Nltest |
Applies To: Windows Server 2008 R2,Windows Server 2008,Windows Server 2003 with SP1,Windows Server 2003,Windows Server 2003 R2
Performs network administrative tasks.
Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813). To use nltest, you must run the nltest command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Nltest.exe
You can use nltest to:
- Get a list of domain controllers
- Force a remote shutdown
- Query the status of trust
- Test trust relationships and the state of domain controller replication in a Windows domain
- Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers
Nltest can test and reset the secure channel that the NetLogon service establishes between clients and the domain controller that logs them on. Clients using Kerberos authentication cannot use this secure channel.
Note |
You must run nltest from the command prompt. |
Concepts
A discrete communication channel, known as the secure channel, exists between trusted domains in a Windows NT 4.0 environment and parent domains and their immediate children in an Active Directory environment. In a Windows NT 4.0 environment, nltest uses these channels to authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication.
Nltest provides diagnostic features that you can use for troubleshooting Windows Server 2008 operating system configurations. However, because nltest is designed primarily for system administrators and support personnel, its output may be difficult to analyze. In this case, you can review the appropriate troubleshooting sections in the Windows Deployment and Resource Kits. Search for any of the keywords from the bulleted list in the nltest description above.
Syntax
Copy Code |
|
nltest [/server:<servername>] [<operation>[<parameter>] |
- /server: <ServerName>
- Runs nltest at a remote domain controller that you specify. If you do not specify this parameter, nltest runs on the local computer, which is the domain controller.
Parameters
Parameter |
Description |
/query |
Reports on the state of the secure channel the last time you used it. (The secure channel is the one that the NetLogon service established.) |
/repl |
Forces synchronization with the primary domain controller (PDC). Nltest synchronizes only changes that are not yet replicated to the backup domain controller (BDC). You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter. |
/sync |
Forces an immediate synchronization with the PDC of the entire Security Accounts Manager (SAM) database. You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter. |
/pdc_repl |
Forces the PDC to send a synchronization notification to all BDCs. You can use this parameter for Windows NT 4.0 PDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter. |
/sc_query: <DomainName> |
Reports on the state of the secure channel the last time that you used it. (The secure channel is the one that the NetLogon service established.) This parameter lists the name of the domain controller that you queried on the secure channel, also. |
/sc_reset:[ <DomainName>] |
Removes, and then rebuilds, the secure channel that the NetLogon service established. You must have administrative credentials to use this parameter. |
/sc_verify:[ <DomainName>] |
Checks the status of the secure channel that the NetLogon service established. If the secure channel does not work, this parameter removes the existing channel, and then builds a new one. You must have administrative credentials to use this parameter. This parameter is only valid on domain controllers that run Windows 2000 with Service Pack 2 and later. |
/sc_change_pwd:[ <DomainName>] |
Changes the password for the trust account of a domain that you specify. If you run nltest on a domain controller, and an explicit trust relationship exists, then nltest resets the password for the interdomain trust account. Otherwise, nltest changes the computer account password for the domain that you specify. You can use this parameter only for computers that are running Windows 2000 and later. |
/dclist:[ <DomainName>] |
Lists all domain controllers in the domain. In a Windows NT 4.0 domain environment, this parameter uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this query is unsuccessful, nltest then uses the Browser service. |
/dcname:[ <DomainName>] |
Lists the primary domain controller or the PDC emulator for DomainName. |
/dsgetdc:[ <DomainName>] |
Queries the Domain Name System (DNS) server for a list of domain controllers and their corresponding IP addresses. This parameter also contacts each domain controller to check for connectivity. The following list shows the values that you can use to filter the list of domain controllers or specify alternate names types in the syntax.
|
/dnsgetdc: <DomainName> |
Queries the DNS server for a list of domain controllers and their corresponding IP addresses. The following list shows the values that you can use to filter the list of domain controllers.
|
/dsgetfti: <DomainName>[ /UpdateTDO] |
Returns information about interforest trusts. You use this parameter only for a Windows Server 2008 domain controller that is in the root of the forest. If no interforest trusts exist, this parameter returns an error. The /UpdateTDO value updates the locally stored information on the interforest trust. |
/dsgetsite |
Returns the name of the site in which the domain controller resides. |
/dsgetsitecov |
Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain controller of its own. |
/parentdomain |
Returns the name of the parent domain of the server. |
/dsregdns |
Refreshes the registration of all DNS records that are specific to a domain controller that you specify. |
/dsderegdns: <DnsHostName> |
Deregisters DNS host records for the host that you specify in the DnsHostName parameter. The following list shows the values that you can use to specify which records nltest deregisters.
|
/whowill: <Domain>/ <User> |
Finds the domain controller that has the user account that you specify. You can use this parameter to determine whether nltest has replicated the account information to other domain controllers. |
/finduser: <User> |
Finds the directly-trusted domain that the user account that you specify belongs to. You can use this parameter to troubleshoot logon issues of older client operating systems. |
/transport_notify |
Flushes the negative cache to force the discovery of a domain controller. You can use this parameter for Windows NT 4.0 domain controllers only. This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers. |
/dbflag: <HexadecimalFlags> |
Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows Server 2003 registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag. |
/user: <UserName> |
Displays many of the attributes that you maintain in the SAM account database for the user that you specify. You cannot use this parameter for user accounts that are stored in an Active Directory database. |
/time: <HexadecimalLSL> <HexadecimalMSL> |
Converts Windows NT Greenwich Mean Time (GMT) time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL is a hexadecimal value for most significant longword. |
/logon_query |
Queries the cumulative number of NTLM logon attempts at a console or over a network. |
/domain_trusts |
Returns a list of trusted domains. /Primary /Forest /Direct_Out /Direct_In /All_Trusts /v. The following list shows the values that you can use to filter the list of domains.
|
/dsquerydns |
Queries for the status of the last update for all DNS records that are specific to a domain controller that you specify. |
/bdc_query: <DomainName> |
Queries for a list of BDCs in DomainName, and then displays their state of synchronization and replication status. You can use this parameter only for Windows NT 4.0 domain controllers. |
/sim_sync: <DomainName> <ServerName> |
Simulates full synchronization replication. This is a useful parameter for test environments. |
/list_deltas: <FileName> |
Displays the contents of the FileName change log file, which lists changes to the user account database. Netlogon.chg is the default name for this log file, which resides only on Windows NT 4.0 BDCs. |
/cdigest: <Message> /domain: <DomainName> |
Displays the current digest that the client uses for the secure channel. (The digest is the calculation that nltest derives from the password.) This parameter displays the digest that is based on the previous password, also. Nltest uses the secure channel for logons between client computers and a domain controller, or for directory service replication between domain controllers. You can use this parameter in conjunction with the /sdigest parameter to check the synchronization of trust account passwords. |
/sdigest: <Message> /rid: <RID_In_Hexadecimal> |
Displays the current digest that the server uses for the secure channel. (The digest is the calculation that nltest derives from the password.) This parameter displays the digest for the previous password, also. If the digest from the server matches the digest from the client, then nltest synchronizes the passwords that it uses for the secure channel. If the digests do not match, then nltest might not have replicated the password change yet. |
/shutdown: <Reason>[ <Seconds>] |
Remotely shuts down the server that you specify in ServerName. You use a string to specify the reason for the shutdown in the Reason value., and you use an integer to specify the amount of time before the shutdown occurs in the Seconds value. For a complete description, see the Platform SDK documentation for InitiateSystemShutdown. |
/shutdown_abort |
Terminates a system shutdown. |
{/help | /?} |
Displays help at the command prompt. |
Examples
Example 1: Verify domain controllers in a domain
The following example uses the /dclist parameter to create a list of domain controllers of the domain fourthcoffee.com
nltest /dclist:fourthcoffee
This command displays output similar to the following:
Copy Code |
|
Get list of DCs in domain 'ntdev' from '\\fourthcoffee-dc-01'. |
Example 2: Advanced information about users
The following example shows detailed information about a specific user.
nltest /user:"TestAdmin"
This command displays output similar to the following:
Copy Code |
|
User: User1 |
Example 3: Verify trust relationship with a specific server
The following example verifies that the a-dc1 server has a valid trust relationship with the domain.
nltest.exe /server:fourthcoffee-dc-01 /sc_query:fourthcoffee
This command displays output similar to the following:
Copy Code |
|
Flags: 30 HAS_IP HAS_TIMESERV |
Note |
The DNS_DC and DNS_DOMAIN flags indicate the format of the information returned in the request (as opposed to a flag like GC or TIMESERV, which tell you something about the domain controller returning the information). Specifically, the presence of them indicates the returned domain controller name and domain name, respectively, were in DNS format. The absence of them indicates the returned domain controller name and domain name were in NetBIOS format. |
Example 4: Determine the PDC emulator for a domain
The following example identifies the domain controller that Windows NT 4.0–based computers see as the PDC emulator for a domain.
nltest /dcname:fourthcoffee
This command displays output similar to the following:
Copy Code |
|
PDC for Domain fourthcoffee is \\fourthcoffee-dc-01 |
You can see that a-dcp is the PDC emulator for your domain.
Example 5: Show trust relationships for a domain
The following example lists the established trust relationships for your domain.
nltest /domain_trusts
This command displays output similar to the following:
Copy Code |
|
List of domain trusts: |
This example shows that one domain trusts itself but not other domains.