Manage or verify the trust relationship between domains.
Syntax
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name
[/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]]
[/Verify] [/RESEt] [/PasswordT:new_realm_trust_password]
[/Add] [/REMove] [/Twoway] [/REAlm] [/Kerberos]
[/Transitive[:{yes | no}]]
[/OneSide:{trusted | trusting}] [/Force] [/Quarantine[:{yes | no}]]
[/NameSuffixes:trust_name [/ToggleSuffix:#]]
[/EnableSIDHistory[:{yes | no}]]
[/ForestTRANsitive[:{yes | no}]]
[/CrossORGanization[:{yes | no}]]
[/AddTLN:TopLevelName] [/AddTLNEX:TopLevelNameExclusion]
[/RemoveTLN:TopLevelName] [/RemoveTLNEX:TopLevelNameExclusion]
[/SecurePasswordPrompt]
Key:
trusting_domain_name
The name of the trusting domain
/Domain The name of the trusted domain or Non-Windows Realm.
/UserD User account used to make the connection with the Domain
specified by the /Domain argument
/PasswordD Password of the user account specified by /UserD.
Specifying a * will prompt for the password.
/UserO User account used to make the connection with the trusting domain.
/PasswordO Password of the user account specified by /UserO.
Specifying a * will prompt for the password.
/Verify Verify that the trust is operating properly.
/RESEt Reset the trust passwords between two domains. The
domains can be named in any order. Reset is not valid
on a trust to a Kerberos realm unless the /PasswordT
parameter is included.
/PasswordT New trust password, valid only with the /Add or /RESEt
options and only if one of the domains specified is a
non-Windows Kerberos realm. The trust password is set on
the Windows domain only and thus credentials are not
needed for the non-Windows domain.
/Add Create a trust.
/REMove Remove a trust.
/Twoway Specifies that a trust relationship should be bidirectional.
/OneSide Indicates that the trust be created for or removed from
only one of the domains in the trust.
Use the keyword "trusted" to create or remove the trust
from the trusted domain (the domain named with the /D parameter).
Use the keyword "trusting" to create or remove the trust from the
trusting domain. This command is valid only with the /Add and
/REMove options and requires the /PasswordT option when used
with the /Add option.
/REAlm Indicates that the trust is to be created to a non-Windows
Kerberos realm. Valid only with the /Add option.
The /PasswordT option is required.
/TRANSitive Valid only for a non-Windows Kerberos realm. Specifying
"yes" sets it to a transitive trust. Specifying "no" sets
it to a non-transitive trust. If neither is specified,
then the current transitivity state will be displayed.
/Kerberos Verify the Kerberos authentication protocol between a domain
or workstation and a target domain. You must supply user
accounts and passwords for both the object and target domain.
/Force Forces the removal of the trust (and cross-ref) objects on one
domain even if the other domain is not found or does not contain
matching trust objects. You must use the full DNS name to specify
the domain. Valid with the /REMove option.
CAUTION: this option will completely remove a child domain.
/Quarantine Valid only on an existing direct, outbound trust. Set or clear
the domain quarantine attribute. Default is "no".
When "yes" is specified, then only SIDs from the directly trusted
domain will be accepted for authorization data returned during
authentication. SIDs from any other domains will be removed.
Specifying /Quarantine without yes or no will display the current state.
/NameSuffixes Valid only for a forest trust or a Forest Transitive
Non-Windows Realm Trust. Lists the routed name suffixes
for trust_name on the domain named by trusting_domain_name.
The /UserO and /PasswordO values can be used for
authentication. The /Domain parameter is not needed.
/ToggleSuffix Use with /NameSuffixes to change the status of a name
suffix. The number of the name entry, as listed by a
preceding call to /NameSuffixes, must be provided to
indicate which name will have its status changed. Names
that are in conflict cannot have their status changed
until the name in the conflicting trust is disabled. Always
precede this command with a /NameSuffixes command because
LSA will not always return the names in the same order.
/EnableSIDHistory Valid only for an outbound, forest trust. Specifying "yes"
allows users migrated to the trusted forest from any other
forest, to use SID history to access resources in this
forest. This should be done only if the trusted forest
administrators can be trusted enough to specify SIDs of
this forest in the SID history attribute of their users
appropriately. Specifying "no" would disable the ability of
the migrated users in the trusted forest to use SID history
to access resources in this forest. Specifying /EnableSIDHistory
without yes or no will display the current state.
/ForestTRANsitive Valid only for Non-Windows Realm Trusts and can only be
performed on the root domain for a forest.
Specifying "yes" marks this trust as Forest Transitive.
Specifying "no" marks this trust as Not Forest Transitive.
Specifying /ForestTRANsitive without yes or no will
display the current state of this trust attribute.
/SelectiveAUTH Valid only on outbound Forest and External trusts.
Specifying "yes" enables selective authentication across
this trust.
Specifying "no" disables selective authentication across
this trust.
Specifying /SelectiveAUTH without yes or no will display
the current state of this trust attribute.
/AddTLN Valid only for a Forest Transitive Non-Windows Realm Trust
and can only be performed on the root domain for a forest.
Adds the specified Top Level Name (DNS Name Suffix) to the
Forest Trust Info for the specified trust.
Also see the /NameSuffixes operation to list name suffixes.
/AddTLNEX Valid only for a Forest Transitive Non-Windows Realm Trust
and can only be performed on the root domain for a forest.
Adds the specified Top Level Name Exclusion (DNS Name
Suffix) to the Forest Trust Info for the specified trust.
Also see the /NameSuffixes operation to list name suffixes.
/RemoveTLN Valid only for a Forest Transitive Non-Windows Realm Trust
and can only be performed on the root domain for a forest.
Removes the specified Top Level Name (DNS Name Suffix) from
the Forest Trust Info for the specified trust.
Also see the /NameSuffixes operation to list name suffixes.
/RemoveTLNEX Valid only for a Forest Transitive Non-Windows Realm Trust
and can only be performed on the root domain for a forest.
Removes the specified Top Level Name Exclusion (DNS Name
Suffix) from the Forest Trust Info for the specified trust.
Also see the /NameSuffixes operation to list name suffixes.
/SecurePasswordPrompt
Use secure credentials popup to specify credentials. This
option should be used when smartcard credentials need to be
specified. This option is only in effect when the password
value is supplied as *.
Netdom options can be abbreviated to just the UPPER case letters, e.g. /PasswordD can be supplied as just /PD
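The state that /Quarantine, /EnableSIDHistory and /SelectiveAUTH display is stored as bits in the trust's trustAttributes value. The following is an added example, not part of the original page: it decodes that value and lists the settings worth reviewing on outbound Windows trusts. The function name, the domain names and the sample records are hypothetical, the bit values are those defined in MS-ADTS, and realm trusts are not handled.

```powershell
# Added example: decode trustAttributes (bit values per MS-ADTS) into the
# states shown by the NETDOM TRUST switches. Sample records are constructed.
$TrustBits = [ordered]@{
    Quarantined       = 0x04   # state shown/set by /Quarantine
    ForestTransitive  = 0x08   # forest trust, or /ForestTRANsitive:yes
    SelectiveAuth     = 0x10   # state shown/set by /SelectiveAUTH
    WithinForest      = 0x20   # trust between domains of the same forest
    SidHistoryEnabled = 0x40   # state shown/set by /EnableSIDHistory
}

function Get-TrustReview {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$TrustAttributes,
        # trustDirection: 1 = inbound, 2 = outbound, 3 = two-way
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$Direction
    )
    $flag = @{}
    foreach ($k in $TrustBits.Keys) {
        $flag[$k] = [bool]($TrustAttributes -band $TrustBits[$k])
    }
    $findings = @()
    # The three switches apply to outbound trusts; intra-forest trusts are skipped here.
    if (($Direction -band 2) -and -not $flag.WithinForest) {
        if ($flag.ForestTransitive -and $flag.SidHistoryEnabled) {
            $findings += 'SID history is accepted from the trusted forest (/EnableSIDHistory is yes)'
        }
        if (-not $flag.ForestTransitive -and -not $flag.Quarantined) {
            $findings += 'SIDs from domains other than the directly trusted one are accepted (/Quarantine is no)'
        }
        if (-not $flag.SelectiveAuth) {
            $findings += 'Selective authentication is off (/SelectiveAUTH is no)'
        }
    }
    [pscustomobject]@{
        Name     = $Name
        Flags    = ($TrustBits.Keys | Where-Object { $flag[$_] }) -join ','
        Findings = $findings
    }
}

# Constructed sample data (hypothetical domains), so the block runs offline.
$sample = @(
    @{ Name = 'partner.example'; TrustAttributes = 0x48; Direction = 3 }
    @{ Name = 'legacy.example';  TrustAttributes = 0x00; Direction = 2 }
    @{ Name = 'vendor.example';  TrustAttributes = 0x14; Direction = 2 }
)
foreach ($t in $sample) { Get-TrustReview @t } | Format-List
```

On a domain-joined host, the same function can be fed from Get-ADTrust, assuming the ActiveDirectory module is installed and that the returned objects expose Name, TrustAttributes and Direction.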
“He who does not trust enough, Will not be trusted” ~ Lao Tzu
Related:
Active Directory Domains and Trusts - Snap In.
PowerShell: Get-ADTrust
NETDOM MOVE - Move a workstation or member server to a new domain.
NETDOM VERIFY - Verify the secure connection between a workstation and a DC.