Troubleshooting cross-forest trust secure channels

Personal Note: This is only for my personal reference and special thanks to the reference site.

The following commands are useful for troubleshooting secure channel issues, specifically name resolution, DC locator and connectivity:

  • nltest /domain_trusts /v
  • nltest /sc_query:%trusted_domain%
  • nltest /sc_reset:%trusted_domain%[\%DCname%]
  • nslookup -debug -type=srv _ldap._tcp.dc._msdcs.%domainFQDN%

For example, in a domain called domain.local, which trusts trusteddomain.com (an outbound trust) and is trusted by trustingdomain.local (an inbound trust), run the following from the domain.local domain:

List the domain trusts:

nltest /domain_trusts /v 

List of domain trusts:
    0: TRUSTED trusteddomain.com (NT 5) (Direct Outbound) ( Attr: quarantined )
       Dom Sid: S-1-5-21-1993962763-492894223-839522115
    1: TRUSTING trustingdomain.local (NT 5) (Direct Inbound)
       Dom Sid: S-1-5-21-6079874623-1494965722-2283543576
    2: DOMAIN domain.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
       Dom Guid: 23855607-7223-45a6-a732-13d47536f728
       Dom Sid: S-1-5-21-2037435860-7352130559-617082900
The command completed successfully

Query the secure channel to the trusted domain (the outbound trust):

nltest /sc_query:trusteddomain.com

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc02.trusteddomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Reset the secure channel to the trusted domain, letting the standard Netlogon DC locator pick a DC:

nltest /sc_reset:trusteddomain.com

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc02.trusteddomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Reset the secure channel to the trusted domain, targeting a specific Domain Controller:

nltest /sc_reset:trusteddomain.com\dc01

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc01.trusteddomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

When this doesn’t work because no logon server can be found for the specified domain, the output is:

Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
I_NetLogonControl failed

Look up the DC locator service records for the trusted domain from the trusting domain (domain.com); the output below is shown without ‘nslookup -debug’ for clarity:

nslookup -type=srv _ldap._tcp.dc._msdcs.trusteddomain.com

Server:  dc01.domain.com
Address:  192.168.0.10

_ldap._tcp.dc._msdcs.trusteddomain.com      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.trusteddomain.com
_ldap._tcp.dc._msdcs.trusteddomain.com      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.trusteddomain.com
dc01.trusteddomain.com   internet address = 192.168.1.20
dc02.trusteddomain.com   internet address = 192.168.1.21
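The checks above, chained into one script as an added example (not from the original post): parse the outbound trusts from `nltest /domain_trusts /v`, query each secure channel, and on a non-zero status (such as 1311 ERROR_NO_LOGON_SERVERS) resolve the `_ldap._tcp.dc._msdcs` SRV records the DC locator relies on. It assumes it runs on a DC of the trusting domain with nltest.exe and the DnsClient module (Resolve-DnsName) available; the function names are my own.

```powershell
# Added example, not the original post's code. Assumes nltest.exe and
# Resolve-DnsName are available on the DC it runs on.

function Get-OutboundTrust {
    # Matches lines such as "0: TRUSTED trusteddomain.com (NT 5) (Direct Outbound) ( Attr: quarantined )"
    foreach ($line in (& nltest /domain_trusts /v 2>&1)) {
        if ($line -match '^\s*\d+:\s+(?<netbios>\S+)\s+(?<dns>\S+)\s+\(NT \d+\)(?<flags>.*)$' -and
            $Matches.flags -match 'Direct Outbound') {
            [pscustomobject]@{ NetBios = $Matches.netbios; Dns = $Matches.dns; Flags = $Matches.flags.Trim() }
        }
    }
}

function Test-TrustSecureChannel {
    param([Parameter(Mandatory)][string]$TrustedDomain)
    # Equivalent of "nltest /sc_query:<domain>"; status 0 / NERR_Success means the channel is up
    $out    = (& nltest "/sc_query:$TrustedDomain" 2>&1) -join "`n"
    $dc     = if ($out -match 'Trusted DC Name \\\\(\S+)') { $Matches[1] } else { $null }
    $status = if ($out -match 'Status = (\d+) 0x[0-9a-fA-F]+') { [int]$Matches[1] } else { -1 }
    [pscustomobject]@{ TrustedDomain = $TrustedDomain; TrustedDc = $dc; Status = $status; Healthy = ($status -eq 0) }
}

function Test-DcLocatorSrv {
    param([Parameter(Mandatory)][string]$Domain)
    # Same lookup as "nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>"; drop the additional A records
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No SRV records for ${Domain}: $($_.Exception.Message)"
    }
}

foreach ($trust in Get-OutboundTrust) {
    $result = Test-TrustSecureChannel -TrustedDomain $trust.Dns
    if ($result.Healthy) {
        Write-Host "OK   $($trust.Dns) via $($result.TrustedDc)"
    } else {
        # A failed channel (e.g. 1311 ERROR_NO_LOGON_SERVERS) points at DNS / DC locator, so show the SRV records
        Write-Host "FAIL $($trust.Dns) status $($result.Status); checking SRV records"
        Test-DcLocatorSrv -Domain $trust.Dns | Format-Table -AutoSize
    }
}
```

Run it from an elevated prompt on a DC of the trusting domain; a trust whose SRV lookup returns nothing is the DNS problem note 2 below describes.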

Notes:

  1. The secure channel queries can give a different result on each Domain Controller, because each DC either selects a cross-forest DC at random or uses the DNS service records together with site information, if cross-forest site synchronisation is available.
  2. If no logon server is found, new cross-forest authentication or authorisation attempts will not work between the source Domain Controller and the target domain. If this occurs, further DNS troubleshooting should follow, as DNS is the primary DC location method for trusts between Windows 2000 and 2003 domains.


Special thanks to the link below :)

http://waynes-world-it.blogspot.com/2008/06/troubleshooting-cross-forest-trust.html
