Active Directory Cookbook for Windows Server 2003 - P5

2.18.2.2 Using a command-line interface
> netdom trust <ADDomainDNSName> /Domain:<KerberosRealmDNSName>[RETURN]
/Realm /ADD /PasswordT:<TrustPassword>[RETURN]
[/UserO:<ADDomainAdminUser> /PasswordO:*]
The <TrustPassword> has to match what was set on the Kerberos side. To create a realm trust
from the rallencorp.com domain to the Kerberos realm called kerb.rallencorp.com, use the
following command:
> netdom trust rallencorp.com /Domain:kerb.rallencorp.com[RETURN]
/Realm /ADD /PasswordT:MyKerbRealmPassword[RETURN]
/UserO: /PasswordO:*
2.18.3 Discussion
You can create a Kerberos realm trust between an Active Directory domain and a non-Windows
Kerberos v5 realm. A realm trust can be used to allow clients from the non-Windows Kerberos
realm to access resources in Active Directory, and vice versa. See Recipe 18.7 for more
information on MIT Kerberos interoperability with Active Directory.
2.18.4 See Also
MS KB 260123 (Information on the Transitivity of a Kerberos Realm Trust) and MS KB 266080
(Answers to Frequently Asked Kerberos Questions)
Recipe 2.19 Viewing the Trusts for a Domain
2.19.1 Problem
You want to view the trusts for a domain.
2.19.2 Solution
2.19.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to view and select Properties.
3. Click on the Trusts tab.
2.19.2.2 Using a command-line interface
> netdom query trust /Domain:<DomainDNSName>
2.19.2.3 Using VBScript
' This code prints the trusts for the specified domain.
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
' END CONFIGURATION

' Trust Direction Constants taken from NTSecAPI.h
set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
objTrustDirectionHash.Add "DIRECTION_INBOUND", 1
objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

' Trust Type Constants - taken from NTSecAPI.h
set objTrustTypeHash = CreateObject("Scripting.Dictionary")
objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
objTrustTypeHash.Add "TYPE_UPLEVEL", 2
objTrustTypeHash.Add "TYPE_MIT", 3
objTrustTypeHash.Add "TYPE_DCE", 4

' Trust Attribute Constants - taken from NTSecAPI.h
' trustAttributes is a bit mask, so more than one of these can be set on a trust.
set objTrustAttrHash = CreateObject("Scripting.Dictionary")
objTrustAttrHash.Add "ATTRIBUTES_NON_TRANSITIVE", 1
objTrustAttrHash.Add "ATTRIBUTES_UPLEVEL_ONLY", 2
objTrustAttrHash.Add "ATTRIBUTES_QUARANTINED_DOMAIN", 4
objTrustAttrHash.Add "ATTRIBUTES_FOREST_TRANSITIVE", 8
objTrustAttrHash.Add "ATTRIBUTES_CROSS_ORGANIZATION", 16
objTrustAttrHash.Add "ATTRIBUTES_WITHIN_FOREST", 32
objTrustAttrHash.Add "ATTRIBUTES_TREAT_AS_EXTERNAL", 64

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrusts = GetObject("LDAP://cn=System," & _
                          objRootDSE.Get("defaultNamingContext") )
objTrusts.Filter = Array("trustedDomain")
Wscript.Echo "Trusts for " & strDomain & ":"

for each objTrust in objTrusts
   ' trustDirection and trustType hold a single value, so an equality test is enough
   for each strFlag In objTrustDirectionHash.Keys
      if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next

   for each strFlag In objTrustTypeHash.Keys
      if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next

   ' Test each attribute bit separately; comparing the whole value for equality
   ' would print nothing for a trust that has two or more attributes set.
   for each strFlag In objTrustAttrHash.Keys
      if (objTrust.Get("trustAttributes") And objTrustAttrHash(strFlag)) <> 0 then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next

   WScript.Echo " " & objTrust.Get("trustPartner") & " : " & strTrustInfo
   strTrustInfo = ""
next

2.19.3 Discussion
2.19.3.1 Using a graphical user interface
You can view the properties of a particular trust by clicking on a trust and clicking the Properties
button.
2.19.3.2 Using a command-line interface
You can include the /Direct switch if you want to view only direct-trust relationships. If you
don't use /Direct, implicit trusts that occur due to transitive-trust relationships will also be listed.
2.19.3.3 Using VBScript
This script uses dictionary objects to ease the mapping of the various integer values for attributes,
such as trustType and trustDirection, to descriptive names. A dictionary object in VBScript
is analogous to a hash or associative array in other programming languages. The Add method
accepts a key and value pair to add to the dictionary. The Keys method returns the keys of the
dictionary as a collection. To access a value of the dictionary, you simply pass the key name as a
parameter to the dictionary object, such as objDictionary( strKey ).
Another option to query trusts programmatically is with the Trustmon WMI Provider. The
Trustmon Provider is new to Windows Server 2003. See Recipe 2.20 for an example.
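The recipe's VBScript maps each raw integer to one name. The following Python is an added example, not code from the cookbook, that does the same decoding offline against a constructed set of trustedDomain values, with one difference worth knowing: trustAttributes is a bit mask, so it names every bit that is set rather than looking for a single matching value. Because ATTRIBUTES_QUARANTINED_DOMAIN is the bit that SID filtering (Recipe 2.23) sets, the same decode also lets you list Windows trusts that leave the forest without it. The TrustedDomain class, SAMPLE_TRUSTS and the function names are this example's own.

```python
# Added example (not the cookbook's code): decode the trustDirection, trustType and
# trustAttributes values of trustedDomain objects, treating trustAttributes as the
# bit mask it is. The sample trusts below are constructed; no directory is queried.
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Values as listed in Recipe 2.19 (NTSecAPI.h).
TRUST_DIRECTION = {
    0: "DIRECTION_DISABLED",
    1: "DIRECTION_INBOUND",
    2: "DIRECTION_OUTBOUND",
    3: "DIRECTION_BIDIRECTIONAL",
}
TRUST_TYPE = {1: "TYPE_DOWNLEVEL", 2: "TYPE_UPLEVEL", 3: "TYPE_MIT", 4: "TYPE_DCE"}
TRUST_ATTRIBUTES = {
    1: "ATTRIBUTES_NON_TRANSITIVE",
    2: "ATTRIBUTES_UPLEVEL_ONLY",
    4: "ATTRIBUTES_QUARANTINED_DOMAIN",   # SID filtering enabled (Recipe 2.23)
    8: "ATTRIBUTES_FOREST_TRANSITIVE",
    16: "ATTRIBUTES_CROSS_ORGANIZATION",
    32: "ATTRIBUTES_WITHIN_FOREST",
    64: "ATTRIBUTES_TREAT_AS_EXTERNAL",
}
KNOWN_ATTRIBUTE_BITS = sum(TRUST_ATTRIBUTES)


@dataclass(frozen=True)
class TrustedDomain:
    """The attributes of one trustedDomain object that the recipe prints (hypothetical type)."""
    trust_partner: str
    trust_direction: int
    trust_type: int
    trust_attributes: int


def decode_attributes(value: int) -> List[str]:
    """Name every bit set in trustAttributes; unknown bits are reported, not dropped."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~KNOWN_ATTRIBUTE_BITS
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def decode_trust(trust: TrustedDomain) -> Dict[str, object]:
    """Map the raw integers of one trust to the descriptive names used in the recipe."""
    attrs = trust.trust_attributes
    return {
        "partner": trust.trust_partner,
        "direction": TRUST_DIRECTION.get(trust.trust_direction, f"UNKNOWN_{trust.trust_direction}"),
        "type": TRUST_TYPE.get(trust.trust_type, f"UNKNOWN_{trust.trust_type}"),
        "attributes": decode_attributes(attrs),
        "transitive": not attrs & 1,        # NON_TRANSITIVE bit clear
        "sid_filtering": bool(attrs & 4),   # QUARANTINED_DOMAIN bit set
    }


def trusts_without_sid_filtering(trusts: List[TrustedDomain]) -> List[str]:
    """Partners of Windows trusts that leave the forest and lack the QUARANTINED_DOMAIN bit."""
    flagged = []
    for t in trusts:
        windows_trust = t.trust_type in (1, 2)        # downlevel (NT) or uplevel (AD)
        leaves_forest = not t.trust_attributes & 32   # WITHIN_FOREST bit clear
        if windows_trust and leaves_forest and not t.trust_attributes & 4:
            flagged.append(t.trust_partner)
    return flagged


# Constructed sample: what a trustedDomain enumeration might return for rallencorp.com.
SAMPLE_TRUSTS = [
    TrustedDomain("amer.rallencorp.com", 3, 2, 32),   # child domain, within forest
    TrustedDomain("kerb.rallencorp.com", 2, 3, 1),    # MIT realm trust as in Recipe 2.18
    TrustedDomain("partner.example.com", 2, 2, 5),    # external trust, SID filtering on
    TrustedDomain("legacy.example.com", 1, 1, 1),     # NT 4.0 trust, no SID filtering
]


def report(trusts: List[TrustedDomain]) -> List[str]:
    """One line per trust, in the same shape as the recipe's VBScript output."""
    lines = []
    for t in trusts:
        d = decode_trust(t)
        lines.append(f" {d['partner']} : {d['direction']} {d['type']} {' '.join(d['attributes'])}")
    return lines


if __name__ == "__main__":
    print("Trusts for rallencorp.com:")
    print("\n".join(report(SAMPLE_TRUSTS)))
    print("Windows trusts leaving the forest without SID filtering:",
          trusts_without_sid_filtering(SAMPLE_TRUSTS))
```

On a real domain you would feed decode_trust with the trustPartner, trustDirection, trustType and trustAttributes values read from each trustedDomain object under cn=System, exactly as the VBScript enumerates them; the MIT realm trust is deliberately left out of the SID-filtering check because a Kerberos realm carries no Windows SIDs.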
2.19.4 See Also
The Introduction at the beginning of this chapter for attributes of trustedDomain objects, Recipe
2.20 for another way to query trusts programmatically, MS KB 228477 (HOW TO: Determine
Trust Relationship Configurations), and MSDN: TRUSTED_DOMAIN_INFORMATION_EX
Recipe 2.20 Verifying a Trust
2.20.1 Problem
You want to verify that a trust is working correctly. This is the first diagnostics step to take if
users notify you that authentication to a remote domain appears to be failing.
2.20.2 Solution
2.20.2.1 Using a graphical user interface
For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:
1. In the left pane, right-click on the trusting domain and select Properties.
2. Click the Trusts tab.
3. Click the domain that is associated with the trust you want to verify.
4. Click the Edit button.
5. Click the Verify button.
For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:
1. In the left pane, right-click on the trusting domain and select Properties.
2. Click the Trusts tab.
3. Click the domain that is associated with the trust you want to verify.
4. Click the Properties button.
5. Click the Validate button.
2.20.2.2 Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]
2.20.2.3 Using VBScript
' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is only supported on Windows Server 2003.
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
   Wscript.Echo objTrust.TrustedDomain
   Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
   Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
   Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection
   Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
   Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
   Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
   Wscript.Echo " TrustType: " & objTrust.TrustType
   Wscript.Echo ""
next

' This code shows how to search specifically for trusts that have
' failed, using a WQL query with the condition TrustIsOk = False.
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("select * " _
                                 & " from Microsoft_DomainTrustStatus " _
                                 & " where TrustIsOk = False ")
if objTrusts.Count = 0 then
   Wscript.Echo "There are no trust failures"
else
   WScript.Echo "Trust Failures:"
   for each objTrust in objTrusts
      Wscript.Echo " " & objTrust.TrustedDomain & " : " & _
                   objTrust.TrustStatusString
      Wscript.Echo ""
   next
end if
2.20.3 Discussion
Verifying a trust consists of checking connectivity between the domains, and determining if the
shared secrets of a trust are synchronized between the two domains.
2.20.3.1 Using a graphical user interface
The Active Directory Domains and Trusts screens have changed somewhat between Windows
2000 and Windows Server 2003. The Verify button has been renamed Validate.
2.20.3.2 Using a command-line interface
If you want to verify a Kerberos trust, use the /Kerberos switch with the netdom command.
2.20.3.3 Using VBScript
The WMI Trustmon Provider is new to Windows Server 2003. It provides a nice interface for
querying and checking the health of trusts. One of the benefits of using WMI to access this kind
of data is that you can use WQL, the WMI Query Language, to perform complex queries to find
trusts that have certain properties. WQL is a subset of the Structured Query Language (SQL)
commonly used to query databases. In the second VBScript example, I used WQL to find all
trusts that have a problem. You could expand the query to include additional criteria, such as
trust direction, and trust type.
2.20.4 See Also
MSDN: Trustmon Provider
Recipe 2.21 Resetting a Trust
2.21.1 Problem
You want to reset a trust password. If you've determined a trust is broken, you need to reset it,
which will allow users to authenticate across it again.
2.21.2 Solution
2.21.2.1 Using a graphical user interface
Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if
the Verify/Validate did not succeed.
2.21.2.2 Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]
2.21.2.3 Using VBScript
' This code resets the specified trust.
' SCRIPT CONFIGURATION
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"

' Set to the DNS name of the source or trusting domain.
strDomain = "<TrustingDomain>"
' END CONFIGURATION

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
"\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3 ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                                 & " from Microsoft_DomainTrustStatus " _
                                 & " where TrustedDomain = '" & strTrustName & "'" )

for each objTrust in objTrusts
   Wscript.Echo objTrust.TrustedDomain
   Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
   Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
   Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection
   Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
   Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
   Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
   Wscript.Echo " TrustType: " & objTrust.TrustType
   Wscript.Echo ""
next
2.21.3 Discussion
Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC in both
domains is used to synchronize the password so they must be reachable.
2.21.3.1 Using a command-line interface
If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option with
netdom.
2.21.4 See Also
Recipe 2.20 for verifying a trust
Recipe 2.22 Removing a Trust
2.22.1 Problem
You want to remove a trust. This is commonly done when the remote domain has been
decommissioned or access to it is no longer required.
2.22.2 Solution
2.22.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click on the trusting domain and select Properties.
3. Click the Trusts tab.
4. Click on the domain that is associated with the trust you want to remove.
5. Click the Remove button.
6. Click OK.
2.22.2.2 Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]
2.22.2.3 Using VBScript
' This code deletes a trust in the specified domain.
' SCRIPT CONFIGURATION
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain = "<DomainDNSName>"
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrust = GetObject("LDAP://cn=System," & _
objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName
set objTrustUser = GetObject("LDAP://cn=Users," & _
objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "trustedDomain", "cn=" & strTrustName & "$"
WScript.Echo "Successfully deleted trust for " & strTrustName
2.22.3 Discussion
Trusts are stored in Active Directory as two objects: a trustedDomain object in the System
container and a user object in the Users container. Both of these objects need to be removed
when deleting a trust. The GUI and CLI solutions take care of that in one step, but in the
VBScript example both objects needed to be explicitly deleted. It is also worth noting that each
solution only deleted one side of the trust. If the trust was to a remote AD forest or NT 4.0
domain, you also need to delete the trust in that domain.
Recipe 2.23 Enabling SID Filtering for a Trust
2.23.1 Problem
You want to enable Security Identifier (SID) filtering for a trust. By enabling SID filtering you
can keep a hacker from spoofing a SID across a trust.
2.23.2 Solution
2.23.2.1 Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine Yes[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]
2.23.3 Discussion
A security vulnerability exists with the use of SID history, which is described in detail in MS KB
289243. An administrator in a trusted domain can modify the SID history for a user, which could
grant her elevated privileges in the trusting domain. The risk of this exploit is relatively low due
to the complexity in forging a SID, but nevertheless, you should be aware of it. To prevent this
from happening you can enable SID Filtering for a trust. When SID filtering is enabled, the only
SIDs that are used as part of a user's token are from the trusted domain itself. SIDs from other
trusting domains are not included. SID filtering makes things more secure, but prevents the use
of SID history and can cause problems with transitive trusts.
2.23.4 See Also
MS KB 289243 (MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000)
Recipe 2.24 Finding Duplicate SIDs in a Domain
2.24.1 Problem
You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate
SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID)
FSMO role owner has to be seized or you are migrating users from Windows NT domains.
2.24.2 Solution
2.24.2.1 Using a command-line interface
To find duplicate SIDs run the following command, replacing <DomainControllerName> with a
domain controller or domain name:
> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q
The following message will be returned:
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
The dupsid.log file will be in the directory where you started ntdsutil.
If you want to delete any objects that have duplicate SIDs, you can use the following command:
> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q
Like the check command, the clean command will generate a message like the following upon
completion:
Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicate
2.24.3 Discussion
All security principals in Active Directory have a SID, which is used to uniquely identify the
object in the Windows security system. There are two parts of a SID, the domain identifier and
the RID. Domain controllers are allocated a RID pool from the RID FSMO for the domain.
When a new security principal (user, group, or computer) is created, the domain controller takes
a RID from its pool to generate a SID for the account.
In some rare circumstances, such as when the RID master role is seized, overlapping RID pools
can be allocated, which can ultimately lead to duplicate SIDs. Having duplicate SIDs is a
potentially hazardous problem because a user, group, or computer could gain access to sensitive
data they were never intended to have access to.
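The two-part structure described above (domain identifier plus RID) is what makes a duplicate SID possible when two domain controllers draw from overlapping RID pools. The following Python is an added example, not the cookbook's code and not a substitute for ntdsutil: it parses textual SIDs into domain identifier and RID, reports any SID carried by more than one principal, and checks a set of RID ranges for overlap. The Sid class, the function names, the principals and the pool ranges are all this example's own constructed data; the domain SID value is made up.

```python
# Added example (not the cookbook's code): parse SIDs into their domain identifier and
# RID, report duplicate SIDs in a list of principals, and check RID pools for overlap.
# All principals and pools below are constructed sample data.
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Sid(NamedTuple):
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def domain_identifier(self) -> str:
        """Everything but the last sub-authority: identical for every principal of a domain."""
        return "-".join(["S", str(self.revision), str(self.identifier_authority),
                         *(str(s) for s in self.sub_authorities[:-1])])

    @property
    def rid(self) -> int:
        """The last sub-authority, taken from the creating DC's RID pool."""
        return self.sub_authorities[-1]

    def __str__(self) -> str:
        return f"{self.domain_identifier}-{self.rid}"


def parse_sid(text: str) -> Sid:
    """Parse the textual form S-R-I-S1-S2-...; rejects anything that is not a revision-1 SID."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision} in {text!r}")
    return Sid(revision, authority, tuple(int(p) for p in parts[3:]))


def find_duplicate_sids(principals: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {sid: [names]} for every SID that more than one principal carries."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for name, sid_text in principals:
        owners[str(parse_sid(sid_text))].append(name)
    return {sid: names for sid, names in owners.items() if len(names) > 1}


def overlapping_rid_pools(pools: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of DCs whose allocated RID ranges (inclusive start, end) intersect."""
    names = sorted(pools)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_start, a_end = pools[a]
            b_start, b_end = pools[b]
            if a_start <= b_end and b_start <= a_end:
                clashes.append((a, b))
    return clashes


# Constructed sample data for the rallencorp.com domain (domain SID is made up).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
PRINCIPALS = [
    ("RALLENCORP\\jsmith", f"{DOMAIN_SID}-1105"),
    ("RALLENCORP\\Finance Admins", f"{DOMAIN_SID}-1106"),
    ("RALLENCORP\\svc-backup", f"{DOMAIN_SID}-1105"),   # same SID as jsmith
    ("BUILTIN\\Administrators", "S-1-5-32-544"),
]
# Two DCs holding overlapping ranges, the situation the recipe describes after a RID master seizure.
RID_POOLS = {"dc1": (1100, 1599), "dc2": (1500, 1999), "dc3": (2000, 2499)}


if __name__ == "__main__":
    for sid, names in find_duplicate_sids(PRINCIPALS).items():
        print(f"duplicate SID {sid}: {', '.join(names)}")
    print("overlapping RID pools:", overlapping_rid_pools(RID_POOLS))
```

The duplicate check works on whatever (name, SID) pairs you hand it, for example an export of objectSid values from the domain; ntdsutil remains the supported way to find and clean duplicates, and this only helps you understand what dupsid.log is reporting.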
2.24.4 See Also
MS KB 315062 (HOW TO: Find and Clean Up Duplicate Security Identifiers with Ntdsutil in
Windows 2000)