Microsoft KB Archive/232050

{|
 * width="100%"|

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about obtaining support for a Beta release, please see the documentation included with the Beta product files, or check the Web location from which you downloaded the release.

-

The information in this article applies to:


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server

-

SUMMARY
Trustdom.exe is a tool an administrator can use to create and manage trust relationships at a command prompt. By default, the Trustdom.exe tool is not installed. The Trustdom.exe file is located on the Windows 2000 CD-ROM Resource Kit in the Support\Reskit\Netmgmt folder.

MORE INFORMATION
With the Trustdom tool, an administrator can view, create, and delete trust relationships between Windows 2000-based and Microsoft Windows NT-based domains. This tool can manage:


 * Two-way trust relationships between Windows 2000-based domains.
 * Explicit one-way trust relationships with Windows NT version 4.0-based domains.
 * A trust relationship between a Windows 2000-based domain and an MIT-based Kerberos realm on a UNIX-based computer.

The trustdom syntax is:

C:\> trustdom [domain[:dc],]target_domain[:dc] [Options]

The default switch is "-out". A one-way trust is created in one of two ways:


 * An outbound trust on the local/specified domain.
 * An inbound trust on the specified target domain.

Domain/Target_Domain
Domains (Flat or Domain Naming Service (DNS) names)

List
Lists all trust links of a specified target domain or local domain.

For example: trustdom DomX -list. This lists the trusts for the domain DomX. If you do not specify a domain name, it uses "local" for the domain name.

Untrust
Breaks the trust.

Both
Establishes a two-way trust (bidirectional).

For example: trustdom DOMX,DOMY -both

Out
Establishes an outbound trust. This switch is enabled by default.

In
Establishes an inbound trust.

Localonly
All operations (create/delete) are applied only to the trust objects on the first or local Domain Controller (DC). Use this switch with care.

Downlevel
Creates a downlevel trust.

Mit
Creates an MIT-based Kerberos trust, which enables the localonly switch.

Parent
Establishes a two-way parent-child trust. This switch sets the parent bit in the trust object on the child computer.

Pw:password
Optional password to set on the object as clear text only. Use the wildcard character (*) to enter a password in no-echo mode.

Debug
A detailed message is displayed about the switches that are typed on the command-line. For example: trustdom DomX,DomY -untrust -debug.

Force
Forces the use of settings, even if they are illegal. For example, you set a trust to a Windows 2000-based computer without specifying the "downlevel" switch. Use the downlevel switch with care.

NT4
Uses a Windows NT 4.0 style operation even if the domains are Windows 2000.

Sidlist
Displays a list of Security Identifiers (SIDs). Using this switch enables the "list" option.

/?
The usage screen is displayed.
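
The syntax and switch list above, turned into a small parser for reviewing trustdom command lines found in scripts or command history. This is an added example, not part of the original article or of the Resource Kit; the function names, result layout, and review notes are constructed here, and only the switches and implications the article lists are recognized.

```python
import shlex

# Switch names and implications come from the option list on this page; the
# function names and result layout are constructed for this example.
KNOWN = {"list", "untrust", "both", "out", "in", "localonly", "downlevel",
         "mit", "parent", "debug", "force", "nt4", "sidlist"}
IMPLIES = {"mit": "localonly", "sidlist": "list"}
REVIEW = {"force": "-force applies settings even if they are illegal",
          "localonly": "-localonly changes the trust object on one DC only"}

def endpoint(text):
    """Split 'domain[:dc]' into (domain, dc or None)."""
    domain, _, dc = text.partition(":")
    return domain, dc or None

def parse_trustdom(cmdline):
    """Parse 'trustdom [domain[:dc],]target_domain[:dc] [Options]'."""
    args = shlex.split(cmdline, posix=False)
    exe = args[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1] if args else ""
    if exe.lower() not in ("trustdom", "trustdom.exe"):
        raise ValueError("not a trustdom command line")
    switches, pw_in_clear, positional = set(), False, []
    for arg in args[1:]:
        name = arg[1:].lower()
        if not arg.startswith("-"):
            positional.append(arg)
        elif name.startswith("pw:"):
            pw_in_clear = name != "pw:*"  # "*" prompts in no-echo mode
        elif name in KNOWN:
            switches.add(name)
        else:
            raise ValueError("unknown switch: " + arg)
    switches |= {IMPLIES[s] for s in switches if s in IMPLIES}
    parts = positional[0].split(",") if positional else []
    if len(positional) > 1 or len(parts) > 2:
        raise ValueError("expected [domain[:dc],]target_domain[:dc]")
    domain = endpoint(parts[0]) if len(parts) == 2 else ("local", None)
    target = endpoint(parts[-1]) if parts else ("local", None)
    if switches & {"list", "untrust"}:
        action = "list" if "list" in switches else "untrust"
    elif switches & {"both", "parent"}:
        action = "create two-way"
    else:  # -out is the default switch
        action = "create inbound" if "in" in switches else "create outbound"
    notes = [REVIEW[s] for s in sorted(switches) if s in REVIEW]
    if pw_in_clear:  # the password itself is deliberately not kept
        notes.append("-pw value typed in clear text on the command line")
    return {"action": action, "domain": domain, "target": target,
            "switches": sorted(switches), "review": notes}
```

Calling parse_trustdom("trustdom DomX,DomY -both") returns the action "create two-way" with DomX as the domain and DomY as the target; a command line that carries -force, -localonly (or -mit, which enables it), or a literal -pw value comes back with entries in "review".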

You can create and remove trusts using the following methods:

Creating a Windows 2000 Transitive Two-way Trust

 * 1) Click Start, point to Programs, point to Accessories, and then click Command Prompt.
 * 2) Type cd Program Files\Resource Kit.
 * 3) Type Trustdom DomX,DomY -both
 * 4) To verify that the trust is successfully removed and to list the trust for a specified domain, type Trustdom DomX -list.

To do this in Windows 2000:


 * 1) Click Start, point to Programs, point to Administrative Tools, and then point to Active Directory Domain and Trusts.
 * 2) In the left pane, right-click on the domain name, click Properties, and then click the Trusts tab.

Create a One-Way Trust Between Two Domains

 * 1) Click Start, point to Programs, point to Accessories, and then click Command Prompt.
 * 2) To create a one-way trust from a local domain to DomX, type the following syntax:

trustdom DomX
 * 3) To create a one-way trust from DomX to DomY, type the following syntax:

trustdom DomX,DomY

Create a Downlevel Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain

 * 1) Click Start, point to Programs, point to Accessories, and then click Command Prompt.
 * 2) Type cd Program Files\Resource Kit.
 * 3) Type Trustdom DomX,DomY -Downlevel
 * 4) To verify that the trust is successfully removed and to list the trust for a specified domain, type Trustdom DomX -list.

To do this in Windows 2000:


 * 1) Click Start, point to Programs, point to Administrative Tools, and then point to Active Directory Domain and Trusts.
 * 2) In the left pane, right-click on the domain name, click Properties, and then click the Trusts tab.

Remove a Trust Between Windows 2000 Domains
Click Start, point to Programs, point to Accessories, and then click Command Prompt.

Type cd Program Files\Resource Kit.

Type Trustdom DomX,DomY -Untrust.

NOTE: A message is not displayed that states the command completed successfully. If there is a problem creating the trust, an error message is displayed.

To verify that the trust is successfully removed and to list the trust for a specified domain, type Trustdom DomX -list.

To do this in Windows 2000:


 * Click Start, point to Programs, point to Administrative Tools, and then point to Active Directory Domain and Trusts.
 * In the left pane, right-click on the domain name, click Properties, and then click the Trusts tab.

Additional query words:

Keywords : kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto
 * }