Checking for Active Trusts
Each domain trust is stored as a Trusted Domain object in the System container in the domain partition. Regardless of what some documentation states, trusts with NT4 domains still create TDOs.
By querying the whenChanged attribute on the TDO you can determine if the trusts is still active as all trusts involve creating a secure channel to the trusted domain, so the password needs to be reset every 30 days.
Remember that the whenChanged attribute is not replicated so can be different on each DC.
Also beware that the whenChanged attribute is not the same as the creation date of the computer object as the date can be no older than the computer object itself. My golden rule is to ignore any whenChanged dates when they're the same as the whenCreated date of the DC's computer account itself.
Trust Types
nltest /server:nameofDC /domain_trusts
This shows all of the trusts, direction of trust, what sort of trust. Also shows the trust type which is basically what sort of domain it's with.
Can be NT4, NT5, MIT or DCE.
NT4 - this is only NT4 domains.
NT5 - Windows 2000 or higher (not confirmed for W2K8). Functional level of domain is not a factor - it's just the OS.
MIT - realm trust
DCE - have not found an example of this yet.
Verifying Trusts are Working
nltest /SC_VERIFY:trusteddomainname
This, and the netdom command
netdom verify nameofDC /domain:trusteddomainname
can only show details of the secure channel when you're on the trusting domain (so will show a DC on the trusted domain).
There is no way of seeing the secure channel from the trusted domain (presuming it's one-way) as there is no secure channel - the secure channel is only set up from the trusting domain to the trusted domain.
Which DC does a trusting DC set up a secure channel with?
It depends on how it resolves the name of the trusted domain.
It might be using a secondary zone, lmhosts file etc. Quite often this will be using the same as domain name A records. It will then choose at random so to stop this you need to manipulate which DCs it sees as answering to the name of the domain...
Subscribe to:
Post Comments (Atom)
Youre so cool! I dont suppose Ive learn anything like this before. So good to find somebody with some original thoughts on this subject. realy thanks for starting this up. this website is something that is needed on the internet, someone with a bit originality. useful job for bringing one thing new to the internet! online casino games
ReplyDeleteUse our tool Whois lookup to domain registration information like domain availability or the domain owner contact information. This may be useful if you need to contact the domain owner.
ReplyDelete