Windows Tools

NetDom Examples


Workstation or member server sample usage

Add a workstation or member server to a domain

To add the workstation mywksta to the Windows NT 4.0 domain reskita, type the following at the command line:

netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password

To add the workstation mywksta to the Windows 2000 domain devgroup.microsoft.com in the organizational unit (OU) Dsys/workstations, type the following at the command prompt:

netdom add /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com


Join a workstation or member server to a domain

To join mywksta to the devgroup.microsoft.com domain in the Dsys/workstations organizational unit, type the following at the command prompt:

netdom join /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com

Unlike the add operation, join not only creates the computer account in the domain but also configures the workstation itself with the shared secret (the computer account password) that the secure channel between the workstation and the domain relies on, which completes the join.
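The value of the /OU parameter is the distinguished name of the target OU, listed leaf-first, and any OU name that contains a DN-special character (comma, plus, quote, backslash, angle brackets, semicolon, a leading # or a leading/trailing space) must be escaped or the name will be read as extra DN components. The following PowerShell helper is an added example, not part of the NetDom documentation: it builds that DN from a slash-separated OU path and the target domain's DNS name, then runs netdom join with /pd:* so that the password is prompted for rather than placed on the command line. It assumes the path is written parent-first (Dsys/Workstations meaning the OU Workstations inside the OU Dsys), that the OU sits under the target domain itself (so for the page's example it emits DC=devgroup,DC=microsoft,DC=com rather than the shorter DC components shown above), and that netdom.exe is on the PATH.

```powershell
# Added example (not from the NetDom documentation): build the /OU: distinguished
# name for netdom join from a parent-first OU path and the domain's DNS name,
# escaping RDN values per RFC 4514 so an OU name such as "Sales, East" cannot be
# misread as two components. Assumes netdom.exe is on PATH.

function ConvertTo-RdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Characters that must be escaped anywhere in an attribute value.
    $escaped = $Value -replace '([,+"\\<>;])', '\$1'
    # A leading '#' or a leading space must be escaped as well.
    if ($Value.StartsWith('#') -or $Value.StartsWith(' ')) {
        $escaped = '\' + $escaped
    }
    # A trailing space must be escaped (skip the single-space case handled above).
    if ($Value.EndsWith(' ') -and $Value.Length -gt 1) {
        $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ '
    }
    return $escaped
}

function ConvertTo-OuDistinguishedName {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. devgroup.microsoft.com
        [Parameter(Mandatory)][string]$OuPath    # e.g. Dsys/Workstations (parent first)
    )
    $ous = @($OuPath.Split('/') | Where-Object { $_ -ne '' })
    if ($ous.Count -eq 0) { throw 'OuPath must name at least one OU' }
    [array]::Reverse($ous)   # a DN lists the leaf OU first
    $rdns = @(foreach ($ou in $ous) { 'OU=' + (ConvertTo-RdnValue -Value $ou) })
    $dcs  = @(foreach ($label in $Domain.Split('.')) { 'DC=' + (ConvertTo-RdnValue -Value $label) })
    return ($rdns + $dcs) -join ','
}

function Join-ComputerWithNetdom {
    param(
        [Parameter(Mandatory)][string]$Computer,   # e.g. mywksta
        [Parameter(Mandatory)][string]$Domain,     # e.g. devgroup.microsoft.com
        [Parameter(Mandatory)][string]$OuPath,     # e.g. Dsys/Workstations
        [Parameter(Mandatory)][string]$User        # e.g. devgroup\admin
    )
    $ou = ConvertTo-OuDistinguishedName -Domain $Domain -OuPath $OuPath
    # /pd:* makes netdom prompt for the password, keeping it out of the
    # command line, shell history and process listings.
    & netdom.exe join $Computer "/d:$Domain" "/OU:$ou" "/ud:$User" '/pd:*'
    if ($LASTEXITCODE -ne 0) {
        throw "netdom join failed for $Computer (exit code $LASTEXITCODE)"
    }
}

# Constructed sample calls; the first only prints the DN, the second joins.
ConvertTo-OuDistinguishedName -Domain 'devgroup.microsoft.com' -OuPath 'Dsys/Sales, East'
# Join-ComputerWithNetdom -Computer mywksta -Domain devgroup.microsoft.com -OuPath 'Dsys/Workstations' -User 'devgroup\admin'
```

The DN builder is the part worth keeping even if you script the join differently: a comma inside an OU name comes out as `\,`, so a name pulled from a CSV or ticket cannot silently redirect the computer account into a different container.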

Remove a workstation or member server from a domain

To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the command prompt:

netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password

Move a workstation or member server from one domain to another

To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:

netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password

If the destination is a Windows 2000 domain, the security identifier (SID) history (SIDHistory) of the computer account is updated so that the permissions granted to the account under its previous SID are retained.

Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC

To reset the secure channel secret maintained between mywksta and devgroup.microsoft.com (regardless of OU), type the following at the command prompt:

netdom reset /d:devgroup.microsoft.com mywksta

To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type the following at the command prompt:

netdom reset /d:Northamerica NABDC

Force a secure channel session between a member and a specific domain controller

Members often establish secure channel sessions with nonlocal domain controllers. To force a secure channel session between a member and a specific domain controller, use the /server parameter with the reset operation:

netdom reset /d:devgroup.microsoft.com mywksta /Server:mylocalbdc

Verify a workstation or member server secure channel

To verify the secure channel secret maintained between mywksta and devgroup.microsoft.com, type the following at the command prompt:

netdom verify /d:devgroup.microsoft.com mywksta

Domain trust sample usage

Establish a trust relationship

When used with the trust operation, the /d: Domain parameter always refers to the trusted domain.

To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
Password for Northamerica\admin: xxxx
Password for USA-Chicago\admin: yyyy

The user must have credentials for both domains. The /pd parameter specifies the password for Northamerica\admin and the /po parameter specifies the password for USA-Chicago\admin. If a password is given as * (as above) or omitted, the user is prompted for it; prefer this to a literal password on the command line, which would otherwise remain in the command history and be visible to anyone who can list running processes.

To use the /twoway parameter to specify a two-way trust, type the following at the command prompt:

netdom trust /d:marketing.microsoft.com engineering.microsoft.com /add /twoway /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com

Establish a trust relationship with a non-Windows Kerberos realm

To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the command prompt:

netdom trust /d:ATHENA Northamerica /add /PT:password /realm

The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm. The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed. Note that verifying a specific trust relationship usually requires credentials, unless the user has domain administrator privileges on both domains.

To set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:

netdom trust /d:Northamerica ATHENA /add

To make the trust two-way, you can specify the /twoway parameter.

To change the trust from ATHENA to Northamerica to transitive (non-Windows Kerberos trusts are created nontransitive), type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans:yes

To display the transitive state, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans

The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.

Break a trust relationship

To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /remove

To break a two-way trust relationship, type the following at the command prompt:

netdom trust /d:marketing.microsoft.com Engineering.microsoft.com /remove /twoway /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com

Verify a specific trust relationship

To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /verify

To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:

netdom trust /d:Northamerica EUROPE /verify /twoway

The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.

Reset a specific trust relationship

To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset

The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.

Verify Kerberos functionality

To verify Kerberos authentication between a workstation and a service located in the domain devgroup.microsoft.com, type the following at the command prompt:

netdom trust /d:devgroup.microsoft.com /verify /KERBEROS

When you use the netdom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are operating correctly between the workstation and the target domain.


Domain Query Sample Usage

View domain membership

To list all the workstations in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica WORKSTATION

To list all of the servers in Northamerica, type the following at the command prompt:

netdom query /d:Northamerica SERVER

To list all the domain controllers in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica DC

To list all of the OUs in devgroup.microsoft.com, type the following at the command prompt:

netdom query /d:devgroup.microsoft.com OU

To list the PDC for Northamerica, type the following at the command prompt:

netdom query /d:Northamerica PDC

To list the current PDC emulator for devgroup.microsoft.com, type the following at the command prompt:

netdom query /d:devgroup.microsoft.com FSMO

Secure channel batch repair

You can use the query operation with the /verify and /reset parameters to perform these operations all together. The output of the query operation can be piped to the netdom verify or netdom reset operation.

To list all servers and verify each server's secure channel secret, type the following at the command prompt:

netdom query /d:Northamerica SERVER /verify

To list all workstations and reset any unsynchronized secure channel secrets, type the following at the command prompt:

netdom query /d:Northamerica WORKSTATION /reset
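The query operation above verifies or resets every member in one pass; when you need a record of which computers were broken, or want to pin the repaired secure channel to a particular domain controller as in the /Server example earlier, the same verify and reset operations can be driven per computer. The following PowerShell function is an added example, not part of the NetDom documentation, serving both the workstation verify/reset section and the batch repair section: it runs netdom verify for each computer on the pipeline, and with -Repair runs netdom reset only for the ones that fail, optionally with /Server. It assumes netdom.exe is on the PATH, that the caller already holds domain administrator rights (so, as in the page's own reset example, no /ud or /pd is passed), and that netdom returns a non-zero exit code when an operation fails.

```powershell
# Added example (not from the NetDom documentation): per-computer secure channel
# verification with netdom verify, resetting only failures with netdom reset.
# Assumes netdom.exe on PATH, a domain-admin caller, and non-zero exit on failure.

function Test-NetdomSecureChannel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,   # e.g. devgroup.microsoft.com
        [string]$Server,                         # optional DC to force with /Server
        [switch]$Repair                          # reset broken channels instead of only reporting
    )
    process {
        $resetOut  = $null
        $verifyOut = & netdom.exe verify $ComputerName "/d:$Domain" 2>&1
        $ok        = ($LASTEXITCODE -eq 0)
        $action    = 'none'

        if (-not $ok -and $Repair) {
            # Same operation as "netdom reset /d:<domain> <computer> [/Server:<dc>]".
            $netdomArgs = @('reset', $ComputerName, "/d:$Domain")
            if ($Server) { $netdomArgs += "/Server:$Server" }
            $resetOut = & netdom.exe @netdomArgs 2>&1
            $ok       = ($LASTEXITCODE -eq 0)
            $action   = if ($ok) { 'reset' } else { 'reset-failed' }
        }

        [pscustomobject]@{
            ComputerName  = $ComputerName
            SecureChannel = if ($ok) { 'OK' } else { 'BROKEN' }
            Action        = $action
            Detail        = (@($verifyOut) + @($resetOut) | Out-String).Trim()
        }
    }
}

# Constructed usage: computer names from a text file, repairs pinned to dc1,
# only the problem rows shown. (Commented out because it needs a live domain.)
# Get-Content .\workstations.txt |
#     Test-NetdomSecureChannel -Domain devgroup.microsoft.com -Server dc1.devgroup.microsoft.com -Repair |
#     Where-Object SecureChannel -ne 'OK' | Format-Table -AutoSize
```

Because every row carries the raw netdom output in Detail, the result can be exported as the evidence for the repair run, and computers whose reset also fails (Action = reset-failed) are the ones to look at by hand rather than retrying blindly, since a reset rewrites the computer account password.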

View domain trusts

To view all the direct trust relationships for the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN /Direct

To view all the direct and indirect trust relationships for the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN

To view all trust relationships and check their status, type the following at the command prompt:

netdom query /d:devgroup.microsoft.com DOMAIN /verify

Domain Time Sample Usage

View domain controller time status

To verify the current time for all domain controllers in devgroup.microsoft.com, type the following at the command prompt:

netdom TIME /d:devgroup.microsoft.com

To verify the time for a specific server, type the following at the command prompt:

netdom TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com

Synchronize time

To resynchronize a specified domain controller or all domain controllers that are out of synch, type the following at the command prompt:

netdom TIME /d:devgroup.microsoft.com /synch

To specify a domain controller, type the following at the command prompt:

netdom TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com /synch

Rename the domain name for a Windows NT 4.0 BDC

Changing the name of a Windows NT 4.0 domain requires a series of complex processes:

  1. Rename the domain name on the Windows NT 4.0 PDC.
  2. Modify all Windows NT4.0 BDCs.
  3. Rejoin all members (workstations and servers).
  4. Delete and re-establish all trusts.

The following NetDom syntax is provided to support the modifications necessary to rejoin a BDC to the renamed domain (step 2 above):

netdom rename /d:NewDomainName BDCServer