Verifying and Resetting Trusts

Verifying a trust consists of checking connectivity between the domains and determining whether the shared secrets of the trust are synchronized between the two domains. Resetting a trust synchronizes the shared secrets (i.e., the trust passwords). The PDC role holder in each domain is used to synchronize the password, so both must be reachable.

Using a graphical user interface
For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

  1. In the left pane, right-click on the trusting domain and select Properties.
  2. Click the Trusts tab.
  3. Click the domain that is associated with the trust you want to verify.
  4. Click the Edit button.
  5. Click the Verify button.
  6. If the validation function fails, you’ll be given an option to reset the trust.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

  1. In the left pane, right-click on the trusting domain and select Properties.
  2. Click the Trusts tab.
  3. Click the domain that is associated with the trust you want to verify.
  4. Click the Properties button.
  5. Click the Validate button.
  6. If the validation function fails, you’ll be given an option to reset the trust.

Using a command-line interface

The following command verifies a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

The following command resets a trust (the same syntax, with /Reset in place of /Verify):

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is supported only on Windows Server 2003.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., amer.rallencorp.com
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

' This code shows how to search specifically for trusts
' that have failed, which can be accomplished using a WQL query that
' contains the query: TrustIsOk = False
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., amer.rallencorp.com
' ------ END CONFIGURATION ---------

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("select * " _
                               & " from Microsoft_DomainTrustStatus " _
                               & " where TrustIsOk = False ")
if objTrusts.Count = 0 then
   Wscript.Echo "There are no trust failures"
else
   WScript.Echo "Trust Failures:"
   for each objTrust in objTrusts
      Wscript.Echo " " & objTrust.TrustedDomain & " : " & _
                         objTrust.TrustStatusString
      Wscript.Echo ""
   next
end if

' This code resets the specified trust.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"

' Set to the DNS name of the source or trusting domain.
strDomain    = "<TrustingDomain>"
' ------ END CONFIGURATION ---------

' Set the provider's TrustCheckLevel so that the next enumeration performs
' an SC_RESET (resets the trust password) rather than a plain status query.
' Other levels: 0 = enumerate only, 1 = enumerate with password check,
' 2 = enumerate with SC_QUERY.
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
              "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3  ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                        & " from Microsoft_DomainTrustStatus " _
                        & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next
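
The following PowerShell script is an added example, not code from the book: it runs the same Trustmon checks against the trusting domain with a password check (TrustCheckLevel 1) rather than an SC_RESET, decodes the numeric direction, type and attribute fields, and exits non-zero when any trust reports TrustIsOk = False so it can be scheduled as a monitoring check. The direction, type and attribute codes are assumed to mirror the trustDirection, trustType and trustAttributes values stored on the trustedDomain object.

```powershell
# Added example, not from the book: report trust health for one domain via the
# Trustmon WMI provider (Microsoft_TrustProvider / Microsoft_DomainTrustStatus).
param([Parameter(Mandatory = $true)][string]$TrustingDomain)  # e.g. amer.rallencorp.com

$ns = "root\MicrosoftActiveDirectory"

# TrustCheckLevel 1 = enumerate with a password check. The book's reset script
# uses 3 (SC_RESET), which rewrites the trust secret and is not a routine check.
$prov = Get-WmiObject -ComputerName $TrustingDomain -Namespace $ns -Class Microsoft_TrustProvider
$prov.TrustCheckLevel = 1
$prov.Put() | Out-Null

# Assumption: these codes mirror the trustDirection / trustType / trustAttributes
# values stored on the trustedDomain object.
$direction = @{ 1 = "Inbound"; 2 = "Outbound"; 3 = "Bidirectional" }
$type      = @{ 1 = "Downlevel (NT4)"; 2 = "Uplevel (AD)"; 3 = "MIT Kerberos"; 4 = "DCE" }
$attrFlags = [ordered]@{
    0x01 = "NonTransitive"; 0x02 = "UplevelOnly"; 0x04 = "QuarantinedDomain (SID filtering)"
    0x08 = "ForestTransitive"; 0x10 = "CrossOrganization (selective auth)"; 0x20 = "WithinForest"
}

function Get-TrustAttributeNames([int]$Value) {
    $names = foreach ($bit in $attrFlags.Keys) { if ($Value -band $bit) { $attrFlags[$bit] } }
    if ($names) { $names -join ", " } else { "None" }
}

$trusts = @(Get-WmiObject -ComputerName $TrustingDomain -Namespace $ns -Class Microsoft_DomainTrustStatus)

foreach ($t in $trusts) {
    [pscustomobject]@{
        TrustedDomain = $t.TrustedDomain
        Direction     = $direction[[int]$t.TrustDirection]
        Type          = $type[[int]$t.TrustType]
        Attributes    = Get-TrustAttributeNames $t.TrustAttributes
        TrustedDC     = $t.TrustedDCName
        IsOk          = $t.TrustIsOk
        Status        = $t.TrustStatusString
    }
}

# A trust that is not OK (stale secret, unreachable PDC) breaks cross-domain
# authentication; surface it and return a non-zero exit code for monitoring.
$failed = @($trusts | Where-Object { -not $_.TrustIsOk })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} trust(s) failing: {1}" -f $failed.Count, (($failed | ForEach-Object TrustedDomain) -join ", "))
    exit 1
}
```

Run it from an account with rights to the trusting domain's PDC; the Trustmon provider, as the book notes, is only available on Windows Server 2003 domain controllers.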