMO) roles.

2. Joining a Computer to a Domain

You can join a computer to a domain from the command prompt using the netdom join command. The following table shows the different switches available with the netdom join command. Each of these switches is used in the following command, which joins a computer named dc2 to a domain named pearson.pub:

C:\>netdom join dc2 /domain:pearson.pub
/userd:[email protected] /passwordd:*
/ou:"ou=sales,dc=pearson,dc=pub" /reboot:60
netdom Join Machine Switches Comments 
netdom join computername
C:\> netdom join dc2 . . .
C:\> netdom join %computername% . . .
 The computername identifies the name of the computer joining the domain. The %computername% variable uses the local computer name. 
/domain:domain
/domain:pearson.pub
 Specifies the domain the computer will join. 
/userd:username
/userd:administrator
 The user account used to make the connection with the domain specified by the /domain switch. 
/passwordd:{password | *}
/passwordd:P@ssw0rd
 The password of the user account specified by /userd. You can use an asterisk (*) and the command will prompt you to enter a password.

Note

The second “d” at the end of /passwordd looks like a typo, but it’s valid. It specifies that this is the password for the /domain component.

 
/ou:oudn
/ou:"ou=sales,dc=pearson,dc=pub"
 The organizational unit where you want the account created. You need to specify this as a distinguished name. The example specifies the Sales OU.

Tip

If you don’t use the /ou switch, the account will be created in the default location. This is the Computers container by default, but can be redirected to another location with the redircmp command .

 
/reboot  [:number-of-seconds-delay]
/reboot: 10
 Reboots the computer after it’s joined to the domain. The default delay is 30 seconds but you can change it. The example reboots the system 10 seconds after it joins the domain. 
/securepasswordprompt
 Uses a secure credentials popup to specify credentials. You can use this to supply smartcard credentials. This option is in effect only when the password value is supplied as *.

 

3. Verifying Trust Relationships

You can also use the netdom command to verify trust relationships. The basic syntax of the command is

netdom trust trusting_domain_name /domain:trusted_domain_name

 

Figure 1 shows the Active Directory Domains and Trusts console with a parent domain (pearson.pub) and a child domain (training.pearson.pub). There is a parent/child trust relationship between the two domains. Furthermore, the outgoing trust has been validated.

Figure 1. Verifying a trust with Active Directory Domains and Trusts


Note

There are two trusts between the domains. The parent trusts the child and the child trusts the domain. These trusts are displayed as an outgoing trust and an incoming trust in Figure 1.

 

You can perform the same check from the command line with the following command:

netdom trust training.pearson.pub /domain:pearson.pub

 

The concept of trusted and trusting domains and the terminology can be confusing. Figure 2 shows two domains with a one-way trust between them. Notice that the arrow is pointing to Domain B. When shown this way, it indicates that Domain A trusts Domain B, and users in Domain B can be granted access to resources in Domain A. In other words, Domain B is trusted by Domain A.

Figure 2. One-way trust relationship between two domains

 

The following table identifies many of the switches that can be used with the netdom trust command to validate a trust.

netdom Trust Switches Comments 
netdom trust trusting-domain
C:\>netdom training.pearson.pub
 Enter the name of the trusting domain first. In Figure 2, this is Domain A in the outgoing trust. 
/domain:domain
/domain:pearson.pub
 Specifies the name of the trusted domain or Non-Windows Realm.

Note

You can create trusts with UNIX Realms and test them with the netdom trust command.

 
/userd:username
/userd:administrator
 The user account used to make the connection with the domain specified by the /domain switch. 
/passwordd:{password | *}
/passwordd:P@ssw0rd
 The password of the user account specified by /userd. You can use an asterisk (*) and the command will prompt you to enter a password. 
/usero:username
/usero:administrator
 The user account for making the connection with the trusting domain.

Note

The “o” for /usero specifies that this is the user account for the other domain, or the trusting domain.

 
/passwordo:{password | *}
/passwordo:P@ssw0rd
 The password of the user account specified by /usero. You can use an asterisk (*) and the command will prompt you to enter a password. 
/verify
 Verifies that the trust is operating properly.
/quarantine[:yes | : no] This switch enables you to view, set, or disable the /quarantine attribute. When set to yes, only SIDs from the directly trusted domain are able to access resources, and other SIDS are filtered out. When set to no (the default), any accounts in the trusted domain are accepted.

Tip

This is relevant if the trusted domain includes migrated accounts. The migrated accounts are filtered if this is set to yes, and won’t be able to access resources in the trusting domain.

Specifying /quarantine without yes or no displays the current state.

 

Figure 3 shows the result of entering the following command using some of these switches:

C:\>netdom trust training.pearson.pub /domain:pearson.pub
/userd:administrator /passwordd:* /usero:administrator
/passwordo:* /verify

Figure 3. Verifying a trust with the netdom command
9780789747372_wo-1
3.12.11

 

If it’s a two-way trust, you can verify the trust from the other direction by swapping the trusted and trusting domains like the following command:

C:\>netdom trust pearson.pub /domain:training.pearson.pub
/userd:administrator /passwordd:* /usero:administrator
/passwordo:* /verify

4. Querying and Resetting Secure Channels with netdom

You can use the netdom command to query and verify secure channels between computers in the domain. When needed, you can use the netdom command to reset these channels.

Tip

Computers have passwords used to establish the secure channels. When the password kept on the system doesn’t match the password kept in the domain, the secure channel is broken. This can happen when the computer has been turned off for a long time, or after restoring Active Directory.



The basic command to query and verify the secure channel with computers in the domain is




netdom query server /verify






The following output shows the partial result of this command:




C:\> netdom query server /verify
Verifying secure channel setup for domain members:
Machine                     Status/Domain       Domain Controller
=======                     =============       =================
\\SALES73                   PEARSON           \\DC1.PEARSON.PUB
\\SALES74                   PEARSON           \\DC1.PEARSON.PUB
\\WIN7PCG                   ERROR!  ( The network path was not found. )
\\DC2                       PEARSON           \\DC1.PEARSON.PUB
\\PC-1                      PEARSON           \\DC1.PEARSON.PUB
\\SC1                       PEARSON           \\DC1.PEARSON.PUB
The command completed successfully.






Notice that the majority of these systems show the domain and the domain controller where the secure channel (trust relationship) has been verified. However, the \\win7pcg computer has a problem.






Note


Before resetting the trust, you should verify that the system is up and operational.






You can also check the channel with just a single computer using the following command:




netdom verify /d:domain computer-name






For example, the following listing shows how to verify the channel with a computer named dc2 in the pearson.pub domain, and the result:




C:\> netdom verify /d:pearson.pub dc2
The secure channel from DC2 to the domain PEARSON.PUB has been
verified. The connection is with the machine \\DC1.PEARSON.PUB.

The command completed successfully.






If the command fails, you can reset the secure channel between the domain and the computer with the following command:




netdom reset /d:domain computer-name






The following listing shows how to reset the secure channel with the computer named dc2 in the pearson.pub domain:




C:\> netdom reset /d:pearson.pub dc2
The secure channel from DC2 to the domain PEARSON.PUB has been reset.
The connection is with the machine \\DC1.PEARSON.PUB.

The command completed successfully.