Domain and Forest Trust Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Trust Tools

  • Trust WMI Classes

  • Network Ports used by Trusts

  • Related Information

Administrators can use a number of methods to configure and manage trust relationships in Active Directory environments. This section discusses the tools that can be used to create, view and modify trusts, as well as the WMI classes and network ports that are associated with trusts.

Trust Tools

The two principal Microsoft tools that can be used to create and manage trusts are Active Directory Domains and Trusts (Domain.msc) and Windows Domain Manager, also called Netdom (Netdom.exe). In addition, there are three other Microsoft tools that administrators can use to help troubleshoot trust-related issues. These are Nltest (Nltest.exe), Network Connectivity Tester, also called Netdiag (Netdiag.exe), and the Domain Controller Diagnostic tool, also called Dcdiag (Dcdiag.exe). Each trust management tool has its own primary purpose, but can also be used for other purposes. The following table briefly describes these tools and their different purposes.

Trust Tools and Purposes

| Microsoft Tool | Primary Purpose | Other Purpose |
|---|---|---|
| Active Directory Domains and Trusts | Create and manage trusts | Manage functional levels (Windows Server 2003 only) and user principal name suffixes |
| Netdom | Manage domains and trust relationships from the command line | Join computers to a domain and manage computer accounts |
| Nltest | Test secured channels | View or record trust information and verify trusts |
| Netdiag | Test network health | Help troubleshoot client connectivity by testing the secured channel |
| Dcdiag | Test domain controller health | Verify some trust information and monitor trust-related replication |

Netdom, Nltest, Dcdiag, and Netdiag are command-line support tools that can be installed from the Support\Tools folder on the Windows Server 2003 product CD. (To do this, in the Support\Tools folder, right-click the Suptools.msi file and then click Install.) The following table lists common trust related tasks and indicates which tools can be used to perform them. Detailed descriptions of each tool follow the table.

Trust Tools Comparison by Task

| Trust Task | Active Directory Domains and Trusts | Netdom | NLTest | Netdiag | Dcdiag |
|---|---|---|---|---|---|
| Create an external trust | Yes | Yes | | | |
| Create a realm trust | Yes | Yes | | | |
| Create a shortcut trust | Yes | Yes | | | |
| Create a forest trust | Yes | | | | |
| Create both sides of a trust at once | Yes | Yes | | | |
| Troubleshoot client network connectivity over a secured channel | | | | Yes | |
| Batch manage trusts | | Yes | | | |
| View and record all trust relationships | Yes | | Yes | | |
| Change transitivity of a non-Windows Kerberos realm trust | Yes | Yes | | | |
| Change the direction of a trust (one-way to two-way and back) | Yes | Yes | | | |
| Enable or disable selective authentication for external and forest trusts | Yes | Yes | | | |
| Change the routing status of a name suffix | Yes | Yes | | | |
| Enable or disable an existing name suffix from routing | Yes | Yes | | | |
| Verify all trust types | Yes | Yes | Yes | | |
| Verify only external trusts | | | | | Yes |
| Reset a secured channel | | Yes | Yes | | |
| Remove a trust | Yes | Yes | | | |
| Enable or disable SID Filtering | Yes | Yes | | | |
| Display the contents of a Forest Trust Information (FTInfo) record | | Yes | | | |

Domain.msc: Active Directory Domains and Trusts

Category

Active Directory Domains and Trusts is a Microsoft Management Console (MMC) snap-in that is installed automatically on computers running Windows Server 2003 when you install Active Directory. You can open Active Directory Domains and Trusts by clicking Start, Programs, Administrative Tools, and clicking Active Directory Domains and Trusts.

Version compatibility

This tool is compatible with domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. You can also use Active Directory Domains and Trusts with the Windows Server 2003 Administration Tools pack to remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. You can use this tool to target any domain controller in either Windows 2000 Server or Windows Server 2003 domains.

Note

  • When using Windows Server 2003 Active Directory administrative tools to connect to a domain controller running Windows 2000, you must first make sure that the Windows 2000–based domain controller to which you are connecting has Service Pack 3 or later installed. This is because Windows Server 2003 administrative tools sign and encrypt all LDAP traffic by default. If business reasons do not permit the installation of Service Pack 3 or later on domain controllers running Windows 2000, it is possible to disable this default behavior.

Active Directory Domains and Trusts provides a graphical interface in which you can view all domains in the forest. Using this tool, an administrator can manage each of the domains in the forest, trust relationships between domains, configure the functional level for each domain or forest, and configure the alternative user principal name (UPN) suffixes for a forest.

Active Directory Domains and Trusts can be used to accomplish most trust related tasks. It can be used to target all Active Directory domain controllers and can verify all Active Directory trust types. Trust verification takes place between two domains by enumerating all of the domain controllers in each domain. If you choose to have Active Directory Domains and Trusts create both sides of the trust at once, the trust password is automatically generated.

For the various trust related tasks that can be performed using this tool, see the table Trust Tools Comparison by Task earlier in this section. For more information, see Help in Active Directory Domains and Trusts.

Netdom.exe: Windows Domain Manager

Category

The Windows Domain Manager command-line tool (Netdom) is included when you install Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional, Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

Netdom is a command-line tool that allows you to create and manage Active Directory trust relationships (except forest trusts) and can reduce the number of steps needed to create a trust compared with using Active Directory Domains and Trusts. You can also use the Netdom command-line tool to complete batch management of trusts, join computers to domains, verify trusts (including forest trusts) and secured channels, and obtain information about the status of trusts.

Netdom can be targeted at all Active Directory domain controllers and can verify all Active Directory trust types. Verification is accomplished between two domains by enumerating the domain controllers in each domain. If you choose to have Netdom create both sides of the trust at once, the trust password is automatically generated.

For the various trust related tasks that you can perform using this tool, see the table Trust Tools Comparison by Task earlier in this section. To find more information about Netdom, see “Support Tools Help” in the Tools and Settings Collection.

Nltest.exe: NLTest

Category

The NLTest command-line tool is included when you install Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional, Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

You can use the NLTest command-line tool to perform trust-related network administrative tasks such as testing the trust relationship between a Windows–based computer that is a member of a domain and the domain controller on which its computer account is located. In domains where an external trust is defined, NLTest can be used to test the trust relationship between all domain controllers in the trusting domain and a domain controller in the trusted domain. Nltest can also be used to verify any secured channel.

To view the various trust-related tasks that can be performed using this tool, see the table Trust Tools Comparison by Task earlier in this section. To find more information about NLTest, see “Support Tools Help” in the Tools and Settings Collection.
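The following script is an added example, not code from the original article, showing how the tasks in the Trust Tools Comparison by Task table map onto the command-line tools described above: Nltest to list trusts and query secured channels, Netdom to verify trusts, and Dcdiag to check external trusts. It is read-only (no trust is created, changed or reset). Everything it assumes is stated in the comments: the tools are on the PATH, the caller has the rights described in Support Tools Help, and the flag words the regular expression looks for (for example "Direct Outbound", "quarantined") are those printed by typical nltest output and should be compared against your own.

```powershell
# Added example (not from the original article): read-only audit of the
# local domain's trusts using the Windows Server 2003 Support Tools.
# Assumes Nltest.exe, Netdom.exe and Dcdiag.exe are on the PATH.

$LocalDomain = $env:USERDNSDOMAIN    # DNS name of the domain this computer belongs to

# "View and record all trust relationships": nltest prints one line per trust.
# Constructed sample of the format the regex below expects:
#   1: FABRIKAM fabrikam.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: quarantined )
$Trusts = foreach ($Line in (nltest /domain_trusts /all_trusts)) {
    if ($Line -match '^\s*\d+:\s+(?<Flat>\S+)\s+(?<Dns>\S+)\s+\((?<Kind>[^)]+)\)(?<Flags>.*)$') {
        [pscustomobject]@{
            FlatName     = $Matches.Flat
            DnsName      = $Matches.Dns
            Kind         = $Matches.Kind                               # "NT 5" = Active Directory domain
            Primary      = $Matches.Flags -match 'Primary Domain'      # the local domain itself
            InForest     = $Matches.Flags -match 'Forest: \d+|Forest Tree Root'
            Outbound     = $Matches.Flags -match 'Direct Outbound'     # local domain trusts the other one
            Inbound      = $Matches.Flags -match 'Direct Inbound'      # other domain trusts the local one
            SidFiltering = $Matches.Flags -match 'quarantined'         # "Attr: quarantined" = SID filtering on
            RawFlags     = $Matches.Flags.Trim()
        }
    }
}

# Record the inventory (pipe to Export-Csv to keep a baseline for later comparison)
$Trusts | Format-Table FlatName, DnsName, Kind, Outbound, Inbound, SidFiltering, RawFlags -AutoSize

foreach ($T in ($Trusts | Where-Object { -not $_.Primary })) {
    Write-Host "`n=== $($T.DnsName) ==="

    # "Test secured channels": /sc_query only reports the channel state; it does
    # not reset it the way /sc_reset would.
    nltest "/sc_query:$($T.DnsName)"

    if ($T.Outbound) {
        # "Verify all trust types": netdom verifies from the trusting side,
        # enumerating the domain controllers in both domains.
        netdom trust $LocalDomain "/d:$($T.DnsName)" /verify
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "netdom /verify failed for $($T.DnsName) (exit code $LASTEXITCODE)"
        }
    }

    # "Verify only external trusts": Dcdiag cannot verify Kerberos-based trusts
    # (in-forest and forest trusts), so it is run only for the remaining outbound ones.
    if ($T.Outbound -and -not $T.InForest -and $T.RawFlags -notmatch 'foresttrans') {
        # Add /v to print successes as well as the errors flagged by default
        dcdiag /test:OutboundSecureChannels "/testdomain:$($T.DnsName)"
    }
}
```

Run it on a domain controller (or a member with the Support Tools installed) as an account that can query the domain; the trust inventory it prints is the "record" half of the table's "View and record all trust relationships" row, and an unexpected new trust or a trust that has lost its quarantined attribute is worth following up.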

Netdiag.exe: Network Connectivity Tester

Category

The Network Connectivity Tester command-line tool (Netdiag) is included when you install Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional, Windows Server 2003, Standard Edition; Windows Server  2003, Web Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

The Netdiag command-line tool examines .dll files, output from other tools, and the system registry to find potential problems. You can use Netdiag to troubleshoot connectivity over the secured channel that exists between a workstation and a domain controller.

For the various trust related tasks that can be performed using this tool, see the table Trust Tools Comparison by Task earlier in this section. To find more information about Netdiag, see “Support Tools Help” in the Tools and Settings Collection.

Dcdiag.exe: Domain Controller Diagnostic Tool

Category

The Domain Controller Diagnostic Tool command-line tool (Dcdiag) is included when you install Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional, Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition, Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

You can use the Dcdiag command-line tool to verify external trusts. The Dcdiag tool cannot be used to verify Kerberos-based trust relationships; to verify Kerberos-based trust relationships, the recommended method is to use the Netdom tool. Using Dcdiag, you can scope your external trust verification by site or by domain controller, check for trust establishment, check secured channel setup, and check for ticket validity between each pair of domain controllers. By default, errors are flagged. In verbose mode, the successes are printed as well.

For the various trust related tasks that can be performed using this tool, see the table Trust Tools Comparison by Task earlier in this section. To find more information about Dcdiag, see “Support Tools Help” in the Tools and Settings Collection.

Trust WMI Classes

Windows Management Instrumentation (WMI) provides access to information about certain objects in a Windows 2000 Server or Windows Server 2003 operating system. WMI providers and classes represent the managed resources on a computer and are used by administrators and developers for scripting and monitoring purposes.

TrustMon is the WMI provider that can access health information about the trusts between domains and the secured channels between domain controllers. Enterprise Administrators can use the TrustMon provider and its associated WMI classes to monitor and troubleshoot trusts remotely and to create scripts that will help automate trust-related administrative tasks. Likewise, developers can use the TrustMon provider and classes to create trust-related event monitoring applications that will alert an administrator when an important incident occurs and, when appropriate, supply the necessary troubleshooting details.

TrustMon registers three WMI classes that can be used to retrieve information about trust properties for a given domain. These are Microsoft_TrustProvider, Microsoft_DomainTrustStatus and Microsoft_LocalDomainInfo. The following table lists and describes these WMI classes.

WMI Classes Associated with Trusts

| Class Name | Namespace | Version Compatibility |
|---|---|---|
| Microsoft_TrustProvider | root\microsoftactivedirectory | Windows 2000 Server and Windows Server 2003 |
| Microsoft_DomainTrustStatus | root\microsoftactivedirectory | Windows 2000 Server and Windows Server 2003 |
| Microsoft_LocalDomainInfo | root\microsoftactivedirectory | Windows 2000 Server and Windows Server 2003 |

For more information about these WMI classes, see the WMI SDK documentation on MSDN.
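As an added example (not from the article or the WMI SDK), the script below is the kind of monitoring query the paragraph above describes: it reads Microsoft_LocalDomainInfo and Microsoft_DomainTrustStatus from the TrustMon namespace and raises a warning for any trust that is not healthy or that lacks SID filtering where it would be expected. The property names used (TrustedDomain, TrustDirection, TrustType, TrustAttributes, TrustIsOK, TrustStatusString, TrustedDCName) follow the TrustMon class definition as the editor recalls it and are not stated on this page; confirm them with Get-Member before relying on them. The bit values for trust attributes are the trustAttributes flags documented in MS-ADTS; the `$DomainController` parameter is an assumption.

```powershell
# Added example (not from the original article): query the TrustMon WMI
# provider and flag trusts that need attention. Read-only.
# Assumed parameter: the domain controller to query ('.' = this computer).
param([string]$DomainController = '.')

$Namespace = 'root\MicrosoftActiveDirectory'

# trustAttributes bits as documented in MS-ADTS (names shortened here)
$AttrFlags = @{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'     # SID filtering enabled (netdom /quarantine:yes)
    0x08 = 'FOREST_TRANSITIVE'      # forest trust
    0x10 = 'CROSS_ORGANIZATION'     # selective authentication
    0x20 = 'WITHIN_FOREST'          # parent/child or tree-root trust inside the forest
    0x40 = 'TREAT_AS_EXTERNAL'
    0x80 = 'USES_RC4_ENCRYPTION'
}
$Directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$Types      = @{ 1 = 'Downlevel (Windows NT 4.0)'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }

function Expand-TrustAttributes([int]$Value) {
    # Turn the bitmask into a comma-separated list of flag names
    ($AttrFlags.Keys | Sort-Object | Where-Object { $Value -band $_ } | ForEach-Object { $AttrFlags[$_] }) -join ','
}

# Identity of the domain the queried DC belongs to
Get-WmiObject -Namespace $Namespace -Class Microsoft_LocalDomainInfo -ComputerName $DomainController | Format-List *

# One instance per trust; the provider checks the trust when the class is queried
$Report = Get-WmiObject -Namespace $Namespace -Class Microsoft_DomainTrustStatus -ComputerName $DomainController |
    ForEach-Object {
        [pscustomobject]@{
            TrustedDomain = $_.TrustedDomain
            Direction     = $Directions[[int]$_.TrustDirection]
            Type          = $Types[[int]$_.TrustType]
            Attributes    = Expand-TrustAttributes $_.TrustAttributes
            SidFiltering  = [bool]($_.TrustAttributes -band 0x04)
            SelectiveAuth = [bool]($_.TrustAttributes -band 0x10)
            Healthy       = [bool]$_.TrustIsOK
            Status        = $_.TrustStatusString
            TrustedDC     = $_.TrustedDCName
        }
    }
$Report | Format-Table TrustedDomain, Direction, Type, Attributes, Healthy, Status -AutoSize

# Findings an event-monitoring script would raise
foreach ($R in $Report) {
    if (-not $R.Healthy) {
        Write-Warning "Trust with $($R.TrustedDomain) is not healthy: $($R.Status) (DC: $($R.TrustedDC))"
    }
    # External (non-forest, out-of-forest) trusts rely on the QUARANTINED_DOMAIN bit for
    # SID filtering; forest trusts filter by default, so they are not checked this way.
    if (-not $R.SidFiltering -and $R.Attributes -notmatch 'WITHIN_FOREST|FOREST_TRANSITIVE') {
        Write-Warning "External trust with $($R.TrustedDomain) has SID filtering disabled"
    }
}
```

Because the provider re-checks each trust when Microsoft_DomainTrustStatus is enumerated, the query itself is the health test; scheduling it and diffing `$Report` against a saved copy gives the alerting the paragraph describes without writing any trust setting.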

Network Ports used by Trusts

Because trusts must be deployed across various network boundaries, they might have to span one or more firewalls. When this is the case, you can either tunnel trust traffic across a firewall or open specific ports in the firewall to allow the traffic to pass through. In Windows Server 2003, this procedure is simplified through configurable remote procedure call (RPC) ports for the main trust services. The two main configurable RPC ports are the Local Security Authority RPC port and the Net Logon RPC port.

  • The Local Security Authority (LSA) RPC port. This port is used for trust creation and other access to the LSA policy database.

  • The Net Logon RPC port. This port is used for NTLM authentication and secured channel communications.

The following table shows the list of ports that might need to be opened before you establish trusts.

Ports Required for Trusts

| Task | Outbound Ports | Inbound Ports | From–To |
|---|---|---|---|
| Set up trusts on both sides from the internal forest | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution/portmapper (135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers–External domain domain controllers (all ports) |
| Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only) | LDAP (389 UDP); Microsoft SMB (445 TCP); Endpoint resolution/portmapper (135 TCP); Net Logon fixed port | N/A | Internal domain domain controllers–External domain domain controllers (all ports) |
| Use Object picker on the external forest to add objects that are in an internal forest to groups and DACLs | N/A | LDAP (389 UDP and TCP); Windows NT Server 4.0 directory service fixed port; Net Logon fixed port; Kerberos (88 UDP); Endpoint resolution/portmapper (135 TCP) | External server–Internal domain PDCs (Kerberos); External domain domain controllers–Internal domain domain controllers (Net Logon) |
| Set up trust on the external forest from the external forest | N/A | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP) | External domain domain controllers–Internal domain domain controllers (all ports) |
| Use Kerberos authentication (internal forest client to external forest) | Kerberos (88 UDP) | N/A | Internal client–External domain domain controllers (all ports) |
| Use NTLM authentication (internal forest client to external forest) | N/A | Endpoint resolution/portmapper (135 TCP); Net Logon fixed port | External domain domain controllers–Internal domain domain controllers (all ports) |
| Join a domain from a computer in the internal network to an external domain | LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution/portmapper (135 TCP); Net Logon fixed port; Windows NT Server 4.0 directory service fixed port | N/A | Internal client–External domain domain controllers (all ports) |

To specify the services that you want to run on a fixed port, you must appropriately configure the registry for that port.

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Settings for the Local Security Authority (LSA) RPC port are stored in the TCP/IP Port entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key.

Settings for the Net Logon RPC port are stored in the DCTcpipPort entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key.
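The script below is an added example, not part of the article, that reads the two fixed-port registry entries just named without modifying them and then checks whether the TCP ports from the Ports Required for Trusts table are reachable on a partner domain controller. The registry paths and value names are the ones the article gives; the `Test-TcpPort` function and the `$PartnerDC` parameter (with its placeholder host name) are the editor's own. Only TCP ports can be tested with a connect; the Kerberos (88 UDP) and LDAP (389 UDP) entries in the table need a UDP-aware tool such as Netdiag.

```powershell
# Added example (not from the original article): report fixed RPC port settings
# and test TCP reachability of the trust ports toward a partner DC. Read-only.
# Assumed parameter; the default is a placeholder, not a real host name.
param([string]$PartnerDC = 'dc1.partner.example')

# Registry keys named in the article (read only; nothing is written)
$Ntds     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
$Netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

$LsaPort      = $Ntds.'TCP/IP Port'     # LSA RPC port; absent = dynamic RPC port allocation
$NetlogonPort = $Netlogon.DCTcpipPort   # Net Logon RPC port; absent = dynamic RPC port allocation

'LSA RPC port      : {0}' -f $(if ($LsaPort)      { $LsaPort }      else { 'not fixed (dynamic)' })
'Net Logon RPC port: {0}' -f $(if ($NetlogonPort) { $NetlogonPort } else { 'not fixed (dynamic)' })
if (-not $LsaPort -or -not $NetlogonPort) {
    Write-Warning 'Without fixed ports the firewall must pass the dynamic RPC range in addition to 135 TCP'
}

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    # TCP connect with a timeout; returns $true when the port accepts a connection
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Async = $Client.BeginConnect($Target, $Port, $null, $null)
        if (-not $Async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $Client.EndConnect($Async)
        return $true
    } catch {
        return $false
    } finally {
        $Client.Close()
    }
}

# TCP ports from the "Ports Required for Trusts" table, plus any fixed RPC ports found above
$Ports = [ordered]@{
    'LDAP (389 TCP)'                 = 389
    'Microsoft SMB (445 TCP)'        = 445
    'Endpoint resolution (135 TCP)'  = 135
}
if ($LsaPort)      { $Ports["LSA RPC fixed port ($LsaPort TCP)"]           = [int]$LsaPort }
if ($NetlogonPort) { $Ports["Net Logon RPC fixed port ($NetlogonPort TCP)"] = [int]$NetlogonPort }

foreach ($Name in $Ports.Keys) {
    $Open = Test-TcpPort -Target $PartnerDC -Port $Ports[$Name]
    '{0,-45} -> {1}' -f $Name, $(if ($Open) { 'reachable' } else { 'BLOCKED or not listening' })
}
# Kerberos (88 UDP) and LDAP (389 UDP) are not covered by a TCP connect test.
```

Run it on the domain controller that will create or validate the trust, pointing `-PartnerDC` at a domain controller of the other domain, before opening a trust ticket with the firewall team; the output lists exactly which of the table's TCP ports are still blocked.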

Related Information

The following resources contain additional information that is relevant to this section.