刘辉的blog Support Tools netdom

netdom
The syntax of this command is:
NETDOM HELP command
-or-
NETDOM command /help

Commands available are:

NETDOM ADD
NETDOM RESETPWD
NETDOM RESET
NETDOM COMPUTERNAME
NETDOM QUERY

NETDOM TRUST
NETDOM REMOVE
NETDOM VERIFY
NETDOM JOIN
NETDOM RENAME
NETDOM MOVE
NETDOM RENAMECOMPUTER

NETDOM HELP SYNTAX explains how to read NET HELP syntax lines.
NETDOM HELP command | MORE displays Help one screen at a time.

Note that verbose output can be specified by including /VERBOSE with
any of the above netdom commands.

The command completed successfully.
------------------------------------------------------------------------------------------------------------------

NETDOM ADD machine /Domain:domain [/UserD:user] [/PasswordD:[password | *]]
[/Server:server] [/OU:ou path] [/DC]

NETDOM ADD Adds a workstation or server account to the domain.

machine is the name of the computer to be added

/Domain Specifies the domain in which to create the machine account

/UserD User account used to make the connection with the domain specified by the /Domain argument

/PasswordD Password of the user account specified with /UserD. A * means to prompt for the password

/Server Name of a specific domain controller that should be used to perform the Add. This option cannot be used with the /OU option.

/OU Organizational unit under which to create the machine account.
This must be a fully qualified RFC 1779 DN for the OU. When using this argument, you must be running directly on a domain controller for the specified domain.
If this argument is not included, the account will be created under the default organization unit for machine objects for that domain.

/DC Specifies that a domain controller's machine account is to be created. This option cannot be used with the /OU option.
-------------------------------------------------------------------------------------

NETDOM COMPUTERNAME machine [UserO:user] [/PasswordO:[password | *]]
[UserD:user] [/PasswordD:[password | *]]
/Add:<name> | /Remove:<name> | /MakePrimary:<name> |
/Enumerate[:{AlternateNames | PrimaryNames | AllNames}]

NETDOM COMPUTERNAME manages the primary and alternate names for a computer.

machine is the name of the computer whose names are to be managed.

/UserO User account used to make the connection with the machine to be managed

/PasswordO Password of the user account specified By /UserO. A * means to prompt for the password

/UserD User account used to make the connection with the domain of the machine to be managed

/PasswordD Password of the user account specified By /UserD. A * means to prompt for the password

/Add Specifies that a new alternate name should be added.

/REMove Specifies that an existing alternate name should be removed.

/MakePrimary Specifies that an existing alternate name should be made into the primary name.

/ENUMerate Lists the specified names. It defaults to AllNames.

---------------------------------------------------------------------------

NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user] [/PasswordD:[password | *]] [UserO:user] [/PasswordO:[password | *]] [/REBoot[:Time in seconds]]

NETDOM JOIN Joins a workstation or member server to the domain.

machine is the name of the workstation or member server to be joined /Domain Specifies the domain which the machine should join. You can specify a particular domain controller by entering /Domain:domain\dc. If you specify a domain controller, you must also include the user's domain. For example: /UserD:domain\user

/UserD User account used to make the connection with the domain specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password

/UserO User account used to make the connection with the machine to be joined

/PasswordO Password of the user account specified by /UserO. A * means to prompt for the password

/OU Organizational unit under which to create the machine account.
This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organization unit for machine objects for that domain.

/REBoot Specifies that the machine should be shutdown and automatically rebooted after the Join has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds

Windows Professional machines with the ForceGuest setting enabled (which is the default for machines not joined to a domain during setup) cannot be remotely administered. Thus the join operation must be run directly on the machine when the ForceGuest setting is enabled.

When joining a machine running Windows NT version 4 or before to the domain the operation is not transacted. Thus, a failure during the operation could leave the machine in an undetermined state with respect to the domain it is joined to.

The act of joining a machine to the domain will create an account for the machine on the domain if it does not already exist.

-------------------------------------------------------------------------------------

NETDOM MOVE machine /Domain:domain [/OU:ou path] [/UserD:user] [/PasswordD:[password | *]] [/UserO:user] [/PasswordO:[password | *]] [/UserF:user] [/PasswordF:[password | *]] [/REBoot[:Time in seconds]]

NETDOM MOVE Moves a workstation or member server to a new domain machine is the name of the workstation or member server to be moved /Domain Specifies the domain to which the machine should be moved. You can specify a particular domain controller by entering /Domain:domain\dc. If you specify a domain controller, you must also include the user's domain. For example: /UserD:domain\user

/UserD User account used to make the connection with the domain specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password

/UserO User account used to make the connection with the machine to be moved

/PasswordO Password of the user account specified by /UserO. A * means to prompt for the password

/UserF User account used to make the connection with the machine's former domain (with which the machine had been a member before the move). Needed to disable the old machine account.

/PasswordF Password of the user account specified by /UserF. A * means to prompt for the password

/OU Organizational unit under which to create the machine account. This must be a fully qualified RFC 1779 DN for the OU. If not specified, the account will be created under the default organization unit for machine objects for that domain.

/REBoot Specifies that the machine should be shutdown and automatically rebooted after the Move has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds

When moving a downlevel (Windows NT version 4 or before) machine to a new domain, the operation is not transacted. Thus, a failure during the operation could leave the machine in an undetermined state with respect to the domain it is joined to.

When moving a machine to a new domain, the old computer account in the former domain is not deleted. If credentials are supplied for the former domain, the old computer account will be disabled.

The act of moving a machine to a new domain will create an account for the machine on the domain if it does not already exist.
--------------------------------------------------------------------------------------

/Domain Specifies the domain on which to query for the information

/UserD User account used to make the connection with the domain specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password

/Server Name of a specific domain controller that should be used to perform the query.

/Verify For computers, verifies that the secure channel between the computer and the domain controller is operating properly. For trusts, verifies that the the trust between domains is operating properly. Only outbound trust will be verified. The user must have domain administrator credentials to get correct verification results.

/RESEt Resets the secure channel between the computer and the domain controller; valid only for computer enumeration

/Direct Applies only for a TRUST query, lists only the direct trust links and omits the domains indirectly trusted through transitive links. Do not use with /Verify.

WORKSTATION Query the domain for the list of workstations
SERVER Query the domain for the list of servers
DC Query the domain for the list of Domain Controllers
OU Query the domain for the list of Organizational Units underwhich the specified user can create a machine object
PDC Query the domain for the current Primary Domain Controller
FSMO Query the domain for the current list of FSMO owners
TRUST Query the domain for the list of its trusts

The trust verify command checks only direct, outbound, Windows trusts. To verify an inbound trust, use the NETDOM TRUST command which allows you to specify credentials for the trusting domain.

---------------------------------------------------------------------------------------------------

NETDOM REMOVE machine /Domain:domain [/UserD:user] [/PasswordD:[password | *]] [UserO:user] [/PasswordO:[password | *]] [/REBoot[:Time in seconds]]

NETDOM REMOVE Removes a workstation or server from the domain. machine is the name of the computer to be removed

/Domain Specifies the domain in which to remove the machine

/UserD User account used to make the connection with the domain specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password

/UserO User account used to make the connection with the machine to be removed

/PasswordO Password of the user account specified By /UserO. A * means to prompt for the password

/REBoot Specifies that the machine should be shutdown and automatically rebooted after the Remove has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds

------------------------------------------------------------------------------------------------

NETDOM RENAME machine [/Domain:domain] [/REBoot[:Time in seconds]]

NETDOM RENAME Renames NT4 backup domain controllers (moves it to a new domain) machine is the name of the backup Domain Controller to be renamed

/Domain Specifies the new name of the domain

/REBoot Specifies that the machine should be shutdown and automatically rebooted after the Rename has completed. The number of seconds before automatic shutdown can also be provided. Default is 30 seconds

NETDOM HELP command | MORE displays Help one screen at a time. The command completed successfully.

-----------------------------------------------------------------------------------------------

NETDOM RENAMECOMPUTER machine /NewName:new-name /UserD:user [/PasswordD:[password | *]] [/UserO:user [/PasswordO:[password | *]]] [/Force] [/REBoot[:Time in seconds]]

NETDOM RENAMECOMPUTER renames a computer that is joined to a domain. The computer object in the domain is also renamed. Certain services, such as the Certificate Authority, rely on a fixed machine name. If any services of this type are running on the target computer, then a computer name change would have an adverse impact. machine is the name of the workstation, member server, or domain controller to be renamed

/NewName Specifies the new name for the computer. Both the DNS host label and the NetBIOS name are changed to new-name. If new-name is longer than 15 characters, the NetBIOS name is derived from the first 15 characters

/UserD User account used to make the connection with the domain to which the computer is joined. This is a required parameter. The domain can be specified as "/ud:domain\user". If domain is omitted, then the computer's domain is assumed.

/PasswordD Password of the user account specified by /UserD. A * means to prompt for the password

/UserO User account used to make the connection with the machine to be renamed. If omitted, then the currently logged on user's account is used. The user's domain can be specified as "/uo:domain\user". If domain is omitted, then a local computer account is assumed.

/PasswordO Password of the user account specified by /UserO. A * means to prompt for the password

/Force As noted above, this command can adversely affect some services running on the computer. The user will be prompted for confirmation unless the /FORCE switch is specified.

------------------------------------------------------------------------------------

NETDOM RESET machine /Domain:domain [/Server:server] [UserO:user] [/PasswordO:[password | *]]

NETDOM RESET Resets the secure connection between a workstation and a domain controller machine is the name of the computer to be have the secure connection reset

/Domain Specifies the domain with which to establish the secure connection

/Server Name of a specific domain controller that should be used to establish the secure connection.

/UserO User account used to make the connection with the machine to be reset

/PasswordO Password of the user account specified By /UserO. A * means to prompt for the password

---------------------------------------------------------------------------------

NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name [/UserD:user]
[/PasswordD:[password | *]] [UserO:user] [/PasswordO:[password | *]]
[/Verify] [/RESEt] [/PasswordT:new_realm_trust_password]
[/Add] [/REMove] [/Twoway] [/Kerberos] [/Transitive[:{yes | no}]]
[/OneSide:{trusted | trusting}] [/Force] [/FilterSIDs[:{yes | no}]]
[/NameSuffixes:trust_name [/ToggleSuffix:#]]

NETDOM TRUST Manages or verifies the trust relationship between domains

trusting_domain_name is the name of the trusting domain

/Domain Specifies the name of the trusted domain.

/UserD User account used to make the connection with the domain
specified by the /Domain argument

/PasswordD Password of the user account specified by /UserD. A * means
to prompt for the password

/UserO User account for making the connection with the trusting
domain

/PasswordO Password of the user account specified By /UserO. A * means
to prompt for the password

/Verify Verifies that the the trust is operating properly

/RESEt Resets the trust passwords between two domains. The domains can
be named in any order. Reset is not valid on a trust to a
Kerberos realm unless the /PASSWORDT parameter is included.

/PasswordT New trust password, valid only with the /ADD or /RESET options
and only if one of the domains specified is a non-Windows
Kerberos realm. The trust password is set on the Windows domain
only and thus credentials are not needed for the non-Windows
domain.

/Add Specifies that a trust should be created

/REMove Specifies that a trust should be removed

/Twoway Specifies that a trust relationship should be bidirectional

/OneSide Denotes that the trust object should only be created on one
domain. The 'trusted' keyword indicates that the trust object
is created on the trusted domain (the one named with the /D
parameter). The 'trusting' keyword indicates that the trust
object is to be created on the trusting domain. Valid only with
the /ADD option. The /PasswordT option is required.

/REAlm Indicates that the trust is to be created to a non-Windows
Kerberos realm. Valid only with the /ADD option. The
/PasswordT option is required.

/TRANSitive Valid only for a non-Windows Kerberos realm. Specifying "yes"
sets it to a transitive trust. Specifying "no" sets it to a
non-transitive trust. If neither is specified, then the current
transitivity state will be displayed.

/Kerberos Specifies that the Kerberos authentication protocol should be
verified between a domain or workstation and a target domain;
You must supply user accounts and passwords for both the object
and target domain.

/Force Valid with the /Remove option. Forces the removal of the trust
(and cross-ref) objects on one domain even if the other domain
is not found or does not contain matching trust objects. You
must use the full DNS name to specify the domain.
CAUTION: this option will completely remove a child domain.

/FilterSIDs Valid only on an existing direct, outbound trust. Set or clear
the SID filtering attribute. Default is "no". When "yes" is
specified, then only SIDs from the directly trusted domain
will be accepted for authorization data returned during
authentication. SIDS from any other domains will be removed.
Specifying /FilterSIDs without yes or no will display the
current state.

/NameSuffixes Valid only for a forest trust. Lists the routed name suffixes
for trust_name on the domain named by trusting_domain_name.
The /UserO and /PasswordO values can be used for
authentication. The /Domain parameter is not needed.

/ToggleSuffix Use with /NameSuffixes to change the status of a name suffix.
The number of the name entry, as listed by a preceding call to
/NameSuffixes, must be provided to indicate which name will
have its status changed. Names that are in conflict cannot have
their status changed until the name in the conflicting trust is
disabled. Always precede this command with a /NameSuffixes
command because LSA will not always return the names in the
same order.

--------------------------------------------------

NETDOM VERIFY machine /Domain:domain [UserO:user]
[/PasswordO:[password | *]]

NETDOM VERIFY Verifies the secure connection between a workstation and a domain
controller

machine is the name of the computer to be have the secure connection verified

/Domain Specifies the domain with which to verify the secure connection

/UserO User account used to make the connection with the machine to be
reset

/PasswordO Password of the user account specified By /UserO. A * means to prompt for the password

--------------------------------------------------------------

NETDOM RESETPWD /Server:domain-controller /UserD:user /PasswordD:[password | *]

NETDOM RESETPWD Resets the machine account password for the domain controller
on which this command is run. Currently there is no support for resetting
the machine password of a remote machine or a member server. All parameters
must be specified.

/Server Name of a specific domain controller that should have its
machine account password reset.

/UserD User account used to make the connection with the domain
controller specified by the /Server argument.

/PasswordD Password of the user account specified with /UserD. A * means
to prompt for the password