NLTEST.exe (Windows 2008 or via AD DS)

Network Location Test - List domain controllers(DCs), Force a remote shutdown, Query the status of trust,
test trust relationships and the state of domain controller replication.

Syntax
      NLTEST [/server:servername] [operation[parameter]

Key
   /server: ServerName 
            Run nltest at a remote domain controller: ServerName.
            default = the local computer (a domain controller).

   /query   Report on the state of the secure channel the last time you used it.
            (The secure channel is the one that the NetLogon service established.)

   /repl    Force synchronization with the primary domain controller (PDC).
            Nltest synchronizes only changes that are not yet replicated to the backup
            domain controller (BDC). NT 4.0 BDCs only, not for Active Directory replication.
            You must have administrative credentials to use this parameter.

   /sync    Force an immediate synchronization with the PDC of the entire SAM database.
            NT 4.0 BDCs only, not for Active Directory replication.
            You must have administrative credentials to use this parameter.

   /pdc_repl Force the PDC to send a synchronization notification to all BDCs.
            NT 4.0 PDCs only, not for Active Directory replication.
            You must have administrative credentials to use this parameter.

   /sc_query: DomainName
             Report on the state of the secure channel the last time that you used it.
            (The secure channel is the one that the NetLogon service established.)
            This parameter lists the name of the domain controller that you queried on the
            secure channel, also.

   /sc_reset:[ DomainName]
            Remove, and then rebuild, the secure channel that the NetLogon service established.
            You must have administrative credentials to use this parameter.

   /sc_verify:[ DomainName]
            Check the status of the secure channel that the NetLogon service established.
            If the secure channel does not work, this parameter removes the existing channel, and
            then builds a new one. You must have administrative credentials to use this parameter.

   /sc_change_pwd:[ DomainName]
            Change the password for the trust account of a domain that you specify.
            If you run nltest on a domain controller, and an explicit trust relationship exists,
            then nltest resets the password for the interdomain trust account.
            Otherwise, nltest changes the computer account password for the domain that you specify.

   /dclist:[ DomainName]
            List all DCs in the domain.
            This command first queries Active Directory for a list of DCs.
            If this query is unsuccessful, nltest then uses the Browser service (if netbios is enabled).

   /dcname:[ DomainName]
            List the primary domain controller or the PDC emulator for DomainName.

   /dsgetdc:[ DomainName]
            Query the Domain Name System (DNS) server for a list of DCs and their
            IP addresses. This parameter also contacts each domain controller to check for connectivity.
            The following list shows the values that you can use to filter the list of DCs
            or specify alternate names types in the syntax.

            /PDC: Return only the PDC (Windows NT 4.0) or domain controllers designated as the PDC
                  emulator (Windows 2000 and later).
            /DS:  Return only those DCs that are Windows 2000 and later.
            /DSP: Return only Windows 2000 and later DCs. If the query finds no such server,
                  then return Windows NT 4.0 DCs.
            /GC:  Return only those DCs that are designated as global catalog servers.
            /KDC: Return only those DCs that are designated as Kerberos key distribution centers.
            /TIMESERV: Return only those DCs that are designated as time servers.
            /GTTIMESERV: Return only DCs designated as master time servers.
            /WS: /NetBIOS: Specifies computer names in the syntax as NetBIOS names.
            /DNS: Specify computer names in the syntax as fully qualified domain names (FQDNs).
                  If you do not specify a return format, the DC can return either NetBIOS or DNS format.
            /IP:  Return only DCs that have IP addresses. i.e. return only TCP/IP DCs.
            /FORCE: Force the computer to run the command against the DNS server instead of looking in
                    the cache for the information.
            /Writable: Require that the returned DC be writable; All Windows 2000 DCs are writable
            /Avoidself: When called from a DC, specifies that the returned DC name should
                        not be the current computer. If the current computer is not a DC, this flag is ignored.
                        This flag can be used to obtain the name of another DC in the domain.
            /LDAPOnly: Specifies that the server returned is an LDAP server. The server returned is not
                       necessarily a DC. This flag can be used with the DS_GC_SERVER_REQUIRED flag
                       to return an LDAP server that also hosts a global catalog server.
                       If this flag is specified, the DS_PDC_REQUIRED, DS_TIMESERV_REQUIRED, 
                       DS_GOOD_TIMESERV_PREFERRED, DS_DIRECTORY_SERVICES_PREFERED,
                       DS_DIRECTORY_SERVICES_REQUIRED, and DS_KDC_REQUIRED flags are ignored.
            /Backg: If the DS_FORCE_REDISCOVERY flag is not specified, this function uses cached DC data.
                    If the cached data is more than 15 minutes old, the cache is refreshed by pinging
                    the DC. If this flag is specified, this refresh is avoided even if the cached data
                    is expired. This flag should be used if the DsGetDcName function is called periodically.
            /DS_6: Require that the returned DC be running Windows Server 2008 or later.
            /DS_8: Require that the returned domain controller be running Windows Server 2012 or later.
            /Try_Next_Closest_Site: When this flag is specified, DsGetDcName attempts to find a DC in
                                    the same site as the caller.
            /Ret_DNS: Specifies that the names returned in the DomainControllerName and DomainName members
                      of DomainControllerInfo should be DNS names.
            /Ret_NETBIOS: Specifies that the names returned in the DomainControllerName and DomainName members
                          of DomainControllerInfo should be flat names.

   /dnsgetdc: DomainName
            Query the DNS server for a list of domain controllers and their corresponding IP addresses.
            values that you can use to filter the list of DCs:
               /PDC: Return only those DCs that are PDCs (Windows NT 4.0) or designated as PDC emulators.
               /GC:  Return only those DCs that you designate as global catalogs.
               /KDC: Return only those DCs that you designate as Kerberos key distribution centers.
               /WRITABLE: Return only those DCs that can accept changes to the directory database.
                          This value returns all Active Directory DCs, but not Windows NT 4.0 BDCs.
               /LDAPONLY: Return servers that are running a Lightweight Directory Access Protocol (LDAP) application.
                          The servers can include LDAP servers that are not DCs.
               /FORCE:    Run the command against the DNS server instead of looking in cache.
               /SITE Sitename: Sort to list first the records that pertain to Sitename.
               /SITESPEC:      Filter the returned records to display only Sitename, used only with /SITE.

   /dsgetfti: DomainName[ /UpdateTDO]
            Return information about interforest trusts. You use this parameter only for a Windows Server 2008
            domain controller that is in the root of the forest. If no interforest trusts exist, this parameter
            returns an error. The /UpdateTDO value updates the locally stored information on the interforest trust.

   /dsgetsite
            Return the name of the site in which the DC resides.

   /dsgetsitecov
            Return the name of the site that the DC covers. A DC can cover a site
            that has no local DC of its own.

   /parentdomain
            Return the name of the parent domain of the server.

   /dsregdns
            Refreshe the registration of all DNS records that are specific to a DC that you specify.


   /dsderegdns: DnsHostName
            Deregisters DNS host records for the host that you specify in the DnsHostName parameter.
            values you can use to specify which records nltest deregisters:
               /DOM:  Specify a DNS domain name for the host to use when you search for records on the DNS server.
                      If you do not specify this value, nltest uses the DNS domain name as the suffix of the
                      DnsHostName parameter.
               /DSAGUID: Deletes Directory System Agent (DSA) records that are based on a GUID.
               DOMGUID: Deletes DNS records that are based on a globally unique identifier (GUID).

   /whowill: Domain/ User
            Find the DC that has the user account that you specify. Use this parameter to determine
            whether nltest has replicated the account information to other DCs.

   /finduser: User
            Find the directly-trusted domain that the user account User belongs to.
            Use this parameter to troubleshoot logon issues of older client operating systems.

   /transport_notify    Flushe the negative cache to force the discovery of a domain controller.
                        You can use this parameter for Windows NT 4.0 domain controllers only.
                        This operation is done automatically when clients log on to Windows 2000 and
                        Windows Server 2003 domain controllers.
   /dbflag: HexadecimalFlags
            Set a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags.
            The entry in the Windows Server 2003 registry for debug flags is
            HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.

   /user: UserName
            Display many of the attributes that you maintain in the SAM account database for the user that
            you specify. You cannot use this parameter for user accounts that are stored in an AD database.

   /time: HexadecimalLSL HexadecimalMSL
            Convert Windows NT Greenwich Mean Time (GMT) time to ASCII. HexadecimalLSL is a hex value for
            least significant longword. HexadecimalMSL is a hexa value for most significant longword.

   /logon_query
            Query the cumulative number of NTLM logon attempts at a console or over a network.

   /domain_trusts
            Returns a list of trusted domains. /Primary /Forest /Direct_Out /Direct_In /All_Trusts /v.
            values that you can use to filter the list of domains:
               /Primary: Return only the domain to which the computer account belongs.
               /Forest: Return only those domains that are in the same forest as the primary domain.
               /Direct_Out: Return only the domains that are explicitly trusted with the primary domain.
               /Direct_In: Return only the domains that explicitly trust the primary domain.
               /All_Trusts: Return all trusted domains.
               /v: Display verbose output, including any domain SIDs and GUIDs that are available.

   /dsquerydns
            Query for the status of the last update for all DNS records that are specific to a DC.

   /bdc_query: DomainName
            Query for a list of BDCs in DomainName, and then display their state of synchronization
            and replication status. You can use this parameter only for Windows NT 4.0 domain controllers.

   /sim_sync: DomainName ServerName
            Simulate full synchronization replication. This is a useful parameter for test environments.

   /list_deltas: FileName
            Display the contents of the FileName change log file, which lists changes to the user account 
            database. Netlogon.chg is the default name for this log file, which resides only on Windows NT 4.0 BDCs.

   /cdigest: Message /domain: DomainName
            Display the current digest that the client uses for the secure channel.
            (The digest is the calculation that nltest derives from the password.)
            This parameter displays the digest that is based on the previous password, also. Nltest uses
            the secure channel for logons between client computers and a domain controller, or for
            directory service replication between domain controllers. You can use this parameter in
            conjunction with the /sdigest parameter to check the synchronization of trust account passwords.

   /sdigest: <Message> /rid: RID_In_Hexadecimal
            Display the current digest that the server uses for the secure channel.
            (The digest is the calculation that nltest derives from the password.)
            This parameter displays the digest for the previous password, also. If the digest from the
            server matches the digest from the client, then nltest synchronizes the passwords that it
            uses for the secure channel. If the digests do not match, then nltest might not have replicated
            the password change yet.

   /shutdown: Reason [Seconds]
            Remotely shut down the server that you specify in ServerName.
            Use a string to specify the reason for the shutdown in the Reason value.
            Use an integer value of Seconds before the shutdown will occur.
            (see InitiateSystemShutdown in the Platform SDK documentation.)

   /shutdown_abort
            Terminate a system shutdown.

  {/help | /?}   Display help at the command prompt.

Examples

Verify domain controllers in a domain:

nltest /dclist:ss64dom

Show detailed information about a specific user:

nltest /user:"user64"

Verify trust relationship with a specific server:

nltest /server:ss64-DC01 /sc_query:ss64dom

lags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\ss64-DC01.ss64.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

“..If it disagrees with experiment it is wrong. In that simple statement is the key to science. It does not make any difference how beautiful your guess is. It does not make any difference how smart you are, who made the guess, or what his name is – if it disagrees with experiment it is wrong” ~ Richard Feynman

Related commands:

RepAdmin - Diagnose Active Directory replication problems between domain controllers.
DcDiag - Analyze the state of domain controllers and report any problems.
DsMgt - Manage password operations over unsecured connections, AD Lightweight Directory Services application partitions, flexible single master operations (FSMO), and clean up AD metadata.
SetSpn - Read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.


Copyright © SS64.com 1999-2017
Some rights reserved