Article from http://hi.baidu.com/kerving/blog/item/de133cd27263633a970a16fd.html
Sample Output Obtained by Typing "NLTEST.EXE" Without the Quotes
C:\NTRESKIT>nltest
Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force replication on <ServerName> BDC
/SYNC - Force SYNC on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName> - Reset secure channel for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DCTRUST:<DomainName> - Get name of DC is used for trust of <DomainName>
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted <Domain> will log on <User>
/TRANSPORT_NOTIFY - Notify of netlogon of new transport
/RID:<HexRid> - RID to encrypt Password with
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ASCII
/LOGON_QUERY - Query number of cumulative logon attempts
/TRUSTED_DOMAINS - Query names of domains trusted by workstation
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/SIM_SYNC:<DomainName> <MachineName> - Simulate full sync replication
/LIST_DELTAS:<FileName> - display the content of given change log file
/LIST_REDO:<FileName> - display the content of given redo log file
Additional Comments and Descriptions of the Nltest.exe Switches
/SERVER:<ServerName>: Remotes the Nltest.exe command to the specified server. If this switch is not specified, the command is run from the local computer.
/QUERY Queries the local or specified server for a healthy secure channel to a domain controller, and the status of Directory Services replication with the PDC. This is very helpful in determining the general status of the Netlogon service.
/REPL Force partial synchronization of the local or specified BDC.
/SYNC Forces a full, immediate synchronization of the local or specified BDC.
/PDC_REPL The specified PDC forces a change message to all BDCs.
/SC_QUERY:<DomainName> Verifies the secure channel in the specified domain for a local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified.
/SC_RESET:<DomainName> Resets the secure channel between the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified.
/DCLIST:<DomainName> Lists all the domain controllers, PDC, and BDCs in a given domain.
/DCNAME:<DomainName> Lists the primary domain controller for a given domain.
/DCTRUST:<DomainName> Queries and tests the secure channel every time the command is executed. Specify the domain for the local or remote workstation, server, or BDC. This can be run for a PDC if an explicit trust relationship exists between two domains and the trusted domain is specified.
/WHOWILL:<Domain> <User> Queries the domain and indicates which domain controller has the account in its local user account database. This is very useful in determining if a given domain controller contains the user account. If the username specified is that of the currently logged on user, the user's current password is NOT sent to the domain controller. This is helpful in determining if duplicate accounts exist across several domains.
/FINDUSER:<User> Queries explicit trusted domains for the user specified. This is very useful when determining what trusted domain controller or what trusted domain out of several trusted domains will authenticate a user's credentials when a Domain name is not specified in the Server Message Block (SMB) packet. Many down-level clients, such as Windows for Workgroups version 3.1 and the real-mode redirector in Windows 95, do not specify a domain name.
/USER:<UserName> Displays many of the attributes for the specified user account that are maintained in the user account database.
/LOGON_QUERY Specifies the number of attempted logon queries at the console, or over the network.
/TRUSTED_DOMAINS Displays a list of explicit trusted domains.
/BDC_QUERY:<DomainName> Lists the backup domain controllers in the specified domain and provides the state of their synchronization.
/LIST_DELTAS:<FileName> Lists information from the Netlogon.chg file specifying changes to the user account database.
/LIST_REDO:<FileName> Lists information from the Netlogon.chg file specifying changes to the user account database.
Example Output from Nltest.exe
As an example, suppose the TESTD domain trusts the ESS domain, and a computer running Windows NT Workstation called TEST3 is a member of the TESTD domain. NLTEST can be used to show this trust relationship.
C:\>nltest /trusted_domains
Trusted domain list:
    ESS
The command completed successfully
To determine the domain controllers in the TESTD domain:
C:\>nltest /dclist:testd
List of DCs in Domain testd
    \\TEST2 (PDC)
    \\TEST1
The command completed successfully
To determine the domain controllers in the ESS domain:
C:\>nltest /dclist:ess
List of DCs in Domain ess
    \\NET1 (PDC)
The command completed successfully
Below are the secure channels between each domain controller in TESTD and a DC in the ESS domain.
C:\>nltest /server:test1 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
C:\>nltest /server:test2 /sc_query:ess
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
The workstation that is a member of the TESTD domain has an implicit trust with a domain controller.
C:\>nltest /server:test3 /sc_query:testd
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\TEST2
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
To determine if a domain controller can authenticate a user account:
C:\>nltest /whowill:ESS bob
[20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
The command completed successfully
C:\>nltest /whowill:testd test
[21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
[21:26:15] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC295)
The command completed successfully
NLTEST can be used to find a trusted domain that has a given user account.
C:\>nltest /finduser:sweppler
Domain Name: ESS
Trusted DC Name \\NET1
The command completed successfully
To verify the status of BDC synchronization:
C:\>nltest /bdc_query:testd
Server : \\TEST1
    SyncState : IN_SYNC
    ConnectionState : Status = 0 0x0 NERR_Success
The command completed successfully
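A small parser for the /sc_query and /bdc_query output shown above, added here as an example that is not part of the original article: it turns the text into records and flags any DC whose secure channel or BDC synchronization is not healthy. The sample strings are constructed from the page's output, plus one hypothetical BDC (\\TEST4) with a non-IN_SYNC state and a failing status so the check has something to report.

```python
import re

# Constructed samples in the layout nltest prints. The first is the page's
# "/server:test1 /sc_query:ess" output; the BDC list adds a hypothetical
# \\TEST4 whose SyncState and status are placeholders for an unhealthy BDC.
SC_QUERY_OK = r"""Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""

BDC_QUERY = r"""Server : \\TEST1
    SyncState : IN_SYNC
    ConnectionState : Status = 0 0x0 NERR_Success
Server : \\TEST4
    SyncState : NOT_IN_SYNC_PLACEHOLDER
    ConnectionState : Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
"""

# Matches "Status = <decimal> 0x<hex> <NAME>", the form used in every nltest status line above.
STATUS_RE = re.compile(r"Status = (\d+) 0x[0-9A-Fa-f]+ (\w+)")


def parse_sc_query(text):
    """Parse `nltest /server:X /sc_query:DOMAIN` output into a dict."""
    statuses = [(int(code), name) for code, name in STATUS_RE.findall(text)]
    dc = re.search(r"Trusted DC Name (\\\\\S+)", text)
    return {
        "trusted_dc": dc.group(1) if dc else None,
        "statuses": statuses,
        # Healthy only if a trusted DC was named and every status is 0 (NERR_Success).
        "healthy": dc is not None and bool(statuses) and all(c == 0 for c, _ in statuses),
    }


def parse_bdc_query(text):
    """Parse `nltest /bdc_query:DOMAIN` output into one record per BDC."""
    records = []
    for block in re.split(r"(?m)^Server : ", text)[1:]:
        sync = re.search(r"SyncState : (\S+)", block)
        status = STATUS_RE.search(block)
        records.append({
            "server": block.split()[0],
            "sync_state": sync.group(1) if sync else None,
            "status": int(status.group(1)) if status else None,
            "status_name": status.group(2) if status else None,
        })
    return records


def out_of_sync_bdcs(records):
    """BDCs worth a look: not IN_SYNC, or a non-zero connection status."""
    return [r["server"] for r in records if r["sync_state"] != "IN_SYNC" or r["status"] != 0]
```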
Nltest.exe can also be used to synchronize the accounts database from a command line or a batch job.
To run the utility to synchronize the domain from a PDC, type:
C:\>nltest /PDC_Repl
To run the utility from a member server, backup domain controller, or Windows NT workstation, type:
C:\>nltest /Server:<PDCName> /PDC_Repl
(where PDCName is the actual name of the PDC, not the name of the domain)
You will see the successful synchronization events in Event Viewer on the primary domain controller, as well as on the backup domain controllers.