NetDom Examples
To add the workstation mywksta to the Windows NT 4.0 domain reskita, type the following at the command line:
netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password
To add the workstation mywksta to the Windows 2000 domain devgroup.microsoft.com in the organizational unit (OU) Dsys/workstations, type the following at the command prompt:
netdom add /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Note
To join mywksta to the devgroup.microsoft.com domain in the Dsys/workstations organizational unit, type the following at the command prompt:
netdom join /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Besides creating the computer account in the domain, the join operation modifies the workstation itself so that it holds the shared secret (the computer account password) needed to establish the secure channel with the domain; the add operation only creates the account.
To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the command prompt:
netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password
To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:
netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password
If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the security permissions that the computer account had previously.
To reset the secure channel secret maintained between mywksta and devgroup.microsoft.com (regardless of OU), type the following at the command prompt:
netdom reset /d:devgroup.microsoft.com mywksta
To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC:
netdom reset /d:Northamerica NABDC
Members often establish secure channel sessions with nonlocal domain controllers. To force a secure channel session between a member and a specific domain controller, use the /server parameter with the reset operation:
netdom reset /d:devgroup.microsoft.com mywksta /Server:mylocalbdc
To verify the secure channel secret maintained between mywksta and devgroup.microsoft.com, type the following at the command prompt:
netdom verify /d:devgroup.microsoft.com mywksta
When used with the trust operation, the /d:Domain parameter always refers to the trusted domain; the domain named without a parameter is the trusting domain.
To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
>Password for Northamerica\admin: xxxx
>Password for USA-Chicago\admin: yyyy
The user must have credentials for both domains. The /pd parameter supplies the password for Northamerica\admin and the /po parameter supplies the password for USA-Chicago\admin. If the passwords are not provided on the command line, the user is prompted for both. Giving * as the password value, as above, forces the prompt; prefer that to typing a password on the command line, where it ends up in the command history and is visible to other processes while netdom runs.
To use the /twoway parameter to specify a two-way trust, type the following at the command prompt:
netdom trust /d:marketing.microsoft.com engineering.microsoft.com /add /twoway /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com
To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the command prompt:
netdom trust /d:ATHENA Northamerica /add /PT:password /realm
The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm. The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed. Note that verifying a specific trust relationship usually requires credentials, unless the user has domain administrator privileges on both domains.
To set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:
netdom trust /d:Northamerica ATHENA /add
To make the trust two-way, you can specify the /twoway parameter.
To change the trust from ATHENA to Northamerica to transitive (non-Windows Kerberos trusts are created nontransitive), type the following at the command prompt:
netdom trust Northamerica /d:ATHENA /trans:yes
To display the transitive state, type the following at the command prompt:
netdom trust Northamerica /d:ATHENA /trans
The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.
To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /remove
To break a two-way trust relationship, type the following at the command prompt:
netdom trust /d:marketing.microsoft.com Engineering.microsoft.com /remove /twoway /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com
To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /verify
To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:
netdom trust /d:Northamerica EUROPE /verify /twoway
The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.
To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset
The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
To verify Kerberos authentication between a workstation and a service located in the domain devgroup.microsoft.com, type the following at the command prompt:
netdom trust /d:devgroup.microsoft.com /verify /KERBEROS
When you use the netdom trust operation with the /verify /kerberos parameters, it requests a session ticket for the Kerberos Admin service in the target domain. If the ticket is obtained, you can conclude that Kerberos operations between the workstation and the target domain (for example, KDC referrals) are working correctly. A failure here with a passing secure channel verify points at a Kerberos-specific problem such as name resolution of the KDC or clock skew rather than at the computer account.
Note
To list all the workstations in the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica WORKSTATION
To list all of the servers in Northamerica, type the following at the command prompt:
netdom query /d:Northamerica SERVER
To list all the domain controllers in the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica DC
To list all of the OUs in devgroup.microsoft.com, type the following at the command prompt:
netdom query /d:devgroup.microsoft.com OU
To list the PDC for Northamerica, type the following at the command prompt:
netdom query /d:Northamerica PDC
To list the current PDC emulator for devgroup.microsoft.com, type the following at the command prompt:
netdom query /d:devgroup.microsoft.com FSMO
You can combine the query operation with the /verify and /reset parameters to perform these operations in one step: the list of computers produced by the query is fed to the netdom verify or netdom reset operation.
To list all servers and verify secure channel secret, type the following at the command prompt:
netdom query /d:Northamerica SERVER /verify
To list all workstations and reset any unsynchronized secure channel secrets, type the following at the command prompt:
netdom query /d:Northamerica WORKSTATION /reset
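The query-plus-reset form above resets every unsynchronized secret in one pass, which is convenient but leaves no per-machine record of what was wrong. The following PowerShell script is an added example, not part of the Resource Kit page and not Microsoft's own code: it runs the same netdom query, verify and reset operations shown above (and in the secure channel examples earlier on this page) one computer at a time and reports which machines failed verification and whether the reset succeeded. It assumes netdom.exe is on the PATH, that netdom exits non-zero when a verify or reset fails, and that "netdom query ... WORKSTATION" prints one account name per line between a header line and the "The command completed successfully." trailer; all three are assumptions about the tool, not facts stated on this page. The parameter names and function names are the example's own.

```powershell
# Added example (not from the Resource Kit page). Verify the secure channel of
# every workstation account in a domain with netdom and optionally reset the
# ones that fail, keeping a per-machine result instead of a single bulk reset.
#
# Assumptions (not stated on the page): netdom.exe is on the PATH, netdom sets
# a non-zero exit code on failure, and "netdom query /d:<domain> WORKSTATION"
# prints one machine name per line between a "List of ..." header and the
# "The command completed successfully." trailer.
param(
    [Parameter(Mandatory)] [string] $Domain,   # e.g. Northamerica
    [string] $AdminUser,                       # e.g. Northamerica\admin (optional)
    [switch] $Repair                           # reset channels that fail to verify
)

function Get-NetdomWorkstations {
    param([string] $Domain)
    $lines = & netdom query /d:$Domain WORKSTATION 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netdom query failed for $Domain : $($lines -join ' ')"
    }
    # Keep only bare machine names: drop the header and trailer lines and
    # anything that does not look like a NetBIOS or DNS host name.
    $lines | ForEach-Object { $_.ToString().Trim() } |
        Where-Object {
            $_ -and $_ -notmatch '^(List of|The command)' -and $_ -match '^[A-Za-z0-9._-]+$'
        }
}

function Test-NetdomSecureChannel {
    param([string] $Domain, [string] $Computer)
    # Same operation as "netdom verify /d:<domain> <computer>" on the page.
    $out = & netdom verify /d:$Domain $Computer 2>&1
    [pscustomobject]@{
        Computer = $Computer
        Verified = ($LASTEXITCODE -eq 0)
        Reset    = $null
        Output   = ($out -join ' ')
    }
}

function Reset-NetdomSecureChannel {
    param([string] $Domain, [string] $Computer, [string] $AdminUser)
    # Same operation as "netdom reset /d:<domain> <computer>". When credentials
    # are needed, /pd:* makes netdom prompt for the password instead of taking
    # it from the command line, where it would be visible in the process list.
    if ($AdminUser) {
        & netdom reset /d:$Domain $Computer /ud:$AdminUser /pd:* 2>&1 | Out-Null
    } else {
        & netdom reset /d:$Domain $Computer 2>&1 | Out-Null
    }
    return ($LASTEXITCODE -eq 0)
}

$results = foreach ($ws in Get-NetdomWorkstations -Domain $Domain) {
    $r = Test-NetdomSecureChannel -Domain $Domain -Computer $ws
    if (-not $r.Verified -and $Repair) {
        $r.Reset = Reset-NetdomSecureChannel -Domain $Domain -Computer $ws -AdminUser $AdminUser
    }
    $r
}

# One row per machine; failed verifications with Reset = $false are the ones
# that still need attention (for example a stale account or an unreachable host).
$results | Sort-Object Verified | Format-Table Computer, Verified, Reset -AutoSize
```

Run it as `.\Check-SecureChannels.ps1 -Domain Northamerica -Repair -AdminUser Northamerica\admin` (file name is the example's own). Verification first and reset only on failure mirrors the page's advice that /reset synchronizes the secret only when it is out of sync, and the retained Output field lets you see netdom's own message for each machine that failed.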
To view all the direct trust relationships for the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN /Direct
To view all the direct and indirect trust relationships for the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN
To view all trust relationships and check their status, type the following at the command prompt:
netdom query /d:devgroup.microsoft.com DOMAIN /verify
To verify the current time for all domain controllers in devgroup.microsoft.com, type the following at the command prompt:
netdom TIME /d:devgroup.microsoft.com
To verify the time for a specific server, type the following at the command prompt:
netdom TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com
To resynchronize all domain controllers that are out of sync, type the following at the command prompt:
netdom TIME /d:devgroup.microsoft.com /synch
To resynchronize a specific domain controller, type the following at the command prompt:
netdom TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com /synch
Changing the name of a Windows NT 4.0 domain requires a series of complex processes:
The following NetDom syntax is provided to support the modifications necessary to rejoin a BDC to the renamed domain (step 2 above):
netdom rename /d:NewDomainName BDCServer