Useful Commands For Windows Administartors

USEFUL COMMANDS FOR WINDOWS ADMINISTARTORS
Enter the password for USA-Chicago\admin and press Enter.
The user must have credentials for both domains. The /pd parameter can be used to specify the password for
Northamerica\admin and the /po parameter can How many users are logged on/connected to a server?
Sometimes we may need to know how many users are logged on to a (file) server, like maybe when there is a performance
degradation.
At the server's console itself, with native commands only:
NET SESSION | FIND /C "\\"
Remotely, with the help of SysInternals' PSTools:
PSEXEC \\servername NET SESSION | FIND /C "\\"
By replacing FIND /C "\\" by FIND "\\" (removing the /C switch) you'll get a list of logged on users instead of just the number of
users.
Back to the index
Who is logged on to a computer?
We often need to know who is currently logged on to a remote computer.

With native Windows commands only:
NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"
The first name in the list usually is the logged on user (try playing with the NET NAME command to learn more about the names
displayed by NBTSTAT).
This is the fastest way to find the logged on user name, and the results that you do get are correct, but NBTSTAT won't always
return a user name, even when a user is logged on.
Using WMIC (Windows XP Professional and later):
WMIC /Node:remotecomputer ComputerSystem Get UserName
This is arguably the most reliable (native) command to find out who is logged on.
With the help of SysInternals' PSTools:
PSLOGGEDON -L \\remotecomputer
or:
PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "
or:
PSEXEC \\remotecomputer NET NAME
or:
PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"
or:
FOR /F %%A IN ('REG Query \\remotecomputer\HKU | FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (

FOR /F "tokens=3 delims=\" %%B IN ('REG Query "\\remotecomputer\%%A\Volatile Environment"') DO (
SET LoggedinUser=%%B
NETSH and WMIC are for XP or later, and are the most reliable of all commands shown here.
WMIC requires WMI enabled remote computers and Windows XP on the administrator's computer; NETSH requires Windows XP
on the remote computers.
PSLOGGEDON is a more accurate solution than NBTSTAT, but it will return the last logged on user if no one is currently logged on.
The NET and NBTSTAT commands show more or less identical results, but the NBTSTAT command is much faster.
The REG command is accurate, but may need to be modified depending on the version used. As displayed here, the code is
written for REG.EXE 3.0 (XP).
If you want to search lots of computers for logged on users, I recommend you try NBTSTAT first (fast, but it won't always return
the user name!), and only switch to NETSH, REG or WMIC (accurate) if NBTSTAT doesn't return a user name.
Credits: Ji Janyka (WMIC command) and Matthew W. Helton (NETSH command).
Back to the index
What is this collegue's login name?
My collegues often forget to mention their logon account name when calling the helpdesk, and the helpdesk doesn't always ask
either. I suppose they expect me to know all 1500+ accounts by heart.
With (native) Windows Server 2003 commands only:
DSQUERY USER -name *lastname* | DSGET USER -samid -display

Windows Server 2003's "DSTools" will work fine in Windows 2000 and XP too, when copied.
Note: Keep in mind, however, that some Windows Server 2003 Active Directory functionality is not available in Windows 2000
Active Directories.
Back to the index
What is the full name for this login name?
With the native NET command:
NET USER loginname /DOMAIN | FIND /I " name "
With (native) Windows Server 2003 commands:
DSQUERY USER -samid *loginname* | DSGET USER -samid -display

The NET command may seem more universal, because it requires neither Active Directory nor Windows Server 2003
Note: commands, but it is language dependent!
For non-English Windows you may need to modify FIND's search string.
Back to the index
What groups is this user a member of?
In Windows NT 4 and later, users usually are members of global groups. These global groups in turn are members of (domain)
local groups. Access permissions are given to (domain) local groups.
To check if a user has access to a resource, we need to check group membership recursively.
DSQUERY USER -samid loginname | DSGET USER -memberof -expand
Back to the index
What permissions does a user have on this directory?
One could use the previous command to check what permissions a user has on a certain directory.
However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:
CD /D d:\directory2check
SHOWACLS /U:domain\userid
Back to the index
When did someone last change his password?
NET USER loginname /DOMAIN | FIND /I "Password last set"
Back to the index
How do I reset someone's password?
NET USER loginname newpassword /DOMAIN
DSQUERY USER -samid loginname | DSMOD USER -pwd newpassword

To prevent the new password from being displayed on screen replace it with an asterisk (*); you will then be prompted
Note:
(twice) to type the new password "blindly".
Back to the index
Is someone's account locked?
NET USER loginname /DOMAIN | FIND /I "Account active"
The account is either locked ("Locked") or active ("Yes").
Back to the index
How to unlock a locked account
NET USER loginname /DOMAIN /ACTIVE:YES
or, if the password needs to be reset as well:
NET USER loginname newpassword /DOMAIN /ACTIVE:YES

Back to the index
List all domains and workgroups in the network
NET VIEW /DOMAIN
Back to the index
List all computers in the network
NET VIEW
or, to list the names only:
FOR /F "skip=3 delims=\ " %%A IN ('NET VIEW') DO ECHO.%%A
delims is a backslash, followed by a tab and a space.
Back to the index
List all domain controllers
With native Windows 2000 commands:
NETDOM QUERY /D:MyDomain DC
NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.
With (native) Windows Server 2003 commands (Active Directory only):
DSQUERY Server
or, if you prefer host names only (tip by Jim Christian Flatin):
DSQUERY Server -o rdn
Back to the index
Find the primary domain controller
NETDOM QUERY /D:MyDomain PDC
or, to find the FSMO with (native) Windows Server 2003 commands (Active Directory only):
NETDOM QUERY /D:mydomain.com FSMO
Back to the index

List all member servers
NETDOM QUERY /D:MyDomain SERVER
Back to the index
List all workstations
NETDOM QUERY /D:MyDomain WORKSTATION
Back to the index
Delete a computer account
NETDOM /DOMAIN:MyDomain MEMBER \\computer2Bdeleted /DELETE
Back to the index
"I need an up-to-date list of disk space usage for all servers, on my desk in 5 minutes"
Sounds familiar?
With (native) Windows XP Professional or Windows Server 2003 commands:
FOR /F %%A IN (servers.txt) DO (

WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >>
SRVSPACE.CSV
)
The only prerequisites are:
1. SRVSPACE.CSV should not exist or be empty,

2. a list of server names in a file named SERVERS.TXT, one server name on each line,
3. and WMIC.EXE, which is native in Windows XP Professional, Windows Server 2003 and Vista.
The CSV file format is ServerName,DeviceID,FileSystem,FreeSpace,Size (one line for each harddisk partition on each server).
If you have a strict server naming convention, SERVERS.TXT itself can be generated with the NET command:
FOR /F "delims=\ " %%A IN ('NET VIEW ^| FINDSTR /R /B /C:"\\\\SRV\-"') DO (>>SERVERS.TXT ECHO.%%A)
Notes: (1) assuming server names start with "SRV-"; modify to match your own naming convention.
(2) delims is a backslash, followed by a tab and a space.
Back to the index
List all drivers on any PC

With (native) Windows XP Professional or Windows Server 2003 commands:
DRIVERQUERY /V /FO CSV > %ComputerName%.csv
Or, for remote computers:
DRIVERQUERY /S remote_PC /V /FO CSV > remote_PC.csv
Back to the index
List all printers on any PC
With (native) Windows XP+ commands:
WMIC /Node:remote_PC Path Win32_Printer Get DeviceID
Back to the index
List all local administrators
With (native) Windows NT 4+ commands:
NET LOCALGROUP Administrators
Or, to remove header and footer lines:
FOR /F "delims=[]" %%A IN ('NET LOCALGROUP Administrators | FIND /N "----"') DO SET HeaderLines=%%A
FOR /F "tokens=*" %%A IN ('NET LOCALGROUP Administrators') DO SET FooterLine=%%A
NET LOCALGROUP Administrators | MORE /E +%HeaderLines% | FIND /V "%FooterLine%"
Back to the index
Locate rogue DHCP servers
Never had an "illegal" router wreaking havoc on your network yet...?
With a (native) Windows Server 2003 command:
DHCPLOC -p local_IP_address [ valid_DHCP_server1 [ valid_DHCP_server2 [ .. ] ] ]
DHCPLOC.EXE is native in Windows Server 2003, and will run in Windows XP if copied/installed.
I didn't test this in Windows Server 2003 yet, but in Windows XP you need to press "d" to start the discovery, or "q" to quit.
Back to the index
Disable Windows Firewall for domain only
Disable the firewall only when the computer (e.g. a laptop) is connected to the domain:
NETSH Firewall Set OpMode Mode = DISABLE Profile = DOMAIN
Back to the index
Completely disable Windows Firewall (not recommended)
Disable the firewall comletely (not recommended unless an alternative enterprise firewall is used that requires you to do so):
SC [ \\Remote_computer ] Stop SharedAccess

SC [ \\Remote_computer ] Config SharedAccess start= disabled
Back to the index
Dnslint Overview
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Dnslint.exe: DNS Lint
This command-line tool allows you to verify Domain Name System (DNS) records for a specified domain name. Use DNSLint to
help diagnose potential causes of incorrect delegation and other common DNS problems.
Concepts
Incorrect delegation
System Administrators use DNS delegations to assign the authority for a DNS subdomain to a set of DNS servers. These
delegations help administrators implement a DNS infrastructure that is scalable, flexible, and easy to administer.
Incorrect delegation is a common problem with DNS structures. This can occur when the authority for a DNS subdomain has
been delegated to a particular DNS server that either does not exist, or does not have authority over the subdomain.
Incorrect delegation problems are compounded when other DNS issues are present in a DNS infrastructure. For example, if DNS
domain information is not identical on all authoritative DNS servers, data returned from the servers may differ, leading to
intermittent name resolution difficulties. In another scenario, if a Mail Exchange (MX) record exists but the corresponding glue
record is missing, then e-mail delivery to that domain may be erratic.
Prior to the development of DNSLint, the nslookup utility was frequently used to diagnose and troubleshoot these types of DNS
issues. Nslookup allows users to manually traverse a DNS infrastructure, inspecting the various DNS records. However, DNSLint
offers quicker verification that record-level data is correct.
For more information about DNS, see DNS or Concepts in Microsoft Management Console Help.
For more information about troubleshooting DNS, see the chapter Troubleshooting DNS in the Networking Guide of the
Windows Server 2003 Resource Kit.
Common Active Directory DNS Problems
Verifying a particular set of DNS records on multiple DNS servers can help diagnose and fix problems caused by missing or
incorrect DNS records.
For example, when clients are experiencing problems logging on to the domain, verifying that the SRV records that clients use to
find LDAP and Kerberos servers are available and accurate, can help determine if DNS is a cause of the problem.
Another scenario example is where you receive reports that customers are having problems accessing your Web site on the
Internet. It would be nice to have a tool that quickly checks all the DNS records that are involved with the Web farm on all of the
DNS servers that are supposed to have these records. You could quickly determine if there are missing or incorrect DNS records
that may be related to the problem.
In a third example, you could be experiencing problems with e-mail delivery. You can send e-mail, but you are not receiving e-
mail. Name resolution could be the problem? To confirm this theory or eliminate it as a possibility, you need to check all of the
DNS records on all of the DNS servers that are used to resolve the IP address of the e-mail server.
System Requirements
DNSLint runs on a source computer and acts on a target computer. The target computer can be the same computer as the source
computer, or it can be a different computer.
Source Computer Requirements

Windows 2000, Windows XP, or Windows Server 2003
Dnslint Syntax
DNSLint Syntax
DNSLint uses the following syntax:
dnslint /d domain_name | /ad | /ql {text_file | autocreate} [/v] [/r report_name] [/y] [/no_open] [/s
alternate_DNS_server_ip_address] [/c SMTP|POP|IMAP] [/t] [/test_tcp]
Parameters
/d domain
Specifies the domain to test. This is a required parameter.
/ad
Tests the DNS records used by Active Directory for replication. This is a required parameter. The /s parameter is required with this
parameter.
/ql {text_file | autocreate}
Sends DNS queries based on input from a text file containing a list of DNS names. The command dnslint /ql autocreate creates
an example textfile. The /ql parameter supports A, PTR, CNAME, SRV, and MX DNS record types. This is a required parameter.
The /ql parameter will accept either a text file name or the autocreate option, not both.
/v
Turns on verbose output.
/r report_name
Specifies a name for the DNSLint report file. The default report name is DNSLint Report.htm.
Note
DNSLint always appends an .htm extension to the file, even if you specify an extension. For example, if you specify
report_name=my_file.rpt, the resulting file will be called my_file.rpt.htm.
/y
Overwrites any existing report file without prompting the user.
/no_open
Prevents the DNSLint report from opening after it is generated.
/s alternate_DNS_server_ip_address
This parameter supplies an alternate DNS server, forcing DNSLint to bypass InterNIC. This parameter is useful for testing domain
structures that are not availible from the InterNIC database.
/c SMTP|POP|IMAP
Used to perform connectivity tests on well-known e-mail ports when e-mail servers are found while inspecting DNS servers. See
"Remarks" for more information.
/t
Used to request a plain text file with the same name as the DNSLint report file. (The default filename is DNLint Report.htm,
unless the /r parameter is used to specify a different name.)
/test_tcp
Used to test TCP port 53 as well as UDP port 53. Unless this parameter is specified, DNSLint test the UDP port only.
Notes
You must always specify one of the following parameters: /d, /ad, and /ql. However, they cannot be used together.
The /c parameter cannot be used with the /ad or /ql parameters.
When using the /ad parameter, /s must also be used.
The /test_tcp parameter cannot be used with the /ql parameter.
Sample Usage
dnslint /d fourthcoffee.com
dnslint /ad /s 10.193.36.201
dnslint /ql my_dns_list.txt
dnslint /ql autocreate
dnslint /v /d fourthcoffee.com
dnslint /r newfile /d fourthcoffee.com
dnslint /y /d fourthcoffee.com
dnslint /no_open /d fourthcoffee.com
dnslint /s 10.193.36.201 /d labs.fourthcoffee.com
Dnslint Examples
DNSLint Examples
Example 1: Sample DNSLint Output with No Errors
The following command instructs DNSLint to traverse the woodgrovebank.com domain, and return all relevant data about its
DNS structure. This domain has no structural errors.
dnslint /d woodgrovebank.com
The link below shows a sample DNSLint report generated in response to this command.
DNSLint Report Example 1

DNSLint Report
System Date: Wed May 29 09:47:25 2002
Command run:
dnslint /d woodgrovebank.com
Domain name tested:
woodgrovebank.com
The following 6 DNS servers were identified as authoritative for the domain:
DNS server: dns1.cp.woodgrovebank.net
IP Address: 10.46.138.20
Responding to queries: YES
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dns.cp.woodgrovebank.net
Hostmaster: msnhst.woodgrovebank.com
Zone serial number: 2002052802
Zone expires in: 83.33 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 7200 seconds
Additional authoritative (NS) records from server:
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
Host (A) records for domain from server:

10.46.197.100
10.46.197.102
10.46.230.218
10.46.230.219
10.46.230.220
Mail Exchange (MX) records from server (preference/name/IP address):
10 maila.woodgrovebank.com 10.107.3.124
10 mailb.woodgrovebank.com 10.107.3.122
10 mailc.woodgrovebank.com 10.107.3.126
DNS server: dns1.tk.woodgrovebank.net
IP Address: 10.46.232.37

10.46.230.219
10.46.230.220
10.46.197.100
10.46.197.102
10.46.230.218
DNS server: dns3.uk.woodgrovebank.net
IP Address: 10.199.144.151

10.46.197.102
10.46.230.218
10.46.230.219
10.46.230.220
10.46.197.100
DNS server: dns3.jp.woodgrovebank.net
IP Address: 10.46.72.123

10.46.197.102
10.46.230.218
10.46.230.219
10.46.230.220
10.46.197.100
DNS server: dns1.dc.woodgrovebank.net
IP Address: 10.68.128.151

10.46.230.218
10.46.230.219
10.46.230.220
10.46.197.100
10.46.197.102
DNS server: dns1.sj.woodgrovebank.net
IP Address: 10.46.97.11

10.46.197.100
10.46.197.102
10.46.230.218
10.46.230.219
10.46.230.220
Example 2: Sample DNSLint Output with Errors
DNSLint Report
System Date: Tue May 14 15:37:16 2002
Command run:
dnslint /d lab.fourthcoffee.com /s 10.46.138.
Domain name tested:
lab.fourthcoffee.com
The following 1 DNS servers were identified as authoritative for the domain:
DNS server: User Supplied DNS Server
IP Address: 10.46.138.20
Responding to queries: NO
Answering authoritatively for domain: Unknown
SOA record data from server: Authoritative name server: Unknown
Hostmaster: Unknown Zone serial number: Unknown
Zone expires in: Unknown Refresh period: Unknown
Retry delay: Unknown Default (minimum) TTL: Unknown
Notes
One or more DNS servers may not be authoritative for the domain
One or more DNS servers did not respond to queries

One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers
The following command instructs DNSLint to traverse the lab.fourthcoffee.com domain. The command uses the /s parameter
because lab.fourthcoffee.com is a private domain. As it turns out, this domain contains errors in its structure.
dnslint /d lab.fourthcoffee.com /s 10.46.138.20
The link below shows a sample DNSLint report generated in response to this command.
Dcdiag Overview
Tool Location
The Dcdiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the
Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install
Windows Support Tools, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
Dcdiag.exe: Domain Controller Diagnostic Tool
This command-line tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in
troubleshooting. As an end-user reporting program, Dcdiag encapsulates detailed knowledge of how to identify abnormal
behavior in the system. Dcdiag displays command output at the command line.
Dcdiag consists of a framework for executing tests and a series of tests to verify different functional areas of the system. This
framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or
single server.
Corresponding UI
There is no corresponding user interface (UI) for this tool.
Concepts
All domain controllers in the same domain are peers of one another and any domain controller can make directory updates.
However, given the way in which directory updates are replicated from one domain controller to another, it is possible that
difficulties can arise. For example, if the necessary domain controllers are not connected by a replication topology, the
appropriate domain controllers do not receive directory updates when replication occurs.
Also, in order for the (Domain Controller) Locator to find a domain controller, it must have accurate information so that it can
properly locate the resource. If a domain controller is incorrectly advertised, the Locator is unable to find it.
System Requirements
The following are the system requirements for DCDiag:
Windows Server 2003 or Windows XP Professional
Dcdiag Syntax
DCDiag Syntax
DCDiag uses the following syntax:
dcdiag /s: DomainController [/n:NamingContext] [/u:Domain\UserName /p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i]
[/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test] [/fix] [{/h | /?}] [/ReplSource:SourceDomainController]
Parameters
/s: DomainController
Uses DomainController as the home server. This parameter is required. It is ignored for DcPromo and RegisterInDns tests which
can only be run locally.
/n: NamingContext
Uses NamingContext as the naming context to test. Domains may be specified in NetBIOS, DNS or distinguished name format.
/u: Domain\UserName /p:{* | Password | ""}
Uses Domain\UserNameDCDiag uses the process's or users default credentials. If alternate credentials are needed, use the
following options to provide those credentials for binding with Password as the password. Use "" for an empty or null password,
or the wildcard character (*) to prompt for the password.
/a
Tests all the servers on this site.
/e
Tests all the servers in the entire enterprise. Overrides /a.
/q
Quiet. Prints only error messages.
/v
Verbose. Prints extended information.
/i
Ignores superfluous error messages.
/fix
Only affects the MachineAccount test. It causes the test to fix the SPNs (Service Principal Names) on the domain controller's
Machine Account Object.
/f: LogFile
Redirects all output to LogFile. The /f parameter operates independently of /ferr.
/ferr: ErrLog
Redirects fatal error output to a separate file ErrLog. The /ferr parameter operates independently of /f.
/c
Comprehensive. Runs all tests except DCPromo and RegisterInDNS, including non-default tests. Optionally, can be used with
/skip to skip specified tests. The following tests are not run by default:
Topology
CutoffServers
OutboundSecureChannels
{ /h | /?}
Displays a syntax screen at the command prompt.
/test: Test
Runs only this test. The nonskippable test Connectivity is also run. Should not be run in the same command with /skip.
Note
All tests except DcPromo and RegisterInDNS must be run on computers that have been promoted to domain controller.
The test CheckSecurityError is available only in the version of Dcdiag that is included with Windows Support Tools in
Windows Server 2003 Service Pack 1 (SP1) and must be run on a domain controller that is running Windows Server 2003
with SP1.
/ReplSource: SourceDomainController
Option for /test:CheckSecurityError. Tests the connection between the domain controller on which you run the command and
the source domain controller. SourceDomainController is the DNS name, NetBIOS name, or distinguished name of a real or
potential "from" server that is represented by a real or potential connection object.
DNS Syntax
The new DNS tests in Windows Server 2003 SP1 use the following syntax:
dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration |

/DnsResolveExtName [/DnsInternetName:InternetName] | /DnsAll] [/f:LogFile] [/ferr:ErrLog] /s:DomainController [/e] [/v]
Parameters
/test:DNS [DNS test]
Performs the specified DNS test. If no test is specified, defaults to /DnsAll.
/DnsBasic
Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
/DnsForwarders
Performs the /DnsBasic tests, and also checks the configuration of forwarders.
/DnsDelegation
Performs the /DnsBasic tests, and also checks for proper delegations.
/DnsDynamicUpdate
Performs /DnsBasic tests, and also determines if dynamic update is enabled in the Active Directory zone.
/DnsRecordRegistration
Performs the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV)
resource records are registered. In addition, creates an inventory report based on the test results.
/DnsResolveExtName [/DnsInternetName:InternetName]
Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInternetName is not specified, attempts to
resolve the name www.microsoft.com. If /DnsInternetName is specified, attempts to resolve the Internet name supplied by the
user.
/DnsAll
Performs all tests, except for the DnsResolveExtName test, and generates a report.
/f: LogFile
Redirects all output to LogFile. The /f parameter operates independently of /ferr.
/ferr: ErrLog
Redirects fatal error output to a separate file ErrLog. The /ferr parameter operates independently of /f.
/s: DomainController
Runs the tests against DomainController.
/e
Runs all tests specified by /test:DNS against all domain controllers in the Active Directory forest.
/v
Verbose. Presents extended information about successful test results, in addition to information about errors and warnings.
When the /v parameter is not used, provides only error and warning information. Use the /v switch when errors or warnings are
reported in the summary table.
Dcdiag Examples
DCDiag Examples
Example 1: A normal DC
In this example, you want to examine the domain controller so you can verify that it is healthy and functioning properly. Type the
following command at the command prompt:
C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 /u:<username> /p:*
Substitute the actual account user name for <username>. If you want to specify the domain of the user, use
<domainname>\<username>. For example, if you want to specify a user account named AlanS from the Contoso domain,
type /u:Contoso\AlanS to specify the user account. If you use an asterisk (*) for the password, the tool will prompt you for a
password. If you want to type the password, you can substitute the actual user account password for the asterisk. However,
the password will appear on the screen when you type it.
Output similar to the following appears:
Copy Code
Domain Controller Diagnosis
Performing initial setup:

Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\RESKIT-DC1

Starting test: Connectivity
......................... RESKIT-DC1 passed test Connectivity
Doing primary tests

Starting test: Replications
......................... RESKIT-DC1 passed test Replications
Starting test: NCSecDesc
......................... RESKIT-DC1 passed test NCSecDesc
Starting test: NetLogons
......................... RESKIT-DC1 passed test NetLogons
Starting test: Advertising
......................... RESKIT-DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... RESKIT-DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... RESKIT-DC1 passed test RidManager
Starting test: MachineAccount
......................... RESKIT-DC1 passed test MachineAccount
Starting test: Services
......................... RESKIT-DC1 passed test Services
Starting test: ObjectsReplicated
......................... RESKIT-DC1 passed test ObjectsReplicated
Starting test: frssysvol
......................... RESKIT-DC1 passed test frssysvol
Starting test: kccevent
......................... RESKIT-DC1 passed test kccevent
Starting test: systemlog
......................... RESKIT-DC1 passed test systemlog
Running partition tests on : Schema

Starting test: DeadCRTest
......................... Schema passed test DeadCRTest
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration

......................... Configuration passed test DeadCRTest
......................... Configuration passed test CheckSDRefDom
Running partition tests on : RESKIT-DOM

......................... RESKIT-DOM passed test DeadCRTest
......................... RESKIT-DOM passed test CheckSDRefDom
Running enterprise tests on : RESKIT-DOM.reskit.com
Starting test: Intersite
......................... RESKIT-DOM.reskit.com passed test Intersite
Starting test: FsmoCheck
......................... RESKIT-DOM.reskit.com passed test FsmoCheck
Example 2: Failed DNS registration
In this example, you have noticed that one of the domain controllers is not replicating properly. After verifying that the domain
controller is operational and can be pinged by IP address, use DCDiag to do an enterprise check. Type the following command at
the command prompt:
C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 /u:<username> /p:* /e
Output similar to the following displays:
Copy Code



The host 7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.com could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.com)
couldn't be resolved, the server name
(reskit-DC2.reskit-sib.RESKIT-DOM.reskit.com) resolved
to the IP address (172.26.220.34) and was pingable. Check that the IP
address is registered correctly with the DNS server.
......................... RESKIT-DC2 failed test Connectivity
Doing primary tests

[Replications Check,RESKIT-DC1] A recent replication attempt failed:
From RESKIT-DC2 to RESKIT-DC1
Naming Context: CN=Configuration,DC=RESKIT-DOM,DC=reskit,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2001-12-21 02:19:04.
The last success occurred at 2001-12-21 01:57:43.
1 failures have occurred since the last success.
The source remains down. Please check the machine.
......................... RESKIT-DC1 passed test systemlog

Skipping all tests, because server RESKIT-DC2 is
not responding to directory service requests



Running partition tests on : reskit-sib

......................... reskit-sib passed test DeadCRTest
......................... reskit-sib passed test CheckSDRefDom

Note
If you receive output from diagnostic testing similar to the previous example, there is probably a DNS registration issue. For
additional diagnostic procedures and potential resolutions, see Troubleshooting DNS (http://go.microsoft.com/fwlink/?
LinkID=48893). Also, see Troubleshooting Active DirectoryRelated DNS Problems (http://go.microsoft.com/fwlink/?
LinkId=130597).
Example 3: Failed Netlogon Service

In this example, the Netlogon Service has failed on one of the domain controllers. To troubleshoot, type the following command:
C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 /u:<username> /p:*

Copy Code


Doing primary tests

Fatal Error:DsGetDcName (RESKIT-DC1) call failed, error 1722
The Locator could not find the server.
......................... RESKIT-DC1 failed test Advertising
NETLOGON Service is stopped on [RESKIT-DC1]
......................... RESKIT-DC1 failed test Services
An Error Event occured. EventID: 0xC25A001D
Time Generated: 12/21/2001 01:28:25
Event String: The time provider NtpClient is configured to
Time Generated: 12/21/2001 01:40:30
Time Generated: 12/21/2001 01:43:30
Time Generated: 12/21/2001 01:58:46
Time Generated: 12/21/2001 02:02:11
Time Generated: 12/21/2001 02:05:11
Time Generated: 12/21/2001 02:10:51
Time Generated: 12/21/2001 02:13:51
......................... RESKIT-DC1 failed test systemlog




Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1717
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717
A KDC could not be located - All the KDCs are down.
......................... RESKIT-DOM.reskit.com failed test FsmoCheck
Note
If you receive output from diagnostic testing similar to the previous example, see the list of related Knowledge Base articles
on the Windows Operating System Event ID 5179 Netlogon page (http://go.microsoft.com/fwlink/?LinkId=130599) for
additional troubleshooting information. Also, see Troubleshooting Active DirectoryRelated DNS Problems
(http://go.microsoft.com/fwlink/?LinkID=130597).
Example 4: Unresponsive or inaccessible server

In this example, you have no ticed replication problems. To resolve the issue, type the following at the command line:
C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 /u:<username> /p:* /e
Copy Code



Server RESKIT-DC2 resolved to this IP address 172.26.220.34,
but the address couldn't be reached(pinged), so check the network.
The error returned was: Error due to lack of resources.
This error more often means that the targeted server is
shutdown or disconnected from the network
......................... RESKIT-DC2 failed test Connectivity
Doing primary tests

[Replications Check,RESKIT-DC1] A recent replication attempt failed:
From RESKIT-DC2 to RESKIT-DC1
Naming Context: CN=Configuration,DC=RESKIT-DOM,DC=reskit,DC=com
The replication generated an error (1722):
The RPC server is unavailable.
The failure occurred at 2001-12-21 02:19:04.
The last success occurred at 2001-12-21 01:57:43.
1 failures have occurred since the last success.
The source remains down. Please check the machine.
Time Generated: 12/21/2001 01:28:25
Time Generated: 12/21/2001 01:40:30
Time Generated: 12/21/2001 01:43:30
Time Generated: 12/21/2001 01:58:46
Time Generated: 12/21/2001 02:02:11
Time Generated: 12/21/2001 02:05:11
Time Generated: 12/21/2001 02:10:51
Time Generated: 12/21/2001 02:13:51
Time Generated: 12/21/2001 02:18:58
......................... RESKIT-DC1 failed test systemlog

Skipping all tests, because server RESKIT-DC2 is
not responding to directory service requests



Running partition tests on : reskit-sib

......................... reskit-sib passed test DeadCRTest
......................... reskit-sib passed test CheckSDRefDom

Netdom Overview
Netdom.exe: Windows Domain Manager
This command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust
relationships from the command line.
You can use NetDom to:

Join a Windows XP Professional-based computer to a Windows Server 2003 or Windows 2000 or Windows NT 4.0
domain.
Provide an option to specify the organizational unit for the computer account.
Generate a random computer password for initial join.
Manage computer accounts for domain member workstations and member servers. Management operations include:
Add, Remove, Query.
An option to specify the organizational unit for the computer account.
An option to move an existing computer account for a member workstation from one domain to another while
maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
From a Windows 2000 or Windows Server 2003 domain to a Windows NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 domain to a Windows 2000 or Windows Server 2003 domain
in another enterprise (an "uplevel" external trust).
Between two Windows 2000 or Windows Server 2003 domains in an enterprise (a shortcut trust).
The Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos realm.
Verify and/or reset the secure channel for the following configurations:
Member workstations and servers.
BDCs in a Windows NT 4.0 domain.
Specific Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
Note
You must run NetDom from the command window.
Corresponding UI
Much of the functionality of NetDom can be accessed from the Microsoft Management Console Active Directory Users and
Computers snap-in, which is part of Windows Server 2003. More functionality can be accessed from the Active Directory:
Domains and Trust snap-in which is the corresponding UI for NetDoms Trust Management functionality.
Concepts
A trust relationship is a defined affiliation between domains that enables pass-through authentication.
A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have
accounts on the other domain (the trusted domain), access to its resources.
The one-way trust relationship described here is helpful in master domain models, but it is not the only kind of trust relationship.
When two one-way trusts are established between domains, it is known as a two-way trust. In two-way trusts, each domain
treats the users from the trusted (and trusting) domain as its own users.
System Requirements
The following are the system requirements for NetDom:

Windows Server 2003 or Windows XP Professional
Note
The Windows Server 2003 Administration Tools Pack must be installed on computers running Windows XP
Professional for Netdom.exe to work. This tools pack is installed by default for computers running Windows
Server 2003.
Netdom Examples
NetDom Examples
Example 1: Add a Workstation or Member Server to a Windows NT 4.0 Domain

To add the workstation mywksta to the Windows NT 4.0 domainreskita, type the following at the command line:
netdom add /d:reskita mywksta /ud:mydomain\admin /pd:password
Example 2: Add a Workstation or Member Server to a Windows Server 2003 Domain

To add the workstation mywksta to the Windows Server 2003 domain devgroup.example.com in the organizational unit (OU)
Dsys/workstations, type the following at the command prompt:
netdom add/d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Note
If the /ou parameter is not specified, the account is created in the Computers container.
Example 3: Move a Windows NT 4.0 BDC to a new domain

To join myBDC to the Windows NT 4.0 domain reskita type the following at the command prompt:
netdom mybdc moveNT4BDC /domain:reskita
Example 4: Add an alternate name for a Windows Server 2003 domain controller
To give an alternate name for the domain controller DC in the example.com domain, use the following syntax:
netdom computername dc /add:altDC.example.com
A name must first exist as an alternate before it can be made the primary name of a computer.
Example 5: Rename a domain controller in a Windows Server 2003 domain

To rename the domain controller DC to altDC in the example.com domain use the following syntax:
netdom computername dc /makeprimary:altdc.example.com
To rename a member server you must choose one of the existing alternate names for the computer and make it the new primary
name.
Example 6: Rename a Member Server

To rename the member server member to member1, type the following at the command prompt:
netdom renamecomputer member /newname:member1.example.com /userd:administrator

Example 7: Join a Workstation or Member Server to a Domain
To join mywksta to the devgroup.example.com domain in the Dsys/workstations organizational unit, type the following at the
command prompt:
netdom join /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Besides adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to
complete the join operation.
Example 8: Remove a Workstation or Member Server from a Domain

To remove mywksta from the mydomain domain and make the workstation a part of a workgroup, type the following at the
command prompt:
netdom remove /d:mydomain mywksta /ud:mydomain\admin /pd:password
Example 9: Move a Workstation or Member Server from One Domain to Another

To move mywksta from its current domain into the mydomain domain, type the following at the command prompt:
netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password
If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the
security permissions that the computer account had previously.
Example 10: Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC
To reset the secure channel secret maintained between mywksta and devgroup.example.com (regardless of OU), type the
following at the command prompt:
netdom reset /d:devgroup.example.com mywksta
To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type
the following at the command prompt:
netdom reset /d:Northamerica NABDC
Example 11: Force a Secure Channel Session Between a Member and a Specific Domain Controller
Members often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a
member and a specific domain controller by using the /server parameter with the reset operation, type the following at the
command prompt:
netdom reset /d:devgroup.example.com mywksta /Server:mylocalbdc
Example 12: Verify a Workstation or Member Server Secure Channel

To verify the secure channel secret is maintained between mywksta and devgroup.example.com, type the following at the
command prompt:
netdom verify /d:devgroup.example.com mywksta
Example 13: Establish a One-Way Trust Relationship

When used with the trust operation, the /d:Domain parameter always refers to the trusted domain.
To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the
netdom trust /d:Northamerica USA-Chicago /add /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*

Press Enter and the following prompt is displayed:
Password for Northamerica\admin:
Enter the password for Northamerica\admin and press Enter. The following prompt is displayed:
Password for USA-Chicago\admin:
be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user is
prompted for both.
If you then want to specify a two-way trust, type the following at the command prompt
netdom trust /d:marketing.example.com engineering.example.com /add /twoway /Uo:admin@engineering.example.com

/Ud:admin@marketing.example.com:
Example 14: Establish a One-Way Trust Relationship from a Windows Domain to a Non-Windows Kerberos Realm
To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the
command prompt:
netdom trust /d:ATHENA Northamerica /add /PT:password /realm
The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm.
The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed.
Note
Verifying a specific trust relationship requires credentials unless the user has domain administrator privileges on both
domains.
If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:
netdom trust /d:Northamerica ATHENA /add
Note
To make the trust two-way, you can specify the /twoway parameter.
Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as
transitive, type the following at the command prompt:
netdom trust Northamerica /d:ATHENA /trans:yes
To display the transitive state, type the following at the command prompt:
netdom trust Northamerica /d:ATHENA /trans
The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.
Example 15: Break a One-Way Trust Relationship

To undo the trust that USA-Chicago has for Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /remove

Example 16: Break a Two-Way Trust Relationship
To break a two-way trust relationship, type the following at the command prompt:
netdom trust /d:marketing.example.com Engineering.example.com /remove /twoway /Uo:admin@engineering.example.com

/Ud:admin@marketing.example.com
Example 17: Verify a Specific Trust Relationship

To verify the one-way trust that USA-Chicago has for Northamerica, type the following at the command prompt:
netdom trust /d:Northamerica USA-Chicago /verify
To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:
netdom trust /d:Northamerica EUROPE /verify /twoway
The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.
Example 18: Reset a Specific Trust Relationship

To reset the secure channel for the one-way trust between Northamerica and USA-Chicago, type the following at the command
prompt:
netdom trust /d:Northamerica USA-Chicago /Ud:Northamerica\admin /reset
The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
Example 19: Verify Kerberos Functionality

To verify Kerberos authentication between a workstation and a service located in the domain devgroup.example.com, type the
netdom trust /d:devgroup.example.com /verify /KERBEROS
When you use the NetDom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos
Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are
operating correctly between the workstation and the target domain.
Note
This operation cannot be executed remotely. It must be run on the workstation being tested.
Example 20: View All Workstation Members in a Domain

To list all the workstations in the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica WORKSTATION
Example 21: View All Server Members in a Domain

To list all of the servers in Northamerica, type the following at the command prompt:
netdom query /d:Northamerica SERVER
Example 22: View All Domain Controller Members in a Domain

To list all the domain controllers in the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica DC

Example 23: View All Organizational Unit Members in a Domain
To list all of the OUs in devgroup.example.com, type the following at the command prompt:
netdom query /d:devgroup.example.com OU
Example 24: List the Primary Domain Controller Member in a Domain

To list the PDC for Northamerica, type the following at the command prompt:
netdom query /d:Northamerica PDC
Example 25: List the Primary Domain Controller Emulator in a Domain

To list the current PDC emulator for devgroup.example.com, type the following at the command prompt:
netdom query /d:devgroup.example.com FSMO
Example 26: Perform Secure Channel Batch Repair

You can use the query operation with the /verify and /reset parameters to perform these operations together. You can pipe the
output of the query operation to the NetDom verify or NetDom reset operation.
To list all servers and verify secure channel secret, type the following at the command prompt:
netdom query /d:Northamerica SERVER /verify
To list all workstations and reset any unsynchronized secure channel secrets, type the following at the command prompt:netdom
query /d:Northamerica WORKSTATION /reset
Example 27: View Domain Trusts

To view all the direct trust relationships for the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN /Direct
To view all the direct and indirect trust relationships for the domain Northamerica, type the following at the command prompt:
netdom query /d:Northamerica /Ud:Northamerica\admin DOMAIN
To view all trust relationships and check their status, type the following at the command prompt:
netdom query /d:devgroup.example.com DOMAIN /verify
Example 28: List the routed name suffixes for the trust between my TestDomain and the trustpartnerdomain
Note
The /d parameter is not needed for this operation which is an exception from other trust operations.
To list the routed name suffixes for the trust between my TestDomain abd the trustpartnerdomain, type the following at the
command prompt:
netdom trust myTestDomain /namesuffixes:trustpartnerdomain
This will list out all the routed name suffixes for the trust between myTestDomain and the trustpartnerdomain. The trust must be
either a Cross Forest trust or Non-Windows Realm Trust with the Forest Transitive attribute set.
Sample Output
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /namesuffixes:powermatic
Name, Type, Status, Notes
1. *.flotsam.org, Name Suffix, Enabled
2. *.powermatic.nttest.microsoft.com, Name Suffix, Enabled
3. *.jetsam.com, Name Suffix, Enabled
4. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.microsoft.com
5. unisaw.powermatic.nttest.microsoft.com, Domain DNS name, Enabled
6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.microsoft.
com
7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powe
rmatic.nttest.microsoft.com
8. powermatic.nttest.microsoft.com, Domain DNS name, Enabled
9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.microsoft.com
10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermati
c.nttest.microsoft.com
The command completed successfully.

Example 29: Enable/disable the first routed name suffix in the list generated by the previous command
Note
/ToggleSuffix must be used with /NameSuffixes. Use /NameSuffixes immediately before using /ToggleSuffix because
the order in which the name suffixes are listed may change.
To enable/disable the first routed name suffix in the list generated by the previous command, type the following at the command
prompt:
netdom trust myTestDomain /namesuffixes:foresttrustpartnerdomain /togglesuffix:1
Sample Output
Note
The output generated reflects the routed name suffix list after the Toggling.
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:powermatic /ts:1
1. *.flotsam.org, Name Suffix, Admin-Disabled

2. *.powermatic.nttest.microsoft.com, Name Suffix, Enabled
3. *.jetsam.com, Name Suffix, Enabled
4. *.blah.com, Name Suffix, Conflicting, With shasandom2.nttest.microsoft.com
5. unisaw.powermatic.nttest.microsoft.com, Domain DNS name, Enabled
6. UNISAW, Domain NetBIOS name, Enabled, For unisaw.powermatic.nttest.microsoft.
com
7. s-1-5-21-1550512861-723516995-420396236, Domain SID, Enabled, For unisaw.powe
rmatic.nttest.microsoft.com
8. powermatic.nttest.microsoft.com, Domain DNS name, Enabled
9. POWERMATIC, Domain NetBIOS name, Enabled, For powermatic.nttest.microsoft.com
10. s-1-5-21-1390067357-1757981266-527237240, Domain SID, Enabled, For powermati
c.nttest.microsoft.com
Example 30: Adding/Removing TLN Suffixes

To add the DNS name suffix blah.com to the Forest Trust Info with trustpartnerdomain, type the following at the command
prompt:
Netdom trust myTestDomain /d:trustPartnerDomain /AddTln:blah.com
Note
This is only allowed for a trust with a Forest Transitive, Non-Windows Realm Trust. This is also true for:
Netdom trust myTestDomain /d:trustPartnerDomain /RemoteTln:blah.com
Netdom trust myTestDomain /d:trustPartnerDomain /AddTLNEx:something.blah.com (must have a TLN entry

present for the parent Naming context, in this case blah.com, otherwise operation will be disallowed)
Netdom trust myTestDomain /d:trustPartnerDomain /RemoveTLNEx:something.blah.com
List the name suffixes on a Non-Windows Realm Trust
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:blah.mit.org
1. *.bowwow.com, Name Suffix, Enabled
2. *.meow.com, Name Suffix, Enabled

Add another TLN
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtln:
dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.

Add an invalid TLN exclusion
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtlne
x:dude.com
The Forest Trust Info for the specified trust could not be stored.
The parameter is incorrect.
Try "NetDom HELP" for more information.

Add an valid TLN exclusion
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /d:blah.mit.org /addtlne
x:cool.dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.

View the result of previous operations
Copy Code
C:\nt\ds\netapi\netdom\obj\i386>netdom trust shasandom2 /ns:blah.mit.org
1. *.cool.dude.com, Exclusion
2. *.bowwow.com, Name Suffix, Enabled
3. *.meow.com, Name Suffix, Enabled
4. *.dude.com, Name Suffix, Enabled
Netdom Syntax

NetDom Syntax
NetDom uses the following general syntaxes:
NetDom Operation [Computer] [{/d: | /domain:}Domain] [Options]
NetDom help Operation
NetDom add
Adds a workstation or server account to the domain.
Syntax
NetDom add Computer {/d: | /domain:}Domain [{/ud: | /userd:}[Domain\]User {/pd: | /passwordd:}{Password|*}] [{/s: | /serv
er:}Server] [/ou:OUPath] [/dc] [/help | /?]
Parameters
Computer
Specifies the name of the computer to be added.
{/d: | /domain:} Domain
Specifies the domain in which to create the account. If this parameter is omitted, then the domain that the current computer
belongs to is used.
{/ud: | /userd:}[ Domain\] User
Specifies the user account that makes the connection with the domain that is specified in the /d or /domain parameter. If this
parameter is omitted, the current user account is used.
{/pd: | /passwordd:}{ Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be
prompted for the password.
{/s: | /server:} Server
Specifies the name of a domain controller that performs the add.
/ou: OUPath
Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of
the OU. If omitted, the account is created under the default OU for machine objects for that domain.
/dc
Specifies that a domain controller's machine account is to be created. This allows the computer accounts for new Windows 2000,
Windows Server 2003 domain controllers, and new Windows NT 4.0 backup domain controllers (BDCs) to be pre-created. If
installing a new Windows NT 4.0 BDC into an existing Windows 2000 or Windows Server 2003 domain, the computer account
must be pre-created. This parameter cannot be used with the /ou parameter.
{/help | /?}
Displays command-line help for the add operation.

Sample Usage
netdom add /d:reskit.ms.com mywksta
netdom add /d:reskit.ms.com mynt4dc /dc
NetDom computername
Manages the primary and alternate names for a computer. This command can safely rename Windows Server 2003 and
Windows 2000 domain controllers as well as member servers.
Syntax
NetDom computername Computer [usero:User [/passwordo:[Password|*]] [userd:User [/passwordd:[Password|*]]

{/add:NewAltDNSName | /remove:AltDNSName | /makeprimary:ComputerDNSName | /enumerate[:{ALTERNATENAMES | PRI
MARYNAME | ALLNAMES}] | /verify | {/help | /?}}
Parameters
Computer
Specifies the name of the computer to be added.
/usero:[domain\]UserName
Specifies the user account to be used for the originating domain.
/passwordo:[Password | *]
Specifies the password to be used for the originating domain. If the wildcard character (*) is used, then the user will be
/userd:[Domain\]UserName
Specifies the user account to be used for the destination domain.
/passwordd:[Password | *]
Specifies the password to be used for the destination domain. If the wildcard character (*) is used, then the user will be
/add: NewAltDNSName
Specifies that a new alternate name should be created. The name must be a fully qualified domain name (computer name
followed by primary DNS suffix, such as comp1.example.com).
/remove: AltDNSName
Specifies that an existing alternate name should be deleted. The name must be a fully qualified domain name (computer name
followed by primary DNS suffix, such as comp1.example.com).
/makeprimary: ComputerDNSName
Specifies that an existing alternate name should be made into the primary name. The name must be a fully qualified domain
name (computer name followed by primary DNS suffix, such as comp1.example.com).
/enumerate[:{ALTERNATENAMES | PRIMARYNAME | ALLNAMES}]
Lists the primary and/or any alternate names. The following valid values can be specified:
Value Description
ALTERNATENAMES Lists the alternate names only.
PRIMARYNAME Lists the primary name only.
ALLNAMES Lists the primary and any alternate names. This is the default.
/verify
Checks if there is a DNS A record and an Service Principal Name (SPN) for each computer name.
{/help | /?}
Displays command-line help for the computername operation.
Sample Usage
netdom computername reskit /enumerate:primaryname
NetDom join
Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the
computer on the domain, if it does not already exist.
Syntax
NetDom join Computer {/d: | /domain:}Domain [/ou:OUPath] [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd:}{Password|
*}]] [{/uo: | /usero}User [{/po: | /passwordo}{Password|*}] [/reboot[:Delay]] [/help | /?]
Parameters
Note
When joining a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. This means
that a failure during the operation might leave the computer in an undetermined state with respect to the domain to
which it was meant to join.
Computer
Specifies the name of the computer to be joined.
{/d: | /domain:}Domain
Specifies the domain to which the account is joined. If this parameter is omitted, then the domain that the current computer
belongs to is used.
/ou: OUPath
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this
{/pd: | /passwordd:}{Password|*}
{/uo: | /usero}User
Specifies the user account that makes the connection with the computer to be joined. If this parameter is omitted, the current
user account is used.
{/po: | /passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the join has completed. The Delay value is the number
of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Displays command-line usage for the join operation.
Sample Usage
netdom join /d:reskit.ms.com mywksta
NetDom move
Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for
the computer on the domain, if it does not already exist.
Syntax
NetDom move Computer {/d: | /domain:}Domain [/ou:OUPath] [{/ud: | /userd}[Domain\]User [{/pd: | /passwordd}
{Password|*}] [{/uo: | /usero}[Domain\]User [{/po: | /passwordo}{Password|*}]] [{/uf: | /userf}[Domain\]User [{/pf: | /passw
ordf}{Password|*}]] [/reboot[:Delay]] [{/help | /?}]
Parameters
Notes
When moving a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. This
means that a failure during the operation might leave the computer in an undetermined state with respect to the
domain of its intended move.
When moving a computer to a new domain, the old computer account in the previous domain is not deleted. If
credentials are supplied for the former domain, the old computer account is disabled.
The act of moving a computer to a new domain will create an account for the computer on the domain if it does not
already exist.
Computer
Specifies the name of the computer to be moved.
Specifies the domain to which the account is moved. If the parameter is omitted, then the domain that the current computer
belongs to is used.
/ou: OUPath
{/ud: | /userd}[Domain\]User
{/pd: | /passwordd}{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use an asterisk (*) to be prompted
for the password.
{/uo: | /usero}User
Specifies the user account to make the connection with the computer to be moved. If this parameter is omitted, the current user
account is used.
{/uf: | /userf}User
Specifies the user account to make the connection with the computer's former domain (of which the computer had been a
member prior to the move). This parameter is used to disable the old computer account.
{/pf: | /passwordf}{Password|*}
Specifies the password of the user account that is specified in the /uf or /userf parameter. Use the wildcard character (*) to be
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the move has completed. The Delay value is the number
of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Displays command-line usage for the move operation.
Sample Usage
netdom move /d:newdomain mywksta
NetDom query
Queries the domain for information such as membership and trust.
Syntax
NetDom query {/d: | /domain:}Domain [{/s: | /server:}Server] [{/ud: | /userd:}[Domain\]User {/pd: | /passwordd}{Password|
*}] [/verify] [/reset] [/direct] {WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST} [{/help | /?}]
Parameters
Specifies the domain to query for the information. If this parameter is omitted, then the domain that the current computer
belongs to is used.
{/s: | /server:}Server
Specifies the name of a domain controller that performs the query.
Specifies the user account that makes the connection with the domain in the /d or /domain parameter. If this parameter is
omitted, the current user account is used.
/verify
Specifies verification of the secure channel secrets for all enumerated memberships or trusts, and displays them. Unless the user
is an enterprise-level administrator, it will not be possible to verify all secure channel secrets.
/reset
Specifies resynchronization ofthe secure channel secrets for all enumerated memberships or trusts which are currently broken.
The /reset parameter implies the /verify parameter. Unless the user is an enterprise-level administrator, it might not be possible
to reset all enumerated trusts or memberships.
/direct
Indicates that the query for trust relationships returns only direct trust relationships, rather than direct and indirect relationships.
This parameter is valid only when Domain is specified with the /d parameter.
WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST
Specifies the type of list to generate.
Object Description
WORKSTATION Queries the domain for the list of workstations.
SERVER Queries the domain for the list of servers.
DC Queries the domain for the list of domain controllers.
OU Queries the domain for the list of OUs under which the specified user can create a machine object.
PDC Queries the domain for the current primary domain controller.
FSMO Queries the domain for the current list of operations master (also know as flexible single master operations
or FSMO) owners.
TRUST Queries the domain for the list of its trusts.

{/help | /?}
Displays command-line usage for the query operation.
Sample Usage
netdom query /d:reskit.ms.com DC
NetDom remove
Removes a workstation or server from the domain.
Syntax
NetDom remove Computer {/d: | /domain:}Domain [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd}{Password|*}]] [{/uo:
| /usero}User [{/po: |/passwordo}{Password|*}]] [/reboot[:Delay]] [{/help | /?}]
Parameters
Computer
Specifies the name of the computer to be removed.
Specifies the domain from which the account is to be removed. If this parameter is omitted, then the domain that the current
computer belongs to is used.
{/ud: | /userd:}[ Domain\]User
Specifies the user account that makes the connection with the domain in the /d or /domain parameter. If this parameter is
omitted, then the current user account is used.
{/uo: | /usero}User
Specifies the user account to make the connection with the computer to be removed. If this parameter is omitted, then the
current user account is used.
{/po: |/passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uoor /usero parameter. Use the wildcard character (*) to be
/reboot[:Delay]
Specifies that the computer shuts down and automatically restarts after the remove operation has completed. The Delay value is
the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Displays command-line usage for the remove operation.
Sample Usage
netdom remove /d:reskit.ms.com mywksta
NetDom movent4bdc
Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0
domain renaming efforts.
Syntax
netdom movent4bdc Computer [{/d: | /domain:}Domain] [/reboot[:Delay]] [{/help | /?}]
Parameters
Computer
Specifies the name of the backup domain controller to rename.
Specifies the new name of the domain.
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the rename operation has completed. The Delay value is
{/help | /?}
Displays command-line usage for the movent4bdc operation.
Sample Usage
netdom movent4bdc /d:newdomain BDC51
NetDom renamecomputer
Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and
member servers only. To rename domain controllers, use the NetDom computername command.
Syntax
NetDom renamecomputer Computer /newname:NewComputerName /userd:[Domain\]UserName [/passwordd:[Password | *]

] /usero:[Domain\]UserName [/passwordo:[Password | *]] [/reboot[:Delay]] [{/help | /?}]
Parameters
Computer
Specifies the name of the computer to rename.
/newname: NewComputerName
Specifies the new name of the computer.
/userd:[domain\]UserName
Specifies the user account to be used for the destination domain.
/passwordd:[password | *]
Specifies the password of the user account that is specified in the /ud or /userd parameter. If the wildcard character (*) is used,
then the user will be prompted for the password.
/usero:[domain\]UserName
Specifies the user account to be used for the originating domain.
/passwordo:[password| *]
Specifies the password of the user account that is specified in the /uo or /usero parameter. If the wildcard character (*) is used,
then the user will be prompted for the password.
/force[:Delay]
The user will be prompted for confirmation unless the /force parameter is specified.
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the rename operation has completed. The Delay value is
{/help | /?}
Displays command-line usage for the renamecomputer operation.
Note
Do not use renamecomputer to rename Windows Server 2003 or Windows 2000 domain controllers. Using the
renamecomputer operation to rename a domain controller may result in the domain controller no longer functioning as
a domain controller on the network. To rename Windows Server 2003 and Windows 2000 servers and domain
controllers, use the computername operation.
NetDom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
NetDom reset Computer {/d: | /domain:}Domain [{/s: | /server:}Server] [{/uo: | /usero:}User {/po: | /passwordo}{Password|
*}] [{/help | /?}]
Parameters
Computer
Specifies the name of the computer for which the connection is to be reset.
Specifies the domain with which to establish the secure connection. If this parameter is omitted, then the domain that the
current computer belongs to is used.
Specifies the name of the domain controller to use to establish the secure connection.
{/uo: | /usero:}User
Specifies the user account that makes the connection with the computer to be reset. If this parameter is omitted, then the
current user account is used.
{/help | /?}
Displays command-line usage for the reset operation.
Sample Usage
netdom reset /d:reskit.ms.com redmond
NetDom resetpwd
Resets the machine account password for a Domain Controller.
Syntax
NetDom resetpwd {/s: | /server:}Server {/ud: | /userd:}[Domain\]User {/pd: | /passwordd:}{Password|*}] [{/help | /?}]
Parameters
Specifies the name of the domain controller to use for setting the machine account password.
Specifies the user account that makes the connection with the domain specified in the /s parameter. This must be in
Domain\User format. If this parameter is omitted, then the current user account is used.
{/pd: | /passwordd:}{Password|*}
Specifies the password of the user account that is specified in the /ud parameter. Use the wildcard character (*) to be prompted
for the password.
{/help | /?}
Displays command-line usage for the resetpwd operation.
NetDom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
NetDom trust TrustingDomainName {/d: | /domain:} TrustedDomainName [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd
:}{Password|*}] [{/uo: | /usero:}User] [{/po: | /passwordo:}{Password|*}] [/verify] [/reset]
[/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]]
[/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:TrustName
[/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN]
[/RemoveTLNEX][{/help | /?}]
Parameters
TrustingDomainName
Specifies the name of the trusting domain.
{/d: | /domain:}TrustedDomainName
Specifies the name of the trusted domain. If this parameter is omitted, then the domain that the current computer belongs to is
used.
{/ud: | /userd:}[Domain\]User]
parameter is omitted, then the current user account is used.
/pd:{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd: parameter. Use the wildcard character (*) to be
{/uo: | /usero:}User
Specifies the user account that makes the connection with the trusting domain. If this parameter is omitted, then the current
user account is used.
{/po: | /passwordo:}{ Password|*}
/verify
Verifies the secure channel secrets upon which a specific trust is based.
/reset
Resets the trust secret between trusted domains or between the domain controller and the workstation.
/passwordt: NewRealmTrustPassword
Specifies a new trust password. This parameter is valid only with the /add parameter, and only if one of the domains specified is
a non-Windows Kerberos realm. The trust password is set on the Windows domain only, which means that credentials are not
needed for the non-Windows domain.
/add
Specifies to create a trust.
/realm
Indicates that the trust is created to a non-Windows Kerberos realm. The /realm parameter is valid only with the /add and
/passwordt parameters.
/remove
Specifies to break a trust.
/force
Removes both the trusted domain object and the cross-reference object for the specified domain from the forest. Use this option
to clean up decommissioned domains that are no longer in use, and cannot be removed by using the Active Directory Installation
wizard. This problem can occur if the domain controller for that domain was disabled or damaged and there were no domain
controllers, or if it was not possible to recover the domain controller from backup media. This parameter is valid only when the
/remove parameter is specified.
/twoway
Specifies establishment ofa two-way trust relationship rather than a one-way trust relationship.
/kerberos
Specifies exercisingthe Kerberos protocol between a workstation and a target domain. This parameter is valid only when the
/verify parameter is specified.
/transitive[:{YES|NO}]
Specifies whether to set a transitive or non-transitive trust. This parameter is valid only for a non-Windows Kerberos realm. Non-
Windows Kerberos trusts are created as non-transitive. If no value is specified, then the current transitivity state is displayed.
Value Description
YES Sets the realm to a transitive trust.
NO Sets the realm to a non-transitive trust.
/oneside:{TRUSTED| TRUSTING}
Denotes that the trust object should only be created or removed on one domain.
Value Description
TRUSTED Indicates that the trust object is created or removed on the trusted domain specified by the /d or /domain
parameter).
TRUSTING Indicates that the trust object is to be created or removed on the trusting domain. Valid only with the /add or
/REMove parameter. The /passwordt parameter is required when using with the /ADD or /REMove option
/quarantine[:{YES | NO}]
Sets or clears the domain quarantine attribute. If no value is specified then the current quarantine state is displayed.
Value Description
YES Specifies that only SIDs from the directly trusted domain will be accepted for authorization data returned during
authentication. SIDS from any other domains will be removed.
NO Specifies that any SID will be accepted for authorization data returned during authentication. This is the default value.
/namesuffixes: TrustName
Lists the routed name suffixes for TrustName on the domain named by TrustingDomainName. The /usero and /passwordo
parameters can be used for authentication. The /domain parameter is not required.
/togglesuffix:#
Changes the status of a name suffix. Used with the /namesuffixes parameter. The number of the name entry specified by the
/namesuffixes parameter must be provided to indicate which name will have its status changed. Names that are in conflict
cannot have their status changed until the name in the conflicting trust is disabled. Always precede this command with the
/namesuffixes parameter because LSA will not always return the names in the same order.
/EnableSIDistory
Specifying yes allows users who migrate to the trusted forest from any other forest to use SID history to access resources in this
forest. Valid only for an outbound forest trust. This should be done only if the trusted forest administrators can be trusted
enough to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying no would disable the
ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying
/EnableSIDHistory without yes or no will display the current state.
/ForestTRANsitive
Specifying yes marks this trust as forest transitive. Specifying no marks this trust as not forest transitive. Specifying
/ForestTRANsitive without yes or no will display the current state of this trust attribute. Valid only for non-Windows real trusts
and can only be performed on the root domain for a forest.
/SelectiveAUTH
Specifying no disables selective authentification across this trust. Specifying /SelectiveAUTH without yes or no displays the
currrent state of this trust attribute. Specifying yes enables selective authentification across this trust. Valid only on outbound
forest and external trusts.
/AddTLN
Adds the specified top level name (DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest
transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes
operation for a list of name suffixes.
/AddTLNEX
Adds the specified top level name exclusion(DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest
/RemoveTLN
Removes the specified top level name (DNS name suffix) from the forest trust info from the specified trust. Valid only for a forest
/RemoveTLNEX
Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust info from the specified trust. Valid only
for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the
/NameSuffixes operation for a list of name suffixes.
{/help | /?}
Displays command-line usage for the trust operation.
Sample Usage
netdom trust /d:masterdom resourcedom
NetDom verify
Verifies the secure connection between a workstation and a domain controller.
Syntax
NetDom verify Computer {/d: | /domain:}Domain [{/uo: | usero}User {/po: | /passwordo}{Password|*}] [{/help | /?}]
Parameters
Computer
Specifies the name of the computer whose secure connection is verified.
Specifies the domain with which to verify the secure connection. If this parameter is omitted, then the domain that the current
computer belongs to is used.
{/uo: | usero}User
Specifies the domain with which to verify the secure connection. If this parameter is omitted, then the current user account is
used.
{/help | /?}
Displays command-line usage for the verify operation.
Netdiag Examples
NetDiag Examples
Sample Scenario
In this scenario, you have a problem connecting to a network resource. You receive only a "Network path not found" error
message and no further assistance. You have no idea where to start troubleshooting the problem.
Assuming that the reason for the failure in this case is that the DNS server is down, the solution can be found with NetDiag.
At the command line, type:
netdiag
When executed in this scenario, NetDiag performs tests on each network adapter, and a set of global tests. The tests on the
network adapters are performed in the following order:
Netcard queries test
IpConfig test
Autoconfiguration test (APIPA)
Default gateway test
NetBT name test
WINS Service test
Next in this example NetDiag performs a set of global tests in the following order:
Domain membership test
NetBT transports test
Autonet address test (APIPA)
IP loopback ping test
Default gateway test
NetBT name test
Winsock test
DNS test
Redir and Browser test
DC discovery test
DC list test
Trust relationship test
Kerberos test
LDAP test
Bindings test
WAN configuration test
Modem configuration test
IP Security test
The results of these tests show that the network adapter protocol, bindings, and IP address tests succeed. The DNS ping test fails
and reports that the DNS server cannot be contacted.
With this information, the administrator knows that either the DNS server address is incorrect, or the DNS server is not
responding. Because the DNS address is also displayed as output, you can easily verify whether it is correct.
After the problem is isolated, the administrator can perform additional troubleshooting to determine why the DNS server is
down.
For more information on interpreting output from the NetDiag tool see the Interpreting NetDiag Output topic on the Netdiag
Remarks page.
Sample NetDiag Output
Copy Code
.......................................
Computer Name: RKSRVR-2

DNS Host Name: rksrvr-2.reskita.microsoft.com
System info : Windows 2000 Server (Build 2467)
Processor : x86 Family 6 Model 6 Stepping 0, GenuineIntel
List of installed hotfixes :
Q147222
Netcard queries test . . . . . . . : Passed

[WARNING] The net card 'Intel(R) PRO/100+ Management Adapter' may not be working.
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : rksrvr-2

IP Address . . . . . . . . : 10.10.1.51
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 10.10.1.77
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Skipped

[WARNING] No gateways defined for this adapter.
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Skipped

There are no WINS servers configured for this interface.
Adapter : Local Area Connection 2
Netcard queries test . . . : Failed

NetCard Status: DISCONNECTED
Some tests will be skipped on this interface.
Host Name. . . . . . . . . : rksrvr-2

Autoconfiguration IP Address : 169.254.74.217
Subnet Mask. . . . . . . . : 255.255.0.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . :
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed

List of NetBt transports currently configured:
NetBT_Tcpip_{A2D04C22-3BB8-4FA0-B7DA-414DC1DD08A7}
NetBT_Tcpip_{56079E37-8246-4712-8B36-F503FF6F9873}
2 NetBt transports currently configured.
Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.

You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed

[WARNING] Cannot find a primary authoritative DNS server for the name
'bdover.reskita.microsoft.com.'. [ERROR_TIMEOUT]
The name 'bdover.reskita.microsoft.com.' may not be registered in DNS.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS
server 10.10.1.77, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.
Redir and Browser test . . . . . . : Passed

List of NetBt transports currently bound to the Redir
The redir is bound to 2 NetBt transports.
List of NetBt transports currently bound to the browser

The browser is bound to 2 NetBt transports.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Failed

Secure channel for domain 'RESKITA' is to '\\a-dcp.reskita.microsoft.com'.
[FATAL] Cannot set secure channel for domain 'RESKITA' to PDC emulator. [ERR
OR_NO_LOGON_SERVERS]
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed

[WARNING] Failed to query SPN registration on DC 'a-dcp.reskita.microsoft.com'.
[WARNING] Failed to query SPN registration on DC 'a-dc1.reskita.microsoft.com'.
[WARNING] Failed to query SPN registration on DC 'a-dc3.reskita.microsoft.com'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped

No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed

Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information

The command completed successfully
Netdiag Syntax
NetDiag Syntax
NetDiag uses the following syntax:
netdiag [/q] [/v] [/l] [/debug] [/d:DomainName] [/fix] [/DcAccountEnum] [/test:TestName] [/skip:TestName] [/?]
Parameters
/q
Specifies quiet output (errors only).
/v
Specifies verbose output.
/l
Sends output to Netdiag.log. This log file is created in the same directory where Netdiag.exe was run.
/debug
Specifies even more verbose output. With this parameter, NetDiag takes a few minutes to complete.
/d: DomainName
Finds a domain controller in the specified domain.
/fix
Fixes minor problems.
/DcAccountEnum
Enumerates domain controller computer accounts.
/test: TestName
Runs only the listed test(s). TCP/IP must be bound to one or more adapters before running any of the tests. Nonskippable tests
are still run. A detailed explanation of the switches can be found on the Netdiag Remarks page.
Valid TestName values are:
Value Description
Autonet Automatic Private IP Addressing (APIPA) address test. Tests whether APIPA is in use for the network
adapters.
Bindings Bindings test. Lists all bindings, including interface name, lower module name, upper module name,
whether the binding is currently enabled, and the owner of the binding.
Browser Redirector and Browser test. Lists the protocols bound to the Browser service and the redirector.
DcList Domain controller list test. Obtains a list of domain controllers for the domain.
DefGw Default gateway test. Attempts to contact each configured default gateway.
DNS DNS test. Tests the availability of the configured DNS servers and verifies the current client's DNS
registrations.
DsGetDc Domain controller discovery test. First finds a generic domain controller from directory service, then finds
the primary domain controller. Then, finds a Windows 2000 domain controller (DC). If the tested domain is
the primary domain, checks whether the domain GUID stored in Local Security Authority (LSA) is the same
as the domain GUID stored in the DC. If not, the test returns a fatal error; if the /fix option is on, DsGetDC
tries to fix the GUID in LSA.
IpConfig IP address configuration test. Enumerates the TCP/IP configuration information for each network adapter.
IpLoopBk IP address loopback ping test. Pings the IP loopback address of 127.0.0.1 for each adapter.
IPSec IP Security test. Tests whether IP Security is enabled and displays a list of active IP Security policies for the
computer.
IPX IPX test. Lists statistics for the IPX protocol installed on the computer.
Kerberos Kerberos test. Checks whether the Kerberos package information is up-to-date.
Ldap Lightweight Directory Access Protocl (LDAP) test. Contacts all available domain controllers and determines
which LDAP authentication protocol is in use.
Member Domain membership test. Checks to confirm details of the primary domain, including computer role,
domain name, and domain GUID. Checks to see if NetLogon service is started, adds the primary domain to
the domain list, and queries the primary domain security identifier (SID).
Modem Modem diagnostics test. Lists configuration information for each modem found.
NbtNm NetBT name test. Similar to the nbtstat -n command. It checks that the workstation service name <00> is
equal to the computer name. It also checks that the messenger service name <03>, and server service
name <20> are present on all interfaces and that none of these names are in conflict.
Ndis Netcard queries test. Lists the network adapter configuration details, including the adapter name,
configuration, media, globally unique identifier (GUID), and statistics. If this test shows an unresponsive
network adapter, the remaining tests are aborted.
NetBTTransports NetBT transports test. Lists the transport protocols that are bound to NetBT.
Netstat Netstat information test. Lists protocol statistics and current TCP/IP connections.
Netware Netware test. Queries the nearest Netware server for current login information.
Route Routing table test. Lists static routes and whether they are persistent.
Trust Trust relationship test. Tests trust relationships to the primary domain only if the computer is a member
workstation, member server, or a Backup Domain Controller (BDC) domain controller that is not a PDC
emulator. Checks that the primary domain security identifier (SID) is correct. Contacts an active DC.
Connects to the SAM server on the DC. Uses the domain SID to open the domain to verify whether the
domain SID is correct. Queries info of the secure channel for the primary domain. If the computer is a
BDCDC, reconnects to the PDC emulator. If the computer is a member workstation or server, sets secure
channel to each DC on the DC list for this domain.
WAN Wide Area Network (WAN) configuration test. Lists settings and status on each COM port currently in use.
WINS Windows Internet Name Service (WINS) service test. Tests the availability of the configured WINS server
and the validity of the client registrations.
Winsock Winsock test. Lists protocols and ports available to the WinSock service.
/skip: TestName
Skips the test specified by TestName. Nonskippable tests will still run. Valid TestName values are:
Value Description
Autonet Automatic Private IP Addressing (APIPA) address test.
Bindings Bindings test.
Browser Redir and Browser test.
DcList Domain controller list test.
DefGw Default gateway test.
DNS DNS test.
DsGetDc Domain controller discovery test.
IpConfig IP address configuration test.
IpLoopBk IP address loopback ping test.
IPX IPX test.
Kerberos Kerberos test.
Ldap Lightweight Directory Access Protocol (LDAP) test.
Modem Modem diagnostics test.
NbtNm NetBT name test.
Netstat Netstat information test.
Netware Netware test.
Route Routing table test.
Trust Trust relationship test.
WAN Wide Area Network (WAN) configuration test.
WINS Windows Internet Name Service (WINS) test.
Winsock Winsock test.
Nltest Examples
NLTest Examples
Example 1: Verify DCs in a domain
In this example, the /dclist parameter is used to create a list of domain controllers of the domain fourthcoffee.com
nltest /dclist:fourthcoffee
Output displays similar to the following:
Copy Code
Get list of DCs in domain 'ntdev' from '\\fourthcoffee-dc-01'.
fourthcoffee-dc-01.forthcoffee.com [DS] Site: Rome
fourthcoffee-dc-03.forthcoffee.com [DS] Site: LasVegas
fourthcoffee-dc-04.forthcoffee.com [DS] Site: LA
fourthcoffee-dc-09.forthcoffee.com [DS] Site: NYC
fourthcoffee-dc-12.forthcoffee.com [DS] Site: Paris
fourthcoffee-dc-24.forthcoffee.com [DS] Site: Chattaroy
fourthcoffee-dc-32.forthcoffee.com [DS] Site: Haifa
fourthcoffee-dc-99.forthcoffee.com [DS] Site: Redmond
fourthcoffee-dc-63.forthcoffee.com [PDC] [DS] Site: London
Example 2: Advanced information about users
In this example, you want to find out detailed information about a certain user. At the command prompt, type:
nltest /user:"TestAdmin"
Copy Code
User: User1
Rid: 0x3eb
Version: 0x10002
LastLogon: 2ee61c9a 01c0e947 = 5/30/2001 13:29:10
PasswordLastSet: 9dad5428 01c0e577 = 5/25/2001 17:05:47
AccountExpires: ffffffff 7fffffff = 9/13/30828 19:48:05
PrimaryGroupId: 0x201
UserAccountControl: 0x210
CountryCode: 0x0
CodePage: 0x0
BadPasswordCount: 0x0
LogonCount: 0x33
AdminCount: 0x1
SecurityDescriptor: 80140001 0000009c 000000ac 00000014 00000044 00300002 000000
02 0014c002 01050045 00000101 01000000 00000000 0014c002 000f07ff 00000101 05000
000 00000007 00580012 00000003 00240000 00020044 00000501 05000000 00000015 22cd
b7b4 7112b3f1 2b3be507 000003eb 00180000 000f07ff 00000201 05000000 00000020 000
00220 00140000 0002035b 00000101 01000000 00000000 00000201 05000000 00000020 00
000220 00000201 05000000 00000020 00000220
AccountName: User1
Groups: 00000201 00000007
LmOwfPassword: fb890c9c 5c7e7e09 ee58593b d959c681
NtOwfPassword: d82759cc 81a342ac df600c37 4e58a478
NtPasswordHistory: 00011001
LmPasswordHistory: 00010011
The detailed information provided can be used to troubleshoot many issues.
Example 3: Verify trust relationship with a specific server
In this example, you want to verify that the server a-dc1 has a valid trust relationship with the domain. At the command prompt,
type:
nltest.exe /server:fourthcoffee-dc-01 /sc_query:fourthcoffee
Copy Code
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\fourthcoffee-dc-01.forthcoffee.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Example 4: Determine the PDC emulator for a domain
In this example, you want to determine which DC in your domain the Windows NT 4.0based computers are looking to as the
PDC. At the command prompt, type:
nltest /dcname:fourthcoffee
Copy Code
PDC for Domain fourthcoffee is \\fourthcoffee-dc-01
You can see that a-dcp is the PDC emulator for your domain.
Example 5: Show trust relationships for a domain
In this example, you want to view the established trust relationships for your domain. At the command prompt, type:
nltest /domain_trusts
Copy Code
List of domain trusts:
0: forthcoffee forthcoffee.com (NT 5) (Forest Tree Root) (Primary Domain)
This example shows that one domain is trusting itself and no others.
Nltest Syntax
NLTest Syntax
NLTest uses the following syntax:
nltest [/server:servername] [operation[parameter] ...
/server: ServerName
Runs NLTest at the specified remote domain controller. If this parameter is not specified, the command is executed on the local
computer (domain controller).
Operations
/query
Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon
service.
/repl
Forces a synchronization with the PDC. Only changes not yet replicated to the BDC are synchronized. This command is for NT 4.0
BDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
/sync
Forces an immediate synchronization with the PDC of the entire SAM database. This command is for NT 4.0 BDCs only and is not
for Active Directory replication. Administrative rights are required to perform this command.
/pdc_repl
Forces the PDC to send a synchronize notification to all BDCs. This command is for NT 4.0 PDCs only and is not for Active
Directory replication. Administrative rights are required to perform this command.
/sc_query: DomainName
Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon
service. Also, lists the name of the domain controller that was queried on the secure channel.
/sc_reset:[ DomainName]
Removes and then rebuilds the secure channel established by the NetLogon service. Administrative rights are required to
perform this command.
/sc_verify:[ DomainName]
Checks the status of the secure channel established by the NetLogon service. If the secure channel is not working, this operation
removes the existing channel and builds a new one. Administrative rights are required to perform this command. This operation
is only valid on Windows 2000 with Service Pack 2 and Windows Server 2003 domain controllers.
/sc_change_pwd:[ DomainName]
Changes the password for the trust account of the specified domain. If this command is run on a domain controller, and an
explicit trust relationship exists, then the password for the interdomain trust account is reset. Otherwise, the computer account
password for the specified domain is changed. This command is only for computers that are Windows 2000, Windows XP, and
Windows Server 2003.
/dclist:[ DomainName]
Lists all domain controllers in the domain. In an NT 4.0 domain environment, this command uses the Browser service to retrieve
the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain
controllers. If this is unsuccessful the Browser service is used.
/dcname:[ DomainName]
Lists the primary domain controller or the primary domain controller emulator for DomainName.
/dsgetdc:[ DomainName]
Queries the DNS server for a list of domain controllers and their corresponding IP addresses. Contacts each domain controller to
check for connectivity.
Use the following flags to filter the list of domain controllers or specify alternate names types in the syntax.
/PDC Returns only the PDC (NT 4.0) or domain controller designated as the PDC emulator (Windows 2000 or Windows
Server 2003).
/DS Returns only those domain controllers that are Windows 2000 or Windows Server 2003 servers.
/DSP Requests that Windows 2000 or Windows Server 2003 domain controllers be returned. If no Windows 2000 or
Windows Server 2003 server is found, then this operation returns NT domain controllers.
/GC Returns only those domain controllers designated as Global Catalog servers.
/KDC Returns only those domain controllers designated as Kerberos key distribution centers.
/TIMESERV Returns only those domain controllers designated as time servers.
/GTTIMESERV Returns only those domain controllers designated as master time servers.
/NetBIOS Use this command when specifying computer names in the syntax as NetBIOS names.
/DNS Use this command when specifying computer names in the syntax as FQDNs.
/IP Returns only domain controllers that have IP addresses. Domain controllers not using TCP/IP as their protocol stack
are not returned.
/FORCE Forces the computer to run the command against the DNS server instead of looking in cache for the
information.
/dnsgetdc: DomainName
Queries the DNS server for a list of domain controllers and their corresponding IP addresses.
Use the following flags to filter the list of domain controllers.
/PDC Returns only only those domain controllers that are PDCs (NT 4.0) or designated as PDC emulators.
/GC Returns only those domain controllers designated as Global Catalogs.
/KDC Returns only those domain controllers designated as Kerberos key distribution centers.
/WRITABLE Returns only those domain controllers that can accept changes to the directory database. All Active
Directory domain controllers will be returned. Only NT 4.0 BDCs will not be returned with this command.
/LDAPONLY Returns servers that are running an LDAP application. With this command LDAP servers are returned that
are not necessarily DCs.
/FORCE Forces the computer to run the command against the DNS server instead of looking in cache for the
information.
/SITE:Sitename Sorts the returned records so that the ones pertaining to the site are listed first.
/SITESPEC Filters the returned records so only those pertaining to the site are displayed. This operation can only be used
with the /SITE operation.
/dsgetfti: DomainName[ /UpdateTDO]
Returns information about interforests trust(s). This operation is only for a Windows Server 2003 domain controller that is in the
root of the forest. If no interforest trusts exist, this operation will return an error.
/UpdateTDO Updates the locally stored information on the interforest trust.
/dsgetsite
Returns the name of the site in which the domain controller resides.
/dsgetsitecov
Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain
controller of its own.
/parentdomain
Returns the name of the parent domain of the server.
/dsregdns
Refreshes the registration of all domain controller-specific DNS records.
/dsderegdns: DnsHostName
Deregisters DNS host records from DNS for the host specified with the DnsHostName parameter./DOM: /DOMGUID: /DSAGUID:.
Use the following flags to specify which records will be deregistered.
/DOM: Specifies a DNS domain name for the host to use when searching for records in the DNS server. If not specified,
the suffix of the DnsHostName is assumed to be the DNS domain name
/DOMGUID: Deletes DNS records that are GUID based.
/DSAGUID Deletes DSA records that are GUID based.
/whowill: Domain/ User

Finds the domain controller that has the specified user account. Use this command to determine whether the account
information has been replicated to other domain controllers.
/finduser: User
Finds which directly trusted domain to which the specified user account belongs. Use this operation to troubleshoot logon issues
of older client operating systems.
/transport_notify
Flushes the negative cache to force the discovery of a domain controller. Use this operation on NT 4.0 domain controllers only.
This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers.
/dbflag: HexadecimalFlags
Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows
Server 2003registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.
/user: UserName
Displays many of the attributes for the specified user account that are maintained in the SAM account database. This operation
will not work for user accounts stored in Active Directory.
/time: HexadecimalLSL HexadecimalMSL
Converts Windows NT GMT time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL
is a hexadecimal value for most significant longword.
/logon_query
Queries the cumulative number of NTLM logon attempts at the console or over the network.
/domain_trusts
Returns a list of trusted domains. /Primary /Forest /Direct_Out /Direct_In /All_Trusts /v.
Use the following flags to filter the list of domains.
/Primary Returns only the domain to which the computer account belongs.
/Forest Returns only those domains that are in the same forest as the primary domain.
/Direct_Out Returns only the domains that are explicitly trusted with the primary domain.
/Direct_In Returns only the domains that explicitly trust the primary domain.
/All_Trusts Returns all trusted domains.
/v Displays verbose output including domain SIDs and GUIDs if available.
/dsquerydns
Queries for the status of the last update for all DC-specific DNS records.
/bdc_query: DomainName
Queries for a list of backup domain controllers in DomainName and displays their state of synchronization and replication status.
This operation is only for NT 4.0 domain controllers.
/sim_sync: DomainName ServerName
Simulates full synchronization replication. This operation is useful in test environments.
/list_deltas: FileName
Displays the contents of the change log file FileName, which lists changes to the user account database. Netlogon.chg is the
default name. This log file resides only on NT 4.0 BDCs.
/cdigest: Message /domain: DomainName
Displays the current digest (calculation derived from the password) used by the client for the secure channel. Also, displays the
digest based on the previous password. The secure channel is used for logons between client computers and a domain controller,
or DC to DC for directory service replication. Use this operation in conjunction with the /sdigest operation to check trust account
password synchronization.
/sdigest: Message /rid: RID_In_Hexadecimal
Displays the current digest (calculation derived from the password) that the server is using for the secure channel. Also, displays
the digest for the previous password. If the digest from the server matches the digest from the client (retrieved using the
/cdigest operation), then the passwords used for the secure channel are synchronized. If the digests do not match, then a
password change may not have replicated yet.
/shutdown: Reason[ Seconds]
Performs a remote shutdown of the ServerName for Reason, a string, after Seconds, an integer. For a complete description, see
the Platform SDK documentation for InitiateSystemShutdown.
/shutdown_abort
Terminates a system shutdown.

Useful Commands For Windows Administartors

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Useful Commands For Windows Administartors

Загружено:

Авторское право:

Доступные форматы

USEFUL COMMANDS FOR WINDOWS ADMINISTARTORS

Enter the password for USA-Chicago\admin and press Enter.

NET SESSION | FIND /C "\\"

Remotely, with the help of SysInternals' PSTools:

PSEXEC \\servername NET SESSION | FIND /C "\\"

Back to the index

Who is logged on to a computer?

We often need to know who is currently logged on to a remote computer.

NBTSTAT -a remotecomputer | FIND "<03>" | FIND /I /V "remotecomputer"

Using WMIC (Windows XP Professional and later):

WMIC /Node:remotecomputer ComputerSystem Get UserName

With the help of SysInternals' PSTools:

PSEXEC \\remotecomputer NET CONFIG WORKSTATION | FIND /I " name "

PSEXEC \\remotecomputer NET NAME

FOR /F %%A IN ('REG Query \\remotecomputer\HKU | FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (

Credits: Ji Janyka (WMIC command) and Matthew W. Helton (NETSH command).

Back to the index

What is this collegue's login name?

DSQUERY USER -name *lastname* | DSGET USER -samid -display

Back to the index

What is the full name for this login name?

With the native NET command:

NET USER loginname /DOMAIN | FIND /I " name "

With (native) Windows Server 2003 commands:

DSQUERY USER -samid *loginname* | DSGET USER -samid -display

Back to the index

What groups is this user a member of?

DSQUERY USER -samid loginname | DSGET USER -memberof -expand

Back to the index

What permissions does a user have on this directory?

Back to the index

When did someone last change his password?

With the native NET command:

NET USER loginname /DOMAIN | FIND /I "Password last set"

Back to the index

How do I reset someone's password?

With the native NET command:

NET USER loginname newpassword /DOMAIN

With (native) Windows Server 2003 commands:

DSQUERY USER -samid loginname | DSMOD USER -pwd newpassword

Back to the index

Is someone's account locked?

With the native NET command:

NET USER loginname /DOMAIN | FIND /I "Account active"

The account is either locked ("Locked") or active ("Yes").

Back to the index

How to unlock a locked account

With the native NET command:

NET USER loginname /DOMAIN /ACTIVE:YES

or, if the password needs to be reset as well:

NET USER loginname newpassword /DOMAIN /ACTIVE:YES

List all domains and workgroups in the network

With the native NET command:

NET VIEW /DOMAIN

Back to the index

List all computers in the network

With the native NET command:

or, to list the names only:

FOR /F "skip=3 delims=\ " %%A IN ('NET VIEW') DO ECHO.%%A

delims is a backslash, followed by a tab and a space.

Back to the index

List all domain controllers

With native Windows 2000 commands:

DSQUERY USER -name lastname | DSGET USER -samid -display

DSQUERY USER -samid loginname | DSGET USER -samid -display