Recipe 2.21 Resetting a Trust

2.21.1 Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

2.21.2 Solution

2.21.2.1 Using a graphical user interface

Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if the Verify/Validate did not succeed.

2.21.2.2 Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
2.21.2.3 Using VBScript
' This code resets the specified trust.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"

' Set to the DNS name of the source or trusting domain.
strDomain    = "<TrustingDomain>"
' ------ END CONFIGURATION ---------

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
              "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3  ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                        & " from Microsoft_DomainTrustStatus " _
                        & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

2.21.3 Discussion

Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC in both domains is used to synchronize the password so they must be reachable.

2.21.3.1 Using a command-line interface

If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option with netdom.

2.21.4 See Also

Recipe 2.20 for verifying a trust



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List