Domain secure channels and trust relationships: Nltest.exe

This article describes the various uses of the NLTEST.EXE command and the meaning of its parameters, including querying domain controller status, forcing synchronization and verifying secure channels, and gives several examples of real-world scenarios.

The article comes from http://hi.baidu.com/kerving/blog/item/de133cd27263633a970a16fd.html

Sample Output Obtained by Typing "NLTEST.EXE" Without the Quotes

C:\NTRESKIT>nltest
Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force replication on <ServerName> BDC
/SYNC - Force SYNC on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName> - Reset secure channel for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DCTRUST:<DomainName> - Get name of DC is used for trust of <DomainName>
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted <Domain> will log on <User>
/TRANSPORT_NOTIFY - Notify of netlogon of new transport
/RID:<HexRid> - RID to encrypt Password with
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ASCII
/LOGON_QUERY - Query number of cumulative logon attempts
/TRUSTED_DOMAINS - Query names of domains trusted by workstation
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/SIM_SYNC:<DomainName> <MachineName> - Simulate full sync replication
/LIST_DELTAS:<FileName> - display the content of given change log file
/LIST_REDO:<FileName> - display the content of given redo log file

Additional Comments and Descriptions of the Nltest.exe Switches

/SERVER:<ServerName> Remotes the Nltest.exe command to the specified server. If this switch is not specified, the command is run on the local computer.

/QUERY Queries the local or specified server for a healthy secure channel to a domain controller, and the status of Directory Services replication with the PDC. This is very helpful in determining the general status of the Netlogon service. 

/REPL Forces a partial synchronization of the local or specified BDC.

/SYNC Forces a full, immediate synchronization of the local or specified BDC. 

/PDC_REPL Forces the specified PDC to send a change message to all BDCs.

/SC_QUERY:<DomainName> Verifies the secure channel in the specified domain for a local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. 

/SC_RESET:<DomainName> Resets the secure channel between the local or remote workstation, server, or BDC and a domain controller in the specified domain. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified.

/DCLIST:<DomainName> Lists all the domain controllers (the PDC and the BDCs) in a given domain.

/DCNAME:<DomainName> Lists the primary domain controller for a given domain. 

/DCTRUST:<DomainName> Queries and tests the secure channel every time the command is executed. Specify the domain for the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. 

/WHOWILL:<Domain> <User> Queries the domain and indicates which domain controller has the account in its local user account database. This is very useful in determining whether a given domain controller contains the user account. If the username specified is that of the currently logged-on user, the user's current password is NOT sent to the domain controller. This is also helpful in determining whether duplicate accounts exist across several domains.

/FINDUSER:<User> Queries explicit trusted domains for the user specified. This is very useful when determining what trusted domain controller or what trusted domain out of several trusted domains will authenticate a user's credentials when a Domain name is not specified in the Server Message Block (SMB) packet. Many down-level clients, such as Windows for Workgroups version 3.1 and the real-mode redirector in Windows 95, do not specify a domain name. 

/USER:<UserName> Displays many of the attributes for the specified user account that are maintained in the user account database. 

/LOGON_QUERY Reports the number of attempted logons at the console or over the network.

/TRUSTED_DOMAINS Displays a list of explicit trusted domains. 

/BDC_QUERY:<DomainName> Lists the backup domain controllers in the specified domain and reports the state of their synchronization.

/LIST_DELTAS:<FileName> Lists information from the Netlogon.chg file specifying changes to the user account database.

/LIST_REDO:<FileName> Lists information from the Netlogon.chg file specifying changes to the user account database.

Example Output from Nltest.exe

As an example, suppose the TESTD domain trusts the ESS domain, and a computer running Windows NT Workstation called TEST3 is a member of the TESTD domain. 

NLTEST can be used to show this trust relationship. 
C:\>nltest /trusted_domains
Trusted domain list:
ESS
The command completed successfully

To determine the domain controllers in the TESTD domain: 
C:\>nltest /dclist:testd
List of DCs in Domain testd
\\TEST2 (PDC)
\\TEST1
The command completed successfully

To determine the domain controllers in the ESS domain: 
C:\>nltest /dclist:ess
List of DCs in Domain ess
\\NET1 (PDC)
The command completed successfully

Below are the secure channels between each domain controller in TESTD and a DC in the ESS domain. 
C:\>nltest /server:test1 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /server:test2 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

The workstation that is a member of the TESTD domain has an implicit trust with a domain controller. 
C:\>nltest /server:test3 /sc_query:testd
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\TEST2
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

To determine if a domain controller can authenticate a user account: 
C:\>nltest /whowill:ESS bob
[20:58:55] Mail message 0 sent successfully
(\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
The command completed successfully

C:\>nltest /whowill:testd test
[21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
[21:26:15] Mail message 0 sent successfully
(\MAILSLOT\NET\GETDC295)
The command completed successfully

NLTEST can be used to find a trusted domain that has a given user account. 
C:\>nltest /finduser:sweppler
Domain Name: ESS
Trusted DC Name \\NET1
The command completed successfully

To verify the status of BDC synchronization: 
C:\>nltest /bdc_query:testd
Server : \\TEST1
SyncState : IN_SYNC
ConnectionState : Status = 0 0x0 NERR_Success
The command completed successfully

Nltest.exe can also be used to synchronize the accounts database from a command line or a batch job. 

To run the utility to synchronize the domain from a PDC, type:

C:\>nltest /PDC_Repl

To run the utility from a member server, backup domain controller, or Windows NT workstation, type:

C:\>nltest /Server:<PDCName> /PDC_Repl

(where PDCName is the actual name of the PDC, not the name of the domain)

You will see the successful synchronization events in Event Viewer on the primary domain controller, as well as the backup domain controllers.
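The walk-through above checks each domain controller in TESTD by hand with /dclist and /sc_query. The script below is an added example, not part of the original article, that automates that check: it parses the output of `nltest /dclist:<domain>` to enumerate the DCs, parses each `nltest /server:<dc> /sc_query:<trusted domain>` output, and reports every DC whose secure channel to the trusted domain does not end in NERR_Success. The sample output is constructed from the article's TESTD/ESS scenario; the TEST2 failure case is constructed too (formatted the way nltest reports a Win32 error, here 1311 ERROR_NO_LOGON_SERVERS). The `run_nltest` helper is an assumption about how an operator would feed real output in on a Windows host and is not used by the offline sample.

```python
"""Secure-channel health check built on nltest /dclist and /sc_query output.

Added example; not code from the original article. The sample strings are
constructed from the article's TESTD / ESS example.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample: output of "nltest /dclist:testd" as shown in the article.
SAMPLE_DCLIST = """List of DCs in Domain testd
\\\\TEST2 (PDC)
\\\\TEST1
The command completed successfully
"""

# Constructed samples of "nltest /server:<dc> /sc_query:ess".
# TEST1 is healthy (copied from the article); TEST2 is a constructed failure
# using the real Win32 code 1311 ERROR_NO_LOGON_SERVERS.
SAMPLE_SC_QUERY = {
    "TEST1": """Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\\\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
""",
    "TEST2": """I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
""",
}

DC_LINE = re.compile(r"^\\\\(?P<name>\S+)(?P<pdc>\s+\(PDC\))?\s*$")
STATUS_LINE = re.compile(r"Status\s*=\s*(?P<dec>\d+)\s+0x[0-9A-Fa-f]+\s+(?P<sym>\S+)")
TRUSTED_DC = re.compile(r"Trusted DC Name\s+\\\\(?P<name>\S+)")


@dataclass
class DcEntry:
    name: str
    is_pdc: bool


@dataclass
class ChannelStatus:
    server: str
    trusted_dc: Optional[str]
    codes: list  # list of (decimal status, symbolic name) pairs found in the output

    @property
    def healthy(self) -> bool:
        # Healthy only if nltest reported at least one status and all of them are 0.
        return bool(self.codes) and all(code == 0 for code, _ in self.codes)


def parse_dclist(text: str) -> list:
    """Return the DCs listed by /dclist, in the order nltest printed them."""
    entries = []
    for line in text.splitlines():
        m = DC_LINE.match(line.strip())
        if m:
            entries.append(DcEntry(m.group("name"), m.group("pdc") is not None))
    return entries


def parse_sc_query(server: str, text: str) -> ChannelStatus:
    """Extract every 'Status = <dec> 0x<hex> <name>' line plus the trusted DC name."""
    codes = [(int(m.group("dec")), m.group("sym")) for m in STATUS_LINE.finditer(text)]
    dc = TRUSTED_DC.search(text)
    return ChannelStatus(server, dc.group("name") if dc else None, codes)


def run_nltest(*args: str) -> str:
    """Run nltest.exe on a Windows host (assumed helper; unused by the offline sample)."""
    proc = subprocess.run(["nltest", *args], capture_output=True, text=True, check=False)
    return proc.stdout


def check_domain(dclist_text: str, sc_query_outputs: dict) -> list:
    """One ChannelStatus per DC in dclist_text; missing output counts as unhealthy."""
    return [parse_sc_query(dc.name, sc_query_outputs.get(dc.name, ""))
            for dc in parse_dclist(dclist_text)]


def unhealthy(results: list) -> list:
    """Names of the DCs whose secure channel is not NERR_Success."""
    return [r.server for r in results if not r.healthy]


if __name__ == "__main__":
    for r in check_domain(SAMPLE_DCLIST, SAMPLE_SC_QUERY):
        state = "OK" if r.healthy else "FAIL"
        print(f"{r.server}: {state} trusted DC={r.trusted_dc} codes={r.codes}")
    print("DCs needing attention (e.g. /sc_reset):", unhealthy(check_domain(SAMPLE_DCLIST, SAMPLE_SC_QUERY)))
```

On a real host you would replace the two sample strings with `run_nltest("/dclist:testd")` and `run_nltest(f"/server:{dc}", "/sc_query:ess")`; the parser treats a DC with no output at all as unhealthy, so an unreachable DC is flagged rather than silently skipped.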

### How to repair a failed trust relationship between a Windows workstation and its Active Directory domain

#### Verify the DNS settings

Make sure every DNS server configured on the client hosts the zones and valid records needed to reach the target domain controller (DC). Common misconfigurations include:

- The forward lookup zone for the target AD domain is missing.
- The `_msdcs` forward lookup zone is missing.

If these zones are missing, create the corresponding DNS zones and add the required resource records, in particular the LDAP SRV records and the host A records.

#### Check that the required DNS resource records exist and are accurate

Confirm that the following DNS resource records exist and are correct:

- The `_msdcs.<forest root>` zone should contain the Lightweight Directory Access Protocol (LDAP) SRV records for the DCs in the target domain.
- The host A records in the target AD domain should point to the correct IP addresses, and the network interfaces with those addresses must be reachable from the client computer.

Update or correct any entries found to be wrong so that they are valid.

#### Refresh the Kerberos ticket-granting ticket (TGT)

When the trust problem is related to Kerberos authentication, try purging the TGT cached by the Local Security Authority Subsystem Service (LSASS):

```powershell
klist purge
```

This command clears the current user's TGT and forces a new ticket to be obtained.

#### Use `netdom resetpwd` or `nltest /sc_reset` to reset the machine account password or secure channel

Both methods can be used to re-establish the trust relationship between the workstation and the AD domain:

```cmd
netdom resetpwd /s:<DC_IP_Address> /ud:Administrator /pd:*
```

or, run on the affected workstation,

```cmd
nltest /sc_reset:<Domain_Name>
```

Restart the workstation after either operation so that the change takes effect.

#### Remove the computer from the domain and rejoin it

As a last resort, after backing up important data, consider removing the existing domain membership and rejoining the intended Active Directory domain:

1. Disconnect the existing connection;
2. Move the computer to a workgroup;
3. Restart the device;
4. Join the correct domain.

After completing these steps, test whether the newly established trust relationship works correctly.