You want to verify that a trust is working correctly. This is the first diagnostics step to take if users notify you that authentication to a remote domain appears to be failing.
For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:
In the left pane, right-click on the trusting domain and select Properties.
Click the Trusts tab.
Click the domain that is associated with the trust you want to verify.
Click the Edit button.
Click the Verify button.
For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:
In the left pane, right-click on the trusting domain and select Properties.
Click the Trusts tab.
Click the domain that is associated with the trust you want to verify.
Click the Properties button.
Click the Validate button.
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose[RETURN] [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN] [/UserD:<TrustedDomainUser> /PasswordD:*]
' The following code lists all of the trusts for the ' specified domain using the Trustmon WMI Provider. ' The Trustmon WMI Provider is only supported on Windows Server 2003. ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strDomain & _ "\root\MicrosoftActiveDirectory") set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus") for each objTrust in objTrusts Wscript.Echo objTrust.TrustedDomain Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK Wscript.Echo " TrustStatus: " & objTrust.TrustStatus Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString Wscript.Echo " TrustType: " & objTrust.TrustType Wscript.Echo "" next ' This code shows how to search specifically for trusts ' that have failed, which can be accomplished using a WQL query that ' contains the query: TrustIsOk = False ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strDomain & _ "\root\MicrosoftActiveDirectory") set objTrusts = objWMI.ExecQuery("select * " _ & " from Microsoft_DomainTrustStatus " _ & " where TrustIsOk = False ") if objTrusts.Count = 0 then Wscript.Echo "There are no trust failures" else WScript.Echo "Trust Failures:" for each objTrust in objTrusts Wscript.Echo " " & objTrust.TrustedDomain & " : " & _ objTrust.TrustStatusString Wscript.Echo "" next end if
Verifying a trust consists of checking connectivity between the domains, and determining if the shared secrets of a trust are synchronized between the two domains.
The Active Directory Domains and Trusts screens have changed somewhat between Windows 2000 and Windows Server 2003. The Verify button has been renamed Validate.
If you want to verify a Kerberos trust, use the /Kerberos switch with the netdom command.
The WMI Trustmon Provider is new to Windows Server 2003. It provides a nice interface for querying and checking the health of trusts. One of the benefits of using WMI to access this kind of data is that you can use WQL, the WMI Query Language, to perform complex queries to find trusts that have certain properties. WQL is a subset of the Structured Query Language (SQL) commonly used to query databases. In the second VBScript example, I used WQL to find all trusts that have a problem. You could expand the query to include additional criteria, such as trust direction, and trust type.
MSDN: Trustmon Provider