Work with Trusts, Secure Channels and NLTest

If like me you work in an environment that contains multiple Trust between multiple Domains,
you probably need to be able to check or change the status of your secure channels between different Domain Controllers.
Play with this a little (in a lab) to get comfortable with the commands!
Secure channels are secure communication paths between machines, used for example for passthrough authentication.
There a different kinds:
-A member server/workstation has a secure channel to a DC in its own domain, the member’s Machine account is used for authentication.
-A DC has a secure channel with the PDC emulator in its own domain, except the PDC Emulator itself,the DC’s Machine account is used for authentication
-A DC has a secure channel with a DC in every Domain that is Trusted by its domain, in this case the TDO (Trusted Domain Object, special object used for Trust authentication) account is used.
The tools you need are nltest and netdom, those should probably be standard gear in your weapons arsenal.
‘NL’test comes from NetLogon, as this is the service responsible for managing Secure Channels.
As an example I will use member server RESOURCE01 that lives in domain RESDOM.NET.
Resource Domain RESDOM.NET has an outgoing external Trust to User Domain USERDOM.LOCAL (RESDOM trusts USERDOM).
To check the Trust RESOURCE01 has to its own domain:
nltest /sc_query:RESDOM.NET /server:RESOURCE01
The /server switch can be omitted when the command is run from the server in question.
A problem with a member -> DC can happen when a machine has been off the network for a long time ( > 60 days)

and the computer account password in AD isn’t the same as the one on the machine.

Resetting the Computer Account using ADUC and Rejoining the machine is often the easiest cure.
Command line you can try following to reset both the AD and Computer SC password, to prevent a rejoin:
netdom reset <server> /Domain <domain> /UserO <user to connect to machine> /PasswordO *
To check a secure channel between a DC and a DC in a Trusted domain use:
nltest /sc_query:<trusted domain> /server:<DC in trusting domain>
for example:
nltest /sc_query:USERDOM /server:RESOURCE01
In stead of sc_query you can also use sc_verify which is less passive:
"if the secure channel is not working, this operation removes the existing channel and builds a new one" as per Microsoft.
If there’s a problem with a Secure Channel (for example in case of a network or firewall issue or name resolution issue),
you can try following command to rebuild the secure channel:
nltest /sc_reset:<trusted domain> /server: :<DC in trusting domain>
for example:
nltest /sc_reset:USERDOM.LOCAL /server:RESOURCE01
You can also force the server to create a SC to a specified DC in the Trusted Domain:
nltest /sc_reset:<trusted domain>\<DC trusted domain> /server: :<DC trusting domain>
for example:
nltest /sc_reset:USERDOM.LOCAL\GOOD-DC01 /server:RESOURCE01

Hope you find this useful, I know some of you may not be very comfortable using these commands,

but maybe after reading this post they make a little more sense!

One response to “Work with Trusts, Secure Channels and NLTest

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s