NetDom add Computer {/d: | /domain:}Domain [{/ud: | /userd:}[Domain\]User {/pd: | /passwordd:}{Password|*}] [{/s: | /server:}Server] [/ou:OUPath] [/dc] [/help | /?]

Computer

Specifies the name of the computer to be added.

{/d: | /domain:} Domain

Specifies the domain in which to create the account. If this parameter is omitted, then the domain that the current computer belongs to is used.

{/ud: | /userd:}[ Domain\] User

Specifies the user account that makes the connection with the domain that is specified in the /d or /domain parameter. If this parameter is omitted, the current user account is used.

{/pd: | /passwordd:}{ Password|*}

Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be prompted for the password.

{/s: | /server:} Server

Specifies the name of a domain controller that performs the add.

/ou: OUPath

Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of the OU. If omitted, the account is created under the default OU for machine objects for that domain.

/dc

Specifies that a domain controller's machine account is to be created. This allows the computer accounts for new Windows 2000, Windows Server 2003 domain controllers, and new Windows NT 4.0 backup domain controllers (BDCs) to be pre-created. If installing a new Windows NT 4.0 BDC into an existing Windows 2000 or Windows Server 2003 domain, the computer account must be pre-created. This parameter cannot be used with the /ou parameter.

{/help | /?}

Displays command-line help for the add operation.

netdom add /d:reskit.ms.com mywksta

netdom add /d:reskit.ms.com mynt4dc /dc

NetDom computername Computer [usero:User [/passwordo:[Password|*]] [userd:User [/passwordd:[Password|*]] {/add:NewAltDNSName | /remove:AltDNSName | /makeprimary:ComputerDNSName | /enumerate[:{ALTERNATENAMES | PRIMARYNAME | ALLNAMES}] | /verify | {/help | /?}}

Computer

Specifies the name of the computer to be added.

/usero:[domain\]UserName

Specifies the user account to be used for the originating domain.

/passwordo:[Password | *]

Specifies the password to be used for the originating domain. If the wildcard character (*) is used, then the user will be prompted for the password.

/userd:[Domain\]UserName

Specifies the user account to be used for the destination domain.

/passwordd:[Password | *]

Specifies the password to be used for the destination domain. If the wildcard character (*) is used, then the user will be prompted for the password.

/add: NewAltDNSName

Specifies that a new alternate name should be created. The name must be a fully qualified domain name (computer name followed by primary DNS suffix, such as comp1.example.com).

/remove: AltDNSName

Specifies that an existing alternate name should be deleted. The name must be a fully qualified domain name (computer name followed by primary DNS suffix, such as comp1.example.com).

/makeprimary: ComputerDNSName

Specifies that an existing alternate name should be made into the primary name. The name must be a fully qualified domain name (computer name followed by primary DNS suffix, such as comp1.example.com).

/enumerate[:{ALTERNATENAMES | PRIMARYNAME | ALLNAMES}]

Lists the primary and/or any alternate names. The following valid values can be specified:

 

Value	Description
ALTERNATENAMES	Lists the alternate names only.
PRIMARYNAME	Lists the primary name only.
ALLNAMES	Lists the primary and any alternate names. This is the default.

/verify

Checks if there is a DNS A record and an Service Principal Name (SPN) for each computer name.

{/help | /?}

Displays command-line help for the computername operation.

netdom computername reskit /enumerate:primaryname

NetDom join Computer {/d: | /domain:}Domain [/ou:OUPath] [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd:}{Password|*}]] [{/uo: | /usero}User [{/po: | /passwordo}{Password|*}] [/reboot[:Delay]] [/help | /?]

Note

• When joining a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. This means that a failure during the operation might leave the computer in an undetermined state with respect to the domain to which it was meant to join.
  
  

Computer

Specifies the name of the computer to be joined.

{/d: | /domain:}Domain

Specifies the domain to which the account is joined. If this parameter is omitted, then the domain that the current computer belongs to is used.

/ou: OUPath

Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of the OU. If omitted, the account is created under the default OU for machine objects for that domain.

{/ud: | /userd:}[Domain\]User

Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this parameter is omitted, the current user account is used.

{/pd: | /passwordd:}{Password|*}

Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be prompted for the password.

{/uo: | /usero}User

Specifies the user account that makes the connection with the computer to be joined. If this parameter is omitted, the current user account is used.

{/po: | /passwordo}{Password|*}

Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be prompted for the password.

/reboot[:Delay]

Specifies that the computer shuts down and automatically reboots after the join has completed. The Delay value is the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.

{/help | /?}

Displays command-line usage for the join operation.

netdom join /d:reskit.ms.com mywksta

NetDom move Computer {/d: | /domain:}Domain [/ou:OUPath] [{/ud: | /userd}[Domain\]User [{/pd: | /passwordd}{Password|*}] [{/uo: | /usero}[Domain\]User [{/po: | /passwordo}{Password|*}]] [{/uf: | /userf}[Domain\]User [{/pf: | /passwordf}{Password|*}]] [/reboot[:Delay]] [{/help | /?}]

Notes

• When moving a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. This means that a failure during the operation might leave the computer in an undetermined state with respect to the domain of its intended move.
  
  
• When moving a computer to a new domain, the old computer account in the previous domain is not deleted. If credentials are supplied for the former domain, the old computer account is disabled.
  
  
• The act of moving a computer to a new domain will create an account for the computer on the domain if it does not already exist.
  
  

Computer

Specifies the name of the computer to be moved.

{/d: | /domain:}Domain

Specifies the domain to which the account is moved. If the parameter is omitted, then the domain that the current computer belongs to is used.

/ou: OUPath

Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of the OU. If omitted, the account is created under the default OU for machine objects for that domain.

{/ud: | /userd}[Domain\]User

Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this parameter is omitted, the current user account is used.

{/pd: | /passwordd}{Password|*}

Specifies the password of the user account that is specified in the /ud or /userd parameter. Use an asterisk (*) to be prompted for the password.

{/uo: | /usero}User

Specifies the user account to make the connection with the computer to be moved. If this parameter is omitted, the current user account is used.

{/po: | /passwordo}{Password|*}

Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be prompted for the password.

{/uf: | /userf}User

Specifies the user account to make the connection with the computer's former domain (of which the computer had been a member prior to the move). This parameter is used to disable the old computer account.

{/pf: | /passwordf}{Password|*}

Specifies the password of the user account that is specified in the /uf or /userf parameter. Use the wildcard character (*) to be prompted for the password.

/reboot[:Delay]

Specifies that the computer shuts down and automatically reboots after the move has completed. The Delay value is the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.

{/help | /?}

Displays command-line usage for the move operation.

netdom move /d:newdomain mywksta

NetDom query {/d: |  /domain:}Domain [{/s: | /server:}Server] [{/ud: | /userd:}[Domain\]User {/pd: | /passwordd}{Password|*}] [/verify] [/reset] [/direct] {WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST} [{/help | /?}]

{/d: | /domain:}Domain

Specifies the domain to query for the information. If this parameter is omitted, then the domain that the current computer belongs to is used.

{/s: | /server:}Server

Specifies the name of a domain controller that performs the query.

{/ud: | /userd:}[Domain\]User

Specifies the user account that makes the connection with the domain in the /d or /domain parameter. If this parameter is omitted, the current user account is used.

{/pd: | /passwordd}{Password|*}

Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be prompted for the password.

/verify

Specifies verification of the secure channel secrets for all enumerated memberships or trusts, and displays them. Unless the user is an enterprise-level administrator, it will not be possible to verify all secure channel secrets.

/reset

Specifies resynchronization ofthe secure channel secrets for all enumerated memberships or trusts which are currently broken. The /reset parameter implies the /verify parameter. Unless the user is an enterprise-level administrator, it might not be possible to reset all enumerated trusts or memberships.

/direct

Indicates that the query for trust relationships returns only direct trust relationships, rather than direct and indirect relationships. This parameter is valid only when Domain is specified with the /d parameter.

WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST

Specifies the type of list to generate.

 

Object	Description
WORKSTATION	Queries the domain for the list of workstations.
SERVER	Queries the domain for the list of servers.
DC	Queries the domain for the list of domain controllers.
OU	Queries the domain for the list of OUs under which the specified user can create a machine object.
PDC	Queries the domain for the current primary domain controller.
FSMO	Queries the domain for the current list of operations master (also know as flexible single master operations or FSMO) owners.
TRUST	Queries the domain for the list of its trusts.

{/help | /?}

Displays command-line usage for the query operation.

netdom query /d:reskit.ms.com DC

NetDom remove Computer {/d: | /domain:}Domain [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd}{Password|*}]] [{/uo: | /usero}User [{/po: |/passwordo}{Password|*}]] [/reboot[:Delay]] [{/help | /?}]

Computer

Specifies the name of the computer to be removed.

{/d: | /domain:}Domain

Specifies the domain from which the account is to be removed. If this parameter is omitted, then the domain that the current computer belongs to is used.

{/ud: | /userd:}[ Domain\]User

Specifies the user account that makes the connection with the domain in the /d or /domain parameter. If this parameter is omitted, then the current user account is used.

{/pd: | /passwordd}{Password|*}

Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be prompted for the password.

{/uo: | /usero}User

Specifies the user account to make the connection with the computer to be removed. If this parameter is omitted, then the current user account is used.

{/po: |/passwordo}{Password|*}

Specifies the password of the user account that is specified in the /uoor /usero parameter. Use the wildcard character (*) to be prompted for the password.

/reboot[:Delay]

Specifies that the computer shuts down and automatically restarts after the remove operation has completed. The Delay value is the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.

{/help | /?}

Displays command-line usage for the remove operation.

netdom remove /d:reskit.ms.com mywksta

netdom movent4bdc Computer [{/d: | /domain:}Domain] [/reboot[:Delay]] [{/help | /?}]

Computer

Specifies the name of the backup domain controller to rename.

{/d: | /domain:}Domain

Specifies the new name of the domain.

/reboot[:Delay]

Specifies that the computer shuts down and automatically reboots after the rename operation has completed. The Delay value is the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.

{/help | /?}

Displays command-line usage for the movent4bdc operation.

netdom movent4bdc /d:newdomain BDC51

NetDom renamecomputer Computer /newname:NewComputerName /userd:[Domain\]UserName [/passwordd:[Password | *]] /usero:[Domain\]UserName [/passwordo:[Password | *]] [/reboot[:Delay]] [{/help | /?}]

Computer

Specifies the name of the computer to rename.

/newname: NewComputerName

Specifies the new name of the computer.

/userd:[domain\]UserName

Specifies the user account to be used for the destination domain.

/passwordd:[password | *]

Specifies the password of the user account that is specified in the /ud or /userd parameter. If the wildcard character (*) is used, then the user will be prompted for the password.

/usero:[domain\]UserName

Specifies the user account to be used for the originating domain.

/passwordo:[password| *]

Specifies the password of the user account that is specified in the /uo or /usero parameter. If the wildcard character (*) is used, then the user will be prompted for the password.

/force[:Delay]

The user will be prompted for confirmation unless the /force parameter is specified.

/reboot[:Delay]

Specifies that the computer shuts down and automatically reboots after the rename operation has completed. The Delay value is the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.

{/help | /?}

Displays command-line usage for the renamecomputer operation.

Note

• Do not use renamecomputer to rename Windows Server 2003 or Windows 2000 domain controllers. Using the renamecomputer operation to rename a domain controller may result in the domain controller no longer functioning as a domain controller on the network. To rename Windows Server 2003 and Windows 2000 servers and domain controllers, use the computername operation.
  
  

NetDom reset Computer {/d: | /domain:}Domain [{/s: | /server:}Server] [{/uo: | /usero:}User {/po: | /passwordo}{Password|*}] [{/help | /?}]

Computer

Specifies the name of the computer for which the connection is to be reset.

{/d: | /domain:}Domain

Specifies the domain with which to establish the secure connection. If this parameter is omitted, then the domain that the current computer belongs to is used.

{/s: | /server:}Server

Specifies the name of the domain controller to use to establish the secure connection.

{/uo: | /usero:}User

Specifies the user account that makes the connection with the computer to be reset. If this parameter is omitted, then the current user account is used.

{/po: | /passwordo}{Password|*}

Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be prompted for the password.

{/help | /?}

Displays command-line usage for the reset operation.

netdom reset /d:reskit.ms.com redmond

NetDom resetpwd {/s: | /server:}Server {/ud: | /userd:}[Domain\]User {/pd: | /passwordd:}{Password|*}] [{/help | /?}]

{/s: | /server:}Server

Specifies the name of the domain controller to use for setting the machine account password.

{/ud: | /userd:}[Domain\]User

Specifies the user account that makes the connection with the domain specified in the /s parameter. This must be in Domain\User format. If this parameter is omitted, then the current user account is used.

{/pd: | /passwordd:}{Password|*}

Specifies the password of the user account that is specified in the /ud parameter. Use the wildcard character (*) to be prompted for the password.

{/help | /?}

Displays command-line usage for the resetpwd operation.

NetDom trust TrustingDomainName {/d: | /domain:} TrustedDomainName [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd:}{Password|*}] [{/uo: | /usero:}User] [{/po: | /passwordo:}{Password|*}] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:TrustName [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]

TrustingDomainName

Specifies the name of the trusting domain.

{/d: | /domain:}TrustedDomainName

Specifies the name of the trusted domain. If this parameter is omitted, then the domain that the current computer belongs to is used.

{/ud: | /userd:}[Domain\]User]

Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this parameter is omitted, then the current user account is used.

/pd:{Password|*}

Specifies the password of the user account that is specified in the /ud or /userd: parameter. Use the wildcard character (*) to be prompted for the password.

{/uo: | /usero:}User

Specifies the user account that makes the connection with the trusting domain. If this parameter is omitted, then the current user account is used.

{/po: | /passwordo:}{ Password|*}

Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be prompted for the password.

/verify

Verifies the secure channel secrets upon which a specific trust is based.

/reset

Resets the trust secret between trusted domains or between the domain controller and the workstation.

/passwordt: NewRealmTrustPassword

Specifies a new trust password. This parameter is valid only with the /add parameter, and only if one of the domains specified is a non-Windows Kerberos realm. The trust password is set on the Windows domain only, which means that credentials are not needed for the non-Windows domain.

/add

Specifies to create a trust.

/realm

Indicates that the trust is created to a non-Windows Kerberos realm. The /realm parameter is valid only with the /add and /passwordt parameters.

/remove

Specifies to break a trust.

/force

Removes both the trusted domain object and the cross-reference object for the specified domain from the forest. Use this option to clean up decommissioned domains that are no longer in use, and cannot be removed by using the Active Directory Installation wizard. This problem can occur if the domain controller for that domain was disabled or damaged and there were no domain controllers, or if it was not possible to recover the domain controller from backup media. This parameter is valid only when the /remove parameter is specified.

/twoway

Specifies establishment ofa two-way trust relationship rather than a one-way trust relationship.

/kerberos

Specifies exercisingthe Kerberos protocol between a workstation and a target domain. This parameter is valid only when the /verify parameter is specified.

/transitive[:{YES|NO}]

Specifies whether to set a transitive or non-transitive trust. This parameter is valid only for a non-Windows Kerberos realm. Non-Windows Kerberos trusts are created as non-transitive. If no value is specified, then the current transitivity state is displayed.

 

Value	Description
YES	Sets the realm to a transitive trust.
NO	Sets the realm to a non-transitive trust.

/oneside:{TRUSTED| TRUSTING}

Denotes that the trust object should only be created or removed on one domain.

 

Value	Description
TRUSTED	Indicates that the trust object is created or removed on the trusted domain specified by the /d or /domain parameter).
TRUSTING	Indicates that the trust object is to be created or removed on the trusting domain. Valid only with the /add or /REMove parameter. The /passwordt parameter is required when using with the /ADD or /REMove option

/quarantine[:{YES | NO}]

Sets or clears the domain quarantine attribute. If no value is specified then the current quarantine state is displayed.

 

Value	Description
YES	Specifies that only SIDs from the directly trusted domain will be accepted for authorization data returned during authentication. SIDS from any other domains will be removed.
NO	Specifies that any SID will be accepted for authorization data returned during authentication. This is the default value.

/namesuffixes: TrustName

Lists the routed name suffixes for TrustName on the domain named by TrustingDomainName. The /usero and /passwordo parameters can be used for authentication. The /domain parameter is not required.

/togglesuffix:#

Changes the status of a name suffix. Used with the /namesuffixes parameter. The number of the name entry specified by the /namesuffixes parameter must be provided to indicate which name will have its status changed. Names that are in conflict cannot have their status changed until the name in the conflicting trust is disabled. Always precede this command with the /namesuffixes parameter because LSA will not always return the names in the same order.

/EnableSIDistory

Specifying yes allows users who migrate to the trusted forest from any other forest to use SID history to access resources in this forest. Valid only for an outbound forest trust. This should be done only if the trusted forest administrators can be trusted enough to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying no would disable the ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying /EnableSIDHistory without yes or no will display the current state.

/ForestTRANsitive

Specifying yes marks this trust as forest transitive. Specifying no marks this trust as not forest transitive. Specifying /ForestTRANsitive without yes or no will display the current state of this trust attribute. Valid only for non-Windows real trusts and can only be performed on the root domain for a forest.

/SelectiveAUTH

Specifying no disables selective authentification across this trust. Specifying /SelectiveAUTH without yes or no displays the currrent state of this trust attribute. Specifying yes enables selective authentification across this trust. Valid only on outbound forest and external trusts.

/AddTLN

Adds the specified top level name (DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.

/AddTLNEX

Adds the specified top level name exclusion(DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.

/RemoveTLN

Removes the specified top level name (DNS name suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.

/RemoveTLNEX

Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes operation for a list of name suffixes.

{/help | /?}

Displays command-line usage for the trust operation.

netdom trust /d:masterdom resourcedom

NetDom verify Computer {/d: | /domain:}Domain [{/uo: | usero}User {/po: | /passwordo}{Password|*}] [{/help | /?}]

Computer

Specifies the name of the computer whose secure connection is verified.

{/d: | /domain:}Domain

Specifies the domain with which to verify the secure connection. If this parameter is omitted, then the domain that the current computer belongs to is used.

{/uo: | usero}User

Specifies the domain with which to verify the secure connection. If this parameter is omitted, then the current user account is used.

{/po: | /passwordo}{Password|*}

Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be prompted for the password.

{/help | /?}

Displays command-line usage for the verify operation.

netdom verify /d:resourcedom yourwksta