Using the Security Descriptor Check Utility and NLTEST - Page 2

By Brien M. Posey | Posted Jan 10, 2001
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

WEBINAR: On-Demand

Learn How a Virtual Networking Approach Can Strengthen the Security of Federal Networks REGISTER >

Replication-Related Functions

Many Active Directory problems can be caused by failed replication. To help you to quickly diagnose and correct such problems, NLTEST contains a variety of replication-related functions. One such function allows you to query BDCs to check replication status:


If you discover that your backup domain controllers (BDCs) are out of sync with your primary domain controller (PDC), you can begin the replication process with a couple of different commands. For example, you can force a partial synchronization with the following command:


If you decide that forcing a full synchronization would be more appropriate, you can use this command:

As you probably know, in a mixed-mode or a Windows NT 4.0 environment, replication begins with the PDC notifying the BDCs that a change has occurred. You can force such a notification with the following command:


Finding Other Information

Sometimes you just need to find out more information about objects on your network. NLTEST provides several useful commands for doing so. One such command will tell you which domain that a given machine belongs to. The syntax for this command is:


Another useful NLTEST function displays information on user accounts. Just enter the following command:

NLTEST /SERVER:servername /USER:username

When you enter this command, you'll see an extensive summary of the user account's Active Directory information:

User: administrator
Rid: 0x1f4
Version: 0x10002
AccountExpires: ffffffff 7fffffff = 9/13/30828 21:48:05
PrimaryGroupId: 0x201
UserAccountControl: 0x210
CountryCode: 0x0
CodePage: 0x0
BadPasswordCount: 0x0
LogonCount: 0x0
AdminCount: 0x1
SecurityDescriptor: 80140001 00000088 00000098 00000014 00000030 001c0002 00000
01 0014c002 01050044 00000101 01000000 00000000 00580002 00000003 00140000 0002
35b 00000101 01000000 00000000 00180000 000f07ff 00000201 05000000 00000020 000
0220 00240000 00020044 00000501 05000000 00000015 4862e393 36d67c9a 65d637a8 00
001f4 00000201 05000000 00000020 00000220 00000201 05000000 00000020 00000220
AccountName: Administrator
AdminComment: Built-in account for administering the computer/domain
Groups: 00000201 00000007
LmOwfPassword: b626bcf7 b28d3099 bb8d1f17 4269c913
NtOwfPassword: 38f98739 c4c67eb4 3d3ecf99 5e8fc7ce
NtPasswordHistory: 00010001
LmPasswordHistory: 00010001

As you can see, the NLTEST utility can be very useful. As I mentioned earlier, I've only scratched the tip of the iceberg in discussing NLTEST's capabilities. Of course, the best way to keep your Active Directory healthy is to use a combination of all of the tools I've discussed in this article series. Some tools are more suited to certain tasks than others. //

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter