Are you sure you want to delete the trust to child domain %s (Y or N)?
Do you want to proceed (Y or N)?
*** Warning: role owner is undefined.
*** Warning: role owner is a deleted DC: %1
Required switch/parameter %1 is not specified

NETDOM [ ADD | COMPUTERNAME | HELP | JOIN | MOVE | QUERY | REMOVE | MOVENT4BDC | RENAMECOMPUTER | RESET | TRUST | VERIFY | RESETPWD ]

The command completed successfully.
The command failed to complete successfully.

NETDOM HELP command
    -or-
NETDOM command /help

Commands available are:

NETDOM ADD            NETDOM RESETPWD        NETDOM RESET
NETDOM COMPUTERNAME   NETDOM QUERY           NETDOM TRUST
NETDOM HELP           NETDOM REMOVE          NETDOM VERIFY
NETDOM JOIN           NETDOM MOVENT4BDC
NETDOM MOVE           NETDOM RENAMECOMPUTER

NETDOM HELP SYNTAX explains how to read NET HELP syntax lines.
NETDOM HELP command | MORE displays Help one screen at a time.

Note that verbose output can be specified by including /VERBOSE with any of the above netdom commands.

SYNTAX

The following conventions are used to indicate command syntax:

- Capital letters represent words that must be typed as shown.
  Lower-case letters represent names of items that may vary, such as filenames.
- The [ and ] characters surround optional items that can be supplied with the command.
- The { and } characters surround lists of items. You must supply one of the items with the command.
- The | character separates items in a list. Only one of the items can be supplied with the command.
  For example, in the following syntax, you must type NETDOM and either SWITCH1 or SWITCH2. Supplying a name is optional.
      NETDOM [name] {SWITCH1 | SWITCH2}
- The [...] characters mean you can repeat the previous item. Separate items with spaces.
- The [,...] characters mean you can repeat the previous item, but you must separate items with commas or semicolons, not spaces.
- When typed at the command prompt, names of two words or more must be enclosed in quotation marks. For example,
      NETDOM ADD "/OU:OU=MY OU,DC=Domain,DC=COM"

The parameter %1 was unexpected.
The syntax of this command is:

NETDOM ADD machine [/Domain:domain] [/UserD:user] [/PasswordD:[password | *]]
           [/Server:server] [/OU:ou path] [/DC] [/SecurePasswordPrompt]

NETDOM ADD Adds a workstation or server account to the domain.

machine is the name of the computer to be added

/Domain
    Specifies the domain in which to create the machine account
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified with /UserD. A * means to prompt for the password
/Server
    Name of a specific domain controller that should be used to perform the Add. This option cannot be used with the /OU option.
/OU
    Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. When using this argument, you must be running directly on a domain controller for the specified domain. If this argument is not included, the account will be created under the default organization unit for machine objects for that domain.
/DC
    Specifies that a domain controller's machine account is to be created. This option cannot be used with the /OU option.
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user] [/PasswordD:[password | *]]
            [/UserO:user] [/PasswordO:[password | *]] [/PasswordM:[password | *]] [/ReadOnly]
            [/REBoot[:Time in seconds]] [/SecurePasswordPrompt]

NETDOM JOIN Joins a workstation or member server to the domain.

machine is the name of the workstation or member server to be joined

/Domain
    Specifies the domain which the machine should join. You can specify a particular domain controller by entering /Domain:domain\dc. When /ReadOnly option is used, you must specify a domain controller.
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/UserO
    User account used to make the connection with the machine to be joined
/PasswordO
    Password of the user account specified by /UserO. A * means to prompt for the password
/OU
    Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organization unit for machine objects for that domain.
/PasswordM
    Password of the pre-created computer account, whose name is specified by the machine parameter. A * means to prompt for the password. This option must be used with /ReadOnly option.
/ReadOnly
    Perform a domain join using a pre-created computer account and without performing any writes to a domain controller. This option therefore, does not require a writable domain controller.
    You must specify the domain controller (using /Domain option) and computer account password (using /PasswordM option) when the option is used. This option cannot be used with /OU option.
/REBoot
    Specifies that the machine should be shutdown and automatically rebooted after the Join has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

Windows Professional machines with the ForceGuest setting enabled (which is the default for machines not joined to a domain during setup) cannot be remotely administered. Thus the join operation must be run directly on the machine when the ForceGuest setting is enabled.

When joining a machine running Windows NT version 4 or before to the domain the operation is not transacted. Thus, a failure during the operation could leave the machine in an undetermined state with respect to the domain it is joined to.

The act of joining a machine to the domain will create an account for the machine on the domain if it does not already exist.

NETDOM MOVE machine /Domain:domain [/OU:ou path] [/UserD:user] [/PasswordD:[password | *]]
            [/UserO:user] [/PasswordO:[password | *]] [/UserF:user] [/PasswordF:[password | *]]
            [/REBoot[:Time in seconds]] [/SecurePasswordPrompt]

NETDOM MOVE Moves a workstation or member server to a new domain

machine is the name of the workstation or member server to be moved

/Domain
    Specifies the domain to which the machine should be moved. You can specify a particular domain controller by entering /Domain:domain\dc. If you specify a domain controller, you must also include the user's domain.
    For example: /UserD:domain\user
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/UserO
    User account used to make the connection with the machine to be moved
/PasswordO
    Password of the user account specified by /UserO. A * means to prompt for the password
/UserF
    User account used to make the connection with the machine's former domain (with which the machine had been a member before the move). Needed to disable the old machine account.
/PasswordF
    Password of the user account specified by /UserF. A * means to prompt for the password
/OU
    Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organization unit for machine objects for that domain.
/REBoot
    Specifies that the machine should be shutdown and automatically rebooted after the Move has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

When moving a downlevel (Windows NT version 4 or before) machine to a new domain, the operation is not transacted. Thus, a failure during the operation could leave the machine in an undetermined state with respect to the domain it is joined to.

When moving a machine to a new domain, the old computer account in the former domain is not deleted. If credentials are supplied for the former domain, the old computer account will be disabled.

The act of moving a machine to a new domain will create an account for the machine on the domain if it does not already exist.

NETDOM QUERY [/Domain:domain] [/Server:server] [/UserD:user] [/PasswordD:[password | *]]
             [/Verify] [/RESEt] [/Direct] [/SecurePasswordPrompt]
             WORKSTATION | SERVER | DC | OU | PDC | FSMO | TRUST

NETDOM QUERY Queries the domain for information

/Domain
    Specifies the domain on which to query for the information
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/Server
    Name of a specific domain controller that should be used to perform the query.
/Verify
    For computers, verifies that the secure channel between the computer and the domain controller is operating properly. For trusts, verifies that the the trust between domains is operating properly. Only outbound trust will be verified. The user must have domain administrator credentials to get correct verification results.
/RESEt
    Resets the secure channel between the computer and the domain controller; valid only for computer enumeration
/Direct
    Applies only for a TRUST query, lists only the direct trust links and omits the domains indirectly trusted through transitive links. Do not use with /Verify.
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *
WORKSTATION
    Query the domain for the list of workstations
SERVER
    Query the domain for the list of servers
DC
    Query the domain for the list of Domain Controllers
OU
    Query the domain for the list of Organizational Units under which the specified user can create a machine object
PDC
    Query the domain for the current Primary Domain Controller
FSMO
    Query the domain for the current list of FSMO owners
TRUST
    Query the domain for the list of its trusts

The trust verify command checks only direct, outbound, Windows trusts.
To verify an inbound trust, use the NETDOM TRUST command which allows you to specify credentials for the trusting domain.

NETDOM REMOVE machine [/Domain:domain] [/UserD:user] [/PasswordD:[password | *]]
              [/UserO:user] [/PasswordO:[password | *]] [/REBoot[:Time in seconds]]
              [/Force] [/SecurePasswordPrompt]

NETDOM REMOVE Removes a workstation or server from the domain.

machine is the name of the computer to be removed

/Domain
    Specifies the domain in which to remove the machine
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/UserO
    User account used to make the connection with the machine to be removed
/PasswordO
    Password of the user account specified By /UserO. A * means to prompt for the password
/REBoot
    Specifies that the machine should be shutdown and automatically rebooted after the Remove has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
/Force
    Forces the unjoin of the machine from the domain even if the domain is not found or does not contain the matching computer object.
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

NETDOM MOVENT4BDC machine [/Domain:domain] [/REBoot[:Time in seconds]]

NETDOM MOVENT4BDC Renames NT4 backup domain controllers (moves it to a new domain)

machine is the name of the backup Domain Controller to be renamed

/Domain
    Specifies the new name of the domain
/REBoot
    Specifies that the machine should be shutdown and automatically rebooted after the Rename has completed. The number of seconds before automatic shutdown can also be provided.
    Default is 30 seconds

NETDOM RESET machine [/Domain:domain] [/Server:server] [/UserO:user]
             [/PasswordO:[password | *]] [/SecurePasswordPrompt]

NETDOM RESET Resets the secure connection between a workstation and a domain controller

machine is the name of the computer to be have the secure connection reset

/Domain
    Specifies the domain with which to establish the secure connection
/Server
    Name of a specific domain controller that should be used to establish the secure connection.
/UserO
    User account used to make the connection with the machine to be reset
/PasswordO
    Password of the user account specified By /UserO. A * means to prompt for the password
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *] [/SecurePasswordPrompt]

NETDOM RESETPWD Resets the machine account password for the domain controller on which this command is run. Currently there is no support for resetting the machine password of a remote machine or a member server. All parameters must be specified.

/Server
    Name of a specific domain controller that should have its machine account password reset.
/UserD
    User account used to make the connection with the domain controller specified by the /Server argument.
/PasswordD
    Password of the user account specified with /UserD. A * means to prompt for the password
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified.
    This option is only in effect when the password value is supplied as *

NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name [/UserD:user]
             [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]]
             [/Verify] [/RESEt] [/PasswordT:new_realm_trust_password]
             [/Add] [/REMove] [/Twoway] [/REAlm] [/Kerberos]
             [/Transitive[:{yes | no}]] [/OneSide:{trusted | trusting}] [/Force]
             [/Quarantine[:{yes | no}]] [/NameSuffixes:trust_name [/ToggleSuffix:#]]
             [/EnableSIDHistory[:{yes | no}]] [/ForestTRANsitive[:{yes | no}]]
             [/CrossORGanization[:{yes | no}]] [/AddTLN:TopLevelName]
             [/AddTLNEX:TopLevelNameExclusion] [/RemoveTLN:TopLevelName]
             [/RemoveTLNEX:TopLevelNameExclusion] [/SecurePasswordPrompt]
             [/EnableTgtDelegation[:{yes | no}]] [/EnablePIMTrust[:{yes | no}]]

NETDOM TRUST Manages or verifies the trust relationship between domains

trusting_domain_name is the name of the trusting domain

/Domain
    Specifies the name of the trusted domain or Non-Windows Realm.
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/UserO
    User account for making the connection with the trusting domain
/PasswordO
    Password of the user account specified By /UserO. A * means to prompt for the password
/Verify
    Verifies that the trust is operating properly
/RESEt
    Resets the trust passwords between two domains. The domains can be named in any order. Reset is not valid on a trust to a Kerberos realm unless the /PasswordT parameter is included.
/PasswordT
    New trust password, valid only with the /Add or /RESEt options and only if one of the domains specified is a non-Windows Kerberos realm. The trust password is set on the Windows domain only and thus credentials are not needed for the non-Windows domain.
/Add
    Specifies that a trust be created.
/REMove
    Specifies that a trust be removed.
/Twoway
    Specifies that a trust relationship should be bidirectional
/OneSide
    Indicates that the trust be created for or removed from only one of the domains in the trust. Use the keyword "trusted" to create or remove the trust from the trusted domain (the domain named with the /D parameter). Use the keyword "trusting" to create or remove the trust from the trusting domain. This command is valid only with the /Add and /REMove options and requires the /PasswordT command when used with the /Add option.
/REAlm
    Indicates that the trust is to be created to a non-Windows Kerberos realm. Valid only with the /Add option. The /PasswordT option is required.
/TRANSitive
    Valid only for a non-Windows Kerberos realm. Specifying "yes" sets it to a transitive trust. Specifying "no" sets it to a non-transitive trust. If neither is specified, then the current transitivity state will be displayed.
/Kerberos
    Specifies that the Kerberos authentication protocol should be verified between a domain or workstation and a target domain; You must supply user accounts and passwords for both the object and target domain.
/Force
    Valid with the /REMove option. Forces the removal of the trust (and cross-ref) objects on one domain even if the other domain is not found or does not contain matching trust objects. You must use the full DNS name to specify the domain. CAUTION: this option will completely remove a child domain.

NETDOM VERIFY machine [/Domain:domain] [/UserO:user] [/PasswordO:[password | *]] [/SecurePasswordPrompt]

NETDOM VERIFY Verifies the secure connection between a workstation and a domain controller

machine is the name of the computer whose secure connection is to be verified

/Domain
    Specifies the domain with which to verify the secure connection
/UserO
    User account used to make the connection with the machine to be verified
/PasswordO
    Password of the user account specified By /UserO.
    A * means to prompt for the password
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

NETDOM TIME machine [/Domain:domain] [/UserD:user] [/PasswordD:[[password | *]]]
            [/UserO:user] [/PasswordO:[password | *]] [/Verify] [/RESEt]
            [/SecurePasswordPrompt] [WORKSTATION] [SERVER]

NETDOM TIME Verifies or resets the time between a workstation and a domain controller

machine is the name of the computer to be have the time verified or reset

/Domain
    Specifies the domain which which to verify/reset the time
/UserD
    User account used to make the connection with the domain specified by the /Domain argument
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/UserO
    User account used to make the connection with the machine to which the time operation will be performed
/PasswordO
    Password of the user account specified by /UserO. A * means to prompt for the password
/Verify
    Verify the time against the domain controller
/RESEt
    Reset the time against the domain controller
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *
WORKSTATION
    Reset/Verify the time for all the workstations in a domain
SERVER
    Reset/Verify the time for all the domain controllers in a domain

NETDOM HELP command | MORE displays Help one screen at a time.

Parameter /Domain is required for this operation
Type the password associated with the domain user: %0
Type the password associated with the object user: %0
The command completed successfully but the machine was not restarted.
Shutting down due to a domain membership change initiated by %1.%0
The secure channel from %1 to the domain %2 has been verified.
The connection is with the machine %3.
The secure channel from %1 to %2 is invalid.
List of Organizational Units within which the specified user can create a machine account:
List of domain controllers with accounts in the domain:
List of workstations with accounts in the domain:
List of servers with accounts in the domain:
Primary domain controller for the domain:
%1 ( Workstation or Server )
Schema master %1%0
Domain naming master %1%0
PDC %1%0
RID pool manager %1%0
Infrastructure master %1%0

Verifying secure channel setup for domain members:
Machine Status/Domain Domain Controller
======= ============= =================

Resetting secure channel setup for domain members:
Machine Domain Domain Controller
======= ====== =================

\\%1!-20s! %2!-18s!%3
\\%1!-20s! ERROR! ( %2 )
The secure channel from %1 to the domain %2 has been reset. The connection is with the machine %3.
The secure channel from %1 to %2 was not reset.
<-> %1!-55s!%0
<- %1!-55s!%0
 -> %1!-55s!%0
Direct %0
Non-Windows%0
(Other) %0

Direction Trusted\Trusting domain Trust type
========= ======================= ==========

Direction Trusted\Trusting domain Trust type Status
========= ======================= ========== ======

Direction Trusted\Trusting domain Trust type
========= ======================= ==========

%1!-31s!
Verified
Broken
Not found
Access denied
<-> %1!-48s!%0
<- %1!-48s!%0
 -> %1!-48s!%0
 %1!-48s!%0
The trust between %1 and %2 has been successfully verified
The trust between %1 and %2 is invalid

Computer Status
======== ======

%1!-32s!%0
In Sync
Out Of Sync
Failed to reset the information for BDC %1 following an attempted rename operation. The machine is in an inconsistent state.
Try "NETDOM HELP" for more information.
If the domain no longer exists or is a non-Windows Kerberos Realm, you can use the /FORCE flag to remove the trust objects.
Trust not removed! This is a functional parent-child trust. It cannot be removed.
Trust not removed! This is a parent-child trust. The parent domain could not be contacted.
Trust not removed! This is a parent-child trust. If you are certain you want to remove this parent-child trust because the child domain no longer exists, run the command again and specify the /FORCE flag.
The trust between %1 and %2 has been successfully reset and verified
Resetting the trust passwords between %1 and %2
Cannot reset the trust passwords; both domains must be Windows 2000 domains.
Setting the trust password on domain %1 for its non-Windows trust to domain %2
Successfully set the trust password for the non-Windows trust to domain %1
This is not a non-Windows Kerberos realm trust
The trust is disabled (the trust direction is set to zero)
The secure channel verify on domain controller %1 for trusting domain %2 failed with the following error:
The attempt to contact the NetLogon service on domain controller %1 for a secure channel query of trusting domain %2 failed with the following error:
The secure channel reset on domain controller %1 for trusting domain %2 failed with the following error:
The attempt to contact the NetLogon service on domain controller %1 for a secure channel reset of trusting domain %2 failed with the following error:
The attempt to do a group look up on domain controller %1 for the Domain Admins group of trusting domain %2 failed with the following error:
The Kerberos protocol authentication of a client in domain %1 was successful on a server in domain %2
The user in domain %2 was not able to authenticate via the Kerberos protocol in domain %1.
%2 may trust %1 but the trust could not be verified using the Kerberos protocol because
The trust is not transitive.
The trust is transitive.
Setting the trust to transitive.
Setting the trust to non-transitive.
The trust is already transitive.
The trust is already non transitive.
A trust password must be specified using the /PasswordT command line argument.
The argument string supplied with the /OneSide parameter is incorrect. It must be either 'trusted' or 'trusting' (without the quotes).
Unable to contact the domain %1
You already have a connection to %1. Please disconnect it and then rerun the netdom command.
The machine account password for the local machine has been successfully reset.
The machine account password for the local machine could not be reset.
Type the password associated with the machine's former domain user: %0
The machine is already joined to domain %1
Indirect %0
SID filtering is not enabled for this trust. All SIDs presented in an authentication request from this domain will be honored.
SID filtering is enabled for this trust. Only SIDs from the trusted domain will be accepted for authorization data returned during authentication. SIDs from other domains will be removed.
Setting the trust to filter SIDs.
Setting the trust to not filter SIDs.
SID filtering is already enabled for this trust.
SID filtering is not enabled for this trust.
SID filtering can only be enabled on direct, outbound trusts. The trust to %1 is inbound-only.
SID history is enabled for this trust.
SID history is disabled for this trust.
SID history is already enabled for this trust.
Enabling SID history for this trust.
Disabling SID history for this trust.
SID history is already disabled for this trust.
This trust is marked as Forest Transitive.
This trust is not marked as Forest Transitive.
This trust is already marked as Forest Transitive.
Marking this trust as Forest Transitive.
Marking this trust as Not Forest Transitive.
This trust is already marked as Not Forest Transitive.
This trust is marked as Cross Organization.
This trust is not marked as Cross Organization.
This trust is already marked as Cross Organization.
Marking this trust as Cross Organization.
Marking this trust as Not Cross Organization.
This trust is already marked as Not Cross Organization.

NETDOM RENAMECOMPUTER machine /NewName:new-name
                      [/UserD:user [/PasswordD:[password | *]]]
                      [/UserO:user [/PasswordO:[password | *]]]
                      [/Force] [/REBoot[:Time in seconds]] [/SecurePasswordPrompt]

NETDOM RENAMECOMPUTER renames a computer. If the computer is joined to a domain, then the computer object in the domain is also renamed. Certain services, such as the Certificate Authority, rely on a fixed machine name. If any services of this type are running on the target computer, then a computer name change would have an adverse impact. This command should not be used to rename a domain controller.

machine is the name of the workstation or member server to be renamed

/NewName
    Specifies the new name for the computer. Both the DNS host label and the NetBIOS name are changed to new-name. If new-name is longer than 15 characters, the NetBIOS name is derived from the first 15 characters
/UserD
    User account used to make the connection with the domain. The domain can be specified as "/ud:domain\user". If domain is omitted, then the computer's domain is assumed.
/PasswordD
    Password of the user account specified by /UserD. A * means to prompt for the password
/UserO
    User account used to make the connection with the machine to be renamed. If omitted, then the currently logged on user's account is used. The user's domain can be specified as "/uo:domain\user". If domain is omitted, then a local computer account is assumed.
/PasswordO
    Password of the user account specified by /UserO. A * means to prompt for the password
/Force
    As noted above, this command can adversely affect some services running on the computer. The user will be prompted for confirmation unless the /FORCE switch is specified.
/REBoot
    Specifies that the machine should be shutdown and automatically rebooted after the Rename has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials.
    This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

NETDOM COMPUTERNAME machine [/UserO:user] [/PasswordO:[password | *]]
                    [/UserD:user] [/PasswordD:[password | *]] [/SecurePasswordPrompt]
                    /Add:<new-alternate-DNS-name>
                    | /Remove:<alternate-DNS-name>
                    | /MakePrimary:<computer-dns-name>
                    | /Enumerate[:{AlternateNames | PrimaryName | AllNames}]
                    | /Verify

NETDOM COMPUTERNAME manages the primary and alternate names for a computer. This command can safely rename a domain controller or a server.

machine
    The name of the computer whose names are to be managed.
/UserO
    User account used to make the connection with the machine to be managed
/PasswordO
    Password of the user account specified By /UserO. A * means to prompt for the password
/UserD
    User account used to make the connection with the domain of the machine to be managed
/PasswordD
    Password of the user account specified By /UserD. A * means to prompt for the password
/Add
    Specifies that a new alternate name should be added. The new name must be a fully qualified DNS name (FQDN - computer name followed by primary DNS suffix, such as comp1.example.com.).
/REMove
    Specifies that an existing alternate name should be removed. The name being removed must be a fully qualified DNS name (FQDN - computer name followed by primary DNS suffix, such as comp1.example.com.).
/MakePrimary
    Specifies that an existing alternate name should be made into the primary name. The name being made primary must be a fully qualified DNS name (FQDN - computer name followed by primary DNS suffix, such as comp1.example.com.).
/ENUMerate
    Lists the specified names. It defaults to AllNames.
/Verify
    Checks if there is a DNS A record and an SPN for each computer name.
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified.
    This option is only in effect when the password value is supplied as *

The computer name, %1, is too long. A valid computer name (DNS host label) can contain a maximum of %2!d! UTF-8 bytes.
The syntax of the new computer name, %1, is incorrect. A computer name (DNS host label) may contain letters (a-z, A-Z), numbers (0-9), and hyphens, but no spaces or periods (.).
The name '%1' does not conform to Internet Domain Name Service specifications, although it conforms to Microsoft specifications.
The computer name %1 contains one or more characters that could not be converted to a NetBIOS name.
The NetBIOS computer name %1 is a number. The name may not be a number. You must have at least one non-numeric character within the first %2!d! characters of the computer name.
The NetBIOS name of the computer name contains illegal characters. Illegal characters include "" / \\ [ ] : | < > + = ; , ? and *
The NetBIOS name of the computer is limited to %1!d! bytes. The NetBIOS name will be shortened to "%2".
This operation will rename the computer %1 to %2. Certain services, such as the Certificate Authority, rely on a fixed machine name. If any services of this type are running on %1, then a computer name change would have an adverse impact.
Active Directory Domain Services are being installed or removed on this computer. The computer name cannot be changed at this time.
This computer has not been restarted since Active Directory Domain Services were installed or removed. The computer name cannot be changed at this time.
The computer is a domain controller undergoing upgrade. You must complete the Active Directory Installation Wizard before you can change the computer name.
The Certification Authority Service is installed on this computer. You must remove that service before you can change the computer name.
The attempt to open the service control manager on %1 failed with error %2!d!. Unable to determine if the Certificate Authority service is installed.
The attempt to read the machine role information on %1 failed with error %2!d!. Unable to determine if the machine is in the midst of a role change or domain controller upgrade.
Unable to connect to the computer %1 The error code is %2!d!.
Shutting down due to a computer name change initiated by %1.%0
A name suffix index must be specified using the /ToggleSuffix command line argument.
The name suffix index specified using the /ToggleSuffix command line argument is outside the range of name indices listed by /ListSuffixes.
This command is implemented in adprop.dll. The local version of the library is incorrect and does not contain this command. Please install the correct version of adprop.dll.
This command is implemented in netapi32.dll. This file could not be loaded. Please ensure that the file netapi32.dll is present in the system folder.
This command is implemented in netapi32.dll. The local version of this library does not contain this command. Either the version of the library on this computer is incorrect or the command is not running on Windows XP or Windows Server 2003 or later which is required for this operation.
This command is implemented in dnsapi.dll. This file could not be loaded. Please ensure that the file dnsapi.dll is present in the system folder.
This command is implemented in dnsapi32.dll. The local version of this library does not contain this command. Either the version of the library on this computer is incorrect or the command is not running on Windows XP or Windows Server 2003 or later which is required for this operation.
Active Directory Domain Services already contain a Computer Account or a Server Object with the specified name: %1. If these objects are associated with an existing computer in the domain then this name cannot be made primary. If these objects are not associated with an existing computer, it may have been improperly renamed or removed from the domain.
Remove them from Active Directory Domain Services and retry the make primary operation. The following tools can be used to locate and remove these objects:
    For Computer Account - Active Directory Users and Computers.
    For Server Object - Active Directory Sites and Services.
The primary name for the computer is:
The alternate names for the computer are:
All of the names for the computer are:
Successfully added %1 as an alternate name for the computer.
Unable to add %1 as an alternate name for the computer. The error is:
Successfully removed %1 as an alternamte name for the computer.
Unable to remove %1 as an alternamte name for the computer. The error is:
Successfully made %1 the primary name for the computer. The computer must be rebooted for this name change to take effect. Until then this computer may not be able to authenticate users and other computers, and may not be authenticated by other computers in the forest. The specified new name was removed from the list of alternate computer names. The primary computer name will be set to the specified new name after the reboot.
Unable to make %1 the primary name for the computer. The error is:
The specified trust is not a Non-Windows Realm Trust. Adding and Removing TLNs and TLN Exculsions are only supported for Non-Windows Realm trusts.
The specified trust is not a Non-Windows Realm Trust. Changing this trust attribute is only supported for Non-Windows Realm trusts.
The computer needs to be restarted in order to complete the operation.

/Quarantine
    Valid only on an existing direct, outbound trust. Set or clear the domain quarantine attribute. Default is "no". When "yes" is specified, then only SIDs from the directly trusted domain will be accepted for authorization data returned during authentication. SIDS from any other domains will be removed. Specifying /Quarantine without yes or no will display the current state.
/NameSuffixes
    Valid only for a forest trust or a Forest Transitive Non-Windows Realm Trust.
    Lists the routed name suffixes for trust_name on the domain named by trusting_domain_name. The /UserO and /PasswordO values can be used for authentication. The /Domain parameter is not needed.
/ToggleSuffix
    Use with /NameSuffixes to change the status of a name suffix. The number of the name entry, as listed by a preceding call to /NameSuffixes, must be provided to indicate which name will have its status changed. Names that are in conflict cannot have their status changed until the name in the conflicting trust is disabled. Always precede this command with a /NameSuffixes command because LSA will not always return the names in the same order.
/EnableSIDHistory
    Valid only for an outbound, forest trust. Specifying "yes" allows users migrated to the trusted forest from any other forest, to use SID history to access resources in this forest. This should be done only if the trusted forest administrators can be trusted enough to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying "no" would disable the ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying /EnableSIDHistory without yes or no will display the current state.
/ForestTRANsitive
    Valid only for Active Directory Trusts and Non-Windows Realm Trusts, and can only be performed on the root domain for a forest. Specifying "yes" marks this trust as Forest Transitive. Specifying "no" marks this trust as Not Forest Transitive. Specifying /ForestTRANsitive without yes or no will display the current state of this trust attribute.
/SelectiveAUTH
    Valid only on outbound Forest and External trusts. Specifying "yes" enables selective authentication across this trust. Specifying "no" disables selective authentication across this trust. Specifying /SelectiveAUTH without yes or no will display the current state of this trust attribute.
/AddTLN
    Valid only for a Forest Transitive Non-Windows Realm Trust and can only be performed on the root domain for a forest. Adds the specified Top Level Name (DNS Name Suffix) to the Forest Trust Info for the specified trust. Also see the /NameSuffixes operation to list name suffixes.
/AddTLNEX
    Valid only for a Forest Transitive Non-Windows Realm Trust and can only be performed on the root domain for a forest. Adds the specified Top Level Name Exclusion (DNS Name Suffix) to the Forest Trust Info for the specified trust. Also see the /NameSuffixes operation to list name suffixes.
/RemoveTLN
    Valid only for a Forest Transitive Non-Windows Realm Trust and can only be performed on the root domain for a forest. Removes the specified Top Level Name (DNS Name Suffix) from the Forest Trust Info from the specified trust. Also see the /NameSuffixes operation to list name suffixes.
/RemoveTLNEX
    Valid only for a Forest Transitive Non-Windows Realm Trust and can only be performed on the root domain for a forest. Removes the specified Top Level Name Exclusion (DNS Name Suffix) from the Forest Trust Info from the specified trust. Also see the /NameSuffixes operation to list name suffixes.
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *
/EnableTgtDelegation
    Set to no to disable Kerberos full delegation on outbound forest trusts. This prevents services in the other forests from receiving forwarded TGTs. Warning: By setting EnableTgtDelegation to no, services in the other forests with "Trust this computer/user for delegation to any service" configured will not be able to use Kerberos full delegation with any account in this forest to any service.
/EnablePIMTrust
    Specifies whether to enable or disable Privileged Identity Management trust behaviors on this trust.
    In order to enable this trust attribute, the trust must first be marked as forest transitive. Specifying /EnablePIMTrust without yes or no will display the current state of this trust attribute.

Finding a domain controller for the domain %1
Creating a machine account for %1 in OU %2
Creating a machine account for %1
Establishing a session with %1
Deleting the session with %1
Removing machine account for %1
Setting LSA domain policy information on %1
Starting service %1
Stopping service %1
Configuring service %1
Adding domain account to local group %1
Removing domain account from local group %1
Joining domain %1
Failed to establish the session with %1
Failed to remove the machine account for %1
Establishing the secure channel with %1
The secure channel reset to %1 failed as the server does not support naming a Domain Controller. Establishing the secure channel with %2.
The secure channel could not be reset to the named server %1. A different domain controller was chosen.
Verifying the secure connection with domain %1
Removing trust account for %1
Opening the trusted domain object %1
Removing the trust object for %1
Opening secret object %1
Removing the secret object %1
Adding trust account for %1
Creating secret %1
Creating a trust with domain %1
Reading LSA domain policy information
Reading trusted domain information from %1
Setting trusted domain information on %1
Setting secret value for %1
Determining the list of Organizational Units the specified user can create a machine account under
Failed to determine the role of machine %1
Binding to LDAP server on machine %1
Unbinding from LDAP server
Sending the command to reboot %1
The domain %1 cannot be contacted.
Could not find the trusted domain object %1
Removing the cross-ref and sever objects for %1
Successfully removed the NTDS Settings object %1
Successfully removed the cross-ref object %1
Could not find or remove the NTDS-DSA object %1
Cound not find the cross-ref object %1
Verifying the trust between trusting domain %1 and trusted domain %2
Trust information for domain %1 written to domain %2
The machine %1 is not currently joined to a domain. Proceeding with joining it to domain %2.
Disabling the old machine account in domain %1
To improve the security of this external trust, security identifier (SID) filtering is enabled. However, if users have been migrated to the trusted domain and their SID histories have been preserved, you may choose to turn off this feature. For more information about SID filtering and how to turn it off, see the help for netdom trust /FilterSids or see Help and Support.
The computer rename attempt failed with error %1!d!.
This error can also result if one side of the trust is a forest trust and the other side is an external trust. To fix this problem you can remove the trust from one or both sides and then re-create the trust with the desired type. Use the Active Directory Domains & Trusts snap-in to create a forest trust.
The computer rename preparation procedure is available only if the functional level of the domain to which this computer is joined is Windows Server 2003 or higher.
Checking %1
The computer is not joined to a domain, thus there will be no SPN registrations to check.
The computer is not joined to a Windows 2000 or later domain, thus there will be no SPN registrations to check.
Reading the Service Principal Names listed for this computer which is joined to the domain %1.
Checking if the computer %1 is joined to a Windows 2000 or later domain.
Unable to read the SPNs for the computer from the Active Directory Domain Services.
Unable to read the SPNs for the computer from the Active Directory Domain Services. The supplied or current user credentials do not grant permission to read the directory.
Unable to read the primary name for the computer %1. The error is %2
Could not find a DNS registration for the computer name: %1 The error is: %2
Could not find a host Service Principal Name for the computer name: %1
Could not find the computer named: %1
Could not find a computer object in the Active Directory Domain Services with a SAM-Account-Name of %1$.
All of the computer's names have A records that are properly registered with DNS.
All of the computer's names have properly registered host Service Principal Names in the Active Directory Domain Services.
The host name label of this new alternate name is longer than %1!d! characters. If this name is made primary the new NetBIOS computer name will be truncated to "%2"
The specified alternate computer name "%1%" does not contain a dot. Although it is a valid DNS name, usually a DNS name consists of multiple labels, for example server1.microsoft.com. This field MUST contain the full DNS name of a computer.
The host name label of the new primary name is longer than %1!d! characters. The new NetBIOS computer name will be truncated to "%2"
The response is not valid. Program exiting.
The alternate computer name was not added.

NETDOM TRUST target_domain_name /Domain:trust_partner_domain_name
           /ResetOneSide
           /PasswordT:new_password_set_on_target_domain_side_only
           [/UserO:user] [/PasswordO:[password | *]]
           [/SecurePasswordPrompt]

NETDOM TRUST /ResetOneSide writes a new trust password on the target_domain_name for the trust with the trust_partner_domain_name. This command can be used to stop authentication between the target domain and the trust partner domain. This command would normally be used only in a forest recovery scenario.

target_domain_name
    Specifies the name of the domain on which the trust password is to be reset.
    This should be the DNS name or NetBIOS name of the domain.
/Domain
    Specifies the name of the domain with which the target domain has a trust relationship. This should be the DNS name or NetBIOS name of the domain.
/ResetOneSide
    Set the password (given by PasswordT) on one side of the trust (i.e. on the side of the target domain).
/PasswordT
    New trust password. This is set as both the current and the stored previous password, thus erasing the password history.
/UserO
    User account for making the connection with the target domain
/PasswordO
    Password of the user account specified by /UserO. A * means to prompt for a password
/SecurePasswordPrompt
    Use secure credentials popup to specify credentials. This option should be used when smartcard credentials need to be specified. This option is only in effect when the password value is supplied as *

Resetting the trust password on %1 for trust with %2.
The old machine account was not disabled in domain %1 because credentials for that domain were not specified on the command line.
Type the password associated with the computer account object: %0
A computer account password must be specified using the /PasswordM command line argument.
A domain controller must be specified using the /Domain command line argument. For example, /Domain:domain\dc
The /ReadOnly option cannot be used with /OU option.
Cannot rename remote server %1 because it is not joined to the AD environment.
TGT Delegation is enabled.
TGT Delegation is disabled.
Enabling TGT delegation.
Disabling TGT delegation.
TGT delegation is already enabled.
TGT delegation is already disabled.
PIM Trust is enabled.
PIM Trust is disabled.
Enabling PIM Trust.
Disabling PIM Trust.
PIM Trust is already enabled.
PIM Trust is already disabled.
Only non-windows or cross-forest trust types are valid for this operation.
A trust must first be marked as forest transitive before you can enable PIM.
Marking this trust as Not Forest Transitive.
Note, this will also disable PIM Trust.
Warning: enabling Kerberos full TGT delegation on outbound trusts is not recommended. See https://aka.ms/netdomtgtdelegation for more information.

VS_VERSION_INFO
StringFileInfo 040904B0
    CompanyName: Microsoft Corporation
    FileDescription: NETDOM5
    FileVersion: 6.3.9600.19343 (winblue_ltsb.190404-0600)
    InternalName: NETDOM.EXE
    LegalCopyright: Microsoft Corporation. All rights reserved.
    OriginalFilename: NETDOM.EXE.MUI
    ProductName: Microsoft Windows Operating System
    ProductVersion: 6.3.9600.19343