The user must have credentials for both domains. The /pd parameter can be used to specify the password for Northamerica\admin and the /po parameter can
How many users are logged on/connected to a server?
Sometimes we need to know how many users are logged on to a (file) server, for example when investigating a performance
degradation.
At the server's console itself, with native commands only:
By replacing FIND /C "\\" by FIND "\\" (removing the /C switch) you'll get a list of logged on users instead of just the number of
users.
The first name in the list usually is the logged on user (try playing with the NET NAME command to learn more about the names
displayed by NBTSTAT).
This is the fastest way to find the logged on user name, and the results that you do get are correct, but NBTSTAT won't always
return a user name, even when a user is logged on.
This is arguably the most reliable (native) command to find out who is logged on.
PSLOGGEDON -L \\remotecomputer
or:
or:
or:
PSEXEC \\remotecomputer NETSH DIAG SHOW COMPUTER /V | FIND /i "username"
or:
NETSH and WMIC are for XP or later, and are the most reliable of all commands shown here.
WMIC requires WMI enabled remote computers and Windows XP on the administrator's computer; NETSH requires Windows XP
on the remote computers.
PSLOGGEDON is a more accurate solution than NBTSTAT, but it will return the last logged on user if no one is currently logged on.
The NET and NBTSTAT commands show more or less identical results, but the NBTSTAT command is much faster.
The REG command is accurate, but may need to be modified depending on the version used. As displayed here, the code is
written for REG.EXE 3.0 (XP).
If you want to search lots of computers for logged on users, I recommend you try NBTSTAT first (fast, but it won't always return
the user name!), and only switch to NETSH, REG or WMIC (accurate) if NBTSTAT doesn't return a user name.
My colleagues often forget to mention their logon account name when calling the helpdesk, and the helpdesk doesn't always ask
either. I suppose they expect me to know all 1500+ accounts by heart.
With (native) Windows Server 2003 commands only:
In Windows NT 4 and later, users usually are members of global groups. These global groups in turn are members of (domain)
local groups. Access permissions are given to (domain) local groups.
To check if a user has access to a resource, we need to check group membership recursively.
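The recursive check described above, as an added Python example that is not part of the page or of any Windows tool. It assumes the group-to-members table has already been collected (for instance from NET GROUP and NET LOCALGROUP output) into a dictionary; the table below is constructed sample data and deliberately contains a membership cycle, which a naive recursive walk would loop on.

```python
"""Recursive (nested) group-membership resolution.

Permissions are granted to (domain) local groups, which contain global
groups, which contain users, so "does this user have access?" has to
follow the whole chain. DIRECT_MEMBERS is constructed sample data.
"""
from collections import deque

DIRECT_MEMBERS = {
    r"SERVER1\Share_RW":       [r"DOMAIN\GG_Finance", r"DOMAIN\DL_Finance_RW"],
    r"DOMAIN\DL_Finance_RW":   [r"DOMAIN\GG_Finance", r"DOMAIN\GG_Auditors"],
    r"DOMAIN\GG_Finance":      [r"DOMAIN\alice", r"DOMAIN\GG_FinanceLeads"],
    r"DOMAIN\GG_FinanceLeads": [r"DOMAIN\bob", r"DOMAIN\GG_Finance"],   # cycle back
    r"DOMAIN\GG_Auditors":     [r"DOMAIN\carol"],
}


def expand_group(group, members=DIRECT_MEMBERS):
    """Return (users, groups) reachable from group; the seen-set stops cycles."""
    users, seen = set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in members.get(g, ()):
            if m in members:          # a nested group: descend into it
                queue.append(m)
            else:                     # a user; names compare case-insensitively
                users.add(m.lower())
    return users, seen


def has_access(user, group, members=DIRECT_MEMBERS):
    """True if user is a direct or indirect member of group."""
    return user.lower() in expand_group(group, members)[0]


def membership_path(user, group, members=DIRECT_MEMBERS):
    """One chain group -> ... -> user explaining why access is granted, or None."""
    target = user.lower()

    def dfs(g, path, visited):
        if g in visited:
            return None
        visited.add(g)
        for m in members.get(g, ()):
            if m in members:
                found = dfs(m, path + [m], visited)
                if found:
                    return found
            elif m.lower() == target:
                return path + [m]
        return None

    return dfs(group, [group], set())


if __name__ == "__main__":
    for u in (r"DOMAIN\alice", r"DOMAIN\bob", r"DOMAIN\dave"):
        print(u, "->", membership_path(u, r"SERVER1\Share_RW"))
```

`expand_group` answers the "who can reach this resource" question for an access review; `membership_path` answers the helpdesk question "why does this user have access", which is the chain you need before removing someone from the wrong group.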
With (native) Windows Server 2003 commands:
One could use the previous command to check what permissions a user has on a certain directory.
However, sometimes SHOWACLS from the Windows Server 2003 Resource Kit Tools is a better alternative:
CD /D d:\directory2check
SHOWACLS /U:domain\userid
NET VIEW
NETDOM is part of the support tools found in the \SUPPORT directory of the Windows 2000 installation CDROM.
DSQUERY Server
or, if you prefer host names only (tip by Jim Christian Flatin):
or, to find the FSMO with (native) Windows Server 2003 commands (Active Directory only):
"I need an up-to-date list of disk space usage for all servers, on my desk in 5 minutes"
Sounds familiar?
3. and WMIC.EXE, which is native in Windows XP Professional, Windows Server 2003 and Vista.
The CSV file format is ServerName,DeviceID,FileSystem,FreeSpace,Size (one line for each harddisk partition on each server).
If you have a strict server naming convention, SERVERS.TXT itself can be generated with the NET command:
FOR /F "delims=\ " %%A IN ('NET VIEW ^| FINDSTR /R /B /C:"\\\\SRV\-"') DO (>>SERVERS.TXT ECHO.%%A)
Notes: (1) assuming server names start with "SRV-"; modify to match your own naming convention.
(2) delims is a backslash, followed by a tab and a space.
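Once the CSV described above (ServerName,DeviceID,FileSystem,FreeSpace,Size, one line per partition) exists, the "on my desk in 5 minutes" part is a matter of reading it. The following Python example is added here and is not part of the page; it assumes the FreeSpace and Size columns are byte counts as WMIC reports them, and the sample lines are constructed. It flags partitions below a free-space threshold, worst first, and sets aside lines with missing numbers, which is what a server that was unreachable when the report ran leaves behind.

```python
import csv
import io

# Columns of the CSV format described on the page (one line per partition).
FIELDS = ("ServerName", "DeviceID", "FileSystem", "FreeSpace", "Size")

# Constructed sample in that format; FreeSpace and Size are bytes.
# The last line models a server that returned no data.
SAMPLE_CSV = """\
SRV-FILE01,C:,NTFS,5368709120,107374182400
SRV-FILE01,D:,NTFS,858993459200,2199023255552
SRV-SQL01,C:,NTFS,2147483648,85899345920
SRV-SQL01,E:,NTFS,10737418240,1099511627776
SRV-WEB01,C:,NTFS,,
"""

GIB = 1024 ** 3


def parse_disk_report(text):
    """Parse the CSV into dicts with integer sizes plus a PctFree field.
    Rows whose numbers are missing or unparsable are returned separately
    so they are noticed rather than silently dropped."""
    good, bad = [], []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        try:
            free, size = int(rec["FreeSpace"]), int(rec["Size"])
        except (TypeError, ValueError):
            bad.append(rec)
            continue
        if size <= 0:
            bad.append(rec)
            continue
        rec.update(FreeSpace=free, Size=size, PctFree=round(100.0 * free / size, 1))
        good.append(rec)
    return good, bad


def low_space(rows, min_pct=10.0):
    """Partitions with less than min_pct free, most critical first."""
    return sorted((r for r in rows if r["PctFree"] < min_pct),
                  key=lambda r: r["PctFree"])


def format_line(r):
    return "%-12s %-3s %-5s %8.1f GiB free of %8.1f GiB (%5.1f%%)" % (
        r["ServerName"], r["DeviceID"], r["FileSystem"],
        r["FreeSpace"] / GIB, r["Size"] / GIB, r["PctFree"])


if __name__ == "__main__":
    rows, skipped = parse_disk_report(SAMPLE_CSV)
    for r in low_space(rows):
        print(format_line(r))
    for r in skipped:
        print("no data: %s %s" % (r["ServerName"], r["DeviceID"]))
```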
REM Line number of the "----" separator = number of header lines to skip (the pipe inside FOR /F must be escaped as ^|)
FOR /F "delims=[]" %%A IN ('NET LOCALGROUP Administrators ^| FIND /N "----"') DO SET HeaderLines=%%A
REM The last line of the output ("The command completed successfully.") is the footer
FOR /F "tokens=*" %%A IN ('NET LOCALGROUP Administrators') DO SET FooterLine=%%A
REM Show the member list only: skip the header lines, then drop the footer line
NET LOCALGROUP Administrators | MORE /E +%HeaderLines% | FIND /V "%FooterLine%"
DHCPLOC.EXE is native in Windows Server 2003, and will run in Windows XP if copied/installed.
I didn't test this in Windows Server 2003 yet, but in Windows XP you need to press "d" to start the discovery, or "q" to quit.
Disable the firewall only when the computer (e.g. a laptop) is connected to the domain:
Disable the firewall completely (not recommended unless an alternative enterprise firewall is used that requires you to do so):
Dnslint Overview
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This command-line tool allows you to verify Domain Name System (DNS) records for a specified domain name. Use DNSLint to
help diagnose potential causes of incorrect delegation and other common DNS problems.
Concepts
Incorrect delegation
System Administrators use DNS delegations to assign the authority for a DNS subdomain to a set of DNS servers. These
delegations help administrators implement a DNS infrastructure that is scalable, flexible, and easy to administer.
Incorrect delegation is a common problem with DNS structures. This can occur when the authority for a DNS subdomain has
been delegated to a particular DNS server that either does not exist, or does not have authority over the subdomain.
Incorrect delegation problems are compounded when other DNS issues are present in a DNS infrastructure. For example, if DNS
domain information is not identical on all authoritative DNS servers, data returned from the servers may differ, leading to
intermittent name resolution difficulties. In another scenario, if a Mail Exchange (MX) record exists but the corresponding glue
record is missing, then e-mail delivery to that domain may be erratic.
Prior to the development of DNSLint, the nslookup utility was frequently used to diagnose and troubleshoot these types of DNS
issues. Nslookup allows users to manually traverse a DNS infrastructure, inspecting the various DNS records. However, DNSLint
offers quicker verification that record-level data is correct.
For more information about DNS, see DNS or Concepts in Microsoft Management Console Help.
For more information about troubleshooting DNS, see the chapter Troubleshooting DNS in the Networking Guide of the
Windows Server 2003 Resource Kit.
Verifying a particular set of DNS records on multiple DNS servers can help diagnose and fix problems caused by missing or
incorrect DNS records.
For example, when clients are experiencing problems logging on to the domain, verifying that the SRV records that clients use to
find LDAP and Kerberos servers are available and accurate can help determine whether DNS is a cause of the problem.
Another scenario example is where you receive reports that customers are having problems accessing your Web site on the
Internet. It would be nice to have a tool that quickly checks all the DNS records that are involved with the Web farm on all of the
DNS servers that are supposed to have these records. You could quickly determine if there are missing or incorrect DNS records
that may be related to the problem.
In a third example, you could be experiencing problems with e-mail delivery: you can send e-mail, but you are not receiving it.
Could name resolution be the problem? To confirm that theory or eliminate it as a possibility, you need to check all of the
DNS records on all of the DNS servers that are used to resolve the IP address of the e-mail server.
System Requirements
DNSLint runs on a source computer and acts on a target computer. The target computer can be the same computer as the source
computer, or it can be a different computer.
Dnslint Syntax
dnslint /d domain_name | /ad | /ql {text_file | autocreate} [/v] [/r report_name] [/y] [/no_open] [/s alternate_DNS_server_ip_address] [/c SMTP|POP|IMAP] [/t] [/test_tcp]
Parameters
/d domain
/ad
Tests the DNS records used by Active Directory for replication. This is a required parameter. The /s parameter is required with this
parameter.
/ql {text_file | autocreate}
Sends DNS queries based on input from a text file containing a list of DNS names. The command dnslint /ql autocreate creates
an example text file. The /ql parameter supports A, PTR, CNAME, SRV, and MX DNS record types. This is a required parameter.
The /ql parameter accepts either a text file name or the autocreate option, not both.
/v
/r report_name
Specifies a name for the DNSLint report file. The default report name is DNSLint Report.htm.
Note
DNSLint always appends an .htm extension to the file, even if you specify an extension. For example, if you specify
report_name=my_file.rpt, the resulting file will be called my_file.rpt.htm.
/y
/no_open
/s alternate_DNS_server_ip_address
This parameter supplies an alternate DNS server, forcing DNSLint to bypass InterNIC. This parameter is useful for testing domain
structures that are not available from the InterNIC database.
/c SMTP|POP|IMAP
Used to perform connectivity tests on well-known e-mail ports when e-mail servers are found while inspecting DNS servers. See
"Remarks" for more information.
/t
Used to request a plain text file with the same name as the DNSLint report file. (The default filename is DNSLint Report.htm,
unless the /r parameter is used to specify a different name.)
/test_tcp
Used to test TCP port 53 as well as UDP port 53. Unless this parameter is specified, DNSLint tests the UDP port only.
Notes
You must always specify exactly one of the /d, /ad and /ql parameters; they cannot be used together.
The /c parameter cannot be used with the /ad or /ql parameters.
Sample Usage
dnslint /d fourthcoffee.com
dnslint /v /d fourthcoffee.com
dnslint /y /d fourthcoffee.com
Dnslint Examples
The following command instructs DNSLint to traverse the woodgrovebank.com domain, and return all relevant data about its
DNS structure. This domain has no structural errors.
dnslint /d woodgrovebank.com
The link below shows a sample DNSLint report generated in response to this command.
DNSLint Report
Command run:
dnslint /d woodgrovebank.com
woodgrovebank.com
The following 6 DNS servers were identified as authoritative for the domain:

IP Address: 10.46.138.20
Hostmaster: msnhst.woodgrovebank.com
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
10.46.197.102
10.46.230.218
10.46.230.219
10.46.230.220
10 maila.woodgrovebank.com 10.107.3.124
10 mailb.woodgrovebank.com 10.107.3.122
10 mailc.woodgrovebank.com 10.107.3.126

IP Address: 10.46.232.37
Hostmaster: msnhst.woodgrovebank.com
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
10.46.230.220
10.46.197.100
10.46.197.102
10.46.230.218
10 maila.woodgrovebank.com 10.107.3.124
10 mailb.woodgrovebank.com 10.107.3.122
10 mailc.woodgrovebank.com 10.107.3.126

IP Address: 10.199.144.151
Hostmaster: msnhst.woodgrovebank.com
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
10.46.230.218
10.46.230.219
10.46.230.220
10.46.197.100
10 maila.woodgrovebank.com 10.107.3.125
10 mailb.woodgrovebank.com 10.107.3.123
10 mailc.woodgrovebank.com 10.107.3.121

IP Address: 10.46.72.123
Hostmaster: msnhst.woodgrovebank.com
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
10.46.230.218
10.46.230.219
10.46.230.220
10.46.197.100
10 maila.woodgrovebank.com 10.107.3.124
10 mailb.woodgrovebank.com 10.107.3.122
10 mailc.woodgrovebank.com 10.107.3.126

IP Address: 10.68.128.151
Hostmaster: msnhst.woodgrovebank.com
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
10.46.230.219
10.46.230.220
10.46.197.100
10.46.197.102
10 maila.woodgrovebank.com 10.107.3.124
10 mailb.woodgrovebank.com 10.107.3.122
10 mailc.woodgrovebank.com 10.107.3.126

IP Address: 10.46.97.11
Hostmaster: msnhst.woodgrovebank.com
dns1.cp.woodgrovebank.net 10.46.138.20
dns1.dc.woodgrovebank.net 10.68.128.151
dns1.sj.woodgrovebank.net 10.46.97.11
dns1.tk.woodgrovebank.net 10.46.232.37
dns3.jp.woodgrovebank.net 10.46.72.123
dns3.uk.woodgrovebank.net 10.199.144.151
10.46.197.102
10.46.230.218
10.46.230.219
10.46.230.220
10 maila.woodgrovebank.com 10.107.3.124
10 mailb.woodgrovebank.com 10.107.3.122
10 mailc.woodgrovebank.com 10.107.3.126
DNSLint Report
Command run:
lab.fourthcoffee.com
The following 1 DNS servers were identified as authoritative for the domain:
IP Address: 10.46.138.20
Responding to queries: NO
Notes
One or more DNS servers may not be authoritative for the domain
SOA record data was unavailable and/or missing on one or more DNS servers
The following command instructs DNSLint to traverse the lab.fourthcoffee.com domain. The command uses the /s parameter
because lab.fourthcoffee.com is a private domain. As it turns out, this domain contains errors in its structure.
The link below shows a sample DNSLint report generated in response to this command.
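The Overview section makes the point that data should be identical on every authoritative server, and the two reports above show the two failure shapes: servers that answer differently, and a server that does not answer at all. The following Python example is added here and is not part of DNSLint or the original page. It takes the woodgrovebank.com and lab.fourthcoffee.com data transcribed by hand from the reports into a dictionary (an assumed intermediate format; parsing DNSLint's HTML or /t text output is not shown) and reports, per record type, which servers disagree with the majority of the others, listing non-responding servers separately. The page describes woodgrovebank.com as having no structural errors, so the output is a review aid rather than a verdict; it does, however, surface that the MX addresses 10.199.144.151 returned in the report differ from those of the other five servers, which is the kind of difference an administrator would want to look at.

```python
from collections import Counter

# Transcribed from the woodgrovebank.com report above: per authoritative
# server, the NS, A and MX answers it returned (sets; order is irrelevant).
# Hand-built intermediate format, not DNSLint output.
NS_ALL = {
    "dns1.cp.woodgrovebank.net", "dns1.dc.woodgrovebank.net",
    "dns1.sj.woodgrovebank.net", "dns1.tk.woodgrovebank.net",
    "dns3.jp.woodgrovebank.net", "dns3.uk.woodgrovebank.net",
}
MX_COMMON = {(10, "maila.woodgrovebank.com", "10.107.3.124"),
             (10, "mailb.woodgrovebank.com", "10.107.3.122"),
             (10, "mailc.woodgrovebank.com", "10.107.3.126")}
MX_UK = {(10, "maila.woodgrovebank.com", "10.107.3.125"),
         (10, "mailb.woodgrovebank.com", "10.107.3.123"),
         (10, "mailc.woodgrovebank.com", "10.107.3.121")}

WOODGROVE = {
    "10.46.138.20":   {"NS": NS_ALL, "MX": MX_COMMON,
                       "A": {"10.46.197.102", "10.46.230.218", "10.46.230.219", "10.46.230.220"}},
    "10.46.232.37":   {"NS": NS_ALL, "MX": MX_COMMON,
                       "A": {"10.46.230.220", "10.46.197.100", "10.46.197.102", "10.46.230.218"}},
    "10.199.144.151": {"NS": NS_ALL, "MX": MX_UK,
                       "A": {"10.46.230.218", "10.46.230.219", "10.46.230.220", "10.46.197.100"}},
    "10.46.72.123":   {"NS": NS_ALL, "MX": MX_COMMON,
                       "A": {"10.46.230.218", "10.46.230.219", "10.46.230.220", "10.46.197.100"}},
    "10.68.128.151":  {"NS": NS_ALL, "MX": MX_COMMON,
                       "A": {"10.46.230.219", "10.46.230.220", "10.46.197.100", "10.46.197.102"}},
    "10.46.97.11":    {"NS": NS_ALL, "MX": MX_COMMON,
                       "A": {"10.46.197.102", "10.46.230.218", "10.46.230.219", "10.46.230.220"}},
}

# The lab.fourthcoffee.com report: one server, "Responding to queries: NO".
LAB = {"10.46.138.20": {"responding": False, "NS": set(), "MX": set(), "A": set()}}


def majority_view(report, rtype):
    """The record set most servers agree on (ties go to the first server listed)."""
    counts = Counter(frozenset(d[rtype]) for d in report.values())
    return set(counts.most_common(1)[0][0])


def find_discrepancies(report, rtype):
    """server -> (records it lacks, records only it has), against the majority."""
    ref = majority_view(report, rtype)
    out = {}
    for server, data in report.items():
        got = set(data[rtype])
        if got != ref:
            out[server] = (ref - got, got - ref)
    return out


def check_domain(report):
    """Set non-responding servers aside, then compare NS, MX and A across the rest."""
    live = {s: d for s, d in report.items() if d.get("responding", True)}
    result = {"unresponsive": sorted(set(report) - set(live))}
    for rtype in ("NS", "MX", "A"):
        result[rtype] = find_discrepancies(live, rtype) if live else {}
    return result


if __name__ == "__main__":
    for name, rep in (("woodgrovebank.com", WOODGROVE), ("lab.fourthcoffee.com", LAB)):
        res = check_domain(rep)
        print(name, "unresponsive:", res["unresponsive"])
        for rtype in ("NS", "MX", "A"):
            for server, (missing, extra) in sorted(res[rtype].items()):
                print("  %-3s %-15s lacks %s, extra %s"
                      % (rtype, server, sorted(missing), sorted(extra)))
```

Comparing against the majority rather than against the first server keeps one misconfigured server from making all the others look wrong. For the A lists the report shows every server returning four of five addresses, so four servers are flagged; whether that is a stale zone copy or deliberate is exactly the question the check hands back to the administrator.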
Dcdiag Overview
Tool Location
The Dcdiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the
Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install
Windows Support Tools, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
This command-line tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in
troubleshooting. As an end-user reporting program, Dcdiag encapsulates detailed knowledge of how to identify abnormal
behavior in the system. Dcdiag displays command output at the command line.
Dcdiag consists of a framework for executing tests and a series of tests to verify different functional areas of the system. This
framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or
single server.
Corresponding UI
Concepts
All domain controllers in the same domain are peers of one another and any domain controller can make directory updates.
However, given the way in which directory updates are replicated from one domain controller to another, it is possible that
difficulties can arise. For example, if the necessary domain controllers are not connected by a replication topology, the
appropriate domain controllers do not receive directory updates when replication occurs.
Also, in order for the (Domain Controller) Locator to find a domain controller, it must have accurate information so that it can
properly locate the resource. If a domain controller is incorrectly advertised, the Locator is unable to find it.
System Requirements
Dcdiag Syntax
dcdiag /s: DomainController [/n:NamingContext] [/u:Domain\UserName /p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i]
[/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test] [/fix] [{/h | /?}] [/ReplSource:SourceDomainController]
Parameters
/s: DomainController
Uses DomainController as the home server. This parameter is required. It is ignored for DcPromo and RegisterInDns tests which
can only be run locally.
/n: NamingContext
Uses NamingContext as the naming context to test. Domains may be specified in NetBIOS, DNS or distinguished name format.
/u: Domain\UserName /p: {* | Password | ""}
Uses Domain\UserName and Password as the credentials for binding. By default DCDiag uses the process's or user's default
credentials; supply these options only if alternate credentials are needed. Use "" for an empty or null password, or the wildcard
character (*) to prompt for the password.
/a
/e
/q
/v
/i
/fix
Only affects the MachineAccount test. It causes the test to fix the SPNs (Service Principal Names) on the domain controller's
Machine Account Object.
/f: LogFile
/ferr: ErrLog
Redirects fatal error output to a separate file ErrLog. The /ferr parameter operates independently of /f.
/c
Comprehensive. Runs all tests except DCPromo and RegisterInDNS, including non-default tests. Optionally, can be used with
/skip to skip specified tests. The following tests are not run by default:
Topology
CutoffServers
OutboundSecureChannels
{ /h | /?}
/test: Test
Runs only this test. The nonskippable test Connectivity is also run. Should not be run in the same command with /skip.
Note
All tests except DcPromo and RegisterInDNS must be run on computers that have been promoted to domain controller.
The test CheckSecurityError is available only in the version of Dcdiag that is included with Windows Support Tools in
Windows Server 2003 Service Pack 1 (SP1) and must be run on a domain controller that is running Windows Server 2003
with SP1.
/ReplSource: SourceDomainController
Option for /test:CheckSecurityError. Tests the connection between the domain controller on which you run the command and
the source domain controller. SourceDomainController is the DNS name, NetBIOS name, or distinguished name of a real or
potential "from" server that is represented by a real or potential connection object.
DNS Syntax
The new DNS tests in Windows Server 2003 SP1 use the following syntax:
Parameters
/DnsBasic
Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
/DnsForwarders
Performs the /DnsBasic tests, and also checks the configuration of forwarders.
/DnsDelegation
Performs the /DnsBasic tests, and also checks for proper delegations.
/DnsDynamicUpdate
Performs /DnsBasic tests, and also determines if dynamic update is enabled in the Active Directory zone.
/DnsRecordRegistration
Performs the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV)
resource records are registered. In addition, creates an inventory report based on the test results.
/DnsResolveExtName [/DnsInternetName:InternetName]
Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInternetName is not specified, attempts to
resolve the name www.microsoft.com. If /DnsInternetName is specified, attempts to resolve the Internet name supplied by the
user.
/DnsAll
Performs all tests, except for the DnsResolveExtName test, and generates a report.
/f: LogFile
/ferr: ErrLog
Redirects fatal error output to a separate file ErrLog. The /ferr parameter operates independently of /f.
/s: DomainController
/e
Runs all tests specified by /test:DNS against all domain controllers in the Active Directory forest.
/v
Verbose. Presents extended information about successful test results, in addition to information about errors and warnings.
When the /v parameter is not used, provides only error and warning information. Use the /v switch when errors or warnings are
reported in the summary table.
Dcdiag Examples
Example 1: A normal DC
In this example, you want to examine the domain controller so you can verify that it is healthy and functioning properly. Type the
following command at the command prompt:
Substitute the actual account user name for <username>. If you want to specify the domain of the user, use
<domainname>\<username>. For example, if you want to specify a user account named AlanS from the Contoso domain,
type /u:Contoso\AlanS to specify the user account. If you use an asterisk (*) for the password, the tool will prompt you for a
password. If you want to type the password, you can substitute the actual user account password for the asterisk. However,
the password will appear on the screen when you type it.
Domain Controller Diagnosis
Domain Controller Diagnosis
Note
If you receive output from diagnostic testing similar to the previous example, there is probably a DNS registration issue. For
additional diagnostic procedures and potential resolutions, see Troubleshooting DNS (http://go.microsoft.com/fwlink/?LinkID=48893).
Also, see Troubleshooting Active Directory-Related DNS Problems (http://go.microsoft.com/fwlink/?LinkId=130597).
Note
If you receive output from diagnostic testing similar to the previous example, see the list of related Knowledge Base articles
on the Windows Operating System Event ID 5179 Netlogon page (http://go.microsoft.com/fwlink/?LinkId=130599) for
additional troubleshooting information. Also, see Troubleshooting Active Directory-Related DNS Problems
(http://go.microsoft.com/fwlink/?LinkID=130597).
Domain Controller Diagnosis
Netdom Overview
This command-line tool enables administrators to manage Windows Server 2003 and Windows 2000 domains and trust
relationships from the command line.
Manage computer accounts for domain member workstations and member servers. Management operations include:
An option to move an existing computer account for a member workstation from one domain to another while
maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
From a Windows 2000 or Windows Server 2003 domain to a Windows NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 domain to a Windows 2000 or Windows Server 2003 domain
in another enterprise (an "uplevel" external trust).
Between two Windows 2000 or Windows Server 2003 domains in an enterprise (a shortcut trust).
The Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos realm.
Verify and/or reset the secure channel for the following configurations:
Note
Corresponding UI
Much of the functionality of NetDom can be accessed from the Microsoft Management Console Active Directory Users and
Computers snap-in, which is part of Windows Server 2003. More functionality can be accessed from the Active Directory
Domains and Trusts snap-in, which is the corresponding UI for NetDom's trust management functionality.
Concepts
A trust relationship is a defined affiliation between domains that enables pass-through authentication.
A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have
accounts in the other domain (the trusted domain) access to its resources.
The one-way trust relationship described here is helpful in master domain models, but it is not the only kind of trust relationship.
When two one-way trusts are established between domains, it is known as a two-way trust. In two-way trusts, each domain
treats the users from the trusted (and trusting) domain as its own users.
System Requirements
Note
The Windows Server 2003 Administration Tools Pack must be installed on computers running Windows XP
Professional for Netdom.exe to work. This tools pack is installed by default for computers running Windows
Server 2003.
Netdom Examples
Note
If the /ou parameter is not specified, the account is created in the Computers container.
Example 4: Add an alternate name for a Windows Server 2003 domain controller
To give an alternate name for the domain controller DC in the example.com domain, use the following syntax:
A name must first exist as an alternate before it can be made the primary name of a computer.
To rename a member server you must choose one of the existing alternate names for the computer and make it the new primary
name.
Besides adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to
complete the join operation.
If the destination is a Windows 2000 domain, the Security ID history (SIDHistory) for the workstation is updated, retaining the
security permissions that the computer account had previously.
Example 10: Reset the secure channel for a workstation, member server, or Windows NT 4.0 BDC
To reset the secure channel secret maintained between mywksta and devgroup.example.com (regardless of OU), type the
following at the command prompt:
To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC, type
the following at the command prompt:
Example 11: Force a Secure Channel Session Between a Member and a Specific Domain Controller
Members often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a
member and a specific domain controller by using the /server parameter with the reset operation, type the following at the
command prompt:
To set the Windows NT 4.0 resource domain USA-Chicago to trust the Windows NT 4.0 account domain Northamerica, type the
following at the command prompt:
Enter the password for Northamerica\admin and press Enter. The following prompt is displayed:
be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user is
prompted for both.
If you then want to specify a two-way trust, type the following at the command prompt
Example 14: Establish a One-Way Trust Relationship from a Windows Domain to a Non-Windows Kerberos Realm
To establish a one-way trust where Northamerica trusts the non-Windows Kerberos realm ATHENA, type the following at the
command prompt:
The /d parameter specifies the trusted domain and the /realm parameter indicates that this is a non-Windows Kerberos realm.
The order of the domains is not important. Credentials to the Windows 2000 domain can be supplied if needed.
Note
Verifying a specific trust relationship requires credentials unless the user has domain administrator privileges on both
domains.
If you want to set the Kerberos realm ATHENA to trust the Northamerica domain, type the following at the command prompt:
Note
To make the trust two-way, you can specify the /twoway parameter.
Non-Windows Kerberos trusts are created as non-transitive. If you want to change the trust from ATHENA to Northamerica as
transitive, type the following at the command prompt:
To display the transitive state, type the following at the command prompt:
The order of the two domains above is not important. Either can be the non-Windows Kerberos domain.
To verify a two-way trust between the Northamerica and Europe domains, type the following at the command prompt:
The /verify parameter checks that the appropriate shared secrets are synchronized between the two items involved in the trust.
The /reset parameter synchronizes the appropriate shared secrets if they are not already synchronized.
When you use the NetDom trust operation with the /verify /kerberos parameters, it seeks a session ticket for the Kerberos
Admin service in the target domain. If successful, you can conclude that all Kerberos operations (for example KDC referrals) are
operating correctly between the workstation and the target domain.
Note
This operation cannot be executed remotely. It must be run on the workstation being tested.
To list all servers and verify secure channel secret, type the following at the command prompt:
To list all workstations and reset any unsynchronized secure channel secrets, type the following at the command prompt:
netdom query /d:Northamerica WORKSTATION /reset
To view all the direct and indirect trust relationships for the domain Northamerica, type the following at the command prompt:
To view all trust relationships and check their status, type the following at the command prompt:
Example 28: List the routed name suffixes for the trust between my TestDomain and the trustpartnerdomain
Note
The /d parameter is not needed for this operation which is an exception from other trust operations.
To list the routed name suffixes for the trust between my TestDomain and the trustpartnerdomain, type the following at the
command prompt:
This will list out all the routed name suffixes for the trust between myTestDomain and the trustpartnerdomain. The trust must be
either a Cross Forest trust or Non-Windows Realm Trust with the Forest Transitive attribute set.
Sample Output
com
rmatic.nttest.microsoft.com
c.nttest.microsoft.com
/ToggleSuffix must be used with /NameSuffixes. Use /NameSuffixes immediately before using /ToggleSuffix because
the order in which the name suffixes are listed may change.
To enable/disable the first routed name suffix in the list generated by the previous command, type the following at the command
prompt:
Sample Output
Note
The output generated reflects the routed name suffix list after the Toggling.
com
rmatic.nttest.microsoft.com
c.nttest.microsoft.com
Note
This is only allowed for a trust with a Forest Transitive, Non-Windows Realm Trust. This is also true for:
dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.
x:dude.com
The Forest Trust Info for the specified trust could not be stored.
x:cool.dude.com
The TLN or Exclusion was successfully added to the Forest Trust Info.
1. *.cool.dude.com, Exclusion
Netdom Syntax
NetDom add
Syntax
NetDom add Computer {/d: | /domain:}Domain [{/ud: | /userd:}[Domain\]User {/pd: | /passwordd:}{Password|*}] [{/s: | /server:}Server] [/ou:OUPath] [/dc] [/help | /?]
Parameters
Computer
{/d: | /domain:}Domain
Specifies the domain in which to create the account. If this parameter is omitted, the domain that the current computer
belongs to is used.
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain that is specified in the /d or /domain parameter. If this
parameter is omitted, the current user account is used.
{/pd: | /passwordd:}{Password | *}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be
prompted for the password.
/ou: OUPath
Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of
the OU. If omitted, the account is created under the default OU for machine objects for that domain.
/dc
Specifies that a domain controller's machine account is to be created. This allows the computer accounts for new Windows 2000,
Windows Server 2003 domain controllers, and new Windows NT 4.0 backup domain controllers (BDCs) to be pre-created. If
installing a new Windows NT 4.0 BDC into an existing Windows 2000 or Windows Server 2003 domain, the computer account
must be pre-created. This parameter cannot be used with the /ou parameter.
{/help | /?}
NetDom computername
Manages the primary and alternate names for a computer. This command can safely rename Windows Server 2003 and
Windows 2000 domain controllers as well as member servers.
Syntax
Parameters
Computer
/usero:[domain\]UserName
/passwordo:[Password | *]
Specifies the password to be used for the originating domain. If the wildcard character (*) is used, then the user will be
prompted for the password.
/userd:[Domain\]UserName
/passwordd:[Password | *]
Specifies the password to be used for the destination domain. If the wildcard character (*) is used, then the user will be
prompted for the password.
/add: NewAltDNSName
Specifies that a new alternate name should be created. The name must be a fully qualified domain name (computer name
followed by primary DNS suffix, such as comp1.example.com).
/remove: AltDNSName
Specifies that an existing alternate name should be deleted. The name must be a fully qualified domain name (computer name
followed by primary DNS suffix, such as comp1.example.com).
/makeprimary: ComputerDNSName
Specifies that an existing alternate name should be made into the primary name. The name must be a fully qualified domain
name (computer name followed by primary DNS suffix, such as comp1.example.com).
Lists the primary and/or any alternate names. The following valid values can be specified:
Value Description
ALLNAMES Lists the primary and any alternate names. This is the default.
/verify
Checks if there is a DNS A record and a Service Principal Name (SPN) for each computer name.
{/help | /?}
Sample Usage
NetDom join
Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the
computer on the domain, if it does not already exist.
Syntax
NetDom join Computer {/d: | /domain:}Domain [/ou:OUPath] [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd:}{Password|*}]] [{/uo: | /usero}User [{/po: | /passwordo}{Password|*}]] [/reboot[:Delay]] [/help | /?]
Parameters
Note
When joining a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. This means
that a failure during the operation might leave the computer in an undetermined state with respect to the domain to
which it was meant to join.
Computer
{/d: | /domain:}Domain
Specifies the domain to which the account is joined. If this parameter is omitted, then the domain that the current computer
belongs to is used.
/ou: OUPath
Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of
the OU. If omitted, the account is created under the default OU for machine objects for that domain.
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this
parameter is omitted, the current user account is used.
{/pd: | /passwordd:}{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be
prompted for the password.
{/uo: | /usero}User
Specifies the user account that makes the connection with the computer to be joined. If this parameter is omitted, the current
user account is used.
{/po: | /passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
prompted for the password.
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the join has completed. The Delay value is the number
of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Sample Usage
NetDom move
Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for
the computer on the domain, if it does not already exist.
Syntax
NetDom move Computer {/d: | /domain:}Domain [/ou:OUPath] [{/ud: | /userd}[Domain\]User [{/pd: | /passwordd}{Password|*}]] [{/uo: | /usero}[Domain\]User [{/po: | /passwordo}{Password|*}]] [{/uf: | /userf}[Domain\]User [{/pf: | /passwordf}{Password|*}]] [/reboot[:Delay]] [{/help | /?}]
Parameters
Notes
When moving a computer running Windows NT 4.0 or earlier to the domain, the operation is not transacted. This
means that a failure during the operation might leave the computer in an undetermined state with respect to the
domain of its intended move.
When moving a computer to a new domain, the old computer account in the previous domain is not deleted. If
credentials are supplied for the former domain, the old computer account is disabled.
The act of moving a computer to a new domain will create an account for the computer on the domain if it does not
already exist.
Computer
{/d: | /domain:}Domain
Specifies the domain to which the account is moved. If the parameter is omitted, then the domain that the current computer
belongs to is used.
/ou: OUPath
Specifies the organizational unit (OU) under which to create the account. This must be the full RFC 1779 distinguished name of
the OU. If omitted, the account is created under the default OU for machine objects for that domain.
{/ud: | /userd}[Domain\]User
Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this
parameter is omitted, the current user account is used.
{/pd: | /passwordd}{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use an asterisk (*) to be prompted
for the password.
{/uo: | /usero}User
Specifies the user account to make the connection with the computer to be moved. If this parameter is omitted, the current user
account is used.
{/po: | /passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
prompted for the password.
{/uf: | /userf}User
Specifies the user account to make the connection with the computer's former domain (of which the computer had been a
member prior to the move). This parameter is used to disable the old computer account.
{/pf: | /passwordf}{Password|*}
Specifies the password of the user account that is specified in the /uf or /userf parameter. Use the wildcard character (*) to be
prompted for the password.
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the move has completed. The Delay value is the number
of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Sample Usage
NetDom query
Syntax
NetDom query {/d: | /domain:}Domain [{/s: | /server:}Server] [{/ud: | /userd:}[Domain\]User {/pd: | /passwordd}{Password|*}] [/verify] [/reset] [/direct] {WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST} [{/help | /?}]
Parameters
{/d: | /domain:}Domain
Specifies the domain to query for the information. If this parameter is omitted, then the domain that the current computer
belongs to is used.
{/s: | /server:}Server
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain in the /d or /domain parameter. If this parameter is
omitted, the current user account is used.
{/pd: | /passwordd}{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be
prompted for the password.
/verify
Specifies verification of the secure channel secrets for all enumerated memberships or trusts, and displays them. Unless the user
is an enterprise-level administrator, it will not be possible to verify all secure channel secrets.
/reset
Specifies resynchronization of the secure channel secrets for all enumerated memberships or trusts which are currently broken.
The /reset parameter implies the /verify parameter. Unless the user is an enterprise-level administrator, it might not be possible
to reset all enumerated trusts or memberships.
/direct
Indicates that the query for trust relationships returns only direct trust relationships, rather than direct and indirect relationships.
This parameter is valid only when Domain is specified with the /d parameter.
WORKSTATION|SERVER|DC|OU|PDC|FSMO|TRUST
Object Description
OU Queries the domain for the list of OUs under which the specified user can create a machine object.
PDC Queries the domain for the current primary domain controller.
FSMO Queries the domain for the current list of operations master (also known as flexible single master operations
or FSMO) owners.
Sample Usage
NetDom remove
Syntax
NetDom remove Computer {/d: | /domain:}Domain [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd}{Password|*}]] [{/uo: | /usero}User [{/po: | /passwordo}{Password|*}]] [/reboot[:Delay]] [{/help | /?}]
Parameters
Computer
{/d: | /domain:}Domain
Specifies the domain from which the account is to be removed. If this parameter is omitted, then the domain that the current
computer belongs to is used.
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain in the /d or /domain parameter. If this parameter is
omitted, then the current user account is used.
{/pd: | /passwordd}{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be
prompted for the password.
{/uo: | /usero}User
Specifies the user account to make the connection with the computer to be removed. If this parameter is omitted, then the
current user account is used.
{/po: |/passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
prompted for the password.
/reboot[:Delay]
Specifies that the computer shuts down and automatically restarts after the remove operation has completed. The Delay value is
the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Sample Usage
netdom remove /d:reskit.ms.com mywksta
NetDom movent4bdc
Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0
domain renaming efforts.
Syntax
Parameters
Computer
{/d: | /domain:}Domain
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the rename operation has completed. The Delay value is
the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Sample Usage
NetDom renamecomputer
Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and
member servers only. To rename domain controllers, use the NetDom computername command.
Syntax
Parameters
Computer
/newname: NewComputerName
/userd:[domain\]UserName
/passwordd:[password | *]
Specifies the password of the user account that is specified in the /ud or /userd parameter. If the wildcard character (*) is used,
then the user will be prompted for the password.
/usero:[domain\]UserName
/passwordo:[password| *]
Specifies the password of the user account that is specified in the /uo or /usero parameter. If the wildcard character (*) is used,
then the user will be prompted for the password.
/force[:Delay]
The user will be prompted for confirmation unless the /force parameter is specified.
/reboot[:Delay]
Specifies that the computer shuts down and automatically reboots after the rename operation has completed. The Delay value is
the number of seconds before automatic shutdown occurs. The default Delay value is 20 seconds.
{/help | /?}
Note
Do not use renamecomputer to rename Windows Server 2003 or Windows 2000 domain controllers. Using the
renamecomputer operation to rename a domain controller may result in the domain controller no longer functioning as
a domain controller on the network. To rename Windows Server 2003 and Windows 2000 servers and domain
controllers, use the computername operation.
NetDom reset
Syntax
NetDom reset Computer {/d: | /domain:}Domain [{/s: | /server:}Server] [{/uo: | /usero:}User {/po: | /passwordo}{Password|*}] [{/help | /?}]
Parameters
Computer
Specifies the name of the computer for which the connection is to be reset.
{/d: | /domain:}Domain
Specifies the domain with which to establish the secure connection. If this parameter is omitted, then the domain that the
current computer belongs to is used.
{/s: | /server:}Server
Specifies the name of the domain controller to use to establish the secure connection.
{/uo: | /usero:}User
Specifies the user account that makes the connection with the computer to be reset. If this parameter is omitted, then the
current user account is used.
{/po: | /passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
prompted for the password.
{/help | /?}
Sample Usage
NetDom resetpwd
Syntax
NetDom resetpwd {/s: | /server:}Server {/ud: | /userd:}[Domain\]User {/pd: | /passwordd:}{Password|*} [{/help | /?}]
Parameters
{/s: | /server:}Server
Specifies the name of the domain controller to use for setting the machine account password.
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain specified in the /s parameter. This must be in
Domain\User format. If this parameter is omitted, then the current user account is used.
{/pd: | /passwordd:}{Password|*}
Specifies the password of the user account that is specified in the /ud parameter. Use the wildcard character (*) to be prompted
for the password.
{/help | /?}
NetDom trust
Syntax
NetDom trust TrustingDomainName {/d: | /domain:}TrustedDomainName [{/ud: | /userd:}[Domain\]User [{/pd: | /passwordd:}{Password|*}]] [{/uo: | /usero:}User [{/po: | /passwordo:}{Password|*}]] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:TrustName [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]
Parameters
TrustingDomainName
{/d: | /domain:}TrustedDomainName
Specifies the name of the trusted domain. If this parameter is omitted, then the domain that the current computer belongs to is
used.
{/ud: | /userd:}[Domain\]User
Specifies the user account that makes the connection with the domain specified in the /d or /domain parameter. If this
parameter is omitted, then the current user account is used.
{/pd: | /passwordd:}{Password|*}
Specifies the password of the user account that is specified in the /ud or /userd parameter. Use the wildcard character (*) to be
prompted for the password.
{/uo: | /usero:}User
Specifies the user account that makes the connection with the trusting domain. If this parameter is omitted, then the current
user account is used.
{/po: | /passwordo:}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
prompted for the password.
/verify
Verifies the secure channel secrets upon which a specific trust is based.
/reset
Resets the trust secret between trusted domains or between the domain controller and the workstation.
/passwordt: NewRealmTrustPassword
Specifies a new trust password. This parameter is valid only with the /add parameter, and only if one of the domains specified is
a non-Windows Kerberos realm. The trust password is set on the Windows domain only, which means that credentials are not
needed for the non-Windows domain.
/add
/realm
Indicates that the trust is created to a non-Windows Kerberos realm. The /realm parameter is valid only with the /add and
/passwordt parameters.
/remove
/force
Removes both the trusted domain object and the cross-reference object for the specified domain from the forest. Use this option
to clean up decommissioned domains that are no longer in use, and cannot be removed by using the Active Directory Installation
wizard. This problem can occur if the domain controller for that domain was disabled or damaged and there were no domain
controllers, or if it was not possible to recover the domain controller from backup media. This parameter is valid only when the
/remove parameter is specified.
/twoway
Specifies establishment of a two-way trust relationship rather than a one-way trust relationship.
/kerberos
Specifies exercising the Kerberos protocol between a workstation and a target domain. This parameter is valid only when the
/verify parameter is specified.
/transitive[:{YES|NO}]
Specifies whether to set a transitive or non-transitive trust. This parameter is valid only for a non-Windows Kerberos realm. Non-
Windows Kerberos trusts are created as non-transitive. If no value is specified, then the current transitivity state is displayed.
Value Description
/oneside:{TRUSTED| TRUSTING}
Denotes that the trust object should only be created or removed on one domain.
Value Description
TRUSTED Indicates that the trust object is created or removed on the trusted domain (specified by the /d or /domain
parameter).
TRUSTING Indicates that the trust object is to be created or removed on the trusting domain. Valid only with the /add or
/remove parameter. The /passwordt parameter is required when used with the /add or /remove option.
/quarantine[:{YES | NO}]
Sets or clears the domain quarantine attribute. If no value is specified then the current quarantine state is displayed.
Value Description
YES Specifies that only SIDs from the directly trusted domain will be accepted for authorization data returned during
authentication. SIDs from any other domains will be removed.
NO Specifies that any SID will be accepted for authorization data returned during authentication. This is the default value.
/namesuffixes: TrustName
Lists the routed name suffixes for TrustName on the domain named by TrustingDomainName. The /usero and /passwordo
parameters can be used for authentication. The /domain parameter is not required.
/togglesuffix:#
Changes the status of a name suffix. Used with the /namesuffixes parameter. The number of the name entry specified by the
/namesuffixes parameter must be provided to indicate which name will have its status changed. Names that are in conflict
cannot have their status changed until the name in the conflicting trust is disabled. Always precede this command with the
/namesuffixes parameter because LSA will not always return the names in the same order.
/EnableSIDHistory
Specifying yes allows users who migrate to the trusted forest from any other forest to use SID history to access resources in this
forest. Valid only for an outbound forest trust. This should be done only if the trusted forest administrators can be trusted
enough to specify SIDs of this forest in the SID history attribute of their users appropriately. Specifying no would disable the
ability of the migrated users in the trusted forest to use SID history to access resources in this forest. Specifying
/EnableSIDHistory without yes or no will display the current state.
/ForestTRANsitive
Specifying yes marks this trust as forest transitive. Specifying no marks this trust as not forest transitive. Specifying
/ForestTRANsitive without yes or no will display the current state of this trust attribute. Valid only for non-Windows realm trusts
and can only be performed on the root domain for a forest.
/SelectiveAUTH
Specifying no disables selective authentication across this trust. Specifying /SelectiveAUTH without yes or no displays the
current state of this trust attribute. Specifying yes enables selective authentication across this trust. Valid only on outbound
forest and external trusts.
/AddTLN
Adds the specified top level name (DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest
transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes
operation for a list of name suffixes.
/AddTLNEX
Adds the specified top level name exclusion (DNS name suffix) to the forest trust info for the specified trust. Valid only for a forest
transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes
operation for a list of name suffixes.
/RemoveTLN
Removes the specified top level name (DNS name suffix) from the forest trust info from the specified trust. Valid only for a forest
transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the /NameSuffixes
operation for a list of name suffixes.
/RemoveTLNEX
Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust info from the specified trust. Valid only
for a forest transitive non-Windows realm trust and can only be performed on the root domain for a forest. Refer to the
/NameSuffixes operation for a list of name suffixes.
{/help | /?}
Sample Usage
netdom trust /d:masterdom resourcedom
NetDom verify
Syntax
NetDom verify Computer {/d: | /domain:}Domain [{/uo: | /usero:}User {/po: | /passwordo}{Password|*}] [{/help | /?}]
Parameters
Computer
{/d: | /domain:}Domain
Specifies the domain with which to verify the secure connection. If this parameter is omitted, then the domain that the current
computer belongs to is used.
{/uo: | /usero:}User
Specifies the user account that makes the connection with the computer to be verified. If this parameter is omitted, then the
current user account is used.
{/po: | /passwordo}{Password|*}
Specifies the password of the user account that is specified in the /uo or /usero parameter. Use the wildcard character (*) to be
prompted for the password.
{/help | /?}
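The NetDom verify and NetDom reset operations above are normally run one computer at a time. The following PowerShell function, added here as an example and not part of the original page, runs netdom verify against a list of computers, reports which secure channels fail verification, and, only when asked, repairs them with netdom reset against a named domain controller. It assumes netdom.exe (Windows Server 2003 Support Tools) is on PATH and that the session runs as an administrator of the target computers; the domain, DC and host names in the usage lines are placeholders.

```powershell
# Added example, not from the original page: verify each computer's secure channel
# with "netdom verify" and, on request, repair it with "netdom reset" against a
# named DC. Assumes netdom.exe (Windows Server 2003 Support Tools) is on PATH and
# that the session runs as an administrator of the target computers. Domain, DC
# and host names used in the usage lines are placeholders.
function Test-SecureChannel {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$DomainController,
        [switch]$Repair     # without -Repair the function only reports
    )

    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer  = $computer
            Reachable = $false
            Verified  = $false
            Reset     = $null
            Detail    = ''
        }

        # Do not "repair" a machine that is simply offline; netdom would fail for the wrong reason.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            $result.Detail = 'host did not answer ping'
            $result
            continue
        }
        $result.Reachable = $true

        # netdom verify exits non-zero when the secure channel secret cannot be verified.
        $output = & netdom verify $computer "/d:$Domain" 2>&1
        $result.Verified = ($LASTEXITCODE -eq 0)
        $result.Detail   = ($output | Out-String).Trim()

        if (-not $result.Verified -and $Repair) {
            # netdom reset re-establishes the secure channel through the named DC.
            $output = & netdom reset $computer "/d:$Domain" "/s:$DomainController" 2>&1
            $result.Reset  = ($LASTEXITCODE -eq 0)
            $result.Detail = ($output | Out-String).Trim()
        }
        $result
    }
}

# Usage (placeholder names):
# $report = Test-SecureChannel -ComputerName (Get-Content .\hosts.txt) -Domain corp.example.com -DomainController DC01
# $report | Where-Object { $_.Reachable -and -not $_.Verified } | Format-Table Computer, Detail -Wrap
# Test-SecureChannel -ComputerName WKS01 -Domain corp.example.com -DomainController DC01 -Repair
```

Run the report first and look at the Detail text before using -Repair: netdom distinguishes an unreachable computer or an access-denied error from a secure channel secret mismatch, and a reset only helps in the last case. A sudden wave of broken secure channels across many hosts is worth investigating (restored images, duplicate computer accounts, reset machine account passwords) rather than silently resetting.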
Netdiag Examples
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Sample Scenario
In this scenario, you have a problem connecting to a network resource. You receive only a "Network path not found" error
message and no further assistance. You have no idea where to start troubleshooting the problem.
Assuming that the reason for the failure in this case is that the DNS server is down, the solution can be found with NetDiag.
netdiag
When executed in this scenario, NetDiag performs tests on each network adapter, and a set of global tests. The tests on the
network adapters are performed in the following order:
IpConfig test
Autoconfiguration test (APIPA)
Next in this example NetDiag performs a set of global tests in the following order:
Winsock test
DNS test
DC discovery test
DC list test
Kerberos test
LDAP test
Bindings test
IP Security test
The results of these tests show that the network adapter protocol, bindings, and IP address tests succeed. The DNS ping test fails
and reports that the DNS server cannot be contacted.
With this information, the administrator knows that either the DNS server address is incorrect, or the DNS server is not
responding. Because the DNS address is also displayed as output, you can easily verify whether it is correct.
After the problem is isolated, the administrator can perform additional troubleshooting to determine why the DNS server is
down.
For more information on interpreting output from the NetDiag tool see the Interpreting NetDiag Output topic on the Netdiag
Remarks page.
.......................................
Global results:
[WARNING] The DNS entries for this DC cannot be verified right now on DNS
server 10.10.1.77, ERROR_TIMEOUT.
[FATAL] No DNS servers have the DNS records for this DC registered.
Netdiag Syntax
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
netdiag [/q] [/v] [/l] [/debug] [/d:DomainName] [/fix] [/DcAccountEnum] [/test:TestName] [/skip:TestName] [/?]
Parameters
/q
/v
/l
Sends output to Netdiag.log. This log file is created in the same directory where Netdiag.exe was run.
/debug
Specifies even more verbose output. With this parameter, NetDiag takes a few minutes to complete.
/d: DomainName
/fix
/DcAccountEnum
/test: TestName
Runs only the listed test(s). TCP/IP must be bound to one or more adapters before running any of the tests. Nonskippable tests
are still run. A detailed explanation of the switches can be found on the Netdiag Remarks page.
Value Description
Autonet Automatic Private IP Addressing (APIPA) address test. Tests whether APIPA is in use for the network
adapters.
Bindings Bindings test. Lists all bindings, including interface name, lower module name, upper module name,
whether the binding is currently enabled, and the owner of the binding.
Browser Redirector and Browser test. Lists the protocols bound to the Browser service and the redirector.
DcList Domain controller list test. Obtains a list of domain controllers for the domain.
DefGw Default gateway test. Attempts to contact each configured default gateway.
DNS DNS test. Tests the availability of the configured DNS servers and verifies the current client's DNS
registrations.
DsGetDc Domain controller discovery test. First finds a generic domain controller from directory service, then finds
the primary domain controller. Then, finds a Windows 2000 domain controller (DC). If the tested domain is
the primary domain, checks whether the domain GUID stored in Local Security Authority (LSA) is the same
as the domain GUID stored in the DC. If not, the test returns a fatal error; if the /fix option is on, DsGetDC
tries to fix the GUID in LSA.
IpConfig IP address configuration test. Enumerates the TCP/IP configuration information for each network adapter.
IpLoopBk IP address loopback ping test. Pings the IP loopback address of 127.0.0.1 for each adapter.
IPSec IP Security test. Tests whether IP Security is enabled and displays a list of active IP Security policies for the
computer.
IPX IPX test. Lists statistics for the IPX protocol installed on the computer.
Kerberos Kerberos test. Checks whether the Kerberos package information is up-to-date.
Ldap Lightweight Directory Access Protocol (LDAP) test. Contacts all available domain controllers and determines
which LDAP authentication protocol is in use.
Member Domain membership test. Checks to confirm details of the primary domain, including computer role,
domain name, and domain GUID. Checks to see if NetLogon service is started, adds the primary domain to
the domain list, and queries the primary domain security identifier (SID).
Modem Modem diagnostics test. Lists configuration information for each modem found.
NbtNm NetBT name test. Similar to the nbtstat -n command. It checks that the workstation service name <00> is
equal to the computer name. It also checks that the messenger service name <03>, and server service
name <20> are present on all interfaces and that none of these names are in conflict.
Ndis Netcard queries test. Lists the network adapter configuration details, including the adapter name,
configuration, media, globally unique identifier (GUID), and statistics. If this test shows an unresponsive
network adapter, the remaining tests are aborted.
NetBTTransports NetBT transports test. Lists the transport protocols that are bound to NetBT.
Netstat Netstat information test. Lists protocol statistics and current TCP/IP connections.
Netware Netware test. Queries the nearest Netware server for current login information.
Route Routing table test. Lists static routes and whether they are persistent.
Trust Trust relationship test. Tests trust relationships to the primary domain only if the computer is a member
workstation, member server, or a backup domain controller (BDC) that is not the PDC emulator. Checks that the
primary domain security identifier (SID) is correct. Contacts an active DC. Connects to the SAM server on the DC.
Uses the domain SID to open the domain to verify whether the domain SID is correct. Queries info of the secure
channel for the primary domain. If the computer is a BDC, reconnects to the PDC emulator. If the computer is a
member workstation or server, sets a secure channel to each DC on the DC list for this domain.
WAN Wide Area Network (WAN) configuration test. Lists settings and status on each COM port currently in use.
WINS Windows Internet Name Service (WINS) service test. Tests the availability of the configured WINS server
and the validity of the client registrations.
Winsock Winsock test. Lists protocols and ports available to the WinSock service.
/skip: TestName
Skips the test specified by TestName. Nonskippable tests will still run. Valid TestName values are:
Value Description
Autonet Automatic Private IP Addressing (APIPA) address test.
Bindings Bindings test.
Browser Redir and Browser test.
DcList Domain controller list test.
DefGw Default gateway test.
DNS DNS test.
DsGetDc Domain controller discovery test.
IpConfig IP address configuration test.
IpLoopBk IP address loopback ping test.
IPX IPX test.
Kerberos Kerberos test.
Ldap Lightweight Directory Access Protocol (LDAP) test.
Modem Modem diagnostics test.
NbtNm NetBT name test.
Netstat Netstat information test.
Netware Netware test.
Route Routing table test.
Trust Trust relationship test.
WAN Wide Area Network (WAN) configuration test.
WINS Windows Internet Name Service (WINS) test.
Winsock Winsock test.
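The sample scenario above shows NetDiag's global results as free text with [WARNING] and [FATAL] tags, and the /l parameter writes the same text to Netdiag.log. When the tool is run across many hosts, that text has to be triaged rather than read. The following PowerShell function is an added example, not code from the original page: it extracts the tagged findings from NetDiag output, joining indented continuation lines onto the finding they belong to. The sample input is constructed from the page's own output (the continuation line is indented here, as it is in a real Netdiag.log); the test names in the usage lines are the page's.

```powershell
# Added example, not from the original page: pull the [FATAL] and [WARNING]
# findings out of NetDiag output so a run against many hosts can be triaged.
# Assumption: continuation lines are indented, as in a real Netdiag.log.
function Get-NetdiagFinding {
    param([Parameter(Mandatory)][string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(FATAL|WARNING)\]\s*(.*)$') {
            # A new finding starts; emit the previous one.
            if ($current) { $current }
            $current = New-Object PSObject -Property @{
                Severity = $Matches[1]
                Message  = $Matches[2].Trim()
            }
        }
        elseif ($current -and $line -match '^\s+\S') {
            # Indented text belongs to the finding above it.
            $current.Message = $current.Message + ' ' + $line.Trim()
        }
        elseif ($current) {
            # A blank or flush-left line (such as a section header) closes the finding.
            $current
            $current = $null
        }
    }
    if ($current) { $current }
}

function Get-NetdiagSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $findings = @(Get-NetdiagFinding -Lines $Lines)
    New-Object PSObject -Property @{
        Fatal    = @($findings | Where-Object { $_.Severity -eq 'FATAL' }).Count
        Warnings = @($findings | Where-Object { $_.Severity -eq 'WARNING' }).Count
        Findings = $findings
    }
}

# Constructed sample built from the page's NetDiag output (continuation line indented):
$sample = @(
    '.......................................',
    'Global results:',
    '[WARNING] The DNS entries for this DC cannot be verified right now on DNS',
    '          server 10.10.1.77, ERROR_TIMEOUT.',
    '[FATAL] No DNS servers have the DNS records for this DC registered.',
    ''
)
Get-NetdiagFinding -Lines $sample | Format-Table Severity, Message -AutoSize
(Get-NetdiagSummary -Lines $sample).Fatal     # 1 for the sample above

# Against a live host: run only the relevant tests, log, then triage the log file.
# netdiag /test:DNS /test:DsGetDc /l | Out-Null
# Get-NetdiagFinding -Lines (Get-Content .\Netdiag.log) | Where-Object { $_.Severity -eq 'FATAL' }
```

Restricting the run with /test: keeps the output to the tests that matter for the symptom (here DNS and DC discovery), which is also what makes the FATAL count meaningful when the same command is pushed to many machines.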
Nltest Examples
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Example 1: Verify DCs in a domain
In this example, the /dclist parameter is used to create a list of domain controllers of the domain fourthcoffee.com
nltest /dclist:fourthcoffee
Output displays similar to the following:
Get list of DCs in domain 'fourthcoffee' from '\\fourthcoffee-dc-01'.
fourthcoffee-dc-01.forthcoffee.com [DS] Site: Rome
fourthcoffee-dc-03.forthcoffee.com [DS] Site: LasVegas
fourthcoffee-dc-04.forthcoffee.com [DS] Site: LA
fourthcoffee-dc-09.forthcoffee.com [DS] Site: NYC
fourthcoffee-dc-12.forthcoffee.com [DS] Site: Paris
fourthcoffee-dc-24.forthcoffee.com [DS] Site: Chattaroy
fourthcoffee-dc-32.forthcoffee.com [DS] Site: Haifa
fourthcoffee-dc-99.forthcoffee.com [DS] Site: Redmond
fourthcoffee-dc-63.forthcoffee.com [PDC] [DS] Site: London
The command completed successfully
Example 2: Advanced information about users
In this example, you want to find out detailed information about a certain user. At the command prompt, type:
nltest /user:"TestAdmin"
Output displays similar to the following:
User: User1
Rid: 0x3eb
Version: 0x10002
LastLogon: 2ee61c9a 01c0e947 = 5/30/2001 13:29:10
PasswordLastSet: 9dad5428 01c0e577 = 5/25/2001 17:05:47
AccountExpires: ffffffff 7fffffff = 9/13/30828 19:48:05
PrimaryGroupId: 0x201
UserAccountControl: 0x210
CountryCode: 0x0
CodePage: 0x0
BadPasswordCount: 0x0
LogonCount: 0x33
AdminCount: 0x1
SecurityDescriptor: 80140001 0000009c 000000ac 00000014 00000044 00300002 000000
02 0014c002 01050045 00000101 01000000 00000000 0014c002 000f07ff 00000101 05000
000 00000007 00580012 00000003 00240000 00020044 00000501 05000000 00000015 22cd
b7b4 7112b3f1 2b3be507 000003eb 00180000 000f07ff 00000201 05000000 00000020 000
00220 00140000 0002035b 00000101 01000000 00000000 00000201 05000000 00000020 00
000220 00000201 05000000 00000020 00000220
AccountName: User1
Groups: 00000201 00000007
LmOwfPassword: fb890c9c 5c7e7e09 ee58593b d959c681
NtOwfPassword: d82759cc 81a342ac df600c37 4e58a478
NtPasswordHistory: 00011001
LmPasswordHistory: 00010011
The command completed successfully
The detailed information provided can be used to troubleshoot many issues. Note that the LmOwfPassword and NtOwfPassword fields are the account's LM and NT one-way-function password hashes as stored in the directory, so this output is credential material: treat a screen capture, log or ticket containing it exactly as you would a password hash dump, and restrict who may run this command.
Example 3: Verify trust relationship with a specific server
In this example, you want to verify that the domain controller fourthcoffee-dc-01 has a valid secure channel (trust relationship) with the
domain fourthcoffee. At the command prompt, type:
nltest.exe /server:fourthcoffee-dc-01 /sc_query:fourthcoffee
Output displays similar to the following:
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\fourthcoffee-dc-01.forthcoffee.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Example 4: Determine the PDC emulator for a domain
In this example, you want to determine which DC in your domain the Windows NT 4.0-based computers are looking to as the
PDC. At the command prompt, type:
nltest /dcname:fourthcoffee
Output displays similar to the following:
PDC for Domain fourthcoffee is \\fourthcoffee-dc-01
The command completed successfully
You can see that a-dcp is the PDC emulator for your domain.
Example 5: Show trust relationships for a domain
In this example, you want to view the established trust relationships for your domain. At the command prompt, type:
nltest /domain_trusts
Output displays similar to the following:
List of domain trusts:
0: forthcoffee forthcoffee.com (NT 5) (Forest Tree Root) (Primary Domain)
The command completed successfully
This example shows that one domain is trusting itself and no others.
Nltest Syntax
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
NLTest Syntax
NLTest uses the following syntax:
nltest [/server:ServerName] [operation[:Parameter]] ...
/server:ServerName
Runs NLTest at the specified remote domain controller. If this parameter is not specified, the command is executed on the local
computer (domain controller).
Operations
/query
Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon
service.
/repl
Forces a synchronization with the PDC. Only changes not yet replicated to the BDC are synchronized. This command is for NT 4.0
BDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
/sync
Forces an immediate synchronization with the PDC of the entire SAM database. This command is for NT 4.0 BDCs only and is not
for Active Directory replication. Administrative rights are required to perform this command.
/pdc_repl
Forces the PDC to send a synchronize notification to all BDCs. This command is for NT 4.0 PDCs only and is not for Active
Directory replication. Administrative rights are required to perform this command.
/sc_query:DomainName
Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon
service. Also, lists the name of the domain controller that was queried on the secure channel.
/sc_reset:[DomainName]
Removes and then rebuilds the secure channel established by the NetLogon service. Administrative rights are required to
perform this command.
/sc_verify:[DomainName]
Checks the status of the secure channel established by the NetLogon service. If the secure channel is not working, this operation
removes the existing channel and builds a new one. Administrative rights are required to perform this command. This operation
is only valid on Windows 2000 with Service Pack 2 and Windows Server 2003 domain controllers.
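As an added example, not from the nltest documentation, the following Python parses the /sc_query output shown in Example 3 and wraps the documented /server and /sc_query syntax so a monitoring script can check secure-channel health on a list of domain controllers. The second sample output is constructed, and running the check for real assumes a Windows host with nltest.exe on PATH.

```python
import re
import subprocess

# Sample inputs: the first is the /sc_query output shown in Example 3; the second is
# a constructed failure (1311 / 0x51f is the Win32 code ERROR_NO_LOGON_SERVERS).
SAMPLE_OK = r"""Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\fourthcoffee-dc-01.forthcoffee.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""
SAMPLE_FAIL = r"""Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
"""

FLAGS_RE = re.compile(r"^Flags:\s+([0-9a-fA-F]+)\s*(.*)$")
DC_RE = re.compile(r"^Trusted DC Name\s+\\\\(\S+)")
STATUS_RE = re.compile(r"Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\w+)")

def parse_sc_query(text):
    """Turn nltest /sc_query output into a dict; 'healthy' is True only for status 0."""
    info = {"flags": [], "dc": None, "status": None, "status_name": None, "healthy": False}
    for line in text.splitlines():
        line = line.strip()
        m = FLAGS_RE.match(line)
        if m:
            info["flags"] = m.group(2).split()  # e.g. HAS_IP HAS_TIMESERV
            continue
        m = DC_RE.match(line)
        if m:
            info["dc"] = m.group(1)  # DC name without the leading \\
            continue
        m = STATUS_RE.search(line)
        if m:
            info["status"] = int(m.group(1))
            info["status_name"] = m.group(2)
    info["healthy"] = info["status"] == 0
    return info

def sc_query_command(domain, server=None):
    """Build the command line per the documented syntax: /server precedes the operation."""
    cmd = ["nltest"]
    if server:
        cmd.append(f"/server:{server}")
    cmd.append(f"/sc_query:{domain}")
    return cmd

def check_secure_channel(domain, server=None):
    """Run nltest (Windows only; nltest.exe assumed on PATH) and parse its output."""
    proc = subprocess.run(sc_query_command(domain, server), capture_output=True, text=True)
    return parse_sc_query(proc.stdout)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        print(parse_sc_query(sample))
```

A non-zero status is the cue to run /sc_verify (or /sc_reset) against that server, as the syntax above describes.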
/sc_change_pwd:[DomainName]
Changes the password for the trust account of the specified domain. If this command is run on a domain controller, and an
explicit trust relationship exists, then the password for the interdomain trust account is reset. Otherwise, the computer account
password for the specified domain is changed. This command is only for computers that are Windows 2000, Windows XP, and
Windows Server 2003.
/dclist:[DomainName]
Lists all domain controllers in the domain. In an NT 4.0 domain environment, this command uses the Browser service to retrieve
the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain
controllers. If this is unsuccessful the Browser service is used.
/dcname:[DomainName]
Lists the primary domain controller or the primary domain controller emulator for DomainName.
/dsgetdc:[DomainName]
Queries the DNS server for a list of domain controllers and their corresponding IP addresses. Contacts each domain controller to
check for connectivity.
Use the following flags to filter the list of domain controllers or to specify alternate name types in the syntax.
/PDC Returns only the PDC (NT 4.0) or domain controller designated as the PDC emulator (Windows 2000 or Windows
Server 2003).
/DS Returns only those domain controllers that are Windows 2000 or Windows Server 2003 servers.
/DSP Requests that Windows 2000 or Windows Server 2003 domain controllers be returned. If no Windows 2000 or
Windows Server 2003 server is found, then this operation returns NT domain controllers.
/GC Returns only those domain controllers designated as Global Catalog servers.
/KDC Returns only those domain controllers designated as Kerberos key distribution centers.
/GTTIMESERV Returns only those domain controllers designated as master time servers.
/NetBIOS Use this command when specifying computer names in the syntax as NetBIOS names.
/DNS Use this command when specifying computer names in the syntax as FQDNs.
/IP Returns only domain controllers that have IP addresses. Domain controllers not using TCP/IP as their protocol stack
are not returned.
/FORCE Forces the computer to run the command against the DNS server instead of looking in cache for the
information.
/dnsgetdc:DomainName
Queries the DNS server for a list of domain controllers and their corresponding IP addresses.
Use the following flags to filter the list of domain controllers.
/PDC Returns only those domain controllers that are PDCs (NT 4.0) or designated as PDC emulators.
/KDC Returns only those domain controllers designated as Kerberos key distribution centers.
/WRITABLE Returns only those domain controllers that can accept changes to the directory database. All Active
Directory domain controllers are returned; only NT 4.0 BDCs are excluded by this flag.
/LDAPONLY Returns servers that are running an LDAP application. With this command LDAP servers are returned that
are not necessarily DCs.
/FORCE Forces the computer to run the command against the DNS server instead of looking in cache for the
information.
/SITE:Sitename Sorts the returned records so that the ones pertaining to the site are listed first.
/SITESPEC Filters the returned records so only those pertaining to the site are displayed. This operation can only be used
with the /SITE operation.
/dsgetfti:DomainName [/UpdateTDO]
Returns information about interforest trusts. This operation is only for a Windows Server 2003 domain controller that is in the
root of the forest. If no interforest trusts exist, this operation will return an error.
/UpdateTDO Updates the locally stored information on the interforest trust.
/dsgetsite
Returns the name of the site in which the domain controller resides.
/dsgetsitecov
Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain
controller of its own.
/parentdomain
Returns the name of the parent domain of the server.
/dsregdns
Refreshes the registration of all domain controller-specific DNS records.
/dsderegdns:DnsHostName [/DOM:DnsDomainName] [/DOMGUID:DomainGuid] [/DSAGUID:DsaGuid]
Deregisters DNS host records from DNS for the host specified with the DnsHostName parameter.
Use the following flags to specify which records will be deregistered.
/DOM: Specifies a DNS domain name for the host to use when searching for records in the DNS server. If not specified,
the suffix of the DnsHostName is assumed to be the DNS domain name.
/domain_trusts [/Primary] [/Forest] [/Direct_Out] [/Direct_In]
Lists the trust relationships of the domain, as shown in Example 5. Use the following flags to filter the list of domains.
/Primary Returns only the domain to which the computer account belongs.
/Forest Returns only those domains that are in the same forest as the primary domain.
/Direct_Out Returns only the domains that are explicitly trusted with the primary domain.
/Direct_In Returns only the domains that explicitly trust the primary domain.
/dsquerydns
Queries for the status of the last update for all DC-specific DNS records.
/bdc_query:DomainName
Queries for a list of backup domain controllers in DomainName and displays their state of synchronization and replication status.
This operation is only for NT 4.0 domain controllers.
/sim_sync:DomainName ServerName
Simulates full synchronization replication. This operation is useful in test environments.
/list_deltas:FileName
Displays the contents of the change log file FileName, which lists changes to the user account database. Netlogon.chg is the
default name. This log file resides only on NT 4.0 BDCs.
/cdigest:Message /domain:DomainName
Displays the current digest (calculation derived from the password) used by the client for the secure channel. Also, displays the
digest based on the previous password. The secure channel is used for logons between client computers and a domain controller,
or DC to DC for directory service replication. Use this operation in conjunction with the /sdigest operation to check trust account
password synchronization.
/sdigest:Message /rid:RID_In_Hexadecimal
Displays the current digest (calculation derived from the password) that the server is using for the secure channel. Also, displays
the digest for the previous password. If the digest from the server matches the digest from the client (retrieved using the
/cdigest operation), then the passwords used for the secure channel are synchronized. If the digests do not match, then a
password change may not have replicated yet.
/shutdown:Reason [Seconds]
Performs a remote shutdown of the ServerName for Reason, a string, after Seconds, an integer. For a complete description, see
the Platform SDK documentation for InitiateSystemShutdown.
/shutdown_abort
Terminates a system shutdown.