How To Determine Trust Relationship Configurations (228477)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q228477

SUMMARY

Multiple methods exist for administrators to view the configuration of trust relationships for the domain and perform maintenance on these relationships, both locally and remotely. This article discusses the different tools that can be used to view the configuration.


Using the Active Directory Domains and Trusts MMC Snap-in

To view the hierarchy and to view the trust relationships for a domain:
  1. Start the Active Directory Domains and Trusts tool. The tool automatically locates a domain controller to read trust relationship data from.
  2. An icon is displayed for the root domain of each tree in the forest. Expanding one of these nodes displays its child domains, if any exist. To view the trust relationships for a specific domain, right-click the domain, and then click Properties.
  3. Click the Trusts tab. For each domain that the selected domain trusts (a trusted domain) or is trusted by (a trusting domain), the type of trust relationship and whether or not it is transitive is displayed. Trusts can also be added or removed through the same interface. To view the details of a trust, or to reset a transitive (Windows 2000) trust, click the trust you want, and then click View/Edit.


Using the Active Directory Users and Computers MMC Snap-in

An administrator can view the trust relationships specific to a domain by using the Active Directory Users and Computers MMC snap-in:
  1. Start the Active Directory Users and Computers tool. Note that this tool defaults to the domain that you are logged on to.
  2. On the View menu, click Advanced.
  3. Expand the contents of the left pane, and then locate the System container.
  4. In the right pane, use the Type column to identify all objects with a type of "Trusted Domain". To view more information about the specifics of a given trust, right-click the object, and then click Properties. The detail information about this trust relationship is displayed in a dialog box where an administrator can also reset the trust if it is of the transitive type.


Using the NLTEST Tool

NLTEST is a Resource Kit utility you can use to display the current list of trusted domains known by a given server. For each domain listed, you can view the following data:

  • Trust Index (specific to each DC as the trusts are enumerated)
  • NetBIOS Domain Name of the Trusted Domain
  • DNS Domain Name of the Trusted Domain
  • Trust Type (NT 4, NT 5, MIT, or DCE)
  • Any of the following flags:

    • Direct Outbound: There is a direct trust relationship between the domain for the server queried and this domain.
    • Native: This domain is currently in native mode.
    • Primary Domain: This domain is the domain for the server that was used in the query.
    • Forest Tree Root: This domain represents the root of a tree in the forest.
    • Forest: index number: The parent of this domain in the forest is the entry with that index number in the same NLTEST list.
To run a query against a specific server, type nltest /server:<server name> /trusted_domains. For example, the following output might be displayed if a query is run against a domain controller in the root domain of the forest (in this example, the root domain is called root.com). Note that a domain reached only through a transitive trust, with no direct trust to the queried domain (GRANDCHILD below), is listed as an NT 5 entry without the Direct Outbound flag, and that a downlevel (NT 4) trust is listed by NetBIOS name only, because no DNS name is recorded for it.

Trusted domain list:

0: TESTDOMAIN testdomain.root.com (NT 5) (Forest: 3) (Direct Outbound)
1: CHILD child.root.com (NT 5) (Forest: 3) (Direct Outbound)
2: GRANDCHILD grandchild.child.root.com (NT 5) (Forest: 1)
3: ROOT root.com (NT 5) (Forest Tree Root) (Primary Domain)
4: NT4DOMAIN (NT 4) (Direct Outbound)
5: NEWROOT newroot.com (NT 5) (Forest Tree Root) (Direct Outbound) ( Attr: 0x800000 )
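
The NLTEST listing above is flat, and the "Forest: N" index is the only link between a child domain and its parent. The following script, an added example that is not part of the original article and not Microsoft code, parses saved nltest /trusted_domains output, follows the Forest: indexes back to the tree root, and labels each domain as the article's flag descriptions imply: the queried DC's own domain, a direct parent/child trust, a tree-root trust, a non-transitive downlevel trust, or a domain reachable only transitively. The sample text is constructed from the article's own listing so that the script runs offline; the Attr value is captured but not decoded, since the article does not describe its bits.

```python
"""Parse `nltest /server:<dc> /trusted_domains` output and rebuild the forest tree.

Added example, not code from the original article or from Microsoft. The sample
text below is constructed from the article's own output listing so the script
runs offline; the classification follows the flag meanings the article gives.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the article's listing for a DC in the root.com forest.
SAMPLE_NLTEST_OUTPUT = """\
Trusted domain list:

0: TESTDOMAIN testdomain.root.com (NT 5) (Forest: 3) (Direct Outbound)
1: CHILD child.root.com (NT 5) (Forest: 3) (Direct Outbound)
2: GRANDCHILD grandchild.child.root.com (NT 5) (Forest: 1)
3: ROOT root.com (NT 5) (Forest Tree Root) (Primary Domain)
4: NT4DOMAIN (NT 4) (Direct Outbound)
5: NEWROOT newroot.com (NT 5) (Forest Tree Root) (Direct Outbound) ( Attr: 0x800000 )
"""

# "<index>: <NetBIOS name> [<DNS name>] (<trust type>) (<flag>) ... [( Attr: 0x... )]"
LINE_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<netbios>\S+)"
    r"(?:\s+(?P<dns>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+))?"  # DNS name only if dotted
    r"\s+\((?P<type>[^)]+)\)(?P<rest>.*)$"
)
FLAG_RE = re.compile(r"\(\s*([^)]*?)\s*\)")


@dataclass
class TrustEntry:
    index: int
    netbios: str
    dns: Optional[str]
    trust_type: str                      # "NT 5", "NT 4", "MIT" or "DCE"
    flags: List[str] = field(default_factory=list)
    parent_index: Optional[int] = None   # from "(Forest: N)": index of the parent domain
    attributes: Optional[int] = None     # from "( Attr: 0x... )", kept raw, not decoded

    @property
    def direct(self) -> bool:
        return "Direct Outbound" in self.flags

    @property
    def primary(self) -> bool:
        return "Primary Domain" in self.flags


def parse_trusted_domains(text: str) -> List[TrustEntry]:
    """Turn the NLTEST listing into TrustEntry records; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = TrustEntry(int(m["index"]), m["netbios"], m["dns"], m["type"].strip())
        for flag in FLAG_RE.findall(m["rest"]):
            if flag.startswith("Forest:"):
                entry.parent_index = int(flag.split(":", 1)[1])
            elif flag.startswith("Attr:"):
                entry.attributes = int(flag.split(":", 1)[1], 16)
            else:
                entry.flags.append(flag)
        entries.append(entry)
    return entries


def parent_chain(entries: List[TrustEntry], index: int) -> List[int]:
    """Follow the "Forest: N" links from one entry up to its tree root (cycle-safe)."""
    by_index = {e.index: e for e in entries}
    chain = [index]
    while by_index[chain[-1]].parent_index is not None:
        nxt = by_index[chain[-1]].parent_index
        if nxt in chain:
            raise ValueError(f"cycle in Forest: indexes at entry {nxt}")
        chain.append(nxt)
    return chain


def classify(entries: List[TrustEntry]) -> Dict[str, str]:
    """Label each listed domain by how the queried DC's domain reaches it."""
    by_index = {e.index: e for e in entries}
    labels = {}
    for e in entries:
        if e.primary:
            label = "own domain"
        elif e.trust_type != "NT 5":
            # NT 4, MIT and DCE trusts are never transitive, so they are always direct.
            label = f"external {e.trust_type} trust, non-transitive"
        elif "Forest Tree Root" in e.flags:
            label = "root of another tree in the forest (tree-root trust)"
        elif e.direct:
            label = "direct parent/child trust"
        else:
            hops = " -> ".join(by_index[i].netbios for i in parent_chain(entries, e.index))
            label = f"transitive only, reached via {hops}"
        labels[e.netbios] = label
    return labels


if __name__ == "__main__":
    for name, label in classify(parse_trusted_domains(SAMPLE_NLTEST_OUTPUT)).items():
        print(f"{name:12} {label}")
```

Feed it the saved output of nltest from several domain controllers and diff the results: an entry that appears with Direct Outbound on one DC's listing but not another's, or a NetBIOS-only NT 4 entry nobody remembers creating, is worth a look before it is reset or removed.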



Using the ADSI Edit Tool

ADSI Edit is a Windows 2000 Resource Kit utility. To perform the following steps, you must install this tool.

  1. At a command prompt, type start adsiedit.msc to start an MMC console with the ADSI Edit tool already present. The left pane is populated with at least three nodes, one for each writable naming context, or partition, of the Active Directory: the default Domain, Schema, and Configuration naming contexts.
  2. Expand the Domain NC [dc=<your domain name>,dc=com] node in the left pane of the MMC console. Continue to expand this node until you locate and expand the node named CN=System.
  3. In the right pane, use the Class column to identify all objects with a type of trustedDomain. To get more information regarding the specifics of a given trust, right-click the object, and then click Properties.
  4. Click Both in the Select which properties to view box.
  5. Different data about the trust is kept in several key attributes of each trustedDomain object. The following are the key attributes to select in the Select a property to view box and their meanings:

    flatName: Contains the NetBIOS name of the domain for this Trust.
    trustDirection: Contains the direction of the established trust relationship.

    0=Disabled
    1=Inbound (the partner is the trusting domain: it trusts this domain)
    2=Outbound (the partner is the trusted domain: this domain trusts it)
    3=Both (the partner is both trusted and trusting)

    trustPartner: Contains a string that represents the DNS-style name of the domain if it is a Windows 2000 domain or the NetBIOS name of the domain if it is a downlevel trust.
    trustType: Contains the type of trust relationship established to the domain.

    1=Downlevel (Windows NT 4.0) trust
    2=Windows 2000 (uplevel) trust
    3=MIT (Kerberos realm)
    4=DCE
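
Reading these integers one object at a time in ADSI Edit does not scale, and the direction values are easy to invert. The following script, an added example that is not part of the original article and not Microsoft code, decodes the flatName, trustPartner, trustDirection and trustType attributes of every trustedDomain object in an LDIF export of the CN=System container and states who trusts whom from the exporting domain's point of view. It assumes the export was produced with ldifde (for example ldifde -f trusts.ldf -d "CN=System,DC=root,DC=com" -r "(objectClass=trustedDomain)" -l flatName,trustPartner,trustDirection,trustType) and that the exporting domain is root.com; the LDIF text is constructed, not a real export, and its third object is deliberately inconsistent (a downlevel trustType with a DNS-style trustPartner) to show the check the article's description of trustPartner makes possible.

```python
"""Decode trustedDomain objects from an LDIF export of the CN=System container.

Added example, not code from the original article or from Microsoft. The LDIF
below is constructed to resemble ldifde output for the root.com forest of the
article; LOCAL_DOMAIN and the ldifde command line are assumptions. The value
tables for trustDirection and trustType are the ones the article gives.
"""
import base64
from typing import Dict, List, Tuple

LOCAL_DOMAIN = "root.com"   # assumed: the domain the export was taken from

# Constructed sample: three trustedDomain objects. The third one is deliberately
# inconsistent (downlevel type, DNS-style partner name) to exercise check_trust().
SAMPLE_LDIF = """\
dn: CN=child.root.com,CN=System,DC=root,DC=com
changetype: add
objectClass: top
objectClass: leaf
objectClass: trustedDomain
flatName: CHILD
trustPartner: child.root.com
trustDirection: 3
trustType: 2

dn: CN=NT4DOMAIN,CN=System,DC=root,DC=com
changetype: add
objectClass: trustedDomain
flatName: NT4DOMAIN
trustPartner: NT4DOMAIN
trustDirection: 2
trustType: 1

dn: CN=partner.example,CN=System,DC=root,DC=com
changetype: add
objectClass: trustedDomain
flatName:: UEFSVE5FUg==
trustPartner: partner.example
trustDirection: 1
trustType: 1
"""

TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Both"}
TRUST_TYPE = {1: "Downlevel (Windows NT 4.0)", 2: "Uplevel (Windows 2000)",
              3: "MIT (Kerberos realm)", 4: "DCE"}


def parse_ldif(text: str) -> List[Dict[str, object]]:
    """Minimal LDIF reader: folded lines joined, '::' values base64-decoded,
    objectClass collected as a list, other attributes kept as single strings."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "objectClass":
            current.setdefault("objectClass", []).append(value)
        else:
            current[name] = value
    if current:
        entries.append(current)
    return entries


def describe_trust(obj: Dict[str, object], local: str = LOCAL_DOMAIN) -> Dict[str, str]:
    """Render one trustedDomain object as a who-trusts-whom statement."""
    partner = str(obj["trustPartner"])
    direction = int(str(obj["trustDirection"]))
    ttype = int(str(obj["trustType"]))
    access = []
    # Inbound (bit 1): the partner trusts us, so our accounts can be granted access there.
    if direction & 1:
        access.append(f"{local} accounts can be granted access in {partner}")
    # Outbound (bit 2): we trust the partner, so its accounts can be granted access here.
    if direction & 2:
        access.append(f"{partner} accounts can be granted access in {local}")
    return {
        "flatName": str(obj["flatName"]),
        "partner": partner,
        "direction": TRUST_DIRECTION.get(direction, f"unknown ({direction})"),
        "type": TRUST_TYPE.get(ttype, f"unknown ({ttype})"),
        "access": "; ".join(access) or "no access in either direction (disabled)",
    }


def check_trust(obj: Dict[str, object]) -> List[str]:
    """Consistency checks worth running over every trustedDomain object."""
    problems = []
    ttype = int(str(obj["trustType"]))
    direction = int(str(obj["trustDirection"]))
    partner = str(obj["trustPartner"])
    if ttype == 1 and "." in partner:
        problems.append("downlevel trust but trustPartner is a DNS-style name")
    if ttype == 2 and "." not in partner:
        problems.append("uplevel trust but trustPartner is not a DNS-style name")
    if direction == 0:
        problems.append("trust is disabled (trustDirection 0) but the object still exists")
    if direction not in TRUST_DIRECTION:
        problems.append(f"undefined trustDirection value {direction}")
    if ttype not in TRUST_TYPE:
        problems.append(f"undefined trustType value {ttype}")
    return problems


def audit(text: str, local: str = LOCAL_DOMAIN) -> List[Tuple[Dict[str, str], List[str]]]:
    """Describe and check every trustedDomain object in an LDIF export."""
    return [(describe_trust(o, local), check_trust(o))
            for o in parse_ldif(text) if "trustedDomain" in o.get("objectClass", [])]


if __name__ == "__main__":
    for summary, problems in audit(SAMPLE_LDIF):
        print(f"{summary['flatName']:10} {summary['direction']:8} {summary['type']}")
        print(f"           {summary['access']}")
        for p in problems:
            print(f"           WARNING: {p}")
```

An Inbound-only trust means the partner has agreed to honour accounts from this domain; an Outbound-only trust means this domain honours the partner's accounts, which is the direction that lets foreign principals be granted rights on local resources, so the outbound entries are the ones to review first.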



Modification Type: Minor
Last Reviewed: 7/15/2004
Keywords:kbhowto kbHOWTOmaster kbnetwork KB228477 kbAudITPro