Nltest Syntax

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

NLTest uses the following syntax:

nltest [/server:ServerName] [operation [parameter]] ...

  • /server: ServerName
    Runs NLTest at the specified remote domain controller. If this parameter is not specified, the command is executed on the local computer (domain controller).

Operations

  • /query
    Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon service.
  • /repl
    Forces a synchronization with the PDC. Only changes not yet replicated to the BDC are synchronized. This command is for NT 4.0 BDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
  • /sync
    Forces an immediate synchronization with the PDC of the entire SAM database. This command is for NT 4.0 BDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
  • /pdc_repl
    Forces the PDC to send a synchronize notification to all BDCs. This command is for NT 4.0 PDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
  • /sc_query: DomainName
    Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon service. Also, lists the name of the domain controller that was queried on the secure channel.
  • /sc_reset:[ DomainName]
    Removes and then rebuilds the secure channel established by the NetLogon service. Administrative rights are required to perform this command.
  • /sc_verify:[ DomainName]
    Checks the status of the secure channel established by the NetLogon service. If the secure channel is not working, this operation removes the existing channel and builds a new one. Administrative rights are required to perform this command. This operation is only valid on Windows 2000 with Service Pack 2 and Windows Server 2003 domain controllers.
  • /sc_change_pwd:[ DomainName]
    Changes the password for the trust account of the specified domain. If this command is run on a domain controller, and an explicit trust relationship exists, then the password for the interdomain trust account is reset. Otherwise, the computer account password for the specified domain is changed. This command is only for computers that are Windows 2000, Windows XP, and Windows Server 2003.
  • /dclist:[ DomainName]
    Lists all domain controllers in the domain. In an NT 4.0 domain environment, this command uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this is unsuccessful the Browser service is used.
  • /dcname:[ DomainName]
    Lists the primary domain controller or the primary domain controller emulator for DomainName.
  • /dsgetdc:[ DomainName]
    Queries the DNS server for a list of domain controllers and their corresponding IP addresses. Contacts each domain controller to check for connectivity. Use the following flags to filter the list of domain controllers or to specify alternate name types in the syntax.
    • /PDC Returns only the PDC (NT 4.0) or domain controller designated as the PDC emulator (Windows 2000 or Windows Server 2003).

    • /DS Returns only those domain controllers that are Windows 2000 or Windows Server 2003 servers.

    • /DSP Requests that Windows 2000 or Windows Server 2003 domain controllers be returned. If no Windows 2000 or Windows Server 2003 server is found, then this operation returns NT domain controllers.

    • /GC Returns only those domain controllers designated as Global Catalog servers.

    • /KDC Returns only those domain controllers designated as Kerberos key distribution centers.

    • /TIMESERV Returns only those domain controllers designated as time servers.

    • /GTTIMESERV Returns only those domain controllers designated as master time servers.

    • /NetBIOS Use this command when specifying computer names in the syntax as NetBIOS names.

    • /DNS Use this command when specifying computer names in the syntax as FQDNs.

    • /IP Returns only domain controllers that have IP addresses. Domain controllers not using TCP/IP as their protocol stack are not returned.

    • /FORCE Forces the computer to run the command against the DNS server instead of looking in cache for the information.

  • /dnsgetdc: DomainName
    Queries the DNS server for a list of domain controllers and their corresponding IP addresses. Use the following flags to filter the list of domain controllers.
    • /PDC Returns only those domain controllers that are PDCs (NT 4.0) or designated as PDC emulators.

    • /GC Returns only those domain controllers designated as Global Catalogs.

    • /KDC Returns only those domain controllers designated as Kerberos key distribution centers.

    • /WRITABLE Returns only those domain controllers that can accept changes to the directory database. All Active Directory domain controllers will be returned. Only NT 4.0 BDCs will not be returned with this command.

    • /LDAPONLY Returns servers that are running an LDAP application. With this command LDAP servers are returned that are not necessarily DCs.

    • /FORCE Forces the computer to run the command against the DNS server instead of looking in cache for the information.

    • /SITE: Sitename Sorts the returned records so that the ones pertaining to the site are listed first.

    • /SITESPEC Filters the returned records so only those pertaining to the site are displayed. This operation can only be used with the /SITE operation.

  • /dsgetfti: DomainName[ /UpdateTDO]
    Returns information about interforest trust(s). This operation is only for a Windows Server 2003 domain controller that is in the root of the forest. If no interforest trusts exist, this operation will return an error. The /UpdateTDO flag updates the locally stored information on the interforest trust.
  • /dsgetsite
    Returns the name of the site in which the domain controller resides.
  • /dsgetsitecov
    Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain controller of its own.
  • /parentdomain
    Returns the name of the parent domain of the server.
  • /dsregdns
    Refreshes the registration of all domain controller-specific DNS records.
  • /dsderegdns: DnsHostName
    Deregisters DNS host records from DNS for the host specified with the DnsHostName parameter. Use the following flags (/DOM:, /DOMGUID:, /DSAGUID:) to specify which records will be deregistered.
    • /DOM: Specifies a DNS domain name for the host to use when searching for records in the DNS server. If not specified, the suffix of the DnsHostName is assumed to be the DNS domain name.

    • /DOMGUID: Deletes DNS records that are GUID based.

    • /DSAGUID: Deletes DSA records that are GUID based.

  • /whowill: Domain/ User
    Finds the domain controller that has the specified user account. Use this command to determine whether the account information has been replicated to other domain controllers.
  • /finduser: User
    Finds the directly trusted domain to which the specified user account belongs. Use this operation to troubleshoot logon issues of older client operating systems.
  • /transport_notify
    Flushes the negative cache to force the discovery of a domain controller. Use this operation on NT 4.0 domain controllers only. This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers.
  • /dbflag: HexadecimalFlags
    Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows Server 2003 registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.
  • /user: UserName
    Displays many of the attributes for the specified user account that are maintained in the SAM account database. This operation will not work for user accounts stored in Active Directory.
  • /time: HexadecimalLSL HexadecimalMSL
    Converts Windows NT GMT time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL is a hexadecimal value for most significant longword.
  • /logon_query
    Queries the cumulative number of NTLM logon attempts at the console or over the network.
  • /domain_trusts
    Returns a list of trusted domains. Use the following flags (/Primary, /Forest, /Direct_Out, /Direct_In, /All_Trusts, /v) to filter the list of domains.
    • /Primary Returns only the domain to which the computer account belongs.

    • /Forest Returns only those domains that are in the same forest as the primary domain.

    • /Direct_Out Returns only the domains that are explicitly trusted by the primary domain.

    • /Direct_In Returns only the domains that explicitly trust the primary domain.

    • /All_Trusts Returns all trusted domains.

    • /v Displays verbose output including domain SIDs and GUIDs if available.

  • /dsquerydns
    Queries for the status of the last update for all DC-specific DNS records.
  • /bdc_query: DomainName
    Queries for a list of backup domain controllers in DomainName and displays their state of synchronization and replication status. This operation is only for NT 4.0 domain controllers.
  • /sim_sync: DomainName ServerName
    Simulates full synchronization replication. This operation is useful in test environments.
  • /list_deltas: FileName
    Displays the contents of the change log file FileName, which lists changes to the user account database. Netlogon.chg is the default name. This log file resides only on NT 4.0 BDCs.
  • /cdigest: Message /domain: DomainName
    Displays the current digest (calculation derived from the password) used by the client for the secure channel. Also, displays the digest based on the previous password. The secure channel is used for logons between client computers and a domain controller, or DC to DC for directory service replication. Use this operation in conjunction with the /sdigest operation to check trust account password synchronization.
  • /sdigest: Message /rid: RID_In_Hexadecimal
    Displays the current digest (calculation derived from the password) that the server is using for the secure channel. Also, displays the digest for the previous password. If the digest from the server matches the digest from the client (retrieved using the /cdigest operation), then the passwords used for the secure channel are synchronized. If the digests do not match, then a password change may not have replicated yet.
  • /shutdown: Reason[ Seconds]
    Performs a remote shutdown of the ServerName for Reason, a string, after Seconds, an integer. For a complete description, see the Platform SDK documentation for InitiateSystemShutdown.
  • /shutdown_abort
    Terminates a system shutdown.
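
The conversion that the /time operation performs, written out as an added example (not part of the original page or of NLTest itself), for cases where timestamps have to be decoded offline from exported directory data. The function names are hypothetical, and the treatment of 0 and 0x7FFFFFFFFFFFFFFF as "no time set" reflects how attributes such as accountExpires use those values.

```python
from datetime import datetime, timedelta, timezone

# Windows NT time counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel meaning "never" in attributes such as accountExpires


def parse_longword(text):
    """Parse one hexadecimal longword argument (with or without a 0x prefix)."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{text!r} is not a 32-bit longword")
    return value


def nt_time_from_longwords(lsl_hex, msl_hex):
    """Return the UTC datetime for HexadecimalLSL / HexadecimalMSL, or None if unset."""
    ticks = (parse_longword(msl_hex) << 32) | parse_longword(lsl_hex)
    if ticks in (0, NEVER):
        return None
    try:
        # Integer microseconds avoid float rounding; sub-microsecond ticks are dropped.
        return NT_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        raise ValueError(f"tick count {ticks:#x} is beyond the representable date range")


def longwords_from_ticks(ticks):
    """Split a 64-bit value (for example pwdLastSet) into (LSL, MSL) hex strings."""
    if not 0 <= ticks <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("tick count must fit in 64 bits")
    return f"{ticks & 0xFFFFFFFF:08x}", f"{ticks >> 32:08x}"


if __name__ == "__main__":
    # Constructed sample: 116444736000000000 ticks is the Unix epoch in NT time.
    lsl, msl = longwords_from_ticks(116444736000000000)
    print(f"nltest /time:{lsl} {msl}")
    print(nt_time_from_longwords(lsl, msl).isoformat())
```

Note the argument order: the least significant longword comes first, which is the reverse of how a 64-bit value reads when printed as a single hexadecimal number.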
