15.20. Creating and Removing a Trust

Problem

You want to create or delete a trust from an AD domain to a Windows NT domain, Kerberos realm, or another AD domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click the domain you want to add a trust for and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Complete the rest of the wizard steps. They will vary depending on the type of trust you create.

Using a command-line interface

> netdom trust <TargetDomainName> /Domain:<ADDomainName> /ADD
         [/UserD:<ADDomainName>\<ADUser> /PasswordD:*]
         [/UserO:<TargetDomainName>\<TargetUser> /PasswordO:*]
         [/TwoWay]

For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD
         /UserD:RALLENCORP\administrator /PasswordD:*
         /UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay option to the example.

The following command deletes a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose 
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
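
A check to run after adding or removing a trust, as an added example that is not from the book: it compares the trusts present in a domain against an approved list and reports unapproved trusts, missing trusts, and direction changes such as a one-way trust made two-way with /TwoWay. The function name, the baseline format, and the sample objects are assumptions; the Name and Direction properties match what Get-ADTrust (ActiveDirectory PowerShell module) returns.

```powershell
# Added example: compare a domain's trusts against an approved baseline.
# Input objects need Name and Direction properties, as Get-ADTrust returns.

function Compare-TrustBaseline {
    param(
        # Trusts found in the domain (may be empty if the domain has none).
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current,
        # Approved trusts: partner domain name -> expected direction.
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    $seen = @{}
    foreach ($t in $Current) {
        $name = "$($t.Name)".ToLowerInvariant()
        $dir  = "$($t.Direction)"
        $seen[$name] = $true
        if (-not $Approved.ContainsKey($name)) {
            [pscustomobject]@{ Trust = $name; Finding = 'Unapproved trust'; Detail = $dir }
        }
        elseif ($Approved[$name] -ne $dir) {
            # Catches, for example, a one-way trust that was made two-way.
            [pscustomobject]@{ Trust = $name; Finding = 'Direction differs'
                               Detail = "expected $($Approved[$name]), found $dir" }
        }
    }
    foreach ($name in $Approved.Keys) {
        if (-not $seen.ContainsKey($name)) {
            # A trust that should exist was removed or never created.
            [pscustomobject]@{ Trust = $name; Finding = 'Approved trust missing'; Detail = '' }
        }
    }
}

# Constructed baseline, viewed from RALLENCORP: RALLENCORP_NT4 trusts it (Inbound).
$approved = @{ 'rallencorp_nt4' = 'Inbound'; 'partner.example' = 'Outbound' }

# Constructed sample data standing in for Get-ADTrust output.
$sample = @(
    [pscustomobject]@{ Name = 'RALLENCORP_NT4'; Direction = 'BiDirectional' }
    [pscustomobject]@{ Name = 'lab.example';    Direction = 'Outbound' }
)

Compare-TrustBaseline -Current $sample -Approved $approved | Format-Table -AutoSize

# Live use on a domain-joined host with the ActiveDirectory module:
# Compare-TrustBaseline -Current @(Get-ADTrust -Filter *) -Approved $approved
```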

Using VBScript

None of the scripting interfaces supports creating a trust, but you can delete one as shown here:

' This code deletes a trust in the specified domain.
' ------ SCRIPT CONFIGURATION ...
