NLTEST to test the trust relationship between a workstation and domain



1. NLTEST can be used to show this trust relationship.

 

PS C:\> nltest /trusted_domains
List of domain trusts:
    0: GS gs.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
    1: CONTOSO contoso.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
 
2. To determine the domain controllers in the CONTOSO domain:
PS C:\> nltest /dclist:contoso
Get list of DCs in domain 'contoso' from '\\WIN-5Q4IM0060DO'.
    WIN-5Q4IM0060DO.contoso.com [PDC]  [DS] Site: IND-BLR
The command completed successfully
4. Below are the secure channels between each domain controller in CONTOSO and a DC in the MICROSOFT domain.
C:\>nltest /server:test1 /sc_query:microsoft
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /server:test2 /sc_query:microsoft
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
5. The workstation that is a member of the CONTOSO domain has an implicit trust with a domain controller.
C:\>nltest /server:Computer1 /sc_query:contoso
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\TEST2
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

 

6. To determine if a domain controller can authenticate a user account:

PS C:\> nltest /whowill:contoso biz
[11:06:22] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC834)
[11:06:22] Response 0: NetpDcAllocateCacheEntry: new entry 0x000000D83F9ADBD0 -> DC:WIN-5Q4IM0060DO DnsDomName:(null) Flags:0x0

S:WIN-5Q4IM0060DO D:CONTOSO A:biz (Act found)
The command completed successfully 


7. NLTEST can be used to find a trusted domain that has a given user account.

8. Determine SRV priorities and weights (run the command for both the trusting and the trusted domain)
PS C:\> nltest /dnsgetdc:contoso.com
List of DCs in pseudo-random order taking into account SRV priorities and weights:
Non-Site specific:
   win-5q4im0060do.contoso.com  fe80::e0a8:9c56:ba17:df5d%12  10.224.34.1
The command completed successfully
PS C:\> nltest /dnsgetdc:gs.com
List of DCs in pseudo-random order taking into account SRV priorities and weights:
Non-Site specific:
   ban-dc01.gs.com  10.224.34.10
The command completed successfully
9. Determine the failures for all DC-specific DNS records
PS C:\> nltest /DSQUERYDNS
Flags: 0
Connection Status = 0 0x0 NERR_Success
There was no failure in the last update for all DC-specific DNS records
The command completed successfully
10. Reset the NETLOGON secure channel

nltest /sc_reset:<domainname>
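
A scripted version of the /sc_query checks in items 4 and 5, as an added example that is not part of the original page. The function name ConvertFrom-NltestScQuery, the server labels and the failure sample are constructed here; the parser reads the numeric status lines rather than the closing "command completed" line.

```powershell
# Added example, not from the original page: parse `nltest /sc_query` text output.
function ConvertFrom-NltestScQuery {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,  # nltest output, one line per element
        [Parameter(Mandatory)] [string]   $Server  # label for the machine that was queried
    )
    $trustedDc = $null
    $statuses  = @()   # every "... Status = <dec> 0x<hex> <NAME>" line found
    foreach ($line in $Lines) {
        if ($line -match '^\s*Trusted DC Name\s+(\S+)') {
            $trustedDc = $Matches[1]
        } elseif ($line -match 'Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)') {
            $statuses += [pscustomobject]@{ Code = [int]$Matches[1]; Name = $Matches[2] }
        }
    }
    $failed = @($statuses | Where-Object { $_.Code -ne 0 })
    [pscustomobject]@{
        Server    = $Server
        TrustedDC = $trustedDc
        # Healthy only when at least one status line was seen and all of them are 0
        Healthy   = ($statuses.Count -gt 0) -and ($failed.Count -eq 0)
        Errors    = @($failed | ForEach-Object { $_.Name }) -join ','
    }
}

# Constructed sample output: the first follows the successful form shown on this
# page, the second is a constructed failure (1311 = ERROR_NO_LOGON_SERVERS).
$samples = @{
    'test1' = @(
        'Flags: 0'
        'Connection Status = 0 0x0 NERR_Success'
        'Trusted DC Name \\NET1'
        'Trusted DC Connection Status Status = 0 0x0 NERR_Success'
        'The command completed successfully'
    )
    'test2' = @(
        'Flags: 0'
        'Trusted DC Name'
        'Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS'
        'The command completed successfully'
    )
}
$samples.GetEnumerator() | Sort-Object Key | ForEach-Object {
    ConvertFrom-NltestScQuery -Lines $_.Value -Server $_.Key
}

# Against live machines (server names are placeholders):
# 'test1','test2' | ForEach-Object { ConvertFrom-NltestScQuery -Lines (nltest /server:$_ /sc_query:contoso) -Server $_ }
```

Machines reported with Healthy = False are the candidates for the secure channel reset in item 10.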

 

 


Comments
  • Great tool

  • User is not able to login; issue can be from any side. That can be server issue or can be user side issue. So how to find immediately that is server side or user side issue. Then only we can troubleshoot.

    For checking the server side issue use below command

    nltest /server:<servername> /sc_query:<domainname>

    For checking the User side issue use the below command

    nltest /whowill:domainname <samid>
