????

Your IP : 18.188.100.195

Current Path : C:/Windows/SysWOW64/en-US/

Current File : C:/Windows/SysWOW64/en-US/netdom.exe.mui

MZ����@��� �!�L�!This program cannot be run in DOS mode.

$��<߱�R���R���R�U�����R�U�P���R�Rich��R�PEL�!�

�@ ��8.rdata�@@.rsrc� �@@�4
T88�4$��8.rdata8x.rdata$zzzdbg .rsrc$01 #��.rsrc$02 ��_��t_Fgk�0�I+�6Qq�Adz�n�4�0�H����������(�@�X�p�������������� 0 @ P ` p � � � � � � � � #���#���$��@%���%��t&��D'4�x( ��)��0*H�x+��8,z��,���H���MUI���K�jYNb�E���mܒL.�E��-S�j���MUIen-USHELPADDCOMPUTERNAMEJOINMOVEQUERYREMOVE
MOVENT4BDCRESETRESETPWDTRUSTVERIFYSYNTAXUserDUDPA PasswordDPDUserOUO PasswordOPOServerSOUVERBOSEDomainDRebootRebRealmReaVerifyVResetReseDirectDiAddARemoveRemTwoWayTKerberosKPDCSERVERWORKSTATIONDCOUFSMOTRUSTForceDC PasswordTPT
TransitiveTransOneSideOSUserFUF PasswordFPF
QuarantineNewNameToggleSuffixTSNameSuffixesNSH?MakePrimaryMPPA EnumerateEnumAlternateNamesPrimaryNameAllNamesResetOneSideROS
EXPERTHELPQEnableSIDHistoryESIDHForestTRANsitiveFTRAN
SelectiveAUTHSAUTHAddTLNATLNAddTLNEXATLNEX RemoveTLNRTLNRemoveTLNEXRTLNEXSecurePasswordPromptSPP PasswordMPMReadonlyROEnableTgtDelegationETDEnablePimTrustEPTAuthTargetValidationATVChildDomainCDInvokeTrustScannerITSTIMEFAre you sure you want to delete the trust to child domain %s (Y or N)?NetDomtrustedtrustingyesnoRENAMECOMPUTER Do you want to proceed (Y or N)?yn%*** Warning: role owner is undefined.+*** Warning: role owner is a deleted DC: %1-Required switch/parameter %1 is not specifiedPAA�( \J�.H/��,NETDOM [ ADD | COMPUTERNAME | HELP | JOIN | MOVE | QUERY | REMOVE |

PThe command completed successfully.

dThe command failed to complete successfully.

�NETDOM HELP command

-or-

NETDOM command /help

Commands available are:

NETDOM ADD NETDOM RESETPWD NETDOM RESET

NETDOM COMPUTERNAME NETDOM QUERY NETDOM TRUST

NETDOM HELP NETDOM REMOVE NETDOM VERIFY

NETDOM JOIN NETDOM MOVENT4BDC

NETDOM MOVE NETDOM RENAMECOMPUTER

NETDOM HELP SYNTAX explains how to read NET HELP syntax lines.

NETDOM HELP command | MORE displays Help one screen at a time.

Note that verbose output can be specified by including /VERBOSE with

any of the above netdom commands.

�SYNTAX

The following conventions are used to indicate command syntax:

- Capital letters represent words that must be typed as shown. Lower-

case letters represent names of items that may vary, such as filenames.

- The [ and ] characters surround optional items that can be supplied

with the command.

- The { and } characters surround lists of items. You must supply one

of the items with the command.

- The | character separates items in a list. Only one of the items can

be supplied with the command.

For example, in the following syntax, you must type NETDOM and

either SWITCH1 or SWITCH2. Supplying a name is optional.

NETDOM [name] {SWITCH1 | SWITCH2}

- The [...] characters mean you can repeat the previous item.

Separate items with spaces.

- The [,...] characters mean you can repeat the previous item, but

you must separate items with commas or semicolons, not spaces.

- When typed at the command prompt, names of two words or more must

be enclosed in quotation marks. For example,

NETDOM ADD "/OU:OU=MY OU,DC=Domain,DC=COM"

LThe parameter %1 was unexpected.

HThe syntax of this command is:

NETDOM ADD machine [/Domain:domain] [/UserD:user] [/PasswordD:[password | *]]

[/Server:server] [/OU:ou path] [/DC] [/SecurePasswordPrompt]

NETDOM ADD Adds a workstation or server account to the domain.

machine is the name of the computer to be added

/Domain Specifies the domain in which to create the machine account

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified with /UserD. A * means

to prompt for the password

/Server Name of a specific domain controller that should be used to

perform the Add. This option cannot be used with the /OU

option.

/OU Organizational unit under which to create the machine account.

This must be a fully qualified RFC 1779 DN for the OU. When

using this argument, you must be running directly on a domain

controller for the specified domain.

If this argument is not included, the account will be created

under the default organization unit for machine objects for

that domain.

/DC Specifies that a domain controller's machine account is to be

created. This option cannot be used with the /OU option.

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]

[/PasswordD:[password | *]]

[/UserO:user] [/PasswordO:[password | *]]

[/PasswordM:[password | *]]

[/ReadOnly]

[/REBoot[:Time in seconds]]

[/SecurePasswordPrompt]

NETDOM JOIN Joins a workstation or member server to the domain.

machine is the name of the workstation or member server to be joined

/Domain Specifies the domain which the machine should join. You

can specify a particular domain controller by entering

/Domain:domain\dc. When /ReadOnly option is used, you

must specify a domain controller.

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means

to prompt for the password

/UserO User account used to make the connection with the machine to

be joined

/PasswordO Password of the user account specified by /UserO. A * means

to prompt for the password

/OU Organizational unit under which to create the machine account.

This must be a fully qualified RFC 1779 DN for the OU.

If not specified, the account will be created under the default

organization unit for machine objects for that domain.

/PasswordM Password of the pre-created computer account, whose name is

specified by the machine parameter. A * means to prompt

for the password. This option must be used with /ReadOnly

option.

/ReadOnly Perform a domain join using a pre-created computer account and

without performing any writes to a domain controller. This

option therefore, does not require a writable domain controller.

You must specify the domain controller (using /Domain option)

and computer account password (using /PasswordM option)

when the option is used. This option cannot be used with /OU

option.

/REBoot Specifies that the machine should be shutdown and automatically

rebooted after the Join has completed. The number of seconds

before automatic shutdown can also be provided. Default is

30 seconds

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

Windows Professional machines with the ForceGuest setting enabled (which is the

default for machines not joined to a domain during setup) cannot be remotely

administered. Thus the join operation must be run directly on the machine

when the ForceGuest setting is enabled.

When joining a machine running Windows NT version 4 or before to the domain

the operation is not transacted. Thus, a failure during the operation could

leave the machine in an undetermined state with respect to the domain it is

joined to.

The act of joining a machine to the domain will create an account for the

machine on the domain if it does not already exist.

�

NETDOM MOVE machine /Domain:domain [/OU:ou path]

[/UserD:user] [/PasswordD:[password | *]]

[/UserO:user] [/PasswordO:[password | *]]

[/UserF:user] [/PasswordF:[password | *]]

[/REBoot[:Time in seconds]]

[/SecurePasswordPrompt]

NETDOM MOVE Moves a workstation or member server to a new domain

machine is the name of the workstation or member server to be moved

/Domain Specifies the domain to which the machine should be moved. You

can specify a particular domain controller by entering

/Domain:domain\dc. If you specify a domain controller, you

must also include the user's domain. For

example: /UserD:domain\user

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means

to prompt for the password

/UserO User account used to make the connection with the machine to

be moved

/PasswordO Password of the user account specified by /UserO. A * means

to prompt for the password

/UserF User account used to make the connection with the machine's

former domain (with which the machine had been a member before

the move). Needed to disable the old machine account.

/PasswordF Password of the user account specified by /UserF. A * means

to prompt for the password

/OU Organizational unit under which to create the machine account.

This must be a fully qualified RFC 1779 DN for the OU.

If not specified, the account will be created under the default

organization unit for machine objects for that domain.

/REBoot Specifies that the machine should be shutdown and automatically

rebooted after the Move has completed. The number of seconds

before automatic shutdown can also be provided. Default is

30 seconds

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

When moving a downlevel (Windows NT version 4 or before) machine to a new

domain, the operation is not transacted. Thus, a failure during the operation

could leave the machine in an undetermined state with respect to the domain it

is joined to.

When moving a machine to a new domain, the old computer account in the

former domain is not deleted. If credentials are supplied for the former

domain, the old computer account will be disabled.

The act of moving a machine to a new domain will create an account for the

machine on the domain if it does not already exist.

�

NETDOM QUERY [/Domain:domain] [/Server:server]

[/UserD:user] [/PasswordD:[password | *]]

[/Verify] [/RESEt] [/Direct] [/SecurePasswordPrompt]

WORKSTATION | SERVER | DC | OU | PDC | FSMO | TRUST

NETDOM QUERY Queries the domain for information

/Domain Specifies the domain on which to query for the information

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means

to prompt for the password

/Server Name of a specific domain controller that should be used to

perform the query.

/Verify For computers, verifies that the secure channel between the

computer and the domain controller is operating properly.

For trusts, verifies that the the trust between domains is

operating properly. Only outbound trust will be verified. The

user must have domain administrator credentials to get

correct verification results.

/RESEt Resets the secure channel between the computer and the domain

controller; valid only for computer enumeration

/Direct Applies only for a TRUST query, lists only the direct trust

links and omits the domains indirectly trusted through

transitive links. Do not use with /Verify.

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

WORKSTATION Query the domain for the list of workstations

SERVER Query the domain for the list of servers

DC Query the domain for the list of Domain Controllers

OU Query the domain for the list of Organizational Units under

which the specified user can create a machine object

PDC Query the domain for the current Primary Domain Controller

FSMO Query the domain for the current list of FSMO owners

TRUST Query the domain for the list of its trusts

The trust verify command checks only direct, outbound, Windows trusts. To

verify an inbound trust, use the NETDOM TRUST command which allows you to

specify credentials for the trusting domain.

�

NETDOM REMOVE machine [/Domain:domain] [/UserD:user]

[/PasswordD:[password | *]]

[/UserO:user] [/PasswordO:[password | *]]

[/REBoot[:Time in seconds]] [/Force]

[/SecurePasswordPrompt]

NETDOM REMOVE Removes a workstation or server from the domain.

machine is the name of the computer to be removed

/Domain Specifies the domain in which to remove the machine

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means

to prompt for the password

/UserO User account used to make the connection with the machine to be

removed

/PasswordO Password of the user account specified By /UserO. A * means

to prompt for the password

/REBoot Specifies that the machine should be shutdown and automatically

rebooted after the Remove has completed. The number of seconds

before automatic shutdown can also be provided. Default is

30 seconds

/Force Forces the unjoin of the machine from the domain even if the

domain is not found or does not contain the matching computer

object.

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

XNETDOM MOVENT4BDC machine [/Domain:domain] [/REBoot[:Time in seconds]]

NETDOM MOVENT4BDC Renames NT4 backup domain controllers (moves it to a new

domain)

machine is the name of the backup Domain Controller to be renamed

/Domain Specifies the new name of the domain

/REBoot Specifies that the machine should be shutdown and automatically

rebooted after the Rename has completed. The number of seconds

before automatic shutdown can also be provided. Default is

30 seconds

TNETDOM RESET machine [/Domain:domain] [/Server:server]

[/UserO:user] [/PasswordO:[password | *]] [/SecurePasswordPrompt]

NETDOM RESET Resets the secure connection between a workstation and a domain

controller

machine is the name of the computer to be have the secure connection reset

/Domain Specifies the domain with which to establish the secure

connection

/Server Name of a specific domain controller that should be used to

establish the secure connection.

/UserO User account used to make the connection with the machine to

be reset

/PasswordO Password of the user account specified By /UserO. A * means

to prompt for the password

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

TNETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

[/SecurePasswordPrompt]

NETDOM RESETPWD Resets the machine account password for the domain controller

on which this command is run. Currently there is no support for resetting

the machine password of a remote machine or a member server. All parameters

must be specified.

/Server Name of a specific domain controller that should have its

machine account password reset.

/UserD User account used to make the connection with the domain

controller specified by the /Server argument.

/PasswordD Password of the user account specified with /UserD. A * means

to prompt for the password

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

p#NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name [/UserD:user]

[/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]]

[/Verify] [/RESEt] [/PasswordT:new_realm_trust_password]

[/Add] [/REMove] [/Twoway] [/REAlm] [/Kerberos]

[/Transitive[:{yes | no}]]

[/OneSide:{trusted | trusting}] [/Force] [/Quarantine[:{yes | no}]]

[/NameSuffixes:trust_name [/ToggleSuffix:#]]

[/EnableSIDHistory[:{yes | no}]]

[/ForestTRANsitive[:{yes | no}]]

[/CrossORGanization[:{yes | no}]]

[/AddTLN:TopLevelName]

[/AddTLNEX:TopLevelNameExclusion]

[/RemoveTLN:TopLevelName]

[/RemoveTLNEX:TopLevelNameExclusion]

[/SecurePasswordPrompt]

[/EnableTgtDelegation[:{yes | no}]]

[/EnablePIMTrust[:{yes | no}]]

[[/AuthTargetValidation[:{yes | no}] [/ChildDomain:childdomainname]]

[/InvokeTrustScanner]

NETDOM TRUST Manages or verifies the trust relationship between domains

trusting_domain_name is the name of the trusting domain

/Domain Specifies the name of the trusted domain or Non-Windows

Realm.

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A *

means to prompt for the password

/UserO User account for making the connection with the trusting

domain

/PasswordO Password of the user account specified By /UserO. A *

means to prompt for the password

/Verify Verifies that the trust is operating properly

/RESEt Resets the trust passwords between two domains. The

domains can be named in any order. Reset is not valid

on a trust to a Kerberos realm unless the /PasswordT

parameter is included.

/PasswordT New trust password, valid only with the /Add or /RESEt

options and only if one of the domains specified is a

non-Windows Kerberos realm. The trust password is set on

the Windows domain only and thus credentials are not

needed for the non-Windows domain.

/Add Specifies that a trust be created.

/REMove Specifies that a trust be removed.

/Twoway Specifies that a trust relationship should be

bidirectional

/OneSide Indicates that the trust be created for or removed from

only one of the domains in the trust.

Use the keyword "trusted" to create or remove the trust

from the trusted domain (the domain named with the /D

parameter). Use the keyword "trusting" to create or

remove the trust from the trusting domain. This command is

valid only with the /Add and /REMove options and requires

the /PasswordT command when used with the /Add option.

/REAlm Indicates that the trust is to be created to a non-Windows

Kerberos realm. Valid only with the /Add option. The

/PasswordT option is required.

/TRANSitive Valid only for a non-Windows Kerberos realm. Specifying

"yes" sets it to a transitive trust. Specifying "no" sets

it to a non-transitive trust. If neither is specified,

then the current transitivity state will be displayed.

/Kerberos Specifies that the Kerberos authentication protocol should

be verified between a domain or workstation and a target

domain; You must supply user accounts and passwords for

both the object and target domain.

/Force Valid with the /REMove option. Forces the removal of the

trust (and cross-ref) objects on one domain even if the

other domain is not found or does not contain matching

trust objects. You must use the full DNS name to specify

the domain.

CAUTION: this option will completely remove a child domain.

NETDOM VERIFY machine [/Domain:domain] [/UserO:user]

[/PasswordO:[password | *]] [/SecurePasswordPrompt]

NETDOM VERIFY Verifies the secure connection between a workstation and a domain

controller

machine is the name of the computer whose secure connection is to be verified

/Domain Specifies the domain with which to verify the secure connection

/UserO User account used to make the connection with the machine to be

verified

/PasswordO Password of the user account specified By /UserO. A * means

to prompt for the password

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

�NETDOM TIME machine [/Domain:domain] [/UserD:user]

[/PasswordD:[[password | *]]] [/UserO:user]

[/PasswordO:[password | *]] [/Verify] [/RESEt]

[/SecurePasswordPrompt]

[WORKSTATION] [SERVER]

NETDOM TIME Verifies or resets the time between a workstation and a domain

controller

machine is the name of the computer to be have the time verified or reset

/Domain Specifies the domain which which to verify/reset the time

/UserD User account used to make the connection with the domain

specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means

to prompt for the password

/UserO User account used to make the connection with the machine to

which the time operation will be performed

/PasswordO Password of the user account specified by /UserO. A * means

to prompt for the password

/Verify Verify the time against the domain controller

/RESEt Reset the time against the domain controller

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

WORKSTATION Reset/Verify the time for all the workstations in a domain

SERVER Reset/Verify the time for all the domain controllers in a

domain

�

NETDOM HELP command | MORE displays Help one screen at a time.

lParameter /Domain is required for this operation

tType the password associated with the domain user: %0

tType the password associated with the object user: %0

�The command completed successfully but the machine was not restarted.

�Shutting down due to a domain membership change initiated by %1.%0

�The secure channel from %1 to the domain %2 has been verified. The connection

is with the machine %3.

dThe secure channel from %1 to %2 is invalid.

�List of Organizational Units within which the specified user can create a

machine account:

xList of domain controllers with accounts in the domain:

lList of workstations with accounts in the domain:

dList of servers with accounts in the domain:

\Primary domain controller for the domain:

L%1 ( Workstation or Server )

LSchema master %1%0

LDomain naming master %1%0

LPDC %1%0

LRID pool manager %1%0

LInfrastructure master %1%0

|Verifying secure channel setup for domain members:

Machine Status/Domain Domain Controller

======= ============= =================

|Resetting secure channel setup for domain members:

Machine Domain Domain Controller

======= ====== =================

@\\%1!-20s! %2!-18s!%3

H\\%1!-20s! ERROR! ( %2 )

�The secure channel from %1 to the domain %2 has been reset. The connection is

with the machine %3.

hThe secure channel from %1 to %2 was not reset.

4<-> %1!-55s!%0

4<- %1!-55s!%0

4 -> %1!-55s!%0

$Direct %0

$Non-Windows%0

$(Other) %0

<Direction Trusted\Trusting domain Trust type

========= ======================= ==========

@Direction Trusted\Trusting domain Trust type Status

========= ======================= ========== ======

Direction Trusted\Trusting domain Trust type

========= ======================= ==========

t %1!-31s!

Verified

Broken

Not found

( Access denied

4<-> %1!-48s!%0

4<- %1!-48s!%0

4 -> %1!-48s!%0

4 %1!-48s!%0

�The trust between %1 and %2 has been successfully verified

XThe trust between %1 and %2 is invalid

8Computer Status

======== ======

%1!-32s!%0

` In Sync

` Out Of Sync

Failed to reset the information for BDC %1 following an attempted rename

operation. The machine is in an inconsistent state.

XTry "NETDOM HELP" for more information.

If the domain no longer exists or is a non-Windows Kerberos Realm, you can use

the /FORCE flag to remove the trust objects.

�Trust not removed! This is a functional parent-child trust. It cannot be

removed.

�Trust not removed! This is a parent-child trust. The parent domain could not

be contacted.

�Trust not removed! This is a parent-child trust. If you are certain you

want to remove this parent-child trust because the child domain no longer

exists, run the command again and specify the /FORCE flag.

�The trust between %1 and %2

has been successfully reset and verified

hResetting the trust passwords between %1 and %2

�Cannot reset the trust passwords; both domains must be Windows 2000 domains.

�Setting the trust password on domain %1

for its non-Windows trust to domain %2

�Successfully set the trust password for the non-Windows trust to

domain %1

hThis is not a non-Windows Kerberos realm trust

�The trust is disabled (the trust direction is set to zero)

�The secure channel verify on domain controller %1 for trusting domain

%2 failed with the following error:

8The attempt to contact the NetLogon service on domain controller %1

for a secure channel query of trusting domain

%2 failed with the following error:

�The secure channel reset on domain controller %1 for trusting domain

%2 failed with the following error:

8The attempt to contact the NetLogon service on domain controller %1

for a secure channel reset of trusting domain

%2 failed with the following error:

(The attempt to do a group look up on domain controller %1

for the Domain Admins group of trusting domain

%2 failed with the following error:

�The Kerberos protocol authentication of a client in domain %1

was successful on a server in domain %2

xThe user in domain %2 was not able

to authenticate via the Kerberos protocol in domain %1.

%2 may trust %1

but the trust could not be verified using the Kerberos protocol because

DThe trust is not transitive.

<The trust is transitive.

LSetting the trust to transitive.

TSetting the trust to non-transitive.

LThe trust is already transitive.

TThe trust is already non transitive.

�A trust password must be specified using the /PasswordT command line argument.

The argument string supplied with the /OneSide parameter is incorrect. It must

be either 'trusted' or 'trusting' (without the quotes).

HUnable to contact the domain %1

�You already have a connection to %1. Please disconnect it and then

rerun the netdom command.

�The machine account password for the local machine has been successfully reset.

�The machine account password for the local machine could not be reset.

�Type the password associated with the machine's former domain user: %0

`The machine is already joined to domain %1

$Indirect %0

SID filtering is not enabled for this trust. All SIDs presented in an

authentication request from this domain will be honored.

�SID filtering is enabled for this trust. Only SIDs from the trusted domain

will be accepted for authorization data returned during authentication. SIDs

from other domains will be removed.

LSetting the trust to filter SIDs.

TSetting the trust to not filter SIDs.

lSID filtering is already enabled for this trust.

dSID filtering is not enabled for this trust.

�SID filtering can only be enabled on direct, outbound trusts. The trust to %1

is inbound-only.

XSID history is enabled for this trust.

XSID history is disabled for this trust.

hSID history is already enabled for this trust.

TEnabling SID history for this trust.

TDisabling SID history for this trust.

hSID history is already disabled for this trust.

`This trust is marked as Forest Transitive.

hThis trust is not marked as Forest Transitive.

pThis trust is already marked as Forest Transitive.

\Marking this trust as Forest Transitive.

dMarking this trust as Not Forest Transitive.

xThis trust is already marked as Not Forest Transitive.

`This trust is marked as Cross Organization.

hThis trust is not marked as Cross Organization.

pThis trust is already marked as Cross Organization.

\Marking this trust as Cross Organization.

dMarking this trust as Not Cross Organization.

xThis trust is already marked as Not Cross Organization.

�NETDOM RENAMECOMPUTER machine /NewName:new-name

[/UserD:user [/PasswordD:[password | *]]]

[/UserO:user [/PasswordO:[password | *]]]

[/Force]

[/REBoot[:Time in seconds]]

[/SecurePasswordPrompt]

NETDOM RENAMECOMPUTER renames a computer. If the computer is joined to a

domain, then the computer object in the domain is also renamed. Certain

services, such as the Certificate Authority, rely on a fixed machine name.

If any services of this type are running on the target computer, then a

computer name change would have an adverse impact. This command should not

be used to rename a domain controller.

machine is the name of the workstation or member server to be renamed

/NewName Specifies the new name for the computer. Both the DNS host

label and the NetBIOS name are changed to new-name. If

new-name is longer than 15 characters, the NetBIOS name is

derived from the first 15 characters

/UserD User account used to make the connection with the domain.

The domain can be specified as "/ud:domain\user". If domain is

omitted, then the computer's domain is assumed.

/PasswordD Password of the user account specified by /UserD. A * means

to prompt for the password

/UserO User account used to make the connection with the machine to

be renamed. If omitted, then the currently logged on user's

account is used. The user's domain can be specified as

"/uo:domain\user". If domain is omitted, then a local computer

account is assumed.

/PasswordO Password of the user account specified by /UserO. A * means

to prompt for the password

/Force As noted above, this command can adversely affect some services

running on the computer. The user will be prompted for

confirmation unless the /FORCE switch is specified.

/REBoot Specifies that the machine should be shutdown and automatically

rebooted after the Rename has completed. The number of seconds

before automatic shutdown can also be provided. Default is

30 seconds

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

NETDOM COMPUTERNAME machine [/UserO:user] [/PasswordO:[password | *]]

[/UserD:user] [/PasswordD:[password | *]] [/SecurePasswordPrompt]

/Add:<new-alternate-DNS-name> | /Remove:<alternate-DNS-name>

| /MakePrimary:<computer-dns-name> |

/Enumerate[:{AlternateNames | PrimaryName | AllNames}] |

/Verify

NETDOM COMPUTERNAME manages the primary and alternate names for a computer.

This command can safely rename a domain controller or a server.

machine The name of the computer whose names are to be managed.

/UserO User account used to make the connection with the machine to be

managed

/PasswordO Password of the user account specified By /UserO. A * means

to prompt for the password

/UserD User account used to make the connection with the domain of

the machine to be managed

/PasswordD Password of the user account specified By /UserD. A * means

to prompt for the password

/Add Specifies that a new alternate name should be added. The new

name must be a fully qualified DNS name(FQDN - computer name

followed by primary DNS suffix, such as comp1.example.com.).

/REMove Specifies that an existing alternate name should be removed.

The name being removed must be a fully qualified DNS

name (FQDN - computer name followed by primary DNS suffix,

such as comp1.example.com.).

/MakePrimary Specifies that an existing alternate name should be made into

the primary name. The name being made primary must be a fully

qualified DNS name (FQDN - computer name followed by primary

DNS suffix, such as comp1.example.com.).

/ENUMerate Lists the specified names. It defaults to AllNames.

/Verify Checks if there is a DNS A record and an SPN for each computer

name.

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

�The computer name, %1,

is too long. A valid computer name (DNS host label) can contain a maximum

of %2!d! UTF-8 bytes.

pThe syntax of the new computer name, %1,

is incorrect. A computer name (DNS host label) may contain letters (a-z, A-Z),

numbers (0-9), and hyphens, but no spaces or periods (.).

The name '%1'

does not conform to Internet Domain Name Service specifications, although it

conforms to Microsoft specifications.

�The computer name %1

contains one or more characters that could not be converted to a NetBIOS name.

pThe NetBIOS computer name %1 is a number.

The name may not be a number. You must have at least one non-numeric

character within the first %2!d! characters of the computer name.

The NetBIOS name of the computer name contains illegal characters. Illegal

characters include "" / \\ [ ] : | < > + = ; , ? and *

�The NetBIOS name of the computer is limited to %1!d! bytes. The NetBIOS name

will be shortened to "%2".

pThis operation will rename the computer %1

to %2.

�Certain services, such as the Certificate Authority, rely on a fixed machine

name. If any services of this type are running on %1,

then a computer name change would have an adverse impact.

Active Directory Domain Services are being installed or removed on this computer. The computer

name cannot be changed at this time.

<This computer has not been restarted since Active Directory Domain Services were installed or

removed. The computer name cannot be changed at this time.

DThe computer is a domain controller undergoing upgrade. You must complete the

Active Directory Installation Wizard before you can change the computer name.

The Certification Authority Service is installed on this computer. You must

remove that service before you can change the computer name.

8The attempt to open the service control manager on %1

failed with error %2!d!. Unable to determine if the Certificate Authority

service is installed.

pThe attempt to read the machine role information on %1

failed with error %2!d!. Unable to determine if the machine is in the

midst of a role change or domain controller upgrade.

�Unable to connect to the computer %1

The error code is %2!d!.

�Shutting down due to a computer name change initiated by %1.%0

�A name suffix index must be specified using the /ToggleSuffix command line

argument.

$The name suffix index specified using the /ToggleSuffix command line argument

is outside the range of name indices listed by /ListSuffixes.

hThis command is implemented in adprop.dll. The local version of the library is

incorrect and does not contain this command. Please install the correct

version of adprop.dll.

8This command is implemented in netapi32.dll. This file could not be loaded.

Please ensure that the file netapi32.dll is present in the system folder.

TThis command is implemented in netapi32.dll. The local version of this library

does not contain this command.

Either the version of the library on this computer is incorrect or the command

is not running on Windows XP or Windows Server 2003 or later which is

required for this operation.

0This command is implemented in dnsapi.dll. This file could not be loaded.

Please ensure that the file dnsapi.dll is present in the system folder.

TThis command is implemented in dnsapi32.dll. The local version of this library

does not contain this command.

Either the version of the library on this computer is incorrect or the command

is not running on Windows XP or Windows Server 2003 or later which is

required for this operation.

Active Directory Domain Services already contain a Computer Account or a Server Object with

the specified name: %1.

If these objects are associated with an existing computer in the domain then

this name cannot be made primary.

If these objects are not associated with an existing computer, it may have

been improperly renamed or removed from the domain. Remove them from

Active Directory Domain Services and retry the make primary operation.

The following tools can be used to locate and remove these objects:

For Computer Account - Active Directory Users and Computers .

For Server Object - Active Directory Sites and Services .

TThe primary name for the computer is:

\The alternate names for the computer are:

XAll of the names for the computer are:

�Successfully added %1

as an alternate name for the computer.

�Unable to add %1

as an alternate name for the computer.

The error is:

�Successfully removed %1

as an alternamte name for the computer.

�Unable to remove %1

as an alternamte name for the computer.

The error is:

pSuccessfully made %1

the primary name for the computer. The computer must be rebooted for this name

change to take effect. Until then this computer may not be able to authenticate

users and other computers, and may not be authenticated by other computers in

the forest. The specified new name was removed from the list of alternate

computer names. The primary computer name will be set to the specified new

name after the reboot.

�Unable to make %1

the primary name for the computer.

The error is:

4The specified trust is not a Non-Windows Realm Trust. Adding and Removing TLNs and

TLN Exculsions are only supported for Non-Windows Realm trusts.

The specified trust is not a Non-Windows Realm Trust. Changing this trust attribute

is only supported for Non-Windows Realm trusts.

�The computer needs to be restarted in order to complete the operation.

$9/Quarantine Valid only on an existing direct, outbound trust. Set or

clear the domain quarantine attribute. Default is "no".

When "yes" is specified, then only SIDs from the directly

trusted domain will be accepted for authorization data

returned during authentication. SIDS from any other

domains will be removed. Specifying /Quarantine without

yes or no will display the current state.

/NameSuffixes Valid only for a forest trust or a Forest Transitive

Non-Windows Realm Trust . Lists the routed name suffixes

for trust_name on the domain named by trusting_domain_name.

The /UserO and /PasswordO values can be used for

authentication. The /Domain parameter is not needed.

/ToggleSuffix Use with /NameSuffixes to change the status of a name

suffix. The number of the name entry, as listed by a

preceding call to /NameSuffixes, must be provided to

indicate which name will have its status changed. Names

that are in conflict cannot have their status changed

until the name in the conflicting trust is disabled. Always

precede this command with a /NameSuffixes command because

LSA will not always return the names in the same order.

/EnableSIDHistory Valid only for an outbound, forest trust. Specifying "yes"

allows users migrated to the trusted forest from any other

forest, to use SID history to access resources in this

forest. This should be done only if the trusted forest

administrators can be trusted enough to specify SIDs of

this forest in the SID history attribute of their users

appropriately. Specifying "no" would disable the ability of

the migrated users in the trusted forest to use SID history

to access resources in this forest. Specifying

/EnableSIDHistory without yes or no will display the

current state.

/ForestTRANsitive Valid only for Active Directory Trusts and Non-Windows

Realm Trusts, and can only be performed on the root domain

for a forest.

Specifying "yes" marks this trust as Forest Transitive.

Specifying "no" marks this trust as Not Forest Transitive.

Specifying /ForestTRANsitive without yes or no will

display the current state of this trust attribute.

/SelectiveAUTH Valid only on outbound Forest and External trusts.

Specifying "yes" enables selective authentication across

this trust.

Specifying "no" disables selective authentication across

this trust.

Specifying /SelectiveAUTH without yes or no will display

the current state of this trust attribute.

/AddTLN Valid only for a Forest Transitive Non-Windows Realm Trust

and can only be performed on the root domain for a forest.

Adds the specified Top Level Name (DNS Name Suffix) to the

Forest Trust Info for the specified trust.

Also see the /NameSuffixes operation to list name suffixes.

/AddTLNEX Valid only for a Forest Transitive Non-Windows Realm Trust

and can only be performed on the root domain for a forest.

Adds the specified Top Level Name Exclusion (DNS Name

Suffix)to the Forest Trust Info for the specified trust.

Also see the /NameSuffixes operation to list name suffixes.

/RemoveTLN Valid only for a Forest Transitive Non-Windows Realm Trust

and can only be performed on the root domain for a forest.

Removes the specified Top Level Name (DNS Name Suffix) from

the Forest Trust Info from the specified trust.

Also see the /NameSuffixes operation to list name suffixes.

/RemoveTLNEX Valid only for a Forest Transitive Non-Windows Realm Trust

and can only be performed on the root domain for a forest.

Removes the specified Top Level Name Exclusion (DNS Name

Suffix)from the Forest Trust Info from the specified trust.

Also see the /NameSuffixes operation to list name suffixes.

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

/EnableTgtDelegation

Set to no to disable Kerberos full delegation on outbound

forest trusts. This prevents services in the other forests

from receiving forwarded TGTs. Warning: By setting

EnableTgtDelegation to no, services in the other forests

with "Trust this computer/user for delegation to any

service" configured will not be able to use Kerberos full

delegation with any account in this forest to any service.

/EnablePIMTrust

Specifies whether to enable or disable Privileged Identity

Management trust behaviors on this trust. In order to

enable this trust attribute, the trust must first be marked

as forest transitive.

Specifying /EnablePIMTrust without yes or no will display

the current state of this trust attribute.

/AuthTargetValidation

Specifies whether to enable or disable authentication target

validation for authentication requests on the specified trust.

For forest trusts, the setting can optionally be limited to a

specific child domain using the /ChildDomain parameter.

NOTE: disabling this validation opens you to an attack by the

remote forest and should only be done when necessary.

/InvokeTrustScanner

Requests that a trust scan operation be run for the specified

trusting domain. If the trusting domain is specified as '*'

all trusts will be scanned. This command must be run locally

on the PDC itself. Note that the trust scanner runs automatically

and this command is only intended for support scenarios.

dFinding a domain controller for the domain %1

`Creating a machine account for %1 in OU %2

LCreating a machine account for %1

HEstablishing a session with %1

DDeleting the session with %1

HRemoving machine account for %1

`Setting LSA domain policy information on %1

0Starting service %1

0Stopping service %1

8Configuring service %1

XAdding domain account to local group %1

`Removing domain account from local group %1

,Joining domain %1

XFailed to establish the session with %1

`Failed to remove the machine account for %1

XEstablishing the secure channel with %1

$The secure channel reset to %1 failed as the server does not

support naming a Domain Controller. Establishing the secure

channel with %2.

�The secure channel could not be reset to the named server %1.

A different domain controller was chosen.

hVerifying the secure connection with domain %1

DRemoving trust account for %1

TOpening the trusted domain object %1

LRemoving the trust object for %1

<Opening secret object %1

DRemoving the secret object %1

@Adding trust account for %1

0Creating secret %1

HCreating a trust with domain %1

TReading LSA domain policy information

`Reading trusted domain information from %1

\Setting trusted domain information on %1

@Setting secret value for %1

�Determining the list of Organizational Units the specified user can create a

machine account under

`Failed to determine the role of machine %1

TBinding to LDAP server on machine %1

@Unbinding from LDAP server

LSending the command to reboot %1

PThe domain %1 cannot be contacted.

`Could not find the trusted domain object %1

hRemoving the cross-ref and sever objects for %1

lSuccessfully removed the NTDS Settings object %1

dSuccessfully removed the cross-ref object %1

hCould not find or remove the NTDS-DSA object %1

XCound not find the cross-ref object %1

�Verifying the trust between trusting domain %1

and trusted domain %2

tTrust information for domain %1

written to domain %2

�The machine %1 is not currently joined to a domain.

Proceeding with joining it to domain %2.

hDisabling the old machine account in domain %1

To improve the security of this external trust, security identifier (SID)

filtering is enabled. However, if users have been migrated to the trusted

domain and their SID histories have been preserved, you may choose to turn

off this feature.

For more information about SID filtering and how to turn it off, see the help

for netdom trust /Quarantine or see Help and Support.

tThe computer rename attempt failed with error %1!d!.

tThis error can also result if one side of the trust is a forest trust and the

other side is an external trust. To fix this problem you can remove the trust

from one or both sides and then re-create the trust with the desired type. Use

the Active Directory Domains & Trusts snap-in to create a forest trust.

XThe computer rename preparation procedure is available only if the

functional level of the domain to which this computer is joined is

Windows Server 2003 or higher.

Checking %1

�The computer is not joined to a domain, thus there will be no SPN

registrations to check.

�The computer is not joined to a Windows 2000 or later domain, thus there will

be no SPN registrations to check.

�Reading the Service Principal Names listed for this computer which is joined

to the domain %1.

�Checking if the computer %1

is joined to a Windows 2000 or later domain.

�Unable to read the SPNs for the computer from the Active Directory Domain Services.

dUnable to read the SPNs for the computer from the Active Directory Domain Services. The

supplied or current user credentials do not grant permission to read the

directory.

�Unable to read the primary name for the computer %1.

The error is %2

�Could not find a DNS registration for the computer name:

The error is: %2

�Could not find a host Service Principal Name for the computer name:

TCould not find the computer named: %1

�Could not find a computer object in the Active Directory Domain Services with a SAM-Account-

Name of %1$.

�All of the computer's names have A records that are properly registered

with DNS.

All of the computer's names have properly registered host Service Principal

Names in the Active Directory Domain Services.

\The host name label of this new alternate name is longer than %1!d!

characters. If this name is made primary the new NetBIOS computer

name will be truncated to

"%2"

�The specified alternate computer name "%1%" does not contain a dot.

Although it is a valid DNS name, usually a DNS name consists of multiple

labels, for example server1.microsoft.com. This field MUST contain the full

DNS name of a computer.

The host name label of the new primary name is longer than %1!d!

characters. The new NetBIOS computer name will be truncated

to "%2"

`The response is not valid. Program exiting.

`The alternate computer name was not added.

`NETDOM TRUST target_domain_name /Domain:trust_partner_domain_name

/ResetOneSide

/PasswordT:new_password_set_on_target_domain_side_only

[/UserO:user] [/PasswordO:[password | *]]

[/SecurePasswordPrompt]

NETDOM TRUST /ResetOneSide writes a new trust password on the

target_domain_name for the trust with the trust_partner_domain_name. This

command can be used to stop authentication between the target domain and the

trust partner domain. This command would normally be used only in a forest

recovery scenario.

target_domain_name Specifies the name of the domain on which the trust

password is to be reset. This should be the DNS name

or NetBIOS name of the domain.

/Domain Specifies the name of the domain with which the target

domain has a trust relationship. This should be the

DNS name or NetBIOS name of the domain.

/ResetOneSide Set the password (given by PasswordT) on one

side of the trust (i.e. on the side of the

target domain).

/PasswordT New trust password. This is set as both the current

and the stored previous password, thus erasing the

password history.

/UserO User account for making the connection with the

target domain

/PasswordO Password of the user account specified by /UserO.

A * means to prompt for a password

/SecurePasswordPrompt

Use secure credentials popup to specify credentials. This

option should be used when smartcard credentials need to be

specified. This option is only in effect when the password

value is supplied as *

xResetting the trust password on %1 for trust with %2.

The old machine account was not disabled in domain %1 because credentials

for that domain were not specified on the command line.

�Type the password associated with the computer account object: %0

�A computer account password must be specified using the /PasswordM command line argument.

�A domain controller must be specified using the /Domain command line argument. For example, /Domain:domain\dc

tThe /ReadOnly option cannot be used with /OU option.

�Cannot rename remote server %1 because it is not joined to the AD environment.

@TGT Delegation is enabled.

@TGT Delegation is disabled.

<Enabling TGT delegation.

<Disabling TGT delegation.

PTGT delegation is already enabled.

PTGT delegation is already disabled.

4PIM Trust is enabled.

8PIM Trust is disabled.

0Enabling PIM Trust.

4Disabling PIM Trust.

DPIM Trust is already enabled.

HPIM Trust is already disabled.

�Only non-windows or cross-forest trust types are valid for this operation.

�A trust must first be marked as forest transitive before you can enable PIM.

�Marking this trust as Not Forest Transitive. Note, this will also disable PIM Trust.

0Warning: enabling Kerberos full TGT delegation on outbound trusts is not recommended. See https://aka.ms/netdomtgtdelegation for more information.

pMultiple records matched the domain you specified.

�Failed to find a record that matched the domain you specified.

�Authentication target validation for the specified domain has been enabled.

�Authentication target validation for the specified domain has been disabled.

�Authentication target validation for the specified domain is already enabled.

�Authentication target validation for the specified domain is already disabled.

�Only inbound or bi-directional forest trusts are valid for this operation.

The trust scanner request was successfully submitted. Please check the event log for details on the outcome of the request.

The LsaQueryForestTrustInformation2 call failed with 0x%x. The server may need the latest patches in order to support this method.

�4VS_VERSION_INFO��
!|O
!|O?�StringFileInfo�040904B0LCompanyNameMicrosoft Corporation8FileDescriptionNETDOM5n'FileVersion10.0.20348.2849 (WinBuild.160101.0800)6InternalNameNETDOM.EXE�.LegalCopyright� Microsoft Corporation. All rights reserved.FOriginalFilenameNETDOM.EXE.MUIj%ProductNameMicrosoft� Windows� Operating SystemDProductVersion10.0.20348.2849DVarFileInfo$Translation �PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX