Active Directory Cookbook for Windows Server 2003 - P5

2.18.2.2 Using a command-line interface

> netdom trust <ADDomainDNSName> /Domain:<KerberosRealmDNSName>[RETURN]
/Realm /ADD /PasswordT:<TrustPassword>[RETURN]
[/UserO:<ADDomainAdminUser> /PasswordO:*]

The <TrustPassword> has to match what was set on the Kerberos side. To create a realm trust from the rallencorp.com domain to the Kerberos realm called kerb.rallencorp.com, use the following command:

> netdom trust rallencorp.com /Domain:kerb.rallencorp.com[RETURN]
/Realm /ADD /PasswordT:MyKerbRealmPassword[RETURN]
/UserO:administrator@rallencorp.com /PasswordO:*

2.18.3 Discussion

You can create a Kerberos realm trust between an Active Directory domain and a non-Windows Kerberos v5 realm. A realm trust can be used to allow clients from the non-Windows Kerberos realm to access resources in Active Directory, and vice versa. See Recipe 18.7 for more information on MIT Kerberos interoperability with Active Directory.

2.18.4 See Also

MS KB 260123 (Information on the Transitivity of a Kerberos Realm Trust) and MS KB 266080 (Answers to Frequently Asked Kerberos Questions)

Recipe 2.19 Viewing the Trusts for a Domain

2.19.1 Problem

You want to view the trusts for a domain.

2.19.2 Solution

2.19.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to view and select Properties.
3. Click on the Trusts tab.

2.19.2.2 Using a command-line interface

> netdom query trust /Domain:<DomainDNSName>

2.19.2.3 Using VBScript

' This code prints the trusts for the specified domain.
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>"   ' e.g. rallencorp.com
' END CONFIGURATION

' Trust Direction Constants - taken from NTSecAPI.h
set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
objTrustDirectionHash.Add "DIRECTION_INBOUND", 1
objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

' Trust Type Constants - taken from NTSecAPI.h
set objTrustTypeHash = CreateObject("Scripting.Dictionary")
objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
objTrustTypeHash.Add "TYPE_UPLEVEL", 2
objTrustTypeHash.Add "TYPE_MIT", 3
objTrustTypeHash.Add "TYPE_DCE", 4

' Trust Attribute Constants - taken from NTSecAPI.h
set objTrustAttrHash = CreateObject("Scripting.Dictionary")
objTrustAttrHash.Add "ATTRIBUTES_NON_TRANSITIVE", 1
objTrustAttrHash.Add "ATTRIBUTES_UPLEVEL_ONLY", 2
objTrustAttrHash.Add "ATTRIBUTES_QUARANTINED_DOMAIN", 4
objTrustAttrHash.Add "ATTRIBUTES_FOREST_TRANSITIVE", 8
objTrustAttrHash.Add "ATTRIBUTES_CROSS_ORGANIZATION", 16
objTrustAttrHash.Add "ATTRIBUTES_WITHIN_FOREST", 32
objTrustAttrHash.Add "ATTRIBUTES_TREAT_AS_EXTERNAL", 64

' Bind to the System container, where trustedDomain objects live
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrusts = GetObject("LDAP://cn=System," & _
                          objRootDSE.Get("defaultNamingContext") )
objTrusts.Filter = Array("trustedDomain")

Wscript.Echo "Trusts for " & strDomain & ":"
for each objTrust in objTrusts
   ' trustDirection and trustType hold exactly one value each
   for each strFlag In objTrustDirectionHash.Keys
      if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next
   for each strFlag In objTrustTypeHash.Keys
      if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next
   ' trustAttributes is a bit mask, so test each bit rather than
   ' comparing for equality (a forest trust with SID filtering has 8 + 4 set)
   for each strFlag In objTrustAttrHash.Keys
      if (objTrust.Get("trustAttributes") And objTrustAttrHash(strFlag)) <> 0 then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next
   WScript.Echo " " & objTrust.Get("trustPartner") & " : " & strTrustInfo
   strTrustInfo = ""
next

2.19.3 Discussion
2.19.3.1 Using a graphical user interface

You can view the properties of a particular trust by clicking on a trust and clicking the Properties button.

2.19.3.2 Using a command-line interface

You can include the /Direct switch if you want to view only direct-trust relationships. If you don't use /Direct, implicit trusts that occur due to transitive-trust relationships will also be listed.

2.19.3.3 Using VBScript

This script uses dictionary objects to ease the mapping of the various integer values for attributes, such as trustType and trustDirection, to descriptive names. A dictionary object in VBScript is analogous to a hash or associative array in other programming languages. The Add method accepts a key and value pair to add to the dictionary. The Keys method returns the keys of the dictionary as a collection. To access a value of the dictionary, you simply pass the key name as a parameter to the dictionary object, such as objDictionary( strKey ).

Another option to query trusts programmatically is with the Trustmon WMI Provider. The Trustmon Provider is new to Windows Server 2003. See Recipe 2.20 for an example.

2.19.4 See Also

The Introduction at the beginning of this chapter for attributes of trustedDomain objects, Recipe 2.20 for another way to query trusts programmatically, MS KB 228477 (HOW TO: Determine Trust Relationship Configurations), and MSDN: TRUSTED_DOMAIN_INFORMATION_EX

Recipe 2.20 Verifying a Trust

2.20.1 Problem

You want to verify that a trust is working correctly. This is the first diagnostics step to take if users notify you that authentication to a remote domain appears to be failing.

2.20.2 Solution

2.20.2.1 Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.
2. Click the Trusts tab.
3. Click the domain that is associated with the trust you want to verify.
4. Click the Edit button.
5. Click the Verify button.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.
2. Click the Trusts tab.
3. Click the domain that is associated with the trust you want to verify.
4. Click the Properties button.
5. Click the Validate button.

2.20.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]

2.20.2.3 Using VBScript

' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is only supported on Windows Server 2003.
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' END CONFIGURATION

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
   Wscript.Echo objTrust.TrustedDomain
   Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
   Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
   Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection
   Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
   Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
   Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
   Wscript.Echo " TrustType: " & objTrust.TrustType
   Wscript.Echo ""
next

' This code shows how to search specifically for trusts
' that have failed, which can be accomplished using a WQL query that
' contains the query: TrustIsOk = False
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' END CONFIGURATION

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("select * " _
                                 & " from Microsoft_DomainTrustStatus " _
                                 & " where TrustIsOk = False ")
if objTrusts.Count = 0 then
   Wscript.Echo "There are no trust failures"
else
   WScript.Echo "Trust Failures:"
   for each objTrust in objTrusts
      Wscript.Echo " " & objTrust.TrustedDomain & " : " & _
                   objTrust.TrustStatusString
      Wscript.Echo ""
   next
end if

2.20.3 Discussion

Verifying a trust consists of checking connectivity between the domains, and determining if the shared secrets of a trust are synchronized between the two domains.

2.20.3.1 Using a graphical user interface

The Active Directory Domains and Trusts screens have changed somewhat between Windows 2000 and Windows Server 2003. The Verify button has been renamed Validate.

2.20.3.2 Using a command-line interface

If you want to verify a Kerberos trust, use the /Kerberos switch with the netdom command.

2.20.3.3 Using VBScript

The WMI Trustmon Provider is new to Windows Server 2003. It provides a nice interface for querying and checking the health of trusts. One of the benefits of using WMI to access this kind of data is that you can use WQL, the WMI Query Language, to perform complex queries to find trusts that have certain properties. WQL is a subset of the Structured Query Language (SQL) commonly used to query databases. In the second VBScript example, I used WQL to find all trusts that have a problem. You could expand the query to include additional criteria, such as trust direction and trust type.

2.20.4 See Also

MSDN: Trustmon Provider

Recipe 2.21 Resetting a Trust

2.21.1 Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

2.21.2 Solution

2.21.2.1 Using a graphical user interface

Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if the Verify/Validate did not succeed.

2.21.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]

2.21.2.3 Using VBScript

' This code resets the specified trust.
' SCRIPT CONFIGURATION
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"
' Set to the DNS name of the source or trusting domain.
strDomain = "<TrustingDomain>"
' END CONFIGURATION

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
                             "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3   ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                                 & " from Microsoft_DomainTrustStatus " _
                                 & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
   Wscript.Echo objTrust.TrustedDomain
   Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
   Wscript.Echo " TrustedDCName: " & objTrust.TrustedDCName
   Wscript.Echo " TrustedDirection: " & objTrust.TrustDirection
   Wscript.Echo " TrustIsOk: " & objTrust.TrustIsOK
   Wscript.Echo " TrustStatus: " & objTrust.TrustStatus
   Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
   Wscript.Echo " TrustType: " & objTrust.TrustType
   Wscript.Echo ""
next

2.21.3 Discussion

Resetting a trust synchronizes the shared secrets (i.e., passwords) for the trust. The PDC in both domains is used to synchronize the password, so they must be reachable.

2.21.3.1 Using a command-line interface

If you are resetting a Kerberos realm trust, you'll need to specify the /PasswordT option with netdom.
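The flag decoding that the Recipe 2.19 VBScript does with dictionary objects, and the "TrustIsOk = False" query from the Recipe 2.20 Trustmon script, as one added Python example that is not from the book. It works on constructed trust records instead of a live domain (the domain names and status text are invented; the constants are the NTSecAPI.h values the book lists), and it goes one step beyond the VBScript by treating trustAttributes as a bit mask, so a trust with several attribute bits set decodes correctly.

```python
"""Decode Active Directory trust attributes and find unhealthy trusts.

Added example; this is not code from the Active Directory Cookbook. It models
the trustedDomain values the book's ADSI script reads and the
Microsoft_DomainTrustStatus fields its Trustmon script reads, using
constructed records rather than a live directory.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constants as listed in the book's VBScript (from NTSecAPI.h).
TRUST_DIRECTION = {
    0: "DIRECTION_DISABLED",
    1: "DIRECTION_INBOUND",
    2: "DIRECTION_OUTBOUND",
    3: "DIRECTION_BIDIRECTIONAL",
}
TRUST_TYPE = {1: "TYPE_DOWNLEVEL", 2: "TYPE_UPLEVEL", 3: "TYPE_MIT", 4: "TYPE_DCE"}
TRUST_ATTRIBUTES = {
    1: "ATTRIBUTES_NON_TRANSITIVE",
    2: "ATTRIBUTES_UPLEVEL_ONLY",
    4: "ATTRIBUTES_QUARANTINED_DOMAIN",   # SID filtering enabled (netdom /Quarantine Yes)
    8: "ATTRIBUTES_FOREST_TRANSITIVE",
    16: "ATTRIBUTES_CROSS_ORGANIZATION",
    32: "ATTRIBUTES_WITHIN_FOREST",
    64: "ATTRIBUTES_TREAT_AS_EXTERNAL",
}
KNOWN_ATTRIBUTE_BITS = sum(TRUST_ATTRIBUTES)


def decode_direction(value: int) -> str:
    """trustDirection holds exactly one of the four values, so a lookup suffices."""
    return TRUST_DIRECTION.get(value, f"UNKNOWN({value})")


def decode_type(value: int) -> str:
    """trustType likewise holds a single value."""
    return TRUST_TYPE.get(value, f"UNKNOWN({value})")


def decode_attributes(value: int) -> list[str]:
    """trustAttributes is a bit mask: a forest trust with SID filtering has
    8 | 4 = 12 set, which an equality test against 8 or against 4 would miss.
    Test each bit, and report any bit this table does not know about."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    leftover = value & ~KNOWN_ATTRIBUTE_BITS
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


@dataclass(frozen=True)
class TrustStatus:
    """One Microsoft_DomainTrustStatus row (the Trustmon fields the book prints)."""
    trusted_domain: str
    trust_direction: int
    trust_type: int
    trust_attributes: int
    trust_is_ok: bool
    trust_status_string: str


def describe(trust: TrustStatus) -> str:
    """Same output shape as the book's ADSI script: partner, then decoded flags."""
    flags = [decode_direction(trust.trust_direction), decode_type(trust.trust_type)]
    flags += decode_attributes(trust.trust_attributes)
    health = "OK" if trust.trust_is_ok else f"FAILED: {trust.trust_status_string}"
    return f"{trust.trusted_domain} : {' '.join(flags)} [{health}]"


def failed_trusts(trusts: list[TrustStatus]) -> list[tuple[str, str]]:
    """Equivalent of the WQL clause 'where TrustIsOk = False'."""
    return [(t.trusted_domain, t.trust_status_string) for t in trusts if not t.trust_is_ok]


def sid_filtering_enabled(trust: TrustStatus) -> bool:
    """True when the quarantine bit (4) is set, whatever other bits are present."""
    return bool(trust.trust_attributes & 4)


# Constructed sample records; the domain names and status text are invented.
SAMPLE_TRUSTS = [
    TrustStatus("kerb.example.test", 2, 3, 1, True, "The trust is functioning correctly"),
    TrustStatus("partner.example.test", 3, 2, 12, False, "Shared secret out of sync (constructed)"),
    TrustStatus("LEGACYNT", 1, 1, 0, True, "The trust is functioning correctly"),
]

if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        print(describe(t))
    print("Trust failures:", failed_trusts(SAMPLE_TRUSTS))
```

Run against real data, the records would come from the Trustmon query in Recipe 2.20 or from the trustedDomain objects in Recipe 2.19; the decoding logic is the same either way.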
2.21.4 See Also

Recipe 2.20 for verifying a trust

Recipe 2.22 Removing a Trust

2.22.1 Problem

You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.

2.22.2 Solution

2.22.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click on the trusting domain and select Properties.
3. Click the Trusts tab.
4. Click on the domain that is associated with the trust you want to remove.
5. Click the Remove button.
6. Click OK.

2.22.2.2 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]

2.22.2.3 Using VBScript

' This code deletes a trust in the specified domain.
' SCRIPT CONFIGURATION
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain = "<DomainDNSName>"
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")

' First object: the trustedDomain object in the System container
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName

' Second object: the trust account in the Users container. It is a user
' object (class "user", name suffixed with $), not a trustedDomain object.
set objTrustUser = GetObject("LDAP://cn=Users," & _
                             objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "user", "cn=" & strTrustName & "$"

WScript.Echo "Successfully deleted trust for " & strTrustName

2.22.3 Discussion

Trusts are stored in Active Directory as two objects: a trustedDomain object in the System container and a user object in the Users container. Both of these objects need to be removed when deleting a trust. The GUI and CLI solutions take care of that in one step, but in the VBScript example both objects needed to be explicitly deleted. It is also worth noting that each solution only deleted one side of the trust.
If the trust was to a remote AD forest or NT 4.0 domain, you also need to delete the trust in that domain.

Recipe 2.23 Enabling SID Filtering for a Trust

2.23.1 Problem

You want to enable Security Identifier (SID) filtering for a trust. By enabling SID filtering you can keep a hacker from spoofing a SID across a trust.

2.23.2 Solution

2.23.2.1 Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine Yes[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]

2.23.3 Discussion

A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history for a user, which could grant her elevated privileges in the trusting domain. The risk of this exploit is relatively low due to the complexity in forging a SID, but nevertheless, you should be aware of it. To prevent this from happening you can enable SID filtering for a trust. When SID filtering is enabled, the only SIDs that are used as part of a user's token are from the trusted domain itself. SIDs from other trusting domains are not included. SID filtering makes things more secure, but prevents the use of SID history and can cause problems with transitive trusts.

2.23.4 See Also

MS KB 289243 (MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000)

Recipe 2.24 Finding Duplicate SIDs in a Domain

2.24.1 Problem

You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.
2.24.2 Solution

2.24.2.1 Using a command-line interface

To find duplicate SIDs run the following command, replacing <DomainControllerName> with a domain controller or domain name:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q

The following message will be returned:

Duplicate SID check completed successfully. Check dupsid.log for any duplicates

The dupsid.log file will be in the directory where you started ntdsutil. If you want to delete any objects that have duplicate SIDs, you can use the following command:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q

Like the check command, the clean command will generate a message like the following upon completion:

Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicate

2.24.3 Discussion

All security principals in Active Directory have a SID, which is used to uniquely identify the object in the Windows security system. There are two parts of a SID, the domain identifier and the RID. Domain controllers are allocated a RID pool from the RID FSMO for the domain. When a new security principal (user, group, or computer) is created, the domain controller takes a RID from its pool to generate a SID for the account. In some rare circumstances, such as when the RID master role is seized, overlapping RID pools can be allocated, which can ultimately lead to duplicate SIDs. Having duplicate SIDs is a potentially hazardous problem because a user, group, or computer could gain access to sensitive data they were never intended to have access to.

2.24.4 See Also

MS KB 315062 (HOW TO: Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows 2000)
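Recipes 2.23 and 2.24 both rest on the structure of a SID: a domain identifier followed by a RID. The following added Python example, which is not from the book, parses SIDs, applies a simplified model of the SID-filtering rule stated in 2.23.3 (only SIDs from the trusted domain itself survive; it does not reproduce the full Windows LSA behaviour), finds duplicate SIDs in a list of principals as "check dup sid" would, and reports overlapping RID pools, the root cause described in 2.24.3. All SIDs, account names and pool ranges are constructed.

```python
"""SIDs across trusts: parse them, apply SID filtering, find duplicates.

Added example; not code from the Active Directory Cookbook. The SIDs,
account names and RID pools below are constructed, and filter_sids is a
simplified model of the rule the book states, not the Windows LSA.
"""
from __future__ import annotations

import re
from collections import defaultdict

# S-<revision>-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a textual SID into (domain identifier, RID): the last
    sub-authority is the RID, everything before it identifies the domain."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_id, _, rid = sid.rpartition("-")
    return domain_id, int(rid)


def filter_sids(token_sids: list[str], trusted_domain_sid: str) -> tuple[list[str], list[str]]:
    """Model of SID filtering on a quarantined trust: a SID is kept only if
    its domain identifier is the trusted domain's own.  Anything else, such
    as a trusting-domain group SID carried in sIDHistory, is discarded."""
    kept, dropped = [], []
    for sid in token_sids:
        domain_id, _ = parse_sid(sid)
        (kept if domain_id == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def find_duplicate_sids(principals: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {sid: [names]} for every SID held by more than one principal,
    the condition ntdsutil's 'check dup sid' reports in dupsid.log."""
    holders: dict[str, list[str]] = defaultdict(list)
    for name, sid in principals:
        holders[sid].append(name)
    return {sid: names for sid, names in holders.items() if len(names) > 1}


def overlapping_rid_pools(pools: dict[str, tuple[int, int]]) -> list[tuple[str, str]]:
    """Report pairs of domain controllers whose RID pools overlap; two DCs
    drawing RIDs from overlapping pools is how duplicate SIDs come about."""
    names = sorted(pools)
    clashes = []
    for i, a in enumerate(names):
        a_lo, a_hi = pools[a]
        for b in names[i + 1:]:
            b_lo, b_hi = pools[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


# Constructed sample data.
OUR_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
PARTNER_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

PRINCIPALS = [
    ("alice", f"{OUR_DOMAIN}-1105"),
    ("bob", f"{OUR_DOMAIN}-1106"),
    ("svc-backup", f"{OUR_DOMAIN}-1105"),   # same RID as alice: a duplicate SID
    ("carol", f"{OUR_DOMAIN}-1600"),
]

# Token presented by a partner-domain user, including a sIDHistory entry
# that claims membership of our Domain Admins (RID 512).
PARTNER_TOKEN = [
    f"{PARTNER_DOMAIN}-1104",   # the user
    f"{PARTNER_DOMAIN}-513",    # partner Domain Users
    f"{OUR_DOMAIN}-512",        # foreign SID that filtering must strip
]

# RID pools after a seized RID master handed out a range again (constructed).
RID_POOLS = {"dc1": (1100, 1599), "dc2": (1600, 2099), "dc3": (1500, 1999)}

if __name__ == "__main__":
    print("duplicate SIDs:", find_duplicate_sids(PRINCIPALS))
    print("filtered token:", filter_sids(PARTNER_TOKEN, PARTNER_DOMAIN))
    print("overlapping RID pools:", overlapping_rid_pools(RID_POOLS))
```

The filtering model shows why SID filtering breaks sIDHistory-based migration: any SID whose domain identifier is not the trusted domain's is dropped regardless of how it got into the token, which is exactly the trade-off 2.23.3 describes.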

Posted: 05/07/2014, 08:20
