{
	"id": "9c3fdda3-af88-4ece-a810-9ebf2ee872fb",
	"created_at": "2026-04-06T03:36:10.46561Z",
	"updated_at": "2026-04-10T03:21:21.683161Z",
	"deleted_at": null,
	"sha1_hash": "924fc246d82f059e4a97b19c9e9616b6a8bbb958",
	"title": "nltest - Windows CMD - SS64",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75973,
	"plain_text": "nltest - Windows CMD - SS64\r\nArchived: 2026-04-06 03:14:15 UTC\r\nSS64\r\nCMD\r\nHow-to\r\nNLTEST.exe\r\nNetwork Location Test - List domain controllers(DCs), Force a remote shutdown, Query the status of trust,\r\ntest trust relationships and the state of domain controller replication.\r\nSyntax\r\n NLTEST [/server:servername] [operation[parameter]\r\nKey\r\n /server:ServerName\r\n Run nltest at a remote domain controller: ServerName.\r\n default = the local computer (a domain controller).\r\n /dbflag:HexadecimalFlags\r\n Set a new debug flag.\r\n The entry in the Windows Server registry for debug flags is\r\n HKLM\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DBFlag.\r\n A value of 0x2080FFFF (decimal 545325055) for HexadecimalFlags will enable verbose Netlog\r\n A value of 0x0 (decimal 0) or deleting the registry key, will disable Netlogon logging.\r\n /cDigest:Message /domain:DomainName\r\n Display the current digest that the client uses for the secure channel.\r\n (The digest is the calculation that nltest derives from the password.)\r\n This parameter displays the digest that is based on the previous password, also. Nltest u\r\n the secure channel for logons between client computers and a domain controller, or for\r\n directory service replication between domain controllers. You can use this parameter in\r\n conjunction with the /sdigest parameter to check the synchronization of trust account pas\r\n /sDigest:Message /rid:RID_In_Hexadecimal\r\n Display the current digest that the server uses for the secure channel.\r\n (The digest is the calculation that nltest derives from the password.)\r\n This parameter displays the digest for the previous password, also. If the digest from th\r\n server matches the digest from the client, then nltest synchronizes the passwords that it\r\n uses for the secure channel. 
If the digests do not match, then nltest might not have repl\r\nhttps://ss64.com/nt/nltest.html\r\nPage 1 of 7\n\nthe password change yet.\r\n /dclist:[DomainName]\r\n List all DCs in the domain.\r\n This command first queries Active Directory for a list of DCs.\r\n If this query is unsuccessful, nltest then uses the Browser service (if netbios is enable\r\n /dcname:[DomainName]\r\n List the primary domain controller or the PDC emulator for DomainName.\r\n /domain_trusts [/Primary | /Forest | /Direct_Out | /Direct_In | /All_Trusts | /v]\r\n Return a list of trusted domains.\r\n Optional Flags to filter the list of domains:\r\n /Primary Return only the domain to which the computer account belongs.\r\n /Forest Return only those domains that are in the same forest as the primary domai\r\n /Direct_Out Return only the domains that are explicitly trusted with the primary domai\r\n /Direct_In Return only the domains that explicitly trust the primary domain.\r\n /All_Trusts Return all trusted domains.\r\n /v Display verbose output, including any domain SIDs and GUIDs that are avail\r\n /dnsgetdc:DomainName\r\n Query the DNS server for a list of domain controllers and their corresponding IP addresse\r\n values that you can use to filter the list of DCs:\r\n /PDC Return only those DCs that are PDCs (NT 4.0) or designated as PDC emulators.\r\n /GC Return only those DCs that you designate as global catalogs.\r\n /KDC Return only those DCs that you designate as Kerberos key distribution centers.\r\n /WRITABLE Return only those DCs that can accept changes to the directory database.\r\n This value returns all Active Directory DCs, but not Windows NT 4.0 BDCs.\r\n /LDAPONLY Return servers that are running a Lightweight Directory Access Protocol (LD\r\n The servers can include LDAP servers that are not DCs.\r\n /FORCE Run the command against the DNS server instead of looking in cache.\r\n /SITE Sitename Sort to list first the records that pertain to Sitename.\r\n /SITESPEC Filter 
the returned records to display only Sitename, used only with /SITE\r\n /DSAddressToSite:MachineName\r\n Call DsAddressToSiteNamesEx\r\n /DSgetdc:[DomainName]\r\n Query the Domain Name System (DNS) server for a list of DCs and their\r\n IP addresses. This parameter also contacts each domain controller to check for connectivi\r\n The following case sensitive flags can be used to filter the list of DCs\r\n or specify alternate names types in the syntax.\r\n /PDC : Return only the PDC or domain controllers designated as the PDC emulator.\r\n /DS : Return only those DCs that are Windows 2000 and later.\r\n /DSP : Return only Windows 2000 and later DCs. If the query finds no such server,\r\n then return Windows NT 4.0 DCs.\r\n /GC : Return only those DCs that are designated as global catalog servers.\r\n /KDC : Return only those DCs that are designated as Kerberos key distribution centers.\r\n /TIMESERV : Return only those DCs that are designated as time servers.\r\n /GTTIMESERV : Return only DCs designated as master time servers.\r\n /WS\r\n /NetBIOS : Specify computer names in the syntax as NetBIOS names.\r\n /DNS : Specify computer names in the syntax as fully qualified domain names (FQDNs).\r\n If you do not specify a return format, the DC can return either NetBIOS or DNS fo\r\n /IP : Return only DCs that have IP addresses. i.e. return only TCP/IP DCs.\r\n /FORCE : Force the computer to run the command against the DNS server instead of looking\r\n the cache for the information.\r\n /Writable : Require that the returned DC be writable; All Windows 2000 DCs are writable\r\n /Avoidself : When called from a DC, specifies that the returned DC name should\r\n not be the current computer. If the current computer is not a DC, this flag\r\n This flag can be used to obtain the name of another DC in the domain.\r\n /LDAPOnly : Specifies that the server returned is an LDAP server. The server returned is\r\n necessarily a DC. 
This flag can be used with the DS_GC_SERVER_REQUIRED flag\r\n to return an LDAP server that also hosts a global catalog server.\r\n If this flag is specified, the DS_PDC_REQUIRED, DS_TIMESERV_REQUIRED,\r\n DS_GOOD_TIMESERV_PREFERRED, DS_DIRECTORY_SERVICES_PREFERED,\r\n DS_DIRECTORY_SERVICES_REQUIRED, and DS_KDC_REQUIRED flags are ignored.\r\n /Backg : If the DS_FORCE_REDISCOVERY flag is not specified, this function uses cached DC\r\n If the cached data is more than 15 minutes old, the cache is refreshed by pingin\r\n the DC. If this flag is specified, this refresh is avoided even if the cached da\r\n is expired. This flag should be used if the DsGetDcName function is called perio\r\n /DS_6 : Require that the returned DC be running Windows Server 2008 or later.\r\n /DS_8 : Require that the returned domain controller be running Windows Server 2012 or lat\r\n /Try_Next_Closest_Site : When this flag is specified, DsGetDcName attempts to find a DC\r\n the same site as the caller.\r\n /Ret_DNS : Specifies that the names returned in the DomainControllerName and DomainName m\r\n of DomainControllerInfo should be DNS names.\r\n /Ret_NETBIOS : Specifies that the names returned in the DomainControllerName and DomainNa\r\n of DomainControllerInfo should be flat names.\r\n /DSgetsite\r\n Return the name of the site in which the DC resides.\r\n /DSgetsitecov\r\n Return the name of the site that the DC covers. A DC can cover a site\r\n that has no local DC of its own.\r\n /DSgetfti:DomainName[ /UpdateTDO]\r\n Return information about interforest trusts. You use this parameter only for a Windows Se\r\n domain controller that is in the root of the forest. If no interforest trusts exist, this\r\n returns an error. 
The /UpdateTDO value updates the locally stored information on the inte\r\n /DSquerydns\r\n Query for the status of the last update for all DNS records that are specific to a DC.\r\n /DSregdns\r\n Refresh the registration of all DNS records that are specific to a DC that you specify.\r\n /DSderegdns:DnsHostName\r\n Deregister DNS host records for the host that you specify in the DnsHostName parameter.\r\n values you can use to specify which records nltest deregisters:\r\n /DOM Specify a DNS domain name for the host to use when you search for records on the\r\n If you do not specify this value, nltest uses the DNS domain name as the suffix\r\n DnsHostName parameter.\r\n /DSAGUID Delete Directory System Agent (DSA) records that are based on a GUID.\r\n /DOMGUID Delete DNS records that are based on a globally unique identifier (GUID).\r\n /finduser:User\r\n Find the directly-trusted domain that the user account User belongs to.\r\n Use this parameter to troubleshoot logon issues of older client Operating Systems.\r\n /list_deltas:FileName\r\n Display the contents of the FileName change log file, which lists changes to the user acc\r\n database. 
Netlogon.chg is the default name for this log file, which resides only on Windo\r\n /logon_query\r\n Query the cumulative number of NTLM logon attempts at a console or over a network.\r\n /LSAGETFTI:DomainName\r\n Call DsGetForestTrustInformation\r\n /UPDATE_TDQ\r\n /LSAQUERYFTI:DomainName\r\n Call LsaQueryForestTrustInformation\r\n /ParentDomain\r\n Return the name of the parent domain of the server.\r\n /query Report on the state of the secure channel the last time you used it.\r\n (The secure channel is the one that the NetLogon service established.)\r\n /repl Force synchronization with the primary domain controller (PDC).\r\n NT 4.0 BDCs only, not for Active Directory replication.\r\n /sc_query:DomainName\r\n Report on the state of the secure channel the last time that you used it.\r\n (The secure channel is the one that the NetLogon service established.)\r\n This parameter lists the name of the domain controller that you queried on the\r\n secure channel, also.\r\n /sc_reset:[DomainName]\r\n Remove, and then rebuild, the secure channel that the NetLogon service established.\r\n You must have administrative credentials to use this parameter.\r\n /sc_verify:[DomainName]\r\n Check the status of the secure channel that the NetLogon service established.\r\n If the secure channel does not work, this parameter removes the existing channel, and\r\n then builds a new one. 
You must have administrative credentials to use this parameter.\r\n /sc_change_pwd:[DomainName]\r\n Change the password for the trust account of a domain that you specify.\r\n If you run nltest on a domain controller, and an explicit trust relationship exists,\r\n then nltest resets the password for the interdomain trust account.\r\n Otherwise, nltest changes the computer account password for the domain that you specify.\r\n /bdc_query:DomainName\r\n Query for a list of BDCs in DomainName, and then display their state of synchronization\r\n and replication status. You can use this parameter only for Windows NT 4.0 domain control\r\n /sim_sync:DomainName ServerName\r\n Simulate full synchronization replication. This is a useful parameter for test environmen\r\n /sync Force an immediate synchronization with the PDC of the entire SAM database.\r\n NT 4.0 BDCs only, not for Active Directory replication.\r\n /pdc_repl Force the PDC to send a synchronization notification to all BDCs.\r\n NT 4.0 PDCs only, not for Active Directory replication.\r\n /shutdown:Reason [Seconds]\r\n Remotely shut down the server that you specify in ServerName.\r\n Use a string to specify the reason for the shutdown in the Reason value.\r\n Use an integer value of Seconds before the shutdown will occur.\r\n (see InitiateSystemShutdown in the Platform SDK documentation.)\r\n /shutdown_abort\r\n Terminate a system shutdown.\r\n /time:HexadecimalLSL HexadecimalMSL\r\n Convert Windows NT Greenwich Mean Time (GMT) time to ASCII. HexadecimalLSL is a hex value\r\n least significant longword. HexadecimalMSL is a hex value for most significant longword\r\n /transport_notify Force the discovery of a domain controller. Windows NT 4.0 domain controllers\r\n Automatic for later DCs.\r\n /user:UserName\r\n Display many of the attributes that you maintain in the SAM account database for the use\r\n you specify. 
You cannot use this parameter for user accounts that are stored in an AD dat\r\n /whowill:Domain/ User\r\n Find the DC that has the user account that you specify. Use this parameter to determine\r\n whether nltest has replicated the account information to other DCs.\r\n {/help | /?} Display help at the command prompt.\r\nIf nltest does not appear to be available, enable the Active Directory Domain Services or the AD LDS server role.\r\nExamples\r\nVerify domain controllers in a domain:\r\nNltest /dclist:ss64dom\r\nShow detailed information about a specific user:\r\nNltest /user:\"user64\"\r\nEnable debug logging for the Netlogon service:\r\nNltest /DBFlag:2080FFFF\r\nDisable debug logging for the Netlogon service:\r\nNltest /DBFlag:0x0\r\nVerify trust relationship with a specific server:\r\nnltest /server:ss64-DC01 /sc_query:ss64dom\r\nlags: 30 HAS_IP HAS_TIMESERV\r\nTrusted DC Name \\\\ss64-DC01.ss64.com\r\nTrusted DC Connection Status Status = 0 0x0 NERR_Success\r\nThe command completed successfully\r\n“..If it disagrees with experiment it is wrong. In that simple statement is the key to science. It does not make any\r\ndifference how beautiful your guess is. 
It does not make any difference how smart you are, who made the guess,\r\nor what his name is – if it disagrees with experiment it is wrong” ~ Richard Feynman\r\nRelated commands\r\nRepAdmin - Diagnose Active Directory replication problems between domain controllers.\r\nDcDiag - Analyze the state of domain controllers and report any problems.\r\nDsMgt - Manage password operations over unsecured connections, AD Lightweight Directory Services\r\napplication partitions, flexible single master operations (FSMO), and clean up AD metadata.\r\nSetSpn - Read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.\r\nCopyright © 1999-2026 SS64.com\r\nSome rights reserved\r\nSource: https://ss64.com/nt/nltest.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://ss64.com/nt/nltest.html"
	],
	"report_names": [
		"nltest.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775446570,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/924fc246d82f059e4a97b19c9e9616b6a8bbb958.pdf",
		"text": "https://archive.orkl.eu/924fc246d82f059e4a97b19c9e9616b6a8bbb958.txt",
		"img": "https://archive.orkl.eu/924fc246d82f059e4a97b19c9e9616b6a8bbb958.jpg"
	}
}