域安全通道和信任关系-- Nltest.exe

文章来自 http://hi.baidu.com/kerving/blog/item/de133cd27263633a970a16fd.html

Sample Output Obtained by Typing "NLTEST.EXE" Without the Quotes

C:\NTRESKIT>nltest
Usage: nltest [/OPTIONS]

/SERVER:<ServerName> - Specify <ServerName> 

/QUERY - Query <ServerName> netlogon service 

/REPL - Force replication on <ServerName> BDC 

/SYNC - Force SYNC on <ServerName> BDC 

/PDC_REPL - Force UAS change message from <ServerName> PDC 

/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName> 

/SC_RESET:<DomainName> - Reset secure channel for <Domain> on <ServerName> 

/DCLIST:<DomainName> - Get list of DC's for <DomainName> 

/DCNAME:<DomainName> - Get the PDC name for <DomainName> 

/DCTRUST:<DomainName> - Get name of DC is used for trust of <DomainName> 

/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User> 

/FINDUSER:<User> - See which trusted <Domain> will log on <User> 

/TRANSPORT_NOTIFY - Notify of netlogon of new transport 

/RID:<HexRid> - RID to encrypt Password with 

/USER:<UserName> - Query User info on <ServerName> 

/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ASCII 

/LOGON_QUERY - Query number of cumulative logon attempts 

/TRUSTED_DOMAINS - Query names of domains trusted by workstation 

/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName> 

/SIM_SYNC:<DomainName> <MachineName> - Simulate full sync replication 

/LIST_DELTAS:<FileName> - display the content of given change log file 

/LIST_REDO:<FileName> - display the content of given redo log file

Additional Comments and Descriptions of the Nltest.exe Switches

/SERVER:<ServerName>: Remotes the Nltest.exe command to the specified server. If this switch is not specified, the command is run from the local computer. 

/QUERY Queries the local or specified server for a healthy secure channel to a domain controller, and the status of Directory Services replication with the PDC. This is very helpful in determining the general status of the Netlogon service. 

/REPL Force partial synchronization of the local or specified BDC. 

/SYNC Forces a full, immediate synchronization of the local or specified BDC. 

/PDC_REPL The specified PDC forces a change message to all BDCs. 

/SC_QUERY:<DomainName> Verifies the secure channel in the specified domain for a local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. 

/SC_RESET:<DomainName> Resets the secure channel between the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. 

/DCLIST:<DomainName> Lists all the domain controllers, PDC, and BDCs in a given domain. 

/DCNAME:<DomainName> Lists the primary domain controller for a given domain. 

/DCTRUST:<DomainName> Queries and tests the secure channel every time the command is executed. Specify the domain for the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified. 

/WHOWILL:<Domain><User> Queries the domain and indicates which Domain Controller has the account in their local user account database. This is very useful in determining if a given domain controller contains the user account. If the username specified is that of the currently logged on user, the user's current password is NOT sent to the domain controller. This is helpful in determining if duplicate accounts exist across several domains. 

/FINDUSER:<User> Queries explicit trusted domains for the user specified. This is very useful when determining what trusted domain controller or what trusted domain out of several trusted domains will authenticate a user's credentials when a Domain name is not specified in the Server Message Block (SMB) packet. Many down-level clients, such as Windows for Workgroups version 3.1 and the real-mode redirector in Windows 95, do not specify a domain name. 

/USER:<UserName> Displays many of the attributes for the specified user account that are maintained in the user account database. 

/LOGON_QUERY Specifies the number of attempted logon queries at the console, or over the network. 

/TRUSTED_DOMAINS Displays a list of explicit trusted domains. 

/BDC_QUERY:<DomainName> List the backup domain controllers in the specified Domain and provides the state of their synchronization. 

/LIST_DELTAS:<FileName> List information from the Netlogon.chg file specifying changes to the user account database. 

/LIST_REDO:<FileName> List information from the Netlogon.chg file specifying changes to the user account database.

Example Output from Nltest.exe

As an example, suppose the TESTD domain trusts the ESS domain, and a computer running Windows NT Workstation called TEST3 is a member of the TESTD domain. 

NLTEST can be used to show this trust relationship. 

C:\>nltest /trusted_domains
Trusted domain list:
ESS
The command completed successfully

To determine the domain controllers in the TESTD domain: 

C:\>nltest /dclist:testd
List of DCs in Domain testd
\\TEST2 (PDC)
\\TEST1
The command completed successfully

To determine the domain controllers in the ESS domain: 

C:\>nltest /dclist:ess
List of DCs in Domain ess
\\NET1 (PDC)
The command completed successfully

Below are the secure channels between each domain controller in TESTD and a DC in the ESS domain. 

C:\>nltest /server:test1 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\>nltest /server:test2 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

The workstation that is a member of the TESTD domain has an implicit trust with a domain controller. 

C:\>nltest /server:test3 /sc_query:testd
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\TEST2
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

To determine if a domain controller can authenticate a user account: 

C:\>nltest /whowill:ESS bob
[20:58:55] Mail message 0 sent successfully
(\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
The command completed successfully

C:\>nltest /whowill:testd test
[21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
[21:26:15] Mail message 0 sent successfully
(\MAILSLOT\NET\GETDC295)
The command completed successfully

NLTEST can be used to find a trusted domain that has a given user account. 

C:\>nltest /finduser:sweppler
Domain Name: ESS
Trusted DC Name \\NET1
The command completed successfully

To verify the status of BDC synchronization: 

C:\>nltest /bdc_query:testd
Server : \\TEST1
SyncState : IN_SYNC
ConnectionState : Status = 0 0x0 NERR_Success
The command completed successfully

Nltest.exe can also be used to synchronize the accounts database from a command line or a batch job. 

To run the utility to synchronize the domain from a PDC, type: 

C:\ nltest /PDC_Repl 

To run the utility from a member server, backup domain controller, or Windows NT workstation, type 

C:\ nltest /Server:<PDCName> /PDC_Repl 

where PDCName is the actual name of the PDC, not the name of the domain) 

You will see the successful synchronization events in Event Viewer on the primary domain controller, as well as the backup domain controllers.