Verifying a Trust






Problem

You want to verify that a trust is working correctly. This is the first diagnostic step to take if users report that authentication to a remote domain appears to be failing.

Solution

Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in (domain.msc):

  1. In the left pane, right-click on the trusting domain and select Properties.

  2. Click the Trusts tab.

  3. Click the domain that is associated with the trust you want to verify.

  4. Click the Edit button.

  5. Click the Verify button.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

  1. In the left pane, right-click on the trusting domain and select Properties.

  2. Click the Trusts tab.

  3. Click the domain that is associated with the trust you want to verify.

  4. Click the Properties button.

  5. Click the Validate button.

Using a command-line interface

	> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose
	    [/UserO:<TrustingDomainUser> /PasswordO:*]
	    [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

	' The following code lists all of the trusts for the
	' specified domain using the Trustmon WMI Provider.
	' The Trustmon WMI Provider is only supported on Windows Server 2003.
	' ------ SCRIPT CONFIGURATION ------
	strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
	' ------ END CONFIGURATION ---------

	set objWMI = GetObject("winmgmts:\\" &  strDomain &  _
	                       "\root\MicrosoftActiveDirectory")
	set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
	for each objTrust in objTrusts
	    ' Labels match the Microsoft_DomainTrustStatus property names
	    Wscript.Echo objTrust.TrustedDomain
	    Wscript.Echo " TrustAttributes: "   & objTrust.TrustAttributes
	    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
	    Wscript.Echo " TrustDirection: "    & objTrust.TrustDirection
	    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
	    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
	    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
	    Wscript.Echo " TrustType: "         & objTrust.TrustType
	    Wscript.Echo ""
	next

	' This code shows how to search specifically for trusts
	' that have failed, which can be accomplished using a WQL query that
	' contains the query: TrustIsOk = False
	' ------ SCRIPT CONFIGURATION ------
	strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
	' ------ END CONFIGURATION ---------

	set objWMI = GetObject("winmgmts:\\" &  strDomain &  _
	                       "\root\MicrosoftActiveDirectory")
	set objTrusts = objWMI.ExecQuery("select * " _
	                               &  " from Microsoft_DomainTrustStatus " _
	                               &  " where TrustIsOk = False ")
	if objTrusts.Count = 0 then
	   Wscript.Echo "There are no trust failures"
	else
	   WScript.Echo "Trust Failures:"
	   for each objTrust in objTrusts
	      Wscript.Echo " " &  objTrust.TrustedDomain &  " : " &  _
	                              objTrust.TrustStatusString
	      Wscript.Echo ""
	   next
	end if

Discussion

Verifying a trust consists of checking connectivity between the domains and determining if the shared secrets of a trust are synchronized between the two domains.

Using a graphical user interface

The Active Directory Domains and Trusts screens have changed somewhat between Windows 2000 and Windows Server 2003. The Verify button has been renamed Validate.

Using a command-line interface

If you want to verify a Kerberos trust, use the /Kerberos switch with the netdom command.

Using VBScript

The WMI TrustMon Provider is new to Windows Server 2003. It provides a nice interface for querying and checking the health of trusts. One of the benefits of using WMI to access this kind of data is that you can use WQL, the WMI Query Language, to perform complex queries to find trusts that have certain properties. WQL is a subset of SQL, which is commonly used to query databases. In the second VBScript example, we used WQL to find all trusts that have a problem. You could expand the query to include additional criteria, such as trust direction and trust type.
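
The expanded query suggested above, as an added example that is not part of the original recipe: it restricts the failed-trust search by direction and type and decodes the numeric codes in the report. The variables intDirection and intType and the two helper functions are hypothetical names, and the code values are assumed to follow the trustDirection and trustType values of the Active Directory trustedDomain object.

```vbscript
' Added example (not from the original recipe): failed trusts narrowed by
' direction and type. Assumption: codes follow the AD trustedDomain values
' (direction 1=inbound, 2=outbound, 3=bidirectional;
'  type 1=downlevel, 2=uplevel, 3=MIT Kerberos realm, 4=DCE).
Option Explicit
Dim strDomain, intDirection, intType, strQuery, objWMI, objTrusts, objTrust

' ------ SCRIPT CONFIGURATION ------
strDomain    = "<DomainDNSName>" ' e.g. amer.rallencorp.com
intDirection = 2                 ' outbound
intType      = 2                 ' uplevel (Active Directory domain)
' ------ END CONFIGURATION ---------

' CLng forces the configured values to numbers before they reach the WQL text
strQuery = "select * from Microsoft_DomainTrustStatus" & _
           " where TrustIsOk = False" & _
           " and TrustDirection = " & CLng(intDirection) & _
           " and TrustType = " & CLng(intType)
Set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
Set objTrusts = objWMI.ExecQuery(strQuery)

If objTrusts.Count = 0 Then
   WScript.Echo "No failed " & DirectionName(intDirection) & " " & TrustTypeName(intType) & " trusts"
Else
   For Each objTrust In objTrusts
      WScript.Echo objTrust.TrustedDomain & " [" & DirectionName(objTrust.TrustDirection) & _
                   ", " & TrustTypeName(objTrust.TrustType) & "] DC: " & _
                   objTrust.TrustedDCName & " : " & objTrust.TrustStatusString
   Next
End If

Function DirectionName(intValue)
   Select Case intValue
      Case 1:    DirectionName = "inbound"
      Case 2:    DirectionName = "outbound"
      Case 3:    DirectionName = "bidirectional"
      Case Else: DirectionName = "unknown (" & intValue & ")"
   End Select
End Function

Function TrustTypeName(intValue)
   Select Case intValue
      Case 1:    TrustTypeName = "downlevel"
      Case 2:    TrustTypeName = "uplevel"
      Case 3:    TrustTypeName = "MIT Kerberos realm"
      Case 4:    TrustTypeName = "DCE"
      Case Else: TrustTypeName = "unknown (" & intValue & ")"
   End Select
End Function
```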

See Also

MSDN: TrustMon Provider


