DOCUMENT:Q158148 09-AUG-2001 [winnt] TITLE :Domain Secure Channel Utility -- Nltest.exe PRODUCT :Microsoft Windows NT PROD/VER:WinNT:4.0 OPER/SYS: KEYWORDS:kbenv kbnetwork ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 ------------------------------------------------------------------------------- SUMMARY ======= The Microsoft Windows NT 4.0 Resource Kit contains a very powerful command-line utility to test secure channels between Windows NT computers that are members of a domain, and between domain controllers that are trusting other domains. Below is a detailed discussion. MORE INFORMATION ================ NLTEST Overview --------------- Nltest.exe is a very powerful command-line utility that can be used to test trust relationships and the state of domain controller replication in a Windows NT domain. A domain consist of domain controllers in which there is a single primary domain controller (PDC) and zero or more backup domain controllers (BDC). When the word Trust is used in the context of Windows NT, it describes a relationship between two Windows NT domains. Each domain involved has either the role of being the trusting domain, or the trusted domain. For any given trust relationship, there is a single discreet communication channel between each domain controller in the trusting domain and a domain controller in the trusted domain. For example if Domain "A" trusts Domain "B", then "B" is the trusted domain, and "A" is the trusting domain. In a another example, suppose Domain "I" trusts Domain "J", and Domain "J" trusts Domain "I". In this example, there are two distinct trust relationships between the domain controllers. Often, this is called the Complete Trust mode, or a 2-way trust. Yet, for secure channel diagnosis, it is best to think of these as two separate secure channels, between each domain controller in the trusting domain and a domain controller in the trusted domain. Trust relationships are not transitive. For example, suppose Domain "X" trusts Domain "Y", which in turn trusts Domain "Z". This does NOT imply Domain "X" trusts Domain "Z". The reason for this is that the administrator in each domain must grant explicit permission on either side of the trust relationship for it to take place. Another form of trust relationship is sometimes referred to as an "implicit" trust. In a single domain model, or in an environment where there are no "explicit" trust relationships between any two domains, the "implicit" trust relationship is active and functionally needed. This implicit trust exists between all computers running Windows NT that are members of a domain and a domain controller in their domain. Explicit trust relationships are established through User Manager For Domains. Implicit trust relationships are established by becoming a member of a domain. Nltest.exe can be used to test the trust relationship between a computer running Windows NT that is a member of a domain and a domain controller where its machine account resides. NLTEST can also verify the trust between the BDCs in a domain and their PDC. In domains where an explicit trust has been defined, NLTEST can test the trust relationship between all domain controllers in the trusting domain and a domain controller in the trusted domain. These sessions of communication are called Secure Channels and are used to authenticate Windows NT machine accounts. They are also used to authenticate User Accounts when a remote user connects to a network resource and the user account exists in a trusted Domain. This is called Pass-Through Authentication, and it allows a computer running Windows NT that has joined a domain to have access to the User Account Database in its domain and in any Trusted Domains. Nltest.exe can use the Browser Service to enumerate domain controllers. Therefore, if browsing is not working correctly, Nltest.exe may produce inconsistent results. The computer where Nltest.exe is run and those providing the browsing services need to share the same protocols that are used by the domain controllers to carry out their domain activity. In addition, the enumeration of the specified computer and domain names depend on the status of name-resolution, such as WINS server replication, IPX router configuration, or NetBEUI bridging. All of these trust relationships, and domain synchronization, can be monitored, tested, and verified by Nltest.exe. Sample Output Obtained by Typing "NLTEST.EXE" Without the Quotes ---------------------------------------------------------------- C:\NTRESKIT>nltest Usage: nltest [/OPTIONS] /SERVER: - Specify /QUERY - Query netlogon service /REPL - Force replication on BDC /SYNC - Force SYNC on BDC /PDC_REPL - Force UAS change message from PDC /SC_QUERY: - Query secure channel for on /SC_RESET: - Reset secure channel for on /DCLIST: - Get list of DC's for /DCNAME: - Get the PDC name for /DCTRUST: - Get name of DC is used for trust of /WHOWILL:* [] - See if will log on /FINDUSER: - See which trusted will log on /TRANSPORT_NOTIFY - Notify of netlogon of new transport /RID: - RID to encrypt Password with /USER: - Query User info on /TIME: - Convert NT GMT time to ASCII /LOGON_QUERY - Query number of cumulative logon attempts /TRUSTED_DOMAINS - Query names of domains trusted by workstation /BDC_QUERY: - Query replication status of BDCs for /SIM_SYNC: - Simulate full sync replication /LIST_DELTAS: - display the content of given change log file /LIST_REDO: - display the content of given redo log file Additional Comments and Descriptions of the Nltest.exe Switches --------------------------------------------------------------- /SERVER:: Remotes the Nltest.exe command to the specified server. If this switch is not specified, the command is run from the local computer. /QUERY Queries the local or specified server for a healthy secure channel to a domain controller, and the status of Directory Services replication with the PDC. This is very helpful in determining the general status of the Netlogon service. /REPL Force partial synchronization of the local or specified BDC. /SYNC Forces a full, immediate synchronization of the local or specified BDC. /PDC_REPL The specified PDC forces a change message to all BDCs. /SC_QUERY: Verifies the secure channel in the specified domain for a local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. /SC_RESET: Resets the secure channel between the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. /DCLIST: Lists all the domain controllers, PDC, and BDCs in a given domain. /DCNAME: Lists the primary domain controller for a given domain. /DCTRUST: Queries and tests the secure channel every time the command is executed. Specify the domain for the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. /WHOWILL: Queries the domain and indicates which Domain Controller has the account in their local user account database. This is very useful in determining if a given domain controller contains the user account. If the username specified is that of the currently logged on user, the user's current password is NOT sent to the domain controller. This is helpful in determining if duplicate accounts exist across several domains. /FINDUSER: Queries explicit trusted domains for the user specified. This is very useful when determining what trusted domain controller or what trusted domain out of several trusted domains will authenticate a user's credentials when a Domain name is not specified in the Server Message Block (SMB) packet. Many down-level clients, such as Windows for Workgroups version 3.1 and the real-mode redirector in Windows 95, do not specify a domain name. /USER: Displays many of the attributes for the specified user account that are maintained in the user account database. /LOGON_QUERY Specifies the number of attempted logon queries at the console, or over the network. /TRUSTED_DOMAINS Displays a list of explicit trusted domains. /BDC_QUERY: List the backup domain controllers in the specified Domain and provides the state of their synchronization. /LIST_DELTAS: List information from the Netlogon.chg file specifying changes to the user account database. /LIST_REDO: List information from the Netlogon.chg file specifying changes to the user account database. Example Output from Nltest.exe ------------------------------ As an example, suppose the TESTD domain trusts the ESS domain, and a computer running Windows NT Workstation called TEST3 is a member of the TESTD domain. NLTEST can be used to show this trust relationship. C:\>nltest /trusted_domains Trusted domain list: ESS The command completed successfully To determine the domain controllers in the TESTD domain: C:\>nltest /dclist:testd List of DCs in Domain testd \\TEST2 (PDC) \\TEST1 The command completed successfully To determine the domain controllers in the ESS domain: C:\>nltest /dclist:ess List of DCs in Domain ess \\NET1 (PDC) The command completed successfully Below are the secure channels between each domain controller in TESTD and a DC in the ESS domain. C:\>nltest /server:test1 /sc_query:ess Flags: 0 Connection Status = 0 0x0 NERR_Success Trusted DC Name \\NET1 Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully C:\>nltest /server:test2 /sc_query:ess Flags: 0 Connection Status = 0 0x0 NERR_Success Trusted DC Name \\NET1 Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully The workstation that is a member of the TESTD domain has an implicit trust with a domain controller. C:\>nltest /server:test3 /sc_query:testd Flags: 0 Connection Status = 0 0x0 NERR_Success Trusted DC Name \\TEST2 Trusted DC Connection Status Status = 0 0x0 NERR_Success The command completed successfully To determine if a domain controller can authenticate a user account: C:\>nltest /whowill:ESS bob [20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939) [20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found) The command completed successfully C:\>nltest /whowill:testd test [21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found) [21:26:15] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC295) The command completed successfully NLTEST can be used to find a trusted domain that has a given user account. C:\>nltest /finduser:sweppler Domain Name: ESS Trusted DC Name \\NET1 The command completed successfully To verify the status of BDC synchronization: C:\>nltest /bdc_query:testd Server : \\TEST1 SyncState : IN_SYNC ConnectionState : Status = 0 0x0 NERR_Success The command completed successfully Nltest.exe can also be used to synchronize the accounts database from a command line or a batch job. To run the utility to synchronize the domain from a PDC, type: " C:\ nltest /PDC_Repl " (without the quotation marks) To run the utility from a member server, backup domain controller, or Windows NT workstation, type " C:\ nltest /Server: /PDC_Repl " (without the quotation marks) where PDCName is the actual name of the PDC, not the name of the domain) You will see the successful synchronization events in Event Viewer on the primary domain controller, as well as the backup domain controllers. Additional query words: reskit secure channel ====================================================================== Keywords : kbenv kbnetwork Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 Version : WinNT:4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.