Netdom

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use netdom to:

  • Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.

    • Provide an option to specify the organizational unit (OU) for the computer account.

    • Generate a random computer password for an initial Join operation.

  • Manage computer accounts for domain member workstations and member servers. Management operations include:

    • Add, Remove, Query.

    • An option to specify the OU for the computer account.

    • An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.

  • Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:

    • From a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain to a Windows NT 4.0 domain.

    • From a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain to a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain in another enterprise.

    • Between two Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domains in an enterprise (a shortcut trust).

    • The Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 Server half of an interoperable Kerberos protocol realm.

  • Verify or reset the secure channel for the following configurations:

    • Member workstations and servers.

    • Backup domain controllers (BDCs) in a Windows NT 4.0 domain.

    • Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

  • Manage trust relationships between domains, including the following operations:

    • Enumerate trust relationships (direct and indirect).

    • View and change some attributes on a trust.

Note

You must run netdom from an elevated command prompt.

Syntax

Netdom uses the following general syntaxes:

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>

Commands


Netdom add

Adds a workstation or server account to the domain.

Netdom computername

Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers.

Netdom join

Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist.

Netdom move

Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.

Netdom query

Queries the domain for information such as membership and trust.

Netdom remove

Removes a workstation or server from the domain.

Netdom movent4bdc

Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts.

Netdom renamecomputer

Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command.

Netdom reset

Resets the secure connection between a workstation and a domain controller.

Netdom resetpwd

Resets the computer account password for a domain controller.

Netdom trust

Establishes, verifies, or resets a trust relationship between domains.

Netdom verify

Verifies the secure connection between a workstation and a domain controller.

Remarks

  • A trust relationship is a defined affiliation between domains that enables pass-through authentication.

  • A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have accounts in the other domain (the trusted domain) to access its resources.

  • The one-way trust relationship described here is helpful in master domain models, but it is not the only kind of trust relationship. When two one-way trusts are established between domains, it is known as a two-way trust. In two-way trusts, each domain treats the users from the trusted (and trusting) domain as its own users.

  • By default, only the result of an operation is reported. For example, if you use the Join operation, you see output similar to the following:

    success: mywksta joined to mycompany domain
    
  • If you specify the /verbose parameter, the output lists the success or failure of each transaction that is necessary to perform the operation. For example, this time when you use the Join operation, you see output similar to the following:

    success: adding machine account for mywksta to mycompany domain
    success: configuring lsa on mywksta
    success: mywksta joined to mycompany domain
    
  • The /reboot parameter specifies that the computer being acted upon by the specified netdom operation is shut down and automatically rebooted after the operation completes. When you specify the /reboot parameter, the following message and a countdown timer are displayed on the workstation screen before the restart:

    The system is shutting down. Please save
    all work in progress and logoff. Any unsaved changes
    will be lost. This shutdown was initiated because the
    domain which this machine belongs to was changed by
    nnn.
    
  • For nnn, netdom substitutes the name of the administrator that you enter by using the /uo parameter.

  • The default delay before the computer restarts is 20 seconds.
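As an added example that is not part of this documentation, the following PowerShell script applies the general syntax above with the verify and reset commands to check the secure channel of several member computers and, on request, repair it. The domain name, the computer names, and the assumption that netdom returns a non-zero exit code when an operation fails are the example's own.

```powershell
# Added example (not from the Netdom documentation): bulk secure-channel health check.
# Assumes: netdom.exe is on PATH (AD DS role or RSAT installed), the script runs from an
# elevated prompt, and the domain and computer list below are constructed sample values.
param(
    [string]   $Domain    = 'corp.example.com',                      # assumed domain name
    [string[]] $Computers = @('wksta01', 'wksta02', 'srv-files01'),  # constructed sample
    [switch]   $Repair                                               # run "netdom reset" on failures
)

function Test-NetdomSecureChannel {
    param([string] $Computer, [string] $Domain)
    # NetDom <Operation> [<Computer>] [/domain:<Domain>] [<Options>]; /verbose lists each step.
    $output = & netdom verify $Computer /domain:$Domain /verbose 2>&1 | ForEach-Object { "$_" }
    # Assumption: netdom returns a non-zero exit code when the operation fails.
    [pscustomobject]@{
        Computer = $Computer
        Healthy  = ($LASTEXITCODE -eq 0)
        # Keep only the per-transaction "success:" lines that /verbose prints.
        Steps    = @($output | Where-Object { $_ -match '^\s*success:' })
        Raw      = ($output -join [Environment]::NewLine)
    }
}

$results = foreach ($c in $Computers) {
    $r = Test-NetdomSecureChannel -Computer $c -Domain $Domain
    if (-not $r.Healthy -and $Repair) {
        # Remediation: re-establish the secure channel, then verify it again.
        & netdom reset $c /domain:$Domain | Out-Null
        $r = Test-NetdomSecureChannel -Computer $c -Domain $Domain
    }
    $r
}

$results | Format-Table Computer, Healthy, @{ n = 'Steps'; e = { $_.Steps.Count } } -AutoSize

# A secure channel that cannot be verified blocks domain logons on that host and often
# points to a stale or duplicated computer account, so surface the raw output for review.
$results | Where-Object { -not $_.Healthy } |
    ForEach-Object { Write-Warning "$($_.Computer): $($_.Raw)" }
```

Run it without -Repair first to get a read-only report; add -Repair only for machines whose account you have confirmed should exist in the domain.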

Additional references

Command-Line Syntax Key