NLTEST to test the trust relationship between a workstation and domain


Virginie Fayad

Jun 8, 2024, 7:13:31 AM6/8/24
to coidockchisso

The Test-ComputerSecureChannel cmdlet verifies that the channel between the local computer and its domain is working correctly by checking the status of its trust relationships. If a connection fails, you can use the Repair parameter to try to restore it.

Test-ComputerSecureChannel returns $True if the channel is working correctly and $False if it is not. This result lets you use the cmdlet in conditional statements in functions and scripts. To get more detailed test results, use the Verbose parameter.

Specifies a user account that has permission to perform this action. Type a user name, such as User01 or Domain01\User01, or enter a PSCredential object, such as one that the Get-Credential cmdlet returns. By default, the cmdlet uses the credentials of the current user.

Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely ( =177813). To use nltest, you must run the nltest command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Nltest can test and reset the secure channel that the NetLogon service establishes between clients and the domain controller that logs them on. Clients using Kerberos authentication cannot use this secure channel.

A discrete communication channel, known as the secure channel, exists between trusted domains in a Windows NT 4.0 environment and parent domains and their immediate children in an Active Directory environment. In a Windows NT 4.0 environment, nltest uses these channels to authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication.

Nltest provides diagnostic features that you can use for troubleshooting Windows Server 2008 operating system configurations. However, because nltest is designed primarily for system administrators and support personnel, its output may be difficult to analyze. In this case, you can review the appropriate troubleshooting sections in the Windows Deployment and Resource Kits. Search for any of the keywords from the bulleted list in the nltest description above.

Forces synchronization with the primary domain controller (PDC). Nltest synchronizes only changes that are not yet replicated to the backup domain controller (BDC). You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

Forces an immediate synchronization with the PDC of the entire Security Accounts Manager (SAM) database. You can use this parameter for Windows NT 4.0 BDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

Forces the PDC to send a synchronization notification to all BDCs. You can use this parameter for Windows NT 4.0 PDCs only, not for Active Directory replication. You must have administrative credentials to use this parameter.

Reports on the state of the secure channel the last time that you used it. (The secure channel is the one that the NetLogon service established.) This parameter lists the name of the domain controller that you queried on the secure channel, also.

Checks the status of the secure channel that the NetLogon service established. If the secure channel does not work, this parameter removes the existing channel, and then builds a new one. You must have administrative credentials to use this parameter. This parameter is only valid on domain controllers that run Windows 2000 with Service Pack 2 and later.

Changes the password for the trust account of a domain that you specify. If you run nltest on a domain controller, and an explicit trust relationship exists, then nltest resets the password for the interdomain trust account. Otherwise, nltest changes the computer account password for the domain that you specify. You can use this parameter only for computers that are running Windows 2000 and later.

Lists all domain controllers in the domain. In a Windows NT 4.0 domain environment, this parameter uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this query is unsuccessful, nltest then uses the Browser service.

/DNS: Specifies computer names in the syntax as fully qualified domain names (FQDNs). If you do not specify a return format, the domain controller can return either NetBIOS or DNS format.

/Writable: Requires that the returned domain controller be writable; that is, host a writable copy of the directory service, for Windows 2000 and later DCs, or of SAM (for DCs in operating systems prior to Windows 2000). A DC in an operating system prior to Windows 2000 is writable only if it is a primary domain controller. All Windows 2000 domain controllers are writable.

/Avoidself: When called from a domain controller, specifies that the returned domain controller name should not be the current computer. If the current computer is not a domain controller, this flag is ignored. This flag can be used to obtain the name of another domain controller in the domain.

/LDAPOnly: Specifies that the server returned is an LDAP server. The server returned is not necessarily a domain controller. No other services are implied to be present at the server. The server returned does not necessarily have a writable config container nor a writable schema container. The server returned may not necessarily be used to create or modify security principals. This flag may be used with the DS_GC_SERVER_REQUIRED flag to return an LDAP server that also hosts a global catalog server. The returned global catalog server is not necessarily a domain controller. No other services are implied to be present at the server. If this flag is specified, the DS_PDC_REQUIRED, DS_TIMESERV_REQUIRED, DS_GOOD_TIMESERV_PREFERRED, DS_DIRECTORY_SERVICES_PREFERED, DS_DIRECTORY_SERVICES_REQUIRED, and DS_KDC_REQUIRED flags are ignored.

/Backg: If the DS_FORCE_REDISCOVERY flag is not specified, this function uses cached domain controller data. If the cached data is more than 15 minutes old, the cache is refreshed by pinging the domain controller. If this flag is specified, this refresh is avoided even if the cached data is expired. This flag should be used if the DsGetDcName function is called periodically.

/Try_Next_Closest_Site: When this flag is specified, DsGetDcName attempts to find a domain controller in the same site as the caller. If no such domain controller is found, it will find a domain controller that can provide topology information and call DsBindToISTG to obtain a bind handle, then call DsQuerySitesByCost over UDP to determine the "next closest site," and finally cache the name of the site found. If no domain controller is found in that site, then DsGetDcName falls back on the default method of locating a domain controller.

If this flag is used in conjunction with a non-NULL value in the input parameter SiteName, then ERROR_INVALID_FLAGS is thrown. Also, the kind of search employed with DS_TRY_NEXT_CLOSEST_SITE is site-specific, so this flag is ignored if it is used in conjunction with DS_PDC_REQUIRED. Finally, DS_TRY_NEXTCLOSEST_SITE is ignored when used in conjunction with DS_RETURN_FLAT_NAME because that uses NetBIOS to resolve the name, but the domain of the domain controller found won't necessarily match the domain to which the client is joined.

This flag is Group Policy enabled. If you enable the "Try Next Closest Site" policy setting, Next Closest Site DC Location will be turned on for the machine across all available but un-configured network adapters. If you disable the policy setting, Next Closest Site DC Location will not be used by default for the machine across all available but un-configured network adapters. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, DsGetDcName honors the Next Closest Site behavior. If you do not configure this policy setting, Next Closest Site DC Location will not be used by default for the machine across all available but un-configured network adapters. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.

/Ret_DNS: Specifies that the names returned in the DomainControllerName and DomainName members of DomainControllerInfo should be DNS names. If a DNS name is not available, an error is returned. This switch cannot be specified with the /Ret_NETBIOS switch. This flag implies the DS_IP_REQUIRED flag.

/Ret_NETBIOS: Specifies that the names returned in the DomainControllerName and DomainName members of DomainControllerInfo should be flat names. If a flat name is not available, an error is returned. This switch cannot be specified with the /Ret_DNS switch.

/WRITABLE: Returns only those domain controllers that can accept changes to the directory database. This value returns all Active Directory domain controllers, but not Windows NT 4.0 BDCs.

/SITESPEC: Filters the returned records to display only those records that pertain to the site that you specify. This operation can only be used with the /SITE parameter.
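As an added example that is not part of the original post or of Microsoft's documentation, the following PowerShell script combines the two tools the post describes: it runs Test-ComputerSecureChannel on a domain member, optionally rebuilds a broken channel with -Repair (passing a PSCredential when one is supplied), and cross-checks the result against the last-known secure-channel state that nltest reports. It assumes a Windows PowerShell 5.1 session running elevated on a domain-joined machine, that nltest.exe is available (RSAT or the AD DS tools installed), and that the domain name 'corp.example', the script file name, and the "Trusted DC Name" output line it parses are placeholders and assumptions rather than values from the page.

```powershell
<#
  Added example: not code from the original post or from Microsoft's documentation.
  Runs Test-ComputerSecureChannel on a domain member, optionally repairs a broken
  channel with -Repair, and cross-checks with nltest's last-known channel state.
  Assumptions (not from the page): 'corp.example' is a placeholder domain name,
  nltest.exe is on PATH (RSAT / AD DS tools), and the session is elevated.
#>
[CmdletBinding()]
param(
    [string]$Domain = 'corp.example',   # placeholder; use the real domain name
    [switch]$Repair,                    # try to rebuild the channel if it is broken
    [pscredential]$Credential           # account allowed to reset the computer account
)

function Get-NltestSecureChannel {
    # Wraps "nltest /sc_query:<domain>", which reports the channel state from the
    # last time NetLogon used it and the DC it was established with.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Domain)

    $output = & nltest.exe "/sc_query:$Domain" 2>&1 | Out-String
    $exit   = $LASTEXITCODE
    # Assumption: nltest prints a "Trusted DC Name \\<dc>" line on success.
    $dc = if ($output -match 'Trusted DC Name\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TrustedDc = $dc
        ExitCode  = $exit
        RawOutput = $output.Trim()
    }
}

function Invoke-SecureChannelCheck {
    [CmdletBinding()]
    param(
        [string]$Domain,
        [switch]$Repair,
        [pscredential]$Credential
    )

    # $true when the channel works; with -Verbose the cmdlet also names the DC it used.
    $healthy = Test-ComputerSecureChannel

    $repairAttempted = $false
    $repairSucceeded = $null
    if (-not $healthy -and $Repair) {
        $repairAttempted = $true
        # -Repair resets the computer account password and rebuilds the channel,
        # so it needs an account permitted to reset this machine's account.
        $repairArgs = @{ Repair = $true }
        if ($Credential) { $repairArgs['Credential'] = $Credential }
        $repairSucceeded = Test-ComputerSecureChannel @repairArgs
        # Re-test rather than trusting the repair return value alone.
        $healthy = Test-ComputerSecureChannel
    }

    $nl = Get-NltestSecureChannel -Domain $Domain

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Domain          = $Domain
        SecureChannelOk = $healthy
        RepairAttempted = $repairAttempted
        RepairSucceeded = $repairSucceeded
        NltestTrustedDc = $nl.TrustedDc
        NltestExitCode  = $nl.ExitCode
    }
}

$checkArgs = @{ Domain = $Domain; Repair = $Repair }
if ($Credential) { $checkArgs['Credential'] = $Credential }
$result = Invoke-SecureChannelCheck @checkArgs
$result | Format-List

# A non-zero exit lets a scheduled task or monitoring agent alert on a broken channel.
if (-not $result.SecureChannelOk) { exit 1 }
```

Saved as, for instance, `Test-SecureChannel.ps1` (the file name is an assumption), `.\Test-SecureChannel.ps1 -Verbose` reports the channel state and the domain controller that was contacted without changing anything; `.\Test-SecureChannel.ps1 -Domain corp.example -Repair -Credential (Get-Credential)` attempts the rebuild with an explicitly supplied account, as the Credential parameter text above describes. The script re-runs the test after a repair instead of relying solely on the repair's return value, and it exits non-zero on failure so it can be scheduled and alerted on.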
