Couldn't verify trust domain relationship between two forests via PowerShell\CMD

Arnold Mishaev 71 Reputation points
2022-05-29T09:37:20.92+00:00

Hi,

We've established a two-way trust relationship between two forests.
We've managed to validate the trust in the "Active Directory Domains and Trusts" tool, but when we try to verify the trust with the "netdom" command we get the following message:

[screenshot: netdom trust verification error message]

Does anyone know what causes this issue?

Is there any other, more modern PowerShell tool for checking trusts?


4 answers

  1. Ian Xue 39,186 Reputation points Microsoft Vendor
    2022-06-06T02:53:14.293+00:00

    Hi,

    Please use the /ud: parameter to specify the domain account that has domain administrator privileges.

    {/ud: | /userd:}[<Domain>\]<User>

    Specifies the user account to use to make the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, then netdom trust uses the current user account.

    /pd:{<Password>|*}

    Specifies the password of the user account that you specify in the /ud or /userd: parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.

    Please refer to this link for more details.
    Netdom trust

    Best Regards,
    Ian Xue


  2. Limitless Technology 39,791 Reputation points
    2022-06-06T07:54:28.983+00:00

    Hello ArnoldMishaev

    If access is denied for Netdom commands across a trust, you likely need to enable the Network access: Allow anonymous SID/Name translation group policy object on each domain controller.

    The GPO is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    Source - https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation

    The other option is that the Domain Admin account running the command has no privileges in the other domain; in that case you should add the credential from Domain A to the Domain Admins group on your domain controller of Domain B.


  3. Arnold Mishaev 71 Reputation points
    2022-06-06T15:12:36.327+00:00

    Hi @Ian Xue ,

    Thanks for your response.

    I'm checking the trust from domain B, and it still fails:

    [screenshot: netdom output from domain B]

  4. Arnold Mishaev 71 Reputation points
    2022-06-06T15:15:30.253+00:00

    Hi @Limitless Technology

    Thanks for your response.

    I did enable the "Network access: Allow anonymous SID/Name translation" policy on the DCs in both forests,
    and the issue is still the same.

    I also tried to run the test with the built-in Administrator user.

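The thread asks for a PowerShell way to check a forest trust and, in the first answer, points at running netdom with explicit credentials (/ud and /pd). The script below is an added example, not code from the thread or from Microsoft's netdom documentation: it reads the trust object with the ActiveDirectory module's Get-ADTrust and then verifies the trust secure channel through the .NET System.DirectoryServices.ActiveDirectory classes while authenticating to the remote domain with a supplied credential. The domain names are placeholders, and $RemoteCred is assumed to be an account with rights in the remote domain.

```powershell
# Added example (not from the thread): enumerate a forest trust and verify it
# with explicit credentials, the PowerShell/.NET counterpart of
#   netdom trust <TrustingDomain> /d:<TrustedDomain> /verify /ud:<Domain\User> /pd:*
# Domain names are placeholders; $RemoteCred plays the role of /ud and /pd.
param(
    [string]$LocalDomain  = 'forest-a.example',   # placeholder
    [string]$RemoteDomain = 'forest-b.example',   # placeholder
    [Parameter(Mandatory)][pscredential]$RemoteCred
)

# 1. What AD stores about the trust object (ActiveDirectory module).
#    Direction and ForestTransitive should match what "Active Directory Domains
#    and Trusts" shows; SIDFilteringQuarantined and SelectiveAuthentication
#    are the two settings that most often explain cross-forest access failures.
Import-Module ActiveDirectory
Get-ADTrust -Filter "Target -eq '$RemoteDomain'" -Server $LocalDomain |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined |
    Format-List

# 2. Verify the trust from the local domain towards the remote one, binding to
#    the remote domain with the supplied credential instead of the caller's token.
Add-Type -AssemblyName System.DirectoryServices
$ctxType   = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$remoteCtx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
    $ctxType, $RemoteDomain,
    $RemoteCred.UserName, $RemoteCred.GetNetworkCredential().Password)

$local  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$remote = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($remoteCtx)

try {
    # Throws if the trust is missing, the secure channel is broken, or the
    # account cannot authenticate to the remote domain (e.g. "Access is denied").
    $local.VerifyTrustRelationship($remote,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
    "Trust $($local.Name) <-> $($remote.Name): VERIFIED"
}
catch {
    # The exception text distinguishes an authentication/rights problem
    # (the /ud case from the first answer) from a broken trust channel.
    "Trust verification FAILED: $($_.Exception.Message)"
}
```

Run it from a DC or a machine with RSAT in the local forest; the Get-ADTrust output tells you how the trust is configured, while the VerifyTrustRelationship result tells you whether the secure channel actually works under the given credential.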