
How to check client domain secure channel


Eray ALTILI

Aug 7, 2007, 1:50:03 PM
Also you can use netdom to verify the secure channel

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbi_add_dput.mspx?mfr=true


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#E2HAC

Client-Domain Controller Trust Relationships
There are many reasons why the secure channel between a client and a domain
might break. One example is if you don't have the appropriate access
permissions, as shown in the following example:

[FATAL] Secure channel to domain 'RESKIT' is broken. [ERROR_ACCESS_DENIED]

> nltest /sc_query:reskit
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully

To validate trust connections, you normally test the secure channel:

• Nltest /sc_query is used to query the status of the secure channel.

• Nltest /sc_reset:<domain name> can be used to force renegotiation of
the secure channel.

• Nltest /sc_reset:<domain name>\<computer name> can be used to force a
secure channel onto a particular domain controller.


Note

The results of an Nltest /sc_query are unreliable — it returns the status
of the channel when it was used last time and not the current status. The
recommended sequence of verifying the trust is to run nltest /sc_query. If
that returns success, run nltest /sc_reset:<domain>\<dcname returned by
/sc_query>.

To determine the cause of trust relationship problems

1. Log on with a local account.

2. Set Net Logon flags by using the Nltest tool as follows:
nltest /dbflag:0x2000ffff.

3. Run nltest as follows: nltest /sc_reset:<domain name to which you think
your computer is joined>.
The %windir%\debug\netlogon.log explains why the secure channel setup is
not possible. One possible reason is that SYSVOL isn't ready on the
computer. By examining the Netlogon.log file, you can find the following
error:

08/30 10:15:19 [MAILSLOT] Returning paused to 'Reskit1' since: SysVol not
ready


Common trust failures are the following:

• No SAM Trust Account - typically means that the computer account does not
exist.

• Access denied — typically means that the trust passwords do not match. Be
cautious when you get access denied — you get the same error back if you
weren't granted permissions to run sc_query or sc_reset.


Note

Installing computers that use the same computer name is often the reason
for computer account problems, hence broken secure channels. The common way
to get around this problem is to perform the join again.

Another example of client-domain controller trust relationship problems:

D:>nltest /sc_query:reskit
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1787 0x54b ERROR_NO_SAM_TRUST_ACCOUNT
The command completed successfully

The preceding example implies that the client assumes it has joined the
domain. However, the client is not able to find a computer account
registered for itself in the domain controller.

For more information about trust relationships, see "Active Directory
Logical Structure" in this book.

Trust Relationship Diagnostic Tools
The Nltest command-line tool enables you to check trust relationships, as
well as the connectivity and traffic flow between a network client and a
domain controller. Nltest checks the secure channel to make sure that both
Windows 2000–based and Windows NT 4.0–based clients can connect to domain
controllers. The tool also discovers domains and sites. Further, you can
list the domain controllers and Global Catalog servers that are available.
It supports user operations to identify which domain controllers are
capable of logging on a specific user, as well as browsing specific user
information.

To ensure that cached information is not being used when a Windows
2000–based client discovers a domain controller, carry out the /force
command in the Nltest tool. At the command prompt, type nltest
/dsgetdc:<your domain name > /force and then press ENTER.

Note

Nltest /dsgetdc: is used to exercise the locator. Thus /dsgetdc:< domain
name > tries to find the domain controller for the domain. Using the force
flag forces domain controller location rather than using the cache. You can
also specify options such as /gc or /pdc to locate a Global Catalog or a
primary domain controller emulator. For finding the Global Catalog, you
must specify a "tree name," which is the DNS domain name of the root
domain.

If you receive the error ERROR_NO_LOGON_SERVERS while using the Nltest tool
to query the secure channel, this is usually indicative of the inability to
find a domain controller for that domain. Run nltest /dsgetdc:<DomainName>
to verify whether you can locate a domain controller. If you are unable to
find a domain controller, examine DNS registrations and network
connectivity.

For more information about verifying DNS registrations, see "Name
Resolution" later in this chapter.

The following example shows an unsuccessful attempt to find a domain
controller for the domain:

>nltest /SC_QUERY:reskit
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

The following example shows an unsuccessful attempt to locate the domain
controller for the domain using /dsgetdc switch:

:\>nltest /dsgetdc:reskit /force
DsGetDcName failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

The following example shows a successful attempt to find a domain
controller for the domain:

H:\>nltest /dsgetdc:reskit /force
DC: \\server1
Address: \\172.16.132.197
Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f
Dom Name: reskit
Forest Name: reskit.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE
The command completed successfully


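As an added example (not part of the original post or of Microsoft's documentation), a PowerShell script that follows the sequence quoted above: run nltest /sc_query, parse the returned status code, and either renegotiate against the DC that sc_query reported or run the follow-up check the text recommends for each failure code. It assumes nltest.exe is on PATH, that it is run from an elevated prompt on the affected client, and that the domain name EXAMPLE is a placeholder.

```powershell
# Added example, not from the original post. Assumes nltest.exe is on PATH and
# the script runs elevated on the client whose secure channel is in question.
param([string]$Domain = 'EXAMPLE')   # placeholder domain; replace with your NetBIOS domain name

function Get-SecureChannelStatus {
    param([string]$Domain)
    $out = & nltest.exe "/sc_query:$Domain" 2>&1 | Out-String
    $result = [ordered]@{ Domain = $Domain; DcName = $null; Status = $null; Code = $null; Raw = $out }
    # "Trusted DC Name \\dc1.example.com"; the name is absent when the channel is broken
    if ($out -match 'Trusted DC Name\s+(\\\\\S+)') { $result.DcName = $Matches[1] }
    # "Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED"
    if ($out -match 'Status = (\d+) 0x[0-9a-fA-F]+ (\w+)') {
        $result.Code   = [int]$Matches[1]
        $result.Status = $Matches[2]
    }
    [pscustomobject]$result
}

$sc = Get-SecureChannelStatus -Domain $Domain
"sc_query against $Domain returned $($sc.Status) ($($sc.Code))"

switch ($sc.Code) {
    0 {
        # Success from sc_query only reflects the last time the channel was used,
        # so renegotiate against the DC it reported, as the quoted Note recommends.
        if (-not $sc.DcName) { 'sc_query reported success but no DC name was returned'; break }
        $dc = $sc.DcName.TrimStart('\')
        & nltest.exe "/sc_reset:$Domain\$dc"
    }
    5 {
        'ERROR_ACCESS_DENIED: trust passwords probably do not match, or this account lacks rights to run sc_query/sc_reset; rejoining the domain is the usual fix'
    }
    1787 {
        "ERROR_NO_SAM_TRUST_ACCOUNT: no computer account for this host exists in $Domain; rejoin the domain"
    }
    1311 {
        'ERROR_NO_LOGON_SERVERS: no DC could be found; forcing the locator to bypass its cache'
        # ERROR_NO_SUCH_DOMAIN from this call points at DNS registrations or network connectivity
        & nltest.exe "/dsgetdc:$Domain" /force
    }
    default {
        'Unhandled status; enable Net Logon tracing (nltest /dbflag:0x2000ffff), retry sc_reset, then read %windir%\debug\netlogon.log'
    }
}
```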
