Netdom query

Applies To: Windows Server 2008, Windows Server 2008 R2

Queries the domain for information such as membership and trust.

Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

netdom query {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/ud: | /userd:}[<Domain>\]<User> {/pd: | /passwordd:}{<Password>|*}] [/verify] [/reset] [/direct] {WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST} [{/help | /?}]

Parameters

Parameter Description

{/d: | /domain:}<Domain>

Specifies the domain to query for the information. If you do not specify this parameter, then netdom query uses the domain to which the current computer belongs.

{/s: | /server:}<Server>

Specifies the name of the domain controller that performs the query.

{/ud: | /userd:}[<Domain>\]<User>

Specifies the user account that makes the connection with the domain that you specify in the /d or /domain parameter. If you do not specify this parameter, netdom query uses the current user account.

{/pd: | /passwordd:}{<Password>|*}

Specifies the password of the user account that you specify in the /ud or /userd parameter. If you specify the value of this parameter as a wildcard character (*), this parameter prompts you for the password.

/verify

Specifies verification of the secure channel secrets for all enumerated memberships or trusts, and then displays them. Only users who are enterprise-level administrators can verify all secure channel secrets.

/reset

Specifies resynchronization of the secure channel secrets for all enumerated memberships or trusts that are currently broken. The /reset parameter implies the /verify parameter. Unless the user is an enterprise-level administrator, the user might not be able to reset all enumerated trusts or memberships.

/direct

Indicates that the query for trust relationships returns only direct trust relationships, rather than direct and indirect relationships. This parameter is valid only when you specify Domain in the /d parameter.

WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST

Specifies the type of list to generate. The following list shows the possible objects:

  • WORKSTATION: Queries the domain for the list of workstations.

  • SERVER: Queries the domain for the list of servers.

  • DC: Queries the domain for the list of domain controllers.

  • OU: Queries the domain for the list of OUs under which the user that you specify can create a computer object.

  • PDC: Queries the domain for the current primary domain controller.

  • FSMO: Queries the domain for the current list of operations master role holders. These role holders are also known as flexible single master operations (FSMO).

  • TRUST: Queries the domain for the list of its trusts.

{/help | /?}

Displays help at the command prompt.

Examples

To list all the workstations in the domain Northamerica, type the following command at the command prompt:

netdom query /d:Northamerica WORKSTATION

To list all the servers in Northamerica, type the following command at the command prompt:

netdom query /d:Northamerica SERVER

To list all the domain controllers in the domain Northamerica, type the following command at the command prompt:

netdom query /d:Northamerica DC

To list all the OUs in devgroup.example.com, type the following command at the command prompt:

netdom query /d:devgroup.example.com OU

To list the PDC for Northamerica, type the following command at the command prompt:

netdom query /d:Northamerica PDC

To list the current PDC emulator for devgroup.example.com, type the following command at the command prompt:

netdom query /d:devgroup.example.com FSMO

You can use the Query operation with the /verify and /reset parameters to perform the Verify and Reset operations together. You can pipe the output of the Query operation to the netdom Verify or netdom Reset operation.

To list all servers and verify their secure channel secrets, type the following command at the command prompt:

netdom query /d:Northamerica SERVER /verify

To list all workstations and reset any unsynchronized secure channel secrets, type the following command at the command prompt:

netdom query /d:Northamerica WORKSTATION /reset

To list all the direct trust relationships for the domain Northamerica, type the following command at the command prompt:

netdom query /d:Northamerica /Ud:Northamerica\admin TRUST /Direct

To list all the direct and indirect trust relationships for the domain Northamerica, type the following command at the command prompt:

netdom query /d:Northamerica /Ud:Northamerica\admin TRUST

To list all trust relationships and check their status, type the following command at the command prompt:

netdom query /d:devgroup.example.com TRUST /verify
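
The following is an added example, not part of the original reference page: a Python parser that applies the syntax above to recorded netdom query command lines (for example, from process-creation logs) and flags a password typed in clear text after /pd instead of the * prompt, as well as use of /reset. The function names, field names and sample command lines are constructed for illustration.

```python
import re

# Object types taken from the Syntax line on this page.
OBJECTS = {"WORKSTATION", "SERVER", "DC", "OU", "PDC", "FSMO", "TRUST"}
# Short and long spellings of each valued switch, mapped to one field name.
VALUED = {"d": "domain", "domain": "domain", "s": "server", "server": "server",
          "ud": "user", "userd": "user", "pd": "password", "passwordd": "password"}
FLAGS = {"verify", "reset", "direct"}


def parse_netdom_query(cmdline):
    """Parse one 'netdom query' command line; return None for anything else."""
    tokens = [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]
    if len(tokens) < 2:
        return None
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("netdom", "netdom.exe") or tokens[1].lower() != "query":
        return None
    result = {"object": None, "flags": set(), "findings": []}
    for tok in tokens[2:]:
        if tok.startswith("/"):
            name, _, value = tok[1:].partition(":")
            name = name.lower()
            if name in VALUED:
                result[VALUED[name]] = value
            elif name in FLAGS:
                result["flags"].add(name)
        elif tok.upper() in OBJECTS:
            result["object"] = tok.upper()
    if result.get("password") not in (None, "", "*"):
        result["findings"].append("password supplied in clear text on the command line")
        result["password"] = "<redacted>"  # never carry the secret into reports
    if "reset" in result["flags"]:
        result["findings"].append("/reset resynchronizes secure channel secrets")
    return result


# Constructed sample command lines, in the form a process-creation log records them.
SAMPLES = [
    r"netdom query /d:Northamerica WORKSTATION /reset",
    r'C:\Windows\System32\netdom.exe query /d:Northamerica /ud:Northamerica\admin /pd:"Example Passw0rd" TRUST /Direct',
    r"netdom query /d:devgroup.example.com /ud:devgroup\admin /pd:* TRUST /verify",
    r"ipconfig /all",
]


def audit(lines):
    """Return (index, object type, findings) for each line that needs review."""
    return [(i, r["object"], r["findings"]) for i, line in enumerate(lines)
            if (r := parse_netdom_query(line)) and r["findings"]]
```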

Additional references

Command-Line Syntax Key

Netdom

Netdom add

Netdom computername

Netdom join

Netdom move

Netdom remove

Netdom movent4bdc

Netdom renamecomputer

Netdom reset

Netdom resetpwd

Netdom trust

Netdom verify