Introduction to the domain secure channel utility nltest.exe (Part 1)

zhaozj, 2021-02-16

Tool:

This tool can be found in the Microsoft Windows NT 4.0 Resource Kit. If you have a Windows 2003 installation disk, its Support Tools directory contains the Support Tools installer, and installing it also gives you nltest.exe.

Introduction:

NLTest.exe is a very powerful command-line tool that can be used to test trust relationships and domain controller replication in a Windows NT domain. A domain consists of a single primary domain controller (PDC) and zero or more backup domain controllers (BDCs).

In the Windows NT context, trust describes a relationship between two Windows NT domains. Each domain involved takes either the trusting domain role or the trusted domain role. For any given trust relationship, there is only one discrete communication channel between each domain controller of the trusting domain and each domain controller of the trusted domain. For example, if domain A trusts domain B, then B is the trusted domain and A is the trusting domain. As another example, assume that domain C trusts domain D and domain D also trusts domain C. In this case there are two distinct trust relationships between the domain controllers, usually called the complete trust model or two-way trust. For the purpose of diagnosing secure channels, however, it is best to think of two separate secure channels between each domain controller of the trusting domain and the domain controller of the trusted domain.

Trust relationships are not transitive. For example, if domain E trusts domain F and domain F trusts domain G, that does not mean that domain E trusts domain G. This is because the administrators of each domain must explicitly establish the trust relationship between the two domains.

Another form of trust relationship is sometimes referred to as implicit trust. In a single-domain model, or in an environment where no explicit trust relationship exists between any two domains, implicit trust relationships are still active and functional. This implicit trust exists between the domain controllers in a domain and all member computers of that domain. Explicit trust relationships are established in User Manager for Domains. An implicit trust relationship is established when a computer becomes a domain member.

NLTest.exe can be used to test the trust relationship between a domain controller in a domain and the domain members running Windows NT. NLTest.exe can also be used to test the trust between the primary domain controller (PDC) and a backup domain controller (BDC). In domains where an explicit trust relationship has been defined, NLTest.exe can be used to test the trust relationship between all domain controllers and a domain controller in the trusted domain.

These communication sessions are called secure channels and are used to verify Windows NT computer accounts. They are also used to validate a user account when a remote user connects to a network resource and that user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running Windows NT that has joined a domain to access the user account data in its own domain or in trusted domains.

NLTest.exe uses the Browser service to enumerate domain controllers. Therefore, if the Browser service is not working correctly, NLTest.exe will return inconsistent results. The computer running NLTest.exe and the computer that provides the Browser service must share the same protocol as the domain controllers that carry the domain's activity records. In particular, enumerating a specified computer or domain name depends on the state of name resolution, such as WINS server replication, IPX routing configuration, or NetBEUI bridging.

All trust relationships and domain synchronization can be monitored, tested, and verified with nltest.exe.

Sample output after running nltest.exe with the /? parameter on the command line:

/SERVER: - Specify ServerName

/QUERY - Query Netlogon service (queries the Netlogon service on ServerName)

/REPL - Force partial sync on BDC (forces a partial synchronization on the backup domain controller)

/SYNC - Force full sync on BDC (forces a full synchronization on the backup domain controller)

/PDC_REPL - Force UAS change message from PDC (forces a UAS change message from the primary domain controller)

/SC_QUERY: - Query secure channel for on (queries the secure channel of a domain)

/SC_RESET: [/ ] - Reset secure channel for on to (resets the secure channel)

/SC_VERIFY: - Verify secure channel for on (verifies the secure channel)

/SC_CHANGE_PWD: - Change a secure channel password for on (changes the secure channel password)

/DCLIST: - Get list of DC's for (gets the list of domain controllers)

/DCNAME: - Get the PDC name for (gets the primary domain controller name)

/DSGETDC: - Call DsGetDcName /PDC /DS /DSP /GC /KDC /TIMESERV /GTIMESERV /NETBIOS /DNS /IP /FORCE /WRITABLE /AVOIDSELF /LDAPONLY /BACKG /SITE: /ACCOUNT: /RET_DNS /RET_NETBIOS

/DNSGETDC: - Call DsGetDcOpen/Next/Close /PDC /GC /KDC /WRITABLE /LDAPONLY /FORCE /SITESPEC (calls DsGetDcOpen, DsGetDcNext or DsGetDcClose)

/DSGETFTI: - Call DsGetForestTrustInformation /UPDATE_TDO

/DSGETSITE - Call DsGetSiteName

/DSGETSITECOV - Call DsGetDcSiteCoverage

/PARENTDOMAIN - Get the name of the parent domain of this machine

/WHOWILL: * [] - See if will log on (checks whether a domain will log on a user)

/FINDUSER: - See which trusted domain will log on (finds which trusted domain will log on a user)

/TRANSPORT_NOTIFY - Notify Netlogon of new transport

/DBFLAG: - New debug flag

/USER: - Query user info on (queries user information)

/TIME: - Convert NT GMT time to ASCII

/LOGON_QUERY - Query number of cumulative logon attempts

/DOMAIN_TRUSTS - Query domain trusts on /PRIMARY /FOREST /DIRECT_OUT /DIRECT_IN /ALL_TRUSTS /V

/DSREGDNS - Force registration of all DC-specific DNS records

/DSDEREGDNS: - Deregister DC-specific DNS records for specified DC /DOM: /DOMGUID: /DSAGUID:

/DSQUERYDNS - Query the status of the last update for all DC-specific DNS records

/BDC_QUERY: - Query replication status of BDCs for (queries the replication status of the backup domain controllers)

/SIM_SYNC: - Simulate full sync replication

/LIST_DELTAS: - Display the content of given change log file

/CDIGEST: /DOMAIN: - Get client digest

/SDIGEST: /RID: - Get server digest

/SHUTDOWN: [] - Shutdown for (shuts down the system)

/SHUTDOWN_ABORT - Abort a system shutdown
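The secure channel check described above can be scripted so that a failing channel, and with it pass-through authentication, is noticed early. The following PowerShell is an added example, not part of the original article: the function names are hypothetical, example.test is a constructed domain, and the output layout it parses is an assumption based on typical nltest output.

```powershell
# Added example (not from the original page). The layout nltest prints
# ("Trusted DC Name ...", "Status = <dec> 0x<hex> <NAME>") is assumed.
function ConvertFrom-NltestStatus {
    param([string[]]$Lines)
    $dc = $null
    $statuses = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Trusted DC Name\s+(\S+)') { $dc = $Matches[1] }
        # A run can print more than one status line; keep them all.
        foreach ($m in [regex]::Matches($line, 'Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(\S+)')) {
            $statuses += [pscustomobject]@{
                Code = [int]$m.Groups[1].Value
                Name = $m.Groups[2].Value
            }
        }
    }
    $failed = @($statuses | Where-Object { $_.Code -ne 0 })
    [pscustomobject]@{
        TrustedDc = $dc
        # Healthy only if at least one status was reported and all are zero.
        Healthy   = ($statuses.Count -gt 0 -and $failed.Count -eq 0)
        Failures  = ($failed | ForEach-Object { "$($_.Code) $($_.Name)" }) -join '; '
    }
}

# Live check against a domain; /SC_QUERY only reads the channel state.
function Get-SecureChannelHealth {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]+$')][string]$Domain,
        [ValidatePattern('^[A-Za-z0-9._-]*$')][string]$Server
    )
    $nlArgs = @()
    if ($Server) { $nlArgs += "/SERVER:$Server" }
    $nlArgs += "/SC_QUERY:$Domain"
    $lines = & nltest.exe @nlArgs 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-NltestStatus -Lines $lines
}

# Constructed sample output, so the parser can be exercised offline.
$healthy = @(
    'Flags: 30 HAS_IP  HAS_TIMESERV',
    'Trusted DC Name \\dc01.example.test',
    'Trusted DC Connection Status Status = 0 0x0 NERR_Success',
    'The command completed successfully'
)
$broken = @(
    'Trusted DC Name',
    'Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS'
)
ConvertFrom-NltestStatus -Lines $healthy
ConvertFrom-NltestStatus -Lines $broken
```

Run on a schedule from member servers, a result with Healthy set to False is the signal to investigate the trust or the computer account before users start reporting logon failures.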

Descriptions of some additional parameters follow.
