Monitoring Trusts






Monitoring Trusts

New to Windows Server 2003 is the Trustmon WMI provider. The Trustmon provider allows you to query the list of trusts supported on a domain controller and determine if they are working correctly. The Trustmon provider consists of three classes, but the primary one is the Microsoft_DomainTrustStatus class, which represents each trust the domain controller knows about. The Trustmon provider is contained under the root\MicrosoftActiveDirectory namespace. Note that this namespace is different than for the Active Directory provider, which is contained under root\directory\ldap.

Figure provides a list of the property methods available to this class.

Microsoft_DomainTrustStatus properties

Property

Description

Flatname

NetBIOS name for the domain.

SID

SID for the domain.

TRustAttributes

Flag indicating special properties of the trust. Can be any combination of the following:

  • 0x1 (nontransitive)

  • 0x2 (uplevel clients only)

  • 0x40000 (tree parent)

  • 0x80000 (tree root)

TRustDCName

Name of the domain controller the trust is set up with.

trustDirection

Integer representing direction of the trust. Valid values include:

  • 1 (inbound)

  • 2 (outbound)

  • 3 (bidirectional)

trustedDomain

Naming of trusted domain.

trustIsOK

Boolean indicating whether the trust is functioning properly.

TRustStatus

Integer representing the status for the trust. 0 indicates no failure.

trustStatusString

Textual description of status for the trust.

trustType

Integer representing the type of trust. Valid values include:

  • 1 (downlevel)

  • 2 (uplevel)

  • 3 (Kerberos realm)

  • 4 (DCE)


As you can see from Figure, the Microsoft_DomainTrustStatus class provides just about all the information you'd want to know concerning a trust. The following example shows how easy it is to enumerate all the trusts using this class:

strComputer = "."

Set objWMI = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftActiveDirectory")
Set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")

For Each objTrust In objTrusts
    WScript.Echo objTrust.TrustedDomain
    WScript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    WScript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    WScript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    WScript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    WScript.Echo " TrustStatus: "       & objTrust.TrustStatus
    WScript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    WScript.Echo " TrustType: "         & objTrust.TrustType
    WScript.Echo ""
Next
WScript.Echo "The script has completed successfully."

Next, let's illustrate a script that finds any trust that has some kind of failure. All we need to do is modify the WQL query in the previous example to include a whereTrustIsOk = False clause. We then print out the trustStatusString property, which will return a description of the failure:

strComputer = "."

Set objWMI = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftActiveDirectory")
Set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus " & _
                                 "where TrustIsOk = False ")

If objTrusts.Count = 0 Then
   WScript.Echo "There are no trust failures"
Else
    For Each objTrust In objTrusts
       WScript.Echo objTrust.TrustedDomain & " - " & objTrust.TrustStatusString
       WScript.Echo ""
   Next
End If
WScript.Echo "The script has completed successfully."

One of the neat features of the Trustmon provider is that it is configurable. Through WMI, you can modify what type of checks it does to determine trust failures and also how long to cache information it retrieves. All of this is done with the Microsoft_TrustProvider class. Figure contains a list of all property methods for this class.

Microsoft_TrustProvider properties

Property

Description

trustListLifetime

Number of minutes to cache the last trust enumeration (20 is the default).

trustStatusLifetime

Number of minutes to cache the last trust status request (3 is the default).

TRustCheckLevel

Number representing the type of check to perform against each trust during enumeration (2 is the default). Valid values include:

  • 0 (enumerate only)

  • 1 (enumerate with SC_QUERY)

  • 2 (enumerate with password check)

  • 3 (enumerate with SC_RESET)

ReturnAll

Boolean indicating whether both trusting and trusted domains are enumerated. True is the default, which indicates to check both trusting and trusted domains.


Now we will show a simple script that changes the default settings for the Trustmon provider. In the following example, we set the trustListLifetime to 15 minutes, the trustStatusLifetime to five minutes, and the TRustCheckLevel to 1:

strComputer = "."

Set objTrustProv = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")

objTrustProv.TrustListLifetime   = 15   ` 15 minutes
objTrustProv.TrustStatusLifetime = 5    ` 5 minutes
objTrustProv.TrustCheckLevel     = 1    ` Enumerate with SC_QUERY
objTrustProv.Put_
WScript.Echo "The script has completed successfully."

The Trustmon provider is a great example of how to utilize WMI in the Active Directory space. What previously could only have been done with command-line utilities or MMC snap-ins can now be done programmatically very easily.



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows