Alexander’s Blog

February 6, 2010

NetDom Examples

by Zubair Alexander @ 8:59 am. Filed under Active Directory, Scripting, Tips & Tricks, Windows 2003, Windows 2008

NetDom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use NetDom, you must run the NetDom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use NetDom to:

- Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.

- Provide an option to specify the organizational unit (OU) for the computer account.

- Generate a random computer password for an initial Join operation.

- Manage computer accounts for domain member workstations and member servers. Management operations include:

- Add, Remove, Query.

- An option to specify the OU for the computer account.

- An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.

- Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:

- From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.

- From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.

- Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).

- The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.

- Verify or reset the secure channel for the following configurations:

- Member workstations and servers.

- Backup domain controllers (BDCs) in a Windows NT 4.0 domain.

- Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.

- Manage trust relationships between domains, including the following operations:

- Enumerate trust relationships (direct and indirect).

- View and change some attributes on a trust.

NetDom Commands

Here are the NetDom commands.

Command

Description

Netdom add Adds a workstation or server account to the domain.
Netdom computername Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers.
Netdom join Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist.
Netdom move Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.
Netdom query Queries the domain for information such as membership and trust.
Netdom remove Removes a workstation or server from the domain.
Netdom movent4bdc Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts.
Netdom renamecomputer Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command.
Netdom reset Resets the secure connection between a workstation and a domain controller.
Netdom resetpwd Resets the computer account password for a domain controller.
Netdom trust Establishes, verifies, or resets a trust relationship between domains.
Netdom verify Verifies the secure connection between a workstation and a domain controller.

Microsoft has listed lots of examples on TechNet here. Here are some of them.

NetDom Examples

NOTE: The following examples apply to at least Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1 and Windows Server 2003 with SP2.

Example 1: Add a Workstation or Member Server to a Windows NT 4.0 Domain

To add the workstation mywksta to the Windows NT 4.0 domainreskita, type the following at the command line:

netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password

Example 2: Add a Workstation or Member Server to a Windows Server 2003 Domain

To add the workstation mywksta to the Windows Server 2003 domain devgroup.example.com in the organizational unit (OU) Dsys/workstations, type the following at the command prompt:

netdom add/d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com

Note

Example 3: Move a Windows NT 4.0 BDC to a new domain

To join myBDC to the Windows NT 4.0 domain reskita type the following at the command prompt:

netdom mybdc moveNT4BDC /domain:reskita

Example 4: Add an alternate name for a Windows Server 2003 domain controller

To give an alternate name for the domain controller DC in the example.com domain, use the following syntax:

netdom computername dc /add:altDC.example.com

A name must first exist as an alternate before it can be made the primary name of a computer.

Example 5: Rename a domain controller in a Windows Server 2003 domain

To rename the domain controller DC to altDC in the example.com domain use the following syntax:

netdom computername dc /makeprimary:altdc.example.com

To rename a member server you must choose one of the existing alternate names for the computer and make it the new primary name.

Example 6: Rename a Member Server

To rename the member server member to member1, type the following at the command prompt:

netdom renamecomputer member /newname:member1.example.com /userd:administrator

Example 7: Join a Workstation or Member Server to a Domain

To join mywksta to the devgroup.example.com domain in the Dsys/workstations organizational unit, type the following at the command prompt:

netdom join /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com

Besides adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the join operation.

Example 8: Remove a Workstation or Member Server from a Domain

To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the command prompt:

netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password

Example 9: Move a Workstation or Member Server from One Domain to Another

To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:

netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password

If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the security permissions that the computer account had previously.

Example 10: Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC

To reset the secure channel secret maintained between mywksta and devgroup.example.com (regardless of OU), type the following at the command prompt:

netdom reset /d:devgroup.example.com mywksta

To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type the following at the command prompt:

netdom reset /d:Northamerica NABDC

Example 11: Force a Secure Channel Session Between a Member and a Specific Domain Controller

Members often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a member and a specific domain controller by using the /server parameter with the reset operation, type the following at the command prompt:

netdom reset /d:devgroup.example.com mywksta /Server:mylocalbdc

Example 12: Verify a Workstation or Member Server Secure Channel

To verify the secure channel secret is maintained between mywksta and devgroup.example.com, type the following at the command prompt:

netdom verify /d:devgroup.example.com mywksta

Example 13: Establish a One-Way Trust Relationship

When used with the trust operation, the /d:Domain parameter always refers to the trusted domain.

To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*

Press Enter and the following prompt is displayed:

Password for Northamerica\admin:

Enter the password for Northamerica\admin and press Enter. The following prompt is displayed:

Password for USA-Chicago\admin:

Enter the password for USA-Chicago\admin and press Enter.

The user must have credentials for both domains. The /pd parameter can be used to specify the password for Northamerica\admin and the /po parameter can be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user is prompted for both.

If you then want to specify a two-way trust, type the following at the command prompt

netdom trust /d:marketing.example.com engineering.example.com /add /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com:

Example 14: Establish a One-Way Trust Relationship from a Windows Domain to a Non-Windows Kerberos Realm

To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the command prompt:

netdom trust /d:ATHENA Northamerica /add /PT:password /realm

The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm. The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed.

Note

If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:

netdom trust /d:Northamerica ATHENA /add

Note

Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as transitive, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans:yes

To display the transitive state, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans

The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.

Example 15: Break a One-Way Trust Relationship

To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /remove

Example 16: Break a Two-Way Trust Relationship

To break a two-way trust relationship, type the following at the command prompt:

netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com

Example 17: Verify a Specific Trust Relationship

To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /verify

To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:

netdom trust /d:Northamerica EUROPE /verify /twoway

The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.

Example 18: Reset a Specific Trust Relationship

To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset

The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.

Example 19: Verify Kerberos Functionality

To verify Kerberos authentication between a workstation and a service located in the domain devgroup.example.com, type the following at the command prompt:

netdom trust /d:devgroup.example.com /verify /KERBEROS

When you use the NetDom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are operating correctly between the workstation and the target domain.

Note

Example 20: View All Workstation Members in a Domain

To list all the workstations in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica WORKSTATION

Example 21: View All Server Members in a Domain

To list all of the servers in Northamerica, type the following at the command prompt:

netdom query /d:Northamerica SERVER

Example 22: View All Domain Controller Members in a Domain

To list all the domain controllers in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica DC

Example 23: View All Organizational Unit Members in a Domain

To list all of the OUs in devgroup.example.com, type the following at the command prompt:

netdom query /d:devgroup.example.com OU

Example 24: List the Primary Domain Controller Member in a Domain

To list the PDC for Northamerica, type the following at the command prompt:

netdom query /d:Northamerica PDC

Example 25: List the Primary Domain Controller Emulator in a Domain

To list the current PDC emulator for devgroup.example.com, type the following at the command prompt:

netdom query /d:devgroup.example.com FSMO

NOTE: There are more examples on TechNet here.

December 15, 2009

Group Policy Settings Reference for Windows Server 2003/2008/Vista

by Zubair Alexander @ 1:08 pm. Filed under Active Directory, Tools/Utils, Windows 2003, Windows 2008, Windows 7, Windows Vista

Microsoft offers several spreadsheets that contain all the settings for group policies. These spreadsheets list the policy settings for computer and user configurations included in the Administrative template files delivered with the Windows operating systems specified. You can configure these policy settings when you edit Group Policy objects (GPOs).

Using column filters, you can filter the information in these spreadsheets by operating system, component, or computer or user configuration. You can also search for information by using text or keywords.

These spreadsheets include the following categories of security policy settings: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy), Local Policies (Audit Policy, User Rights Assignment, and Security Options), Event Log, Restricted Groups, System Services, Registry, and File System policy settings. These spreadsheets do not include security settings that exist outside of the Security Settings extension (scecli.dll), such as Wireless Network extension, Public Key Policies, or Software Restriction Policies.

Supported Operating Systems:
- Windows 2000; Windows 2000 Server; Windows 7; Windows Server 2003; Windows Server 2008; Windows Server 2008 R2; Windows Vista; Windows XP
- Microsoft Excel or Excel Viewer

    Click here to download the spreadsheets.

    September 15, 2009

    Why is KRBTGT account in Windows Sever 2003 disabled?

    by Zubair Alexander @ 1:17 pm. Filed under Active Directory, Tips & Tricks, Windows 2000, Windows 2003

    The reason that the KRBTGT account is disabled in Windows 2000/2003 Server is that there is no reason or need for someone to be logging in with the KRBTGT domain account. Therefore, it cannot be enabled. Because it is a built-in account, you cannot enable or rename KRBTGT account. If  you try to rename the account you will get the error:

    One of the names could not be changed due to the following problem:
    Cannot perform this operation on built-in accounts.
    Please try again.

    If you try to enable the account you will get the error:

    Krbtgt could not be enabled due to the following problem:
    Cannot perform this operation on built-in accounts.

    Kerberos is the default authentication protocol in Windows 2000/2003. The KRBTGT account is used for Kerberos Ticket Granting Ticket (TGT). TGT  is a ticket that must be presented to the Kerberos service when a session request is made. The TGT is enciphered with a key that is derived from the password of the KRBTGT account, which is known only to the Kerberos service. As administrators we don’t need to mess with this account.

    August 10, 2009

    Windows Server 2000/2003/2008 Group Memberships

    by Zubair Alexander @ 2:21 pm. Filed under Active Directory, Tips & Tricks, Training, Windows 2000, Windows 2003, Windows 2008

    Group nesting and membership can get confusing, especially when you are dealing with multiple domains and different types of groups in Windows Server 2000/2003/2008. I have created a table (color-coded to make it more readable) that you may find helpful whether you are designing or troubleshooting group membership, or preparing to take a Microsoft exam.

    groupmembership

    Here’s how you can read this table. Keep in mind that I have tried to cover both the bases by listing: “Can contain from” and “Can be a member of.” I will use Global Group as an example.

    - A Global Group can contain User Accounts from the same domain.

    - A Global Group can be a member of Local Groups in the same domain as well as Local Groups in the other domains.

    - A Global Group can contain a Global Group from the same domain and a Global Group can be a member of a Global Group in the same domain.

    July 10, 2009

    What are GlobalNames Zones in Windows Server 2008?

    by Zubair Alexander @ 4:12 pm. Filed under Active Directory, Articles, Tips & Tricks, Windows 2008

    It is much more convenient to access servers in a Windows network by simply using single-label names, which are far easier to remember than the traditional fully qualified domain names (FQDNs) that are part of the default naming convention for Domain Name System (DNS). Before Windows Server 2008, network administrators used Windows Internet Name Service (WINS) technology to utilize single-label names. WINS is an alternative to DNS for name resolution. Because WINS depends on NetBIOS over TCP/IP (NetBT), and WINS and NetBT do not support IPv6 protocols, administrators can now use GlobalNames zones in Windows Server 2008 to take advantage of single-label names. WINS has been pretty much on its way out for the past few years and the new GlobalNames zone capability in Windows Server 2008 pushes it further out the door.

    The GlobalNames zones in Windows Server 2008 are new zones that allow network administrators to completely migrate to DNS for all their name resolution needs. Keep in mind that GlobalNames zones are not meant to be a complete replacement for WINS because, unlike WINS, they do not support dynamically registered records. GlobalNames zones are ideal for static, global records with single-label names where you do not need to rely on WINS.

    One of the more common usages of GlobalNames zone could be to put all the Windows Server 2008 servers on your network that are using static IP addresses in GlobalNames zone. In a pure IPv6 environment, which is not supported by WINS, you can use GlobalNames zones to provide all the DNS resolution. Your goal should be to get rid of WINS, migrate to WS08 environment, deploy GlobalNames zone and run IPv6 on your network. As a best practice, make sure that the GlobalNames zones are integrated with Active Directory Domain Services. The integration offers several benefits, such as security, better management, and future scalability.

    When to Deploy GlobalNames Zone

    Here are a few good reasons for deploying a GlobalNames zone on your network.
    1. You want to use single-label name resolution for your statically registered servers, or Web sites. You cannot register host names that are registered dynamically in a GlobalNames zone.
    2. You are planning to get rid of WINS, or you are switching to a pure IPv6 environment that won’t use IPv4. With GlobalNames zone you will be able to completely depend on DNS for all your DNS name resolution needs.
    3. You have a pure Windows Server 2008 environment where all the DNS servers are authoritative for the zones and serve client query requests. In such a pure environment (with no pre-Windows Server 2008 servers) all DNS servers must either be configured with a local copy of the GlobalNames zone, or they must be able to connect to other DNS servers that are configured for GlobalNames zone.
    4. Your domains are not centrally managed and therefore there is no guarantee that the host names will be unique. Although you can use the suffix search lists on your client computers for single-label name resolution, if you have too many target domains then using suffix search lists may not be feasible.

    Configuring GlobalNames Zone

    A GlobalNames zone is essentially just another forward lookup zone that is called GlobalNames. However, when you create a new GlobalNames zone, you need to ensure that you explicitly enable support for this zone on every authoritative DNS server in your forest. Until you enable this support, your GlobalNames zone will not  be able to function properly. Frankly, it just won’t provide any name resolution to the DNS clients.

    Use the following command on each and every authoritative DNS server in your forest to enable support for GlobalNames zones.

    dnscmd <ServerName> /config /enableglobalnamessupport 1

    where ServerName is the DNS name or IP address of the DNS server that hosts the GlobalNames zone. If you want to enable support on a local computer, simply replace the ServerName parameter with a period.

    dnscmd . /config /enableglobalnamessupport 1

    Once you have enabled the support, the next step is to replicate the GlobalNames zone to all the Domain Controllers in the forest. Finally, for each server that will be providing single-label name resolution, add a CNAME (alias) resource record to the GlobalNames zone.

    Copyright ©2009 Zubair Alexander. All rights reserved.

    « Previous Entries

    Contact E-mail | Terms of Use | Privacy Policy

    Copyright ©2009 Zubair Alexander. All rights reserved.

    Internal Links

    Categories

    Search Blog

    Archives

    March 2010
    M T W T F S S
    « Feb    
    1234567
    891011121314
    15161718192021
    22232425262728
    293031  

    RSS Feeds

    TechGalaxy Visitors

    23 queries. 1.189 seconds