[ Team LiB ] |
Recipe 2.21 Resetting a Trust

2.21.1 Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

2.21.2 Solution

2.21.2.1 Using a graphical user interface

Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if the Verify/Validate did not succeed.

2.21.2.2 Using a command-line interface

    > netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*]

2.21.2.3 Using VBScript

    ' This code resets the specified trust.
    ' ------ SCRIPT CONFIGURATION ------
    ' Set to the DNS or NetBIOS name for the Windows 2000,
    ' Windows NT domain or Kerberos realm you want to reset the trust for.
    strTrustName = "<TrustToCheck>"
    ' Set to the DNS name of the source or trusting domain.
    strDomain = "<TrustingDomain>"
    ' ------ END CONFIGURATION ---------

    ' Enable SC_RESET during trust enumerations
    set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
    objTrustProv.TrustCheckLevel = 3   ' Enumerate with SC_RESET
    objTrustProv.Put_

    ' Query the trust and print status information
    set objWMI = GetObject("winmgmts:\\" & strDomain & _
                           "\root\MicrosoftActiveDirectory")
    set objTrusts = objWMI.ExecQuery("Select * " _
                         & " from Microsoft_DomainTrustStatus " _
                         & " where TrustedDomain = '" & strTrustName & "'" )
    for each objTrust in objTrusts
        Wscript.Echo objTrust.TrustedDomain
        Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
        Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
        Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection
        Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
        Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
        Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
        Wscript.Echo " TrustType: " & objTrust.TrustType
        Wscript.Echo ""
    next

2.21.3 Discussion

Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC in each domain is used to synchronize the password, so both must be reachable.

2.21.3.1 Using a command-line interface

If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option with netdom.

2.21.4 See Also

Recipe 2.20 for verifying a trust
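The following PowerShell script is an added example, not code from the original recipe. It applies the same gate as the GUI (reset only when verification fails) and checks that both PDCs answer before changing the trust secret. It uses the .NET System.DirectoryServices.ActiveDirectory classes instead of netdom or the WMI trust provider, and it assumes the account running it has rights in both domains; the parameter names, the helper Get-TrustSideDomain, and the LDAP port probe are choices made for this illustration.

```powershell
# Added example: verify a trust first and reset it only if verification fails.
# Swapped-in technique: .NET System.DirectoryServices.ActiveDirectory (not netdom/WMI).
param(
    [Parameter(Mandatory)] [string] $TrustingDomain,  # placeholder, as in the recipe
    [Parameter(Mandatory)] [string] $TrustedDomain    # placeholder, as in the recipe
)
Add-Type -AssemblyName System.DirectoryServices

# Hypothetical helper: bind to a domain by DNS name.
function Get-TrustSideDomain([string] $Name) {
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, $Name)
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
}

$trusting = Get-TrustSideDomain $TrustingDomain
$trusted  = Get-TrustSideDomain $TrustedDomain

# Both PDCs take part in the reset, so stop early if either one does not answer.
# Assumption: an LDAP (389) probe is used here as a basic reachability check.
foreach ($d in $trusting, $trusted) {
    $pdc = $d.PdcRoleOwner.Name
    if (-not (Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet)) {
        throw "PDC $pdc for $($d.Name) is not reachable; not attempting a reset."
    }
}

# Use the direction recorded on the trust object rather than guessing it.
$direction = $trusting.GetTrustRelationship($TrustedDomain).TrustDirection

try {
    $trusting.VerifyTrustRelationship($trusted, $direction)
    Write-Output "Trust $TrustingDomain -> $TrustedDomain verified; no reset performed."
    return
}
catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException] {
    # A missing trust or a down server raises a different exception type and
    # is deliberately not caught, so the script never resets in those cases.
    Write-Warning "Verification failed: $($_.Exception.Message)"
}

# Verification failed: reset the trust secret on both sides, then verify again.
$trusting.RepairTrustRelationship($trusted)
$trusting.VerifyTrustRelationship($trusted, $direction)
Write-Output "Trust reset and re-verified at $(Get-Date -Format o) by $env:USERNAME."
```

The final output line gives a timestamp and operator name that can be kept with change records, since a trust reset alters a shared secret used for cross-domain authentication.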