Check the Secure Channel of a machine
 
Event 5722 is logged in the following scenarios:

When you rejoin a computer to a domain using a name that is already in use by another computer, or when an existing computer account is reset. (An existing computer account can be reset with Active Directory Users and Computers or with Netdom.exe.)

In this scenario the computer account password held by the original computer no longer matches the password stored on the domain controller, so the original computer cannot establish a secure channel to the domain controller.

This message is not logged when a computer updates its own computer account password.

To resolve problems caused by duplicate computer names, rejoin the original computer to the domain.

You can ignore event 5722 when both of the following conditions are met:
the date and time of event 5722 match the decoded date and time;
a valid secure channel is established between the computer and the domain controllers.

Otherwise the secure channel has to be re-established, using the nltest and netdom commands below.
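The two conditions above can be checked from the domain controller in bulk. The script below is an added example, not code from the original article: it collects the 5722 events from the DC's System log, looks up each named computer account, records whether its password was set shortly before the event (which is what an account reset or re-join leaves behind) and runs the same nltest /server /sc_query check the article shows to see whether the machine has a valid secure channel now. Assumed, not stated on the page: the DC logs the event text in English, the RSAT ActiveDirectory module is installed, the caller can read the DC's System log and run nltest against the member, and the 30-minute window used to call a reset "near" the event is this example's heuristic.

```powershell
#Requires -Modules ActiveDirectory
# Added example: triage NETLOGON event 5722 on a domain controller.
# For each event: read the computer name from the message, compare the event time
# with the account's PasswordLastSet, then check the member's secure channel with
# "nltest /server:<computer> /sc_query:<domain>" exactly as the article does.

function Get-Event5722 {
    param(
        [string]$DomainController = $env:COMPUTERNAME,  # DC whose System log is read
        [int]$Days = 7
    )
    $filter = @{ LogName = 'System'; Id = 5722; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # English NETLOGON text: "The session setup from the computer <NAME> failed to
            # authenticate ..." (assumed wording; adapt the regex on a localized DC).
            if ($_.Message -match 'from the computer (\S+?) failed') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $Matches[1].TrimEnd('$')
                    Dc       = $_.MachineName
                }
            }
        }
}

function Test-RemoteSecureChannel {
    param([string]$Computer, [string]$Domain)
    # A valid channel prints "Status = 0 0x0 NERR_Success"; a broken one prints
    # "Status = 5 0x5 ERROR_ACCESS_DENIED" with an empty Trusted DC Name.
    $out = (& nltest.exe "/server:$Computer" "/sc_query:$Domain" 2>&1) -join "`n"
    [pscustomobject]@{
        Computer        = $Computer
        SecureChannelOk = $out -match 'Status\s*=\s*0\s+0x0\s+NERR_Success'
        TrustedDc       = if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
    }
}

function Invoke-Event5722Triage {
    param([string]$Domain = $env:USERDNSDOMAIN, [int]$Days = 7)
    foreach ($ev in Get-Event5722 -Days $Days) {
        # -Filter returns nothing (instead of an error) when the account does not exist.
        $acct = Get-ADComputer -Filter "Name -eq '$($ev.Computer)'" -Properties PasswordLastSet
        # Heuristic of this example, not a rule from the KB text: a password set within
        # 30 minutes before the event is consistent with a deliberate reset or re-join.
        $resetNearEvent = $false
        if ($acct -and $acct.PasswordLastSet) {
            $delta = ($ev.Time - $acct.PasswordLastSet).TotalMinutes
            $resetNearEvent = ($delta -ge 0) -and ($delta -le 30)
        }
        $sc = Test-RemoteSecureChannel -Computer $ev.Computer -Domain $Domain
        [pscustomobject]@{
            Time            = $ev.Time
            Computer        = $ev.Computer
            AccountExists   = [bool]$acct
            PasswordLastSet = if ($acct) { $acct.PasswordLastSet } else { $null }
            ResetNearEvent  = $resetNearEvent
            SecureChannelOk = $sc.SecureChannelOk
            TrustedDc       = $sc.TrustedDc
            Verdict         = if ($sc.SecureChannelOk) { 'ignore: channel is valid now' }
                              elseif (-not $acct) { 'investigate: no account (duplicate name or deleted)' }
                              elseif ($resetNearEvent) { 'repair: account was reset, rejoin the original computer' }
                              else { 'investigate: stale secret without a known reset' }
        }
    }
}

Invoke-Event5722Triage | Sort-Object Time -Descending | Format-Table -AutoSize
```

A row with SecureChannelOk true is the "ignore" case from the conditions above; a row with no account at all is the duplicate-name case and needs a look at which machine actually owns the name before anyone runs a reset.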
  
With NLTEST you can check whether the secure channel (SC) is valid:

nltest /server:<computer name> /sc_query:<domain name>

If the problem computer has a valid secure channel established with a domain controller, you receive the following message:

C:\>nltest /server:machine /sc_query:domain
HAS_IP HAS_TIMESERV
Trusted DC Name \\homenode1.myhouse.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully.

If the problem computer does not have a valid secure channel established with a domain controller, you receive the following message:

C:\>nltest /server:machine /sc_query:domain
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully.

nltest /sc_reset:<domain>\<domain controller>

nltest.exe can be used to check the channel and attempt to reset it: /sc_verify checks the channel with the given domain, /sc_reset (above) forces a new channel to the named domain controller.

nltest.exe /sc_verify:<fully.qualified.domain.name.here>

If that does not do it, you can restart the netlogon service (I mainly use PowerShell, so I'll give an example of that).

Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

I ran the nltest command after restarting the service to validate that the secure channel was back in operation.

If you've made some network changes (IP addresses, changing hardware, virtualizing, etc.), you might want to flush your DNS cache and clear your ARP table before running the above commands.

ipconfig /flushdns
arp -d *
Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>
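The whole sequence (check, flush, reset, restart Netlogon, verify) as one PowerShell function. This is an added example, not code from the original article or its quoted source: it uses Test-ComputerSecureChannel, whose -Repair switch resets the computer account password on the DC (the same thing netdom reset does), and confirms the result with the nltest /sc_verify the article shows. Assumed, not stated on the page: it runs in an elevated prompt on the member, $Credential is an account allowed to reset this computer object (delegated "Reset password" on the object, or a domain admin), and -Server is an optional DC to pin the new channel to.

```powershell
# Added example: check the local secure channel and repair it only when it is broken.

function Test-LocalSecureChannel {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $cmdletOk = Test-ComputerSecureChannel
    # nltest /sc_verify prints "... Status = 0 0x0 NERR_Success" on a good channel.
    $out = (& nltest.exe "/sc_verify:$Domain" 2>&1) -join "`n"
    [pscustomobject]@{
        CmdletOk  = $cmdletOk
        NltestOk  = $out -match 'NERR_Success'
        TrustedDc = if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
    }
}

function Repair-LocalSecureChannel {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Server,               # pin the new channel to this DC, like netdom /Server
        [pscredential]$Credential      # account allowed to reset the computer object (assumption)
    )
    $before = Test-LocalSecureChannel -Domain $Domain
    if ($before.CmdletOk -and $before.NltestOk) {
        Write-Host "Secure channel to $($before.TrustedDc) is valid; nothing to do."
        return $before
    }
    # After re-addressing, new hardware or P2V, stale DNS/ARP entries can point
    # Netlogon at a DC that no longer answers; clear them first.
    ipconfig.exe /flushdns | Out-Null
    arp.exe -d * 2>$null | Out-Null
    if (-not $Credential) {
        $Credential = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME`$"
    }
    # -Repair resets the machine account password on the DC and re-establishes the channel.
    $repair = @{ Repair = $true; Credential = $Credential; ErrorAction = 'Stop' }
    if ($Server) { $repair['Server'] = $Server }
    if (-not (Test-ComputerSecureChannel @repair)) {
        throw 'Repair failed: check for event 5722 on the DC (name in use by another machine, or account deleted) and rejoin the original computer if needed.'
    }
    Restart-Service -Name Netlogon
    $after = Test-LocalSecureChannel -Domain $Domain
    if (-not $after.NltestOk) { throw "nltest /sc_verify:$Domain still fails after the repair" }
    $after
}

Repair-LocalSecureChannel
```

Running the check before the repair matters: -Repair changes the account password, so on a machine whose channel is already fine it only creates churn, and on a machine whose name is also used by another computer it silently takes the account away from that other machine.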
				

 

			

Netdom Examples

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Example 1: Add a Workstation or Member Server to a Windows NT 4.0 Domain

To add the workstation mywksta to the Windows NT 4.0 domain reskita, type the following at the command line:

netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password

Example 2: Add a Workstation or Member Server to a Windows Server 2003 Domain

To add the workstation mywksta to the Windows Server 2003 domain devgroup.example.com in the organizational unit (OU) Dsys/workstations, type the following at the command prompt:

netdom add /d:devgroup.example.com mywksta /OU:OU=Workstations,OU=Dsys,DC=devgroup,DC=example,DC=com

Note If the /ou parameter is not specified, the account is created in the Computers container.

Example 3: Move a Windows NT 4.0 BDC to a new domain

To join myBDC to the Windows NT 4.0 domain reskita type the following at the command prompt:

netdom movent4bdc mybdc /domain:reskita

Example 4: Add an alternate name for a Windows Server 2003 domain controller

To give an alternate name for the domain controller DC in the example.com domain, use the following syntax:

netdom computername dc /add:altDC.example.com

A name must first exist as an alternate before it can be made the primary name of a computer.

Example 5: Rename a domain controller in a Windows Server 2003 domain

To rename the domain controller DC to altDC in the example.com domain use the following syntax:

netdom computername dc /makeprimary:altdc.example.com

To rename a domain controller you must first add the new name as an alternate name for the computer and then make it the new primary name.

Example 6: Rename a Member Server

To rename the member server member to member1, type the following at the command prompt:

netdom renamecomputer member /newname:member1.example.com /userd:administrator

Example 7: Join a Workstation or Member Server to a Domain

To join mywksta to the devgroup.example.com domain in the Dsys/workstations organizational unit, type the following at the command prompt:

netdom join /d:devgroup.example.com mywksta /OU:OU=Workstations,OU=Dsys,DC=devgroup,DC=example,DC=com

Besides adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the join operation.

Example 8: Remove a Workstation or Member Server from a Domain

To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the command prompt:

netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password

Example 9: Move a Workstation or Member Server from One Domain to Another

To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:

netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password

If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the security permissions that the computer account had previously.

Example 10: Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC

To reset the secure channel secret maintained between mywksta and devgroup.example.com (regardless of OU), type the following at the command prompt:

netdom reset /d:devgroup.example.com mywksta

To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type the following at the command prompt:

netdom reset /d:Northamerica NABDC

Example 11: Force a Secure Channel Session Between a Member and a Specific Domain Controller

Members often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a member and a specific domain controller by using the /server parameter with the reset operation, type the following at the command prompt:

netdom reset /d:devgroup.example.com mywksta /Server:mylocalbdc

Example 12: Verify a Workstation or Member Server Secure Channel

To verify the secure channel secret is maintained between mywksta and devgroup.example.com, type the following at the command prompt:

netdom verify /d:devgroup.example.com mywksta

Example 13: Establish a One-Way Trust Relationship

When used with the trust operation, the /d:Domain parameter always refers to the trusted domain.

To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*

Press Enter and the following prompt is displayed:

Password for Northamerica\admin:

Enter the password for Northamerica\admin and press Enter. The following prompt is displayed:

Password for USA-Chicago\admin:

Enter the password for USA-Chicago\admin and press Enter.

The user must have credentials for both domains. The /pd parameter can be used to specify the password for Northamerica\admin and the /po parameter can be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user is prompted for both.

If you then want to specify a two-way trust, type the following at the command prompt

netdom trust /d:marketing.example.com engineering.example.com /add /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com

Example 14: Establish a One-Way Trust Relationship from a Windows Domain to a Non-Windows Kerberos Realm

To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the command prompt:

netdom trust /d:ATHENA Northamerica /add /PT:password /realm

The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm. The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed.

Note

  • Verifying a specific trust relationship requires credentials unless the user has domain administrator privileges on both domains.

If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:

netdom trust /d:Northamerica ATHENA /add

Note

  • To make the trust two-way, you can specify the /twoway parameter.

Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as transitive, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans:yes

To display the transitive state, type the following at the command prompt:

netdom trust Northamerica /d:ATHENA /trans

The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.

Example 15: Break a One-Way Trust Relationship

To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /remove

Example 16: Break a Two-Way Trust Relationship

To break a two-way trust relationship, type the following at the command prompt:

netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:admin@engineering.example.com /Ud:admin@marketing.example.com

Example 17: Verify a Specific Trust Relationship

To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /verify

To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:

netdom trust /d:Northamerica EUROPE /verify /twoway

The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.

Example 18: Reset a Specific Trust Relationship

To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command prompt:

netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset

The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.

Example 19: Verify Kerberos Functionality

To verify Kerberos authentication between a workstation and a service located in the domain devgroup.example.com, type the following at the command prompt:

netdom trust /d:devgroup.example.com /verify /KERBEROS

When you use the NetDom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are operating correctly between the workstation and the target domain.

Note

  • This operation cannot be executed remotely. It must be run on the workstation being tested.

Example 20: View All Workstation Members in a Domain

To list all the workstations in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica WORKSTATION

Example 21: View All Server Members in a Domain

To list all of the servers in Northamerica, type the following at the command prompt:

netdom query /d:Northamerica SERVER

Example 22: View All Domain Controller Members in a Domain

To list all the domain controllers in the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica DC

Example 23: View All Organizational Unit Members in a Domain

To list all of the OUs in devgroup.example.com, type the following at the command prompt:

netdom query /d:devgroup.example.com OU

Example 24: List the Primary Domain Controller Member in a Domain

To list the PDC for Northamerica, type the following at the command prompt:

netdom query /d:Northamerica PDC

Example 25: List the Primary Domain Controller Emulator in a Domain

To list the current PDC emulator for devgroup.example.com, type the following at the command prompt:

netdom query /d:devgroup.example.com FSMO

Example 26: Perform Secure Channel Batch Repair

You can use the query operation with the /verify and /reset parameters to perform these operations together. You can pipe the output of the query operation to the NetDom verify or NetDom reset operation.

To list all servers and verify secure channel secret, type the following at the command prompt:

netdom query /d:Northamerica SERVER /verify

To list all workstations and reset any unsynchronized secure channel secrets, type the following at the command prompt:

netdom query /d:Northamerica WORKSTATION /reset

Example 27: View Domain Trusts

To view all the direct trust relationships for the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN /Direct

To view all the direct and indirect trust relationships for the domain Northamerica, type the following at the command prompt:

netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN

To view all trust relationships and check their status, type the following at the command prompt:

netdom query /d:devgroup.example.com DOMAIN /verify
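The same trust check, driven from Active Directory instead of from netdom's own list. This is an added example, not code from the original article or from Microsoft's netdom documentation: it enumerates the trusts of the current domain with Get-ADTrust and runs netdom trust /verify for each, putting the direction, transitivity, selective-authentication and SID-filtering flags from AD next to the result. Because netdom's first argument is the trusting domain and /d: the trusted one (Example 13), the arguments are swapped for an inbound trust. Assumed, not stated on the page: it runs on a DC or an RSAT host with the ActiveDirectory module, as an account allowed to verify trusts (Domain Admins), and netdom's exit code 0 is taken to mean the shared secrets verified.

```powershell
#Requires -Modules ActiveDirectory
# Added example: verify every trust of a domain with "netdom trust ... /verify"
# and report the security-relevant trust attributes from AD alongside.

function Get-TrustVerification {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        # Direction is from our domain's point of view:
        #   Outbound      = we trust the partner   (we are the trusting domain)
        #   Inbound       = the partner trusts us  (partner is the trusting domain)
        #   BiDirectional = both, verified with /twoway
        switch ($t.Direction) {
            'Outbound'      { $netdomArgs = @('trust', $Domain, "/d:$($t.Name)", '/verify') }
            'Inbound'       { $netdomArgs = @('trust', $t.Name, "/d:$Domain", '/verify') }
            'BiDirectional' { $netdomArgs = @('trust', $Domain, "/d:$($t.Name)", '/verify', '/twoway') }
        }
        $out = (& netdom.exe @netdomArgs 2>&1) -join "`n"
        [pscustomobject]@{
            Partner       = $t.Name
            Direction     = $t.Direction
            Type          = $t.TrustType                 # Uplevel, Downlevel, MIT (realm)
            ForestTrust   = $t.ForestTransitive
            Transitive    = $t.IntraForest -or $t.ForestTransitive
            SelectiveAuth = $t.SelectiveAuthentication
            SidFiltering  = $t.SIDFilteringQuarantined
            Verified      = ($LASTEXITCODE -eq 0)        # assumption: 0 = secrets verified
            Detail        = ($out -split "`n" | Where-Object { $_.Trim() } | Select-Object -First 1)
        }
    }
}

Get-TrustVerification | Format-Table -AutoSize
```

Beyond Verified, the columns worth reading are SidFiltering and SelectiveAuth: an external or forest trust with SID filtering off accepts SIDs from the partner's SID history, and one without selective authentication lets every partner account authenticate to every resource in the trusting domain.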

Example 28: List the routed name suffixes for the trust between my TestDomain and the trustpartnerdomain

Note

  • The /d parameter is not needed for this operation which is an exception from other trust operations.

To list the routed name suffixes for the trust between my TestDomain and the trustpartnerdomain, type the following at the command prompt:

netdom trust myTestDomain /namesuffixes:trustpartnerdomain

This will list out all the routed name suffixes for the trust between myTestDomain and the trustpartnerdomain. The trust must be either a Cross Forest trust or Non-Windows Realm Trust with the Forest Transitive attribute set.

Sample Output

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /namesuffixes:powermatic

   Name, Type, Status, Notes

1. *.flotsam.org, Name Suffix, Enabled

2. *.powermatic.nttest.microsoft.com, Name Suffix, Enabled

3. *.jetsam.com, Name Suffix, Enabled

4. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.microsoft.com

5. unisaw.powermatic.nttest.microsoft.com, Domain DNS name, Enabled

6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.microsoft.com

7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powermatic.nttest.microsoft.com

8. powermatic.nttest.microsoft.com, Domain DNS name, Enabled

9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.microsoft.com

 

10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermatic.nttest.microsoft.com

 

The command completed successfully.

Example 29: Enable/disable the first routed name suffix in the list generated by the previous command

Note

  • /ToggleSuffix must be used with /NameSuffixes. Use /NameSuffixes immediately before using /ToggleSuffix because the order in which the name suffixes are listed may change.

To enable/disable the first routed name suffix in the list generated by the previous command, type the following at the command prompt:

netdom trust myTestDomain /namesuffixes:foresttrustpartnerdomain /togglesuffix:1

Sample Output

Note

  • The output generated reflects the routed name suffix list after the Toggling.

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:powermatic /ts:1

   Name, Type, Status, Notes

1. *.flotsam.org, Name Suffix, Admin-Disabled

2. *.powermatic.nttest.microsoft.com, Name Suffix, Enabled

3. *.jetsam.com, Name Suffix, Enabled

4. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.microsoft.com

5. unisaw.powermatic.nttest.microsoft.com, Domain DNS name, Enabled

6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.microsoft.com

7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powermatic.nttest.microsoft.com

8. powermatic.nttest.microsoft.com, Domain DNS name, Enabled

9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.microsoft.com

 

10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermatic.nttest.microsoft.com

 

The command completed successfully.

Example 30: Adding/Removing TLN Suffixes

To add the DNS name suffix blah.com to the Forest Trust Info with trustpartnerdomain, type the following at the command prompt:

Netdom trust myTestDomain /d:trustPartnerDomain /AddTln:blah.com

Note

  • This is only allowed for a non-Windows realm trust that has the Forest Transitive attribute set. The same applies to:

    • Netdom trust myTestDomain /d:trustPartnerDomain /RemoveTln:blah.com

    • Netdom trust myTestDomain /d:trustPartnerDomain /AddTLNEx:something.blah.com (must have a TLN entry present for the parent Naming context, in this case blah.com, otherwise operation will be disallowed)

    • Netdom trust myTestDomain /d:trustPartnerDomain /RemoveTLNEx:something.blah.com

List the name suffixes on a Non-Windows Realm Trust

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:blah.mit.org

   Name, Type, Status, Notes

1. *.bowwow.com, Name Suffix, Enabled

2. *.meow.com, Name Suffix, Enabled

 

The command completed successfully.

Add another TLN

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtln:dude.com

The TLN or Exclusion was successfully added to the Forest Trust Info.

The command completed successfully.

Add an invalid TLN exclusion

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtlnex:dude.com

The Forest Trust Info for the specified trust could not be stored.

The parameter is incorrect.

 

Try "NetDom HELP" for more information.

Add a valid TLN exclusion

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtlnex:cool.dude.com

The TLN or Exclusion was successfully added to the Forest Trust Info.

The command completed successfully.

View the result of previous operations

 
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:blah.mit.org

   Name, Type, Status, Notes

1. *.cool.dude.com, Exclusion

2. *.bowwow.com, Name Suffix, Enabled

3. *.meow.com, Name Suffix, Enabled

4. *.dude.com, Name Suffix, Enabled

 

The command completed successfully.

	

Article No. 128, 08.04.2016, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=128

© 2017 VPSI - EXAPP - TC