
26.8 Monitoring Trusts

New to Windows Server 2003 is the Trustmon WMI provider. The Trustmon provider allows you to query the list of trusts known to a domain controller and determine whether each one is working correctly. The provider consists of three classes, but the primary one is the Microsoft_DomainTrustStatus class, which represents each trust the domain controller knows about. The Trustmon provider lives under the root\MicrosoftActiveDirectory namespace. Note that this namespace is different from the one used by the Active Directory provider, which is contained under root\directory\ldap.

Table 26-6 lists the properties available on this class.

Table 26-6. Microsoft_DomainTrustStatus properties

Property           Description
-----------------  ------------------------------------------------------------
Flatname           NetBIOS name for the domain.
SID                SID for the domain.
TrustAttributes    Flag indicating special properties of the trust. Can be any
                   combination of the following:
                     • 0x1 (Nontransitive)
                     • 0x2 (Uplevel clients only)
                     • 0x40000 (Tree parent)
                     • 0x80000 (Tree root)
TrustDCName        Name of the domain controller the trust is set up with.
TrustDirection     Integer representing the direction of the trust. Valid
                   values include:
                     • 1 (Inbound)
                     • 2 (Outbound)
                     • 3 (Bidirectional)
TrustedDomain      Name of the trusted domain.
TrustIsOK          Boolean indicating whether the trust is functioning properly.
TrustStatus        Integer representing the status of the trust. 0 indicates
                   no failure.
TrustStatusString  Textual description of the status of the trust.
TrustType          Integer representing the type of trust. Valid values include:
                     • 1 (Downlevel)
                     • 2 (Uplevel)
                     • 3 (Kerberos realm)
                     • 4 (DCE)

As you can see from Table 26-6, the Microsoft_DomainTrustStatus class provides just about all the information you'd want to know concerning a trust. The following example shows how easy it is to enumerate all the trusts using this class:

strComputer = "."

' Connect to the Trustmon namespace (not the root\directory\ldap namespace
' used by the Active Directory provider)
Set objWMI = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftActiveDirectory")
Set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")

' Print every property from Table 26-6 for each trust the DC knows about
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustAttributes: "   & objTrust.TrustAttributes
    Wscript.Echo " TrustDCName: "       & objTrust.TrustDCName
    Wscript.Echo " TrustDirection: "    & objTrust.TrustDirection
    Wscript.Echo " TrustIsOK: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

Next, let's illustrate a script that finds any trust that has some kind of failure. All we need to do is add a where TrustIsOK = False clause to the WQL query from the previous example. We then print the TrustStatusString property, which returns a description of the failure.

strComputer = "."

Set objWMI = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftActiveDirectory")
' Only trusts the provider reports as broken are returned
Set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus " & _
                                 "where TrustIsOK = False")

if objTrusts.Count = 0 then
    Wscript.Echo "There are no trust failures"
else
    for each objTrust in objTrusts
        Wscript.Echo objTrust.TrustedDomain & " - " & objTrust.TrustStatusString
        Wscript.Echo ""
    next
end if
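The two VBScript scripts above print the raw integers that Table 26-6 describes. The following PowerShell is an added example, not code from the book: it queries the same Microsoft_DomainTrustStatus class through the CIM cmdlets, decodes TrustAttributes, TrustDirection and TrustType into names, and wraps the TrustIsOK = False filter in a function a monitoring job can call. It assumes it runs on a domain controller that exposes the root\MicrosoftActiveDirectory namespace; the two sample trust records at the bottom are constructed so the decoding can be exercised on any machine.

```powershell
# Added example (not from the book). Assumes a Windows Server domain controller
# exposing the root\MicrosoftActiveDirectory namespace for the live query; the
# sample records below are constructed, not real provider output.

function ConvertTo-TrustReport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        # TrustAttributes is a bit field; test each flag listed in Table 26-6.
        $attr  = [int]$Trust.TrustAttributes
        $flags = @()
        if ($attr -band 0x1)     { $flags += 'Nontransitive' }
        if ($attr -band 0x2)     { $flags += 'UplevelClientsOnly' }
        if ($attr -band 0x40000) { $flags += 'TreeParent' }
        if ($attr -band 0x80000) { $flags += 'TreeRoot' }

        $direction = switch ([int]$Trust.TrustDirection) {
            1       { 'Inbound' }
            2       { 'Outbound' }
            3       { 'Bidirectional' }
            default { "Unknown($_)" }
        }
        $type = switch ([int]$Trust.TrustType) {
            1       { 'Downlevel' }
            2       { 'Uplevel' }
            3       { 'KerberosRealm' }
            4       { 'DCE' }
            default { "Unknown($_)" }
        }

        [pscustomobject]@{
            TrustedDomain = $Trust.TrustedDomain
            Flatname      = $Trust.Flatname
            Direction     = $direction
            Type          = $type
            Attributes    = ($flags -join ',')
            TrustDC       = $Trust.TrustDCName
            IsOK          = [bool]$Trust.TrustIsOK
            Status        = $Trust.TrustStatus
            StatusText    = $Trust.TrustStatusString
        }
    }
}

function Get-TrustFailure {
    # Same WQL filter as the book's second script; returns only broken trusts.
    # -ComputerName is optional: omit it to query the local domain controller.
    param([string]$ComputerName)
    $query = @{
        Namespace = 'root\MicrosoftActiveDirectory'
        Query     = 'SELECT * FROM Microsoft_DomainTrustStatus WHERE TrustIsOK = FALSE'
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }
    Get-CimInstance @query | ConvertTo-TrustReport
}

# Constructed sample records (labelled as such; not real output) so the
# decoding can be run anywhere. 0x40002 = Uplevel clients only + Tree parent.
$sample = @(
    [pscustomobject]@{
        TrustedDomain = 'child.example.test'; Flatname = 'CHILD'
        TrustAttributes = 0x40002; TrustDirection = 3; TrustType = 2
        TrustDCName = 'dc1.child.example.test'; TrustIsOK = $true
        TrustStatus = 0; TrustStatusString = 'Success'
    }
    [pscustomobject]@{
        TrustedDomain = 'partner.example.test'; Flatname = 'PARTNER'
        TrustAttributes = 0x1; TrustDirection = 2; TrustType = 1
        TrustDCName = ''; TrustIsOK = $false
        TrustStatus = 1788; TrustStatusString = 'Constructed failure text'
    }
)
$sample | ConvertTo-TrustReport | Format-Table -AutoSize

# On a domain controller: list broken trusts and fail the job so a scheduled
# task or monitoring agent can alert on the non-zero exit code.
# $broken = @(Get-TrustFailure)
# if ($broken.Count -gt 0) { $broken | Format-List; exit 1 }
```

Decoding the attribute flags is what makes the enumeration useful as a control: an operator can see at a glance which trusts are nontransitive and which direction each one runs, and Get-TrustFailure gives a scheduled task a single call that is empty when everything is healthy.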

One of the neat features of the Trustmon provider is that it is configurable. Through WMI you can modify what type of checks it does to determine trust failures and also how long to cache information it retrieves. All of this is done with the Microsoft_TrustProvider class. Table 26-7 contains a list of all property methods for this class.

Table 26-7. Microsoft_TrustProvider properties

Property             Description
-------------------  ----------------------------------------------------------
TrustListLifetime    Number of minutes to cache the last trust enumeration
                     (20 is the default).
TrustStatusLifetime  Number of minutes to cache the last trust status request
                     (3 is the default).
TrustCheckLevel      Number representing the type of check to perform against
                     each trust during enumeration (2 is the default). Valid
                     values include:
                       • 0 (Enumerate only)
                       • 1 (Enumerate with SC_QUERY)
                       • 2 (Enumerate with password check)
                       • 3 (Enumerate with SC_RESET)
ReturnAll            Boolean indicating whether both trusting and trusted
                     domains are enumerated. True is the default, which
                     indicates to check both trusting and trusted domains.

Now we will show a simple script that changes the default settings for the Trustmon provider. In the following example, we set the TrustListLifetime to 15 minutes, the TrustStatusLifetime to 5 minutes, and the TrustCheckLevel to 1.

strComputer = "."

' Microsoft_TrustProvider is a singleton, so it is addressed with =@
Set objTrustProv = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")

objTrustProv.TrustListLifetime   = 15   ' 15 minutes
objTrustProv.TrustStatusLifetime = 5    ' 5 minutes
objTrustProv.TrustCheckLevel     = 1    ' Enumerate with SC_QUERY
objTrustProv.Put_                       ' Write the changes back to the provider
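The VBScript above writes three values blind. The PowerShell below is an added example, not code from the book: it reads the current Microsoft_TrustProvider settings first, validates the new values against the ranges Table 26-7 documents, writes only the properties you actually pass, and supports -WhatIf so the change can be reviewed before it is applied. It assumes a domain controller exposing the root\MicrosoftActiveDirectory namespace; the 1440-minute upper bound on the lifetimes is an assumed sanity limit, not something the provider enforces.

```powershell
# Added example (not from the book). Assumes a Windows Server domain controller
# exposing root\MicrosoftActiveDirectory. Uses the CIM cmdlets; the singleton
# Microsoft_TrustProvider instance is the same object the VBScript addresses
# with "=@".

function Get-TrustmonConfig {
    Get-CimInstance -Namespace 'root\MicrosoftActiveDirectory' `
                    -ClassName 'Microsoft_TrustProvider' |
        Select-Object TrustListLifetime, TrustStatusLifetime, TrustCheckLevel, ReturnAll
}

function Set-TrustmonConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Minutes; 1440 (one day) is an assumed sanity bound, not a provider limit.
        [ValidateRange(1, 1440)] [int] $TrustListLifetime,
        [ValidateRange(1, 1440)] [int] $TrustStatusLifetime,
        # 0..3 are the levels from Table 26-7; 3 (SC_RESET) resets each trust's
        # secure channel during enumeration, so it is the most intrusive choice.
        [ValidateRange(0, 3)] [int] $TrustCheckLevel,
        [bool] $ReturnAll
    )

    # Write only the properties the caller supplied; everything else is left alone.
    $changes = @{}
    foreach ($name in 'TrustListLifetime', 'TrustStatusLifetime', 'TrustCheckLevel', 'ReturnAll') {
        if ($PSBoundParameters.ContainsKey($name)) {
            $changes[$name] = $PSBoundParameters[$name]
        }
    }
    if ($changes.Count -eq 0) { return }

    $provider = Get-CimInstance -Namespace 'root\MicrosoftActiveDirectory' `
                                -ClassName 'Microsoft_TrustProvider'
    $summary = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    if ($PSCmdlet.ShouldProcess('Microsoft_TrustProvider', "set $summary")) {
        $provider | Set-CimInstance -Property $changes
    }
}

# Usage: show the current settings, apply the same values as the book's script,
# then show the result. Add -WhatIf to the Set call to preview without writing.
Get-TrustmonConfig
Set-TrustmonConfig -TrustListLifetime 15 -TrustStatusLifetime 5 -TrustCheckLevel 1
Get-TrustmonConfig
```

Reading the configuration before and after the write gives you a record of what changed, which matters because these settings affect how quickly a broken trust shows up (the two cache lifetimes) and how much load each enumeration places on the trust's secure channel (TrustCheckLevel).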

The Trustmon provider is a great example of how to utilize WMI in the Active Directory space. What previously could only have been done with command-line utilities or MMC snap-ins can now be done programmatically very easily.
