Using Netdom for Trust Relationships

NETDOM is a Swiss army knife command-line tool that creates, validates, and manages domain relationships. As you'll see later, you can also use it to perform domain migration. Actually, NETDOM is the reason we installed NetBEUI on the target domain. The program is hidden on the Windows Server 2003 installation CD-ROM in the \Support\Tools folder. Double-click SUPPORT.cab, and you'll see a file listing that includes a number of support utilities that were not automatically installed by Setup. Copy the NETDOM.exe program to some folder on your hard drive. To create the trust relationships, you'll need an administrative account in both domains. Type NETDOM /? to view the many options available. The command syntax to create a mutual trust looks like this, typed on a single line at the AD domain:

Netdom trust ntdomain /D:ADdomain /UserO:ntaccount /PasswordO:ntpassword /UserD:ADaccount /PasswordD:ADpassword /Add /Twoway

The D: argument refers to the Active Directory domain, admin account, and admin password. The O: pertains to the external NT domain, admin account, and admin password.

For our illustration, we will create a two-way trust between the NT domain called NT4_domain, where AaronA is the administrator using the password def, and the Active Directory Royal-tech.com domain, where BobA is the administrator using the password abc. The one-line command below uses abbreviated syntax to perform this task:

Netdom trust nt4_domain /D:royal-tech.com /UO:aarona /PO:def /UD:boba /PD:abc /Add /Twoway

There should be a pause and then a response that rewards your patience with a success message. To check that everything did indeed go smoothly, you can ask NETDOM to verify the operation by typing:

Netdom trust nt4_domain /D:royal-tech.com /UO:aarona /PO:def /UD:boba /PD:abc /Verify

Or, if you'd like to validate the trusts with the GUI program that you've been itching to use in Windows Server 2003, activate the MMC Active Directory Domains and Trusts on the Administrative Tools menu. Right-click the AD domain listed in the pane on the left, and then select Properties from the drop-down menu. In the dialog box that appears, click the Trusts tab, as shown in Figure 17.2.

Figure 17.2

The Trusts tab in AD Domains and Trusts

[Screenshot: the Royal-Tech.com Properties dialog, Trusts tab. "Domains trusted by this domain (outgoing trusts)" lists NT4_DOMAIN, Trust Type External, Transitive No. "Domains that trust this domain (incoming trusts)" lists the same NT4_DOMAIN entry. Buttons: Properties, Remove, New Trust, OK, Cancel, Apply.]

If you select either the outgoing or incoming trust, a Properties button becomes active. Click it to view details about this relationship, as indicated in Figure 17.3. Then you can click the Validate button to confirm the relationship, if you didn't trust the command-line response.
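Beyond a one-time look at the Trusts tab, a defender usually wants the trust's settings in a form that can be logged and compared over time. The following PowerShell script is an added example, not the book's code: it reruns the NETDOM verification with prompted passwords and then reads the trustedDomain object to decode the type, direction, and transitivity that the Trusts tab displays, plus whether SID filtering is on. It assumes netdom.exe is on the path and that it runs on a machine joined to royal-tech.com.

```powershell
# Added example (not from the book). Assumes netdom.exe is on the path and that
# the script runs on a member of the AD domain, whose trusts are read below.
$NtDomain = 'nt4_domain'
$AdDomain = 'royal-tech.com'

# /PO:* and /PD:* make NETDOM prompt for each password, so the passwords do
# not end up in the command history or in another user's process listing.
& netdom trust $NtDomain "/D:$AdDomain" /UO:aarona /PO:* /UD:boba /PD:* /Verify
if ($LASTEXITCODE -ne 0) { Write-Warning "NETDOM verify failed with exit code $LASTEXITCODE" }

# Every trust the AD domain holds is a trustedDomain object under CN=System;
# the searcher defaults to the logged-on domain's naming context.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(objectClass=trustedDomain)'

foreach ($result in $searcher.FindAll()) {
    $p    = $result.Properties
    $dir  = [int]$p['trustdirection'][0]   # 1 inbound, 2 outbound, 3 both ways
    $type = [int]$p['trusttype'][0]        # 1 Windows NT, 2 Windows 2000+, 3 MIT realm
    $attr = [int]$p['trustattributes'][0]  # bit flags, decoded below

    $direction = switch ($dir) { 1 {'incoming'} 2 {'outgoing'} 3 {'two-way'} default {'disabled'} }
    $kind      = switch ($type) { 1 {'External (Windows NT)'} 2 {'Windows 2000 or later'}
                                  3 {'Realm (MIT Kerberos)'} default {"unknown ($type)"} }

    # A Windows NT trust is never transitive, which is why Figure 17.2 shows
    # "No"; an uplevel trust is transitive unless NON_TRANSITIVE (0x1) is set.
    $transitive = ($type -eq 2) -and -not ($attr -band 0x1)
    # QUARANTINED_DOMAIN (0x4) means SID filtering is on: only SIDs that belong
    # to the trusted domain are accepted in tokens arriving over this trust.
    $sidFiltering = [bool]($attr -band 0x4)

    New-Object PSObject -Property @{
        Domain       = [string]$p['name'][0]
        Direction    = $direction
        TrustType    = $kind
        Transitive   = $transitive
        SidFiltering = $sidFiltering
    }
}
```

For the trust built in this section, the output should show NT4_DOMAIN as two-way, External (Windows NT), and not transitive, matching both halves of the Trusts tab.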

Figure 17.3

Trusted Domain properties

Using NETDOM to Migrate Domains

NETDOM can also be used to transfer accounts from one domain to another. You need to create or use an existing organizational unit on the AD domain for transferred accounts. The command will also call for the name of the PDC computer. After you've established trust between domains, use your administrative accounts to enter the following at the command line at a domain controller on the AD domain:

Netdom move machine /D:ADdomain /UO:NTadmin /PO:NTpassword /UD:ADadmin /PD:ADpassword /OU:orgunit /reboot

The machine name refers to the NT PDC. The D: option, for destination, refers to the Active Directory domain, admin account, and admin password. The O: switch points to the external NT domain, admin account, and admin password. Reusing the domain names and admin users in our earlier example—an OU called ntusers and a PDC named NT4—the command would be:

Netdom move NT4 /D:royal-tech.com /UO:aarona /PO:def /UD:boba /PD:abc /OU:ntusers /reboot

The reboot option will reboot the PDC after all accounts have been transferred. This is a one-way, one-time operation. After that server reboots, it will no longer supervise a domain, and all the accounts should appear in the ntusers organizational unit in the Active Directory domain.

Using ADMT to Migrate Domains

The Active Directory Migration Tool, or ADMT, is available on Microsoft's website at no charge. Download ADMT.exe, then double-click to install a GUI program to a domain controller on your AD domain that will be listed in the Administrative Tools folder. ADMT's wizards can copy users, groups, and trusts between domains, providing you with more control than with NETDOM. We'll examine the steps to prepare each domain for the migration process. Some requirements were already completed during the NETDOM trust operation. Here's the first set in the interest of completeness:

♦ Two-way trust relationships must exist between the source (NT) and target (AD) domains.

♦ The AD domain must be promoted to Windows 2000 native mode.

♦ Service Pack 4 or above must be installed on the NT PDC.

♦ Administrative shares must exist on both computers.

♦ You must have an account with Administrator rights to each computer and be a member of Domain Administrators in the AD domain and Administrators in the NT domain.

Next, we'll set up administrative groups on each domain. Here are ADMT's requirements:

♦ The Domain Admins global group in the source must be a member of the Administrators local group in the target.

♦ The Domain Admins global group in the target must be added to the Administrators local group in the source.

♦ A new local group called Source Domain$$$ must be created on the source domain and remain empty.

♦ A target organizational unit for the copied accounts must be created or specified.

On the 2000/2003 domain controller, open up Active Directory Users and Computers. Open up the Builtin container, since that's where the local groups are stored. Then follow these steps:

1. Double-click Administrators.

2. Select the Members tab.

3. Click Add, select Location, and enter NT4_Domain, which is the name of our source domain.

4. Click the Advanced button, then select Find Now.

5. Double-click Domain Admins in the source domain. You should see a screen like Figure 17.4.

Figure 17.4

Choosing Domain Admins from the NT4 Domain

6. Move over to the PDC, activate User Manager for Domains, and double-click to open up the box for the Administrators local group, as shown in Figure 17.5. Click the Add button to begin the next two steps, where we will grant the Domain Admins group on the Active Directory domain administrative rights on the NT domain.

Figure 17.5

Properties of the Administrators local group

[Screenshot: the Local Group Properties dialog. Group Name: Administrators. Description: Members can fully administer the computer/domain. Members: Aaron, Administrator, Domain Admins. Buttons: Show Full Names, Add.]

7. Select the target AD domain in the List Names From drop-down list, which in our scenario is Royal-Tech. This operation will populate the Names box below with the various groups and users contained in the Royal-Tech domain.

8. Select the Domain Admins group in the Names box, shown in Figure 17.6, and click Add.

Figure 17.6

Adding the Domain Admins group

[Screenshot: the Add Users and Groups dialog. List Names From: ROYAL-TECH. Names: Domain Admins (Designated administrators of the domain), Domain Computers (All workstations and servers joined to the domain), Domain Controllers (All domain controllers in the domain), Domain Guests (All domain guests), Domain Users (All domain users), Enterprise Admins (Designated administrators of the enterprise), Group Policy Creator Owners (Members in this group can modify group policy), Schema Admins (Designated administrators of the schema). Add Names: ROYAL-TECH\Domain Admins. Buttons: Add, Help.]

9. At the PDC again, create Source Domain$$$, a local group, and leave it empty. Then, create a new OU on the AD domain controller or make note of an existing one that will receive the NT domain's accounts.

Next, Microsoft suggests that you set up auditing on each domain controller so you have a record of what occurs when you perform the migration. In the next two steps, you will:

♦ Enable Success/Failure auditing on the source (NT) for User and Group management

♦ Enable Success/Failure auditing on the target (AD) for account management in the Default Domain Controllers policy

10. In User Manager at the PDC, select Audit on the Policies menu and choose the check boxes for Success and Failure for User and Group Management, displayed in Figure 17.7.
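Before launching the ADMT wizards, it is worth confirming that the group work from steps 1 through 9 actually took, since a missing cross-domain membership shows up later as an unhelpful access-denied error. The PowerShell script below is an added example, not from the book or from ADMT: it reads the Administrators local group on each domain through the WinNT provider and checks the three group requirements listed earlier. It assumes the trust is in place, the NetBIOS names NT4_DOMAIN and ROYAL-TECH from the text, and that it runs under an account that can read both domains' groups.

```powershell
# Added example (not from the book). Checks the ADMT group requirements from
# the text: cross-domain Domain Admins membership and an empty $$$ group.
$Source = 'NT4_DOMAIN'   # NT 4 source domain, NetBIOS name (from the text)
$Target = 'ROYAL-TECH'   # AD target domain, NetBIOS name (from the text)
# Name as the text gives it; the ADMT documentation spells it as the source
# domain's NetBIOS name followed by $$$, i.e. NT4_DOMAIN$$$. Single quotes keep
# PowerShell from expanding $$ as the process-id variable.
$AuditGroup = 'Source Domain$$$'

# ADsPath of each member of a local group, e.g. WinNT://NT4_DOMAIN/Domain Admins.
# The WinNT provider answers for both an NT 4 PDC and an AD domain controller.
function Get-LocalGroupMemberPath([string]$Domain, [string]$Group) {
    $grp = [ADSI]("WinNT://$Domain/$Group,group")
    foreach ($m in $grp.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

# One PASS/FAIL line per requirement; $script:ok turns false on any failure.
$script:ok = $true
function Report([string]$What, [bool]$Pass) {
    if (-not $Pass) { $script:ok = $false }
    '{0,-4} {1}' -f $(if ($Pass) { 'PASS' } else { 'FAIL' }), $What
}

# Domain Admins (source) must sit in Administrators (target), and vice versa.
$inTarget = @(Get-LocalGroupMemberPath $Target 'Administrators')
Report "$Source\Domain Admins is in $Target\Administrators" ($inTarget -contains "WinNT://$Source/Domain Admins")
$inSource = @(Get-LocalGroupMemberPath $Source 'Administrators')
Report "$Target\Domain Admins is in $Source\Administrators" ($inSource -contains "WinNT://$Target/Domain Admins")

# The $$$ group must exist on the source domain and must stay empty.
try {
    $members = @(Get-LocalGroupMemberPath $Source $AuditGroup)
    Report "$Source\$AuditGroup exists and is empty" ($members.Count -eq 0)
} catch {
    Report "$Source\$AuditGroup exists" $false
}

if ($script:ok) { 'All ADMT group requirements are met.' }
else { 'Fix the FAIL items before running the ADMT wizards.' }
```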
