{
	"id": "8657dba8-93c6-41c1-9c40-57d09d0a7341",
	"created_at": "2026-04-06T15:53:37.601973Z",
	"updated_at": "2026-04-10T03:21:19.496998Z",
	"deleted_at": null,
	"sha1_hash": "e1fdce5d3aa4c2559e9f069ea9294c578bc23b0b",
	"title": "Netdom trust",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99431,
	"plain_text": "Netdom trust\r\nBy robinharwood\r\nArchived: 2026-04-06 15:47:46 UTC\r\nThe netdom trust command allows administrators to manage, establish, verify, or reset trust relationships\r\nbetween domains. It's available if you have the Active Directory Domain Services (AD DS) server role installed.\r\nIt's also available if you install the AD DS tools that are part of the Remote Server Administration Tools (RSAT).\r\nFor more information, see How to Administer Microsoft Windows Client and Server Computers Locally and\r\nRemotely.\r\nTo use netdom trust, you must run the command from an elevated command prompt.\r\nNote\r\nThe netdom trust command can't be used to create a forest trust between two AD DS forests. To create a cross-forest trust between two AD DS forests, use the Active Directory Domains and Trusts snap-in to create and\r\nmanage forest trusts. A scripting solution such as PowerShell is also an option for managing these types of\r\ntrusts if you need to automate the process.\r\nnetdom trust trusting_domain_name /Domain:trusted_domain_name [/UserD:user]\r\n [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]]\r\n [/Verify] [/Reset] [/PasswordT:new_realm_trust_password]\r\n [/Add] [/Remove] [/Twoway] [/Realm] [/Kerberos]\r\n [/Transitive[:{yes | no}]]\r\n [/OneSide:{trusted | trusting}] [/Force] [/Quarantine[:{yes | no}]]\r\n [/NameSuffixes:trust_name [/ToggleSuffix:#]]\r\n [/EnableSIDHistory[:{yes | no}]] [/ForestTransitive[:{yes | no}]]\r\n [/CrossOrganization[:{yes | no}]] [/AddTLN:TopLevelName]\r\n [/AddTLNEX:TopLevelNameExclusion] [/RemoveTLN:TopLevelName]\r\n [/RemoveTLNEX:TopLevelNameExclusion] [/SecurePasswordPrompt]\r\n [/EnableTgtDelegation[:{yes | no}]] [/EnablePIMTrust[:{yes | no}]]\r\n [/AuthTargetValidation[:{yes | no}]] [/ChildDomain:childdomainname]\r\n [/InvokeTrustScanner]\r\nParameter Description\r\n
\u003cTrustingDomainName\u003e Specifies the name of the trusting domain.\r\n/domain:\u003cTrustedDomainName\u003e\r\nSpecifies the name of the trusted domain or non-Windows realm. If not\r\nspecified, the current domain to which the current computer belongs is\r\nused.\r\nhttps://technet.microsoft.com/library/cc835085.aspx\r\nPage 1 of 6\n\n/userd:\u003cUser\u003e\r\nSpecifies the user account to use for the connection with the domain\r\nspecified using the /domain parameter. Defaults to the current user\r\naccount if not specified.\r\n/passwordd:\u003cPassword\u003e | *\r\nSpecifies the password for the user account used with /userd. Use * to\r\nprompt for the password.\r\n/usero:\u003cUser\u003e\r\nSpecifies the user account to use for the connection with the trusting\r\ndomain. Defaults to the current user account if not specified.\r\n/passwordo:\u003cPassword\u003e | *\r\nSpecifies the password for the user account used with /usero. Use * to\r\nprompt for the password.\r\n/verify Verifies the secure channel secrets for a specific trust relationship.\r\n/reset\r\nResets the trust secret between trusted domains or between the domain\r\ncontroller (DC) and the workstation.\r\n/passwordt:\u003cNewRealmTrustPassword\u003e\r\nSets a new trust password. This option is valid only with the /add or\r\n/reset parameters, and only if one of the specified domains is a non-Windows Kerberos realm. The trust password is configured on the\r\nWindows domain only, so credentials for the non-Windows domain aren't\r\nrequired.\r\n/add Creates a trust.\r\n/remove Removes a trust.\r\n/twoway Establishes a two-way trust relationship.\r\n/realm\r\nCreates the trust for a non-Windows Kerberos realm. Valid only with the\r\n/add parameter. The /passwordt parameter is required.\r\n/kerberos\r\nUses the Kerberos protocol to verify authentication between a workstation\r\nand the specified domain. Requires credentials for both the source and\r\ntarget domains.\r\n
/transitive:Yes | No\r\nApplies only to non-Windows Kerberos realm trusts. Use yes to make\r\nthe trust transitive, or no to make it non-transitive. If not specified,\r\ndisplays the current transitivity setting.\r\n/oneside:trusted | trusting\r\nSpecifies that the trust operation should be conducted on only one side of\r\nthe trust relationship. Use trusted to apply the operation to the domain\r\nspecified with the /domain parameter (the \"trusted\" domain), or use\r\ntrusting to apply it to the \"trusting\" domain. This option is only valid\r\nwith the /add and /remove parameters. When used with /add, the\r\n/passwordt parameter is also required.\r\n- Trusted Domain: This is the domain that is being trusted. In a trust\r\nrelationship, the trusting domain allows users from the trusted domain to\r\naccess its resources. The trusted domain's users are given certain\r\npermissions or access within the trusting domain.\r\n- Trusting Domain: This is the domain that trusts another domain (the\r\ntrusted domain). It essentially means that the trusting domain is extending\r\nits trust to the users of the trusted domain, allowing them to access\r\nresources within the trusting domain.\r\n/force\r\nRemoves both the trusted domain object and cross-reference object from\r\nthe forest. The full DNS name must be specified for the domain. Valid\r\nwith the /remove parameter; when specified, a child domain is removed.\r\n/quarantine:Yes | No\r\nSets or clears the domain quarantine attribute. If not specified, displays the\r\ncurrent state. Yes accepts only SIDs from the directly trusted domain.\r\nNo accepts any SID (default). Specifying /quarantine without an\r\noption displays the current state.\r\n/namesuffixes:\u003cTrustName\u003e\r\nLists the routed name suffixes for the specified trust. This parameter is\r\nvalid only for a forest trust or a forest transitive non-Windows realm trust.\r\nUse /usero and /passwordo for authentication if needed. The\r\n/domain parameter isn't required for this operation.\r\n
/togglesuffix:#\r\nUse this parameter with /namesuffixes to enable or disable a specific\r\nname suffix. Specify the number of the name entry as shown in the output\r\nof the preceding /namesuffixes command. You can't change the status of\r\nnames that are in conflict until the conflicting name in the other trust is\r\ndisabled. Always run /namesuffixes immediately before\r\n/togglesuffix because the order of name entries might change.\r\n/enablesidhistory:Yes | No\r\nEnables (Yes) or disables (No) the ability of migrated users in the trusted forest to\r\nuse SID history to access resources. Valid only for outbound forest trusts.\r\nOnly enable if you trust the administrators of the trusted forest. If an\r\noption isn't specified, the current state is displayed.\r\n/foresttransitive:Yes | No\r\nMarks the trust as forest transitive (yes) or not (no). Valid only for AD\r\ntrusts and non-Windows realm trusts, and only on the root domain of a forest.\r\nIf not specified, displays the current state.\r\n/selectiveauth:Yes | No\r\nEnables (Yes) or disables (No) selective authentication across the trust.\r\nValid only on outbound forest and external trusts. If not specified, displays\r\nthe current state.\r\n/addtln:\u003cTopLevelName\u003e\r\nAdds the specified top-level DNS name suffix to the forest trust info for\r\nthe trust. Valid only for a forest transitive non-Windows realm trust and\r\nonly on the root domain for a forest. Run /namesuffixes for a list of\r\nname suffixes.\r\n/addtlnex:\u003cTopLevelNameExclusion\u003e\r\nAdds the specified top-level name exclusion (DNS name suffix) to the\r\nforest trust info for the trust. Valid only for a forest transitive non-Windows realm trust and only on the root domain for a forest. Run\r\n/namesuffixes for a list of name suffixes.\r\n
/removetln:\u003cTopLevelName\u003e\r\nRemoves the specified top-level DNS name suffix from the forest trust\r\ninfo for the trust. Valid only for a forest transitive non-Windows realm\r\ntrust and only on the root domain for a forest. Run /namesuffixes for a\r\nlist of name suffixes.\r\n/removetlnex:\u003cTopLevelNameExclusion\u003e\r\nRemoves the specified top-level name exclusion (DNS name suffix) from\r\nthe forest trust info for the trust. Valid only for a forest transitive non-Windows realm trust and only on the root domain for a forest. Run\r\n/namesuffixes for a list of name suffixes.\r\n/securepasswordprompt\r\nOpens a secure credentials popup for entering credentials. This is useful\r\nwhen specifying smartcard credentials. This option is effective only when\r\nthe password is entered as *.\r\n/enabletgtdelegation:Yes | No\r\nEnables (Yes) or disables (No) Kerberos full delegation on outbound\r\nforest trusts. When set to No, Kerberos full delegation is blocked,\r\npreventing services in the other forest from receiving forwarded Ticket\r\nGranting Tickets (TGTs).\r\nDisabling this option means that services in the other forest configured for\r\n\"Trust this computer/user for delegation to any service\" aren't able to use\r\nKerberos full delegation with any account in this forest.\r\n/enablepimtrust:Yes | No\r\nEnables (Yes) or disables (No) Privileged Identity Management (PIM)\r\ntrust behaviors for this trust. The trust must be marked as forest transitive\r\nbefore enabling this attribute. If /enablepimtrust is specified without\r\nYes or No, the current state of this attribute is displayed.\r\n
/authtargetvalidation:Yes | No\r\nEnables (Yes) or disables (No) authentication target validation for\r\nauthentication requests on the specified trust. For forest trusts, you can\r\nlimit this setting to a specific child domain using the /childdomain\r\nparameter.\r\nDisabling this validation might expose your environment to security risks\r\nfrom the remote forest and should only be done when necessary.\r\n/childdomain:\u003cChildDomainName\u003e\r\nUse to target a child domain within a larger domain structure when\r\nperforming trust-related operations to ensure that the trust operation\r\napplies directly to the child domain. This parameter is useful in scenarios\r\nwhere precise control over trust relationships is needed within complex\r\ndomain environments.\r\n/invoketrustscanner\r\nInitiates a trust scan for the specified trusting domain. If the trusting\r\ndomain is set to *, all trusts are scanned. This command must be\r\nexecuted locally on the primary DC. The trust scanner typically runs\r\nautomatically. Use this command only for troubleshooting or support\r\npurposes.\r\nhelp | /? Displays help at the command prompt.\r\n
To set the domain USA-Chicago to trust the domain NorthAmerica, run the following command:\r\nnetdom trust USA-Chicago /domain:NorthAmerica /add /userd:NorthAmerica\\admin /passwordd:* /usero:USA-Chicago\\ad\r\nTo establish a two-way trust between the engineering.contoso.com domain and the marketing.contoso.com\r\ndomain, run the following command:\r\nnetdom trust engineering.contoso.com /domain:marketing.contoso.com /add /twoway /usero:admin@engineering.contos\r\nTo establish a one-way trust where the NorthAmerica domain trusts the non-Windows Kerberos realm\r\nATHENA, run the following command:\r\nnetdom trust NorthAmerica /domain:ATHENA /add /passwordt:* /realm\r\nNote\r\nVerifying a specific trust relationship requires credentials unless the user has domain administrator privileges on\r\nboth domains.\r\nIf you want to set the Kerberos realm ATHENA to trust the NorthAmerica domain, run the following command:\r\nnetdom trust NorthAmerica /domain:ATHENA /add /realm\r\nTo undo (remove) the trust that USA-Chicago has with NorthAmerica, run the following command:\r\nnetdom trust USA-Chicago /domain:NorthAmerica /remove\r\nTo reset the secure channel for the one-way trust between NorthAmerica and USA-Chicago, run the following\r\ncommand:\r\nnetdom trust USA-Chicago /domain:NorthAmerica /userd:NorthAmerica\\admin /passwordd:* /reset\r\nTo verify that the trust relationship between the MyDomain domain and the devgroup.example.com domain\r\nsupports Kerberos authentication, run the following command:\r\nnetdom trust MyDomain /domain:devgroup.example.com /verify /kerberos /userd:devgroup\\admin /passwordd:* /usero\r\nNote\r\nYou can't run this trust operation from a remote location. You must run the operation on the workstation that you\r\nwant to test.\r\n
To enable or disable the first routed name suffix in the list generated by the previous command, run the following\r\ncommand:\r\nnetdom trust myTestDomain /domain:foresttrustpartnerdomain /namesuffixes /togglesuffix:1\r\nYou can only add a DNS name suffix for a trust that is a forest transitive non-Windows realm trust. The same\r\nrestriction applies to the parameters for managing name suffix routing within a forest trust:\r\n/addtln\r\n/addtlnex\r\n/removetln\r\n/removetlnex\r\nCommand-Line Syntax Key\r\nSource: https://technet.microsoft.com/library/cc835085.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/library/cc835085.aspx"
	],
	"report_names": [
		"cc835085.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775490817,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1fdce5d3aa4c2559e9f069ea9294c578bc23b0b.pdf",
		"text": "https://archive.orkl.eu/e1fdce5d3aa4c2559e9f069ea9294c578bc23b0b.txt",
		"img": "https://archive.orkl.eu/e1fdce5d3aa4c2559e9f069ea9294c578bc23b0b.jpg"
	}
}