Resetting a trust password on one side of the trust

Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

If the forest recovery is related to a security breach, use the following procedure to reset a trust password on one side of the trust. This includes implicit trusts between child and parent domains as well as explicit trusts between this domain (the trusting domain) and another domain (the trusted domain).

Reset the password on only the trusting domain side of the trust, also known as the incoming trust (the side where this domain belongs). Then, use the same password on the trusted domain side of the trust, also known as the outgoing trust. Reset the password of the outgoing trust when you restore the first DC in each of the other (trusted) domains.

Resetting the trust password ensures that the DC does not replicate with potentially bad DCs outside its domain. By setting the same trust password while restoring the first DC in each of the domains, you ensure that this DC replicates with each of the recovered DCs. Subsequent DCs in the domain that are recovered by installing AD DS will automatically replicate these new passwords during the installation process.

To reset a trust password on one side of the trust

  1. At a command prompt, type the following command, and then press ENTER:

    netdom experthelp trust
    
  2. Use the syntax that this command displays to reset the trust password with the NetDom tool. For example, if there are two domains in the forest (parent and child) and you are running this command on the restored DC in the parent domain, use the following command syntax:

    netdom trust <parent domain name> /domain:<child domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*
    

    When you run this command in the child domain, use the following command syntax:

    netdom trust <child domain name> /domain:<parent domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*
    

    Note

    passwordT should be the same value on both sides of the trust. Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.
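
As an added example (not part of the original article and not Microsoft's code), the PowerShell script below goes beyond the two-domain case above: for each parent/child trust it generates one random password and prints the `netdom trust ... /resetOneSide` command for each side, so that `passwordT` matches on both. The function names, the `Parent`/`Child` property names and the `corp.example` domains are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Domain names are constructed.
# The output contains the new trust passwords: handle it as a secret.

function New-TrustPassword {
    param([int]$Length = 32)
    # 64-symbol alphabet: 256 is a multiple of 64, so ($byte % 64) is unbiased.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Get-TrustResetPlan {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Trusts,  # items with .Parent and .Child
        [string]$AdminUser = 'administrator'
    )
    $dns = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
    foreach ($t in $Trusts) {
        foreach ($name in $t.Parent, $t.Child) {
            if ($name -notmatch $dns) { throw "Not a valid DNS domain name: '$name'" }
        }
        if ($t.Parent -eq $t.Child) { throw "Both sides name the same domain: $($t.Parent)" }

        $pw = New-TrustPassword   # one value per trust, reused on both sides
        foreach ($side in @{ Local = $t.Parent; Remote = $t.Child },
                           @{ Local = $t.Child;  Remote = $t.Parent }) {
            [pscustomobject]@{
                RunOnRestoredDcIn = $side.Local
                Command = "netdom trust $($side.Local) /domain:$($side.Remote) " +
                          "/resetOneSide /passwordT:$pw /userO:$AdminUser /passwordO:*"
            }
        }
    }
}

# Constructed forest: one root domain with two child domains.
$trusts = @(
    [pscustomobject]@{ Parent = 'corp.example'; Child = 'emea.corp.example' },
    [pscustomobject]@{ Parent = 'corp.example'; Child = 'apac.corp.example' }
)

# Sort by domain so each restore operator sees that domain's commands together,
# each to be run once on the first restored DC.
Get-TrustResetPlan -Trusts $trusts | Sort-Object RunOnRestoredDcIn | Format-List
```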

Next Steps