Know Your Domain: Mastering the NLTEST Command

You’re troubleshooting a domain trust issue. Or trying to locate the closest domain controller. Or wondering why a workstation seems to think it’s an island.

You could go through ten GUI menus… or you could just run nltest.

Fast. Scriptable. Brutal. Accurate.
Let’s unlock the magic behind this underrated Windows CLI tool.

What is NLTEST?

NLTEST (short for NetLogon Test) is a command-line utility included with Windows that allows you to test and troubleshoot domain trust relationships, logon sessions, domain controller discovery, and more.

It’s especially useful for:

  • AD domain admins
  • Support engineers
  • Penetration testers
  • Anyone who wants to see what Windows really thinks about the domain

💡 NLTEST is built-in starting with Windows Server, and included in RSAT tools on clients.


Common Use Cases with Examples

Let’s go beyond /help and explore how this thing actually works.

✅ 1. Find the Domain Controller you’re using

cmd
nltest /dsgetdc:<yourdomain.com>

This tells you:

  • Which domain controller is being used
  • If it’s a GC (Global Catalog)
  • Site, address, and whether it’s responding

Output:

cmd
DC: \\DC01.yourdomain.com
Address: \\192.168.1.10
Dom Guid: xxx-xxx-xxx-xxx-xxx
Dom Name: yourdomain.com
Forest Name: <name of the forest>
DC Site Name: <site name>
Flags: GC DS LDAP KDC TIMESERV WRITABLE

✅ 2. List all Domain Controllers in the domain

cmd
nltest /dclist:<yourdomain.com>

This gives you a list of all known DCs — great for spotting replication issues or confirming availability.

✅ 3. Force the computer to re-discover its logon DC

cmd
nltest /dsgetdc:<domain> /force

Useful if you’re having weird logon issues and suspect the machine is stuck on a bad DC.
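
To script the "is this machine on a bad DC?" check, the `nltest /dsgetdc:` output shown in section 1 can be parsed and compared with the DCs you expect. This is an added example, not part of the original post; the function names, the expected-DC list and the sample values (including the site name `HQ`) are assumptions.

```powershell
# Added example: parse `nltest /dsgetdc:` output and flag results worth a closer look.
# Function names are hypothetical; the sample text below is constructed.
function ConvertFrom-NltestDsGetDc {
    param([string[]]$Lines)
    $fields = @{}   # keys are case-insensitive ("DC Site Name" / "Dc Site Name")
    foreach ($line in $Lines) {
        # Fields are "Name: value"; split on the first colon only
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        DC      = $fields['DC'] -replace '^\\\\', ''        # strip the leading \\
        Address = $fields['Address'] -replace '^\\\\', ''
        Domain  = $fields['Dom Name']
        Site    = $fields['DC Site Name']
        Flags   = @($fields['Flags'] -split '\s+' | Where-Object { $_ })
    }
}

function Test-DcDiscovery {
    param(
        [Parameter(Mandatory)]$Dc,
        [string[]]$ExpectedDcs,                          # e.g. names taken from `nltest /dclist:`
        [string[]]$RequiredFlags = @('DS', 'LDAP', 'KDC')
    )
    $findings = @()
    if ($ExpectedDcs -and $Dc.DC -notin $ExpectedDcs) {
        $findings += "Located DC '$($Dc.DC)' is not in the expected DC list"
    }
    foreach ($flag in $RequiredFlags) {
        if ($flag -notin $Dc.Flags) { $findings += "Missing flag: $flag" }
    }
    $findings   # empty when nothing looks wrong
}

# Constructed sample. For live use: $lines = nltest /dsgetdc:yourdomain.com
$sample = @'
           DC: \\DC01.yourdomain.com
      Address: \\192.168.1.10
     Dom Name: yourdomain.com
 DC Site Name: HQ
        Flags: GC DS LDAP KDC TIMESERV WRITABLE
'@ -split "`r?`n"

$dc = ConvertFrom-NltestDsGetDc -Lines $sample
$dc | Format-List
Test-DcDiscovery -Dc $dc -ExpectedDcs 'DC01.yourdomain.com', 'DC02.yourdomain.com'
```

A non-empty result from `Test-DcDiscovery` is a prompt to investigate (for example with `/dsgetdc:<domain> /force`), not proof of a fault.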

✅ 4. Verify Trust Relationships

cmd
nltest /domain_trusts

Want to see if your domain trusts others? Or is trusted itself? This shows:

  • Direction (inbound/outbound)
  • Type (external, forest, etc.)
  • Status

✅ 5. Test Secure Channel

cmd
nltest /sc_verify:<domain>

Ever seen “The trust relationship between this workstation and the primary domain failed”?
This command tests the secure channel — and lets you know if the computer is still trusted by the domain.

✅ 6. Reset Secure Channel (when things go wrong)

cmd
nltest /sc_reset:<domain>

No need to unjoin/rejoin — this can fix broken domain trust from the CLI without rebooting (though a reboot is usually still a good idea).

✅ 7. Find Out Which Domain Controller Authenticated You

cmd
nltest /sc_query:<domain>

This command checks the secure channel to the domain and will also tell you which domain controller your machine is currently talking to for authentication.

It doesn’t explicitly say “You logged in via DC01”, but it does report whether the secure channel is working and which server is responsible, which helps diagnose domain trust and logon path issues.

Bonus Commands

| Command | What it does |
|---|---|
| nltest /parentdomain | Shows the parent domain (for child domains) |
| nltest /server:<DC> /dsgetsite | Gets the site a DC belongs to |
| nltest /query | Shows current workstation Netlogon state |
| nltest /dcname:<domain> | Returns the PDC (Primary Domain Controller) |
| nltest /logon_query | Displays cumulative logon attempts (handy!) |

Ready to Test Your Skills? (Quick Quiz Time!)

Q1: What command would you use to see all DCs in your domain?
A. nltest /query
B. nltest /dclist:yourdomain.com
C. nltest /dsgetdc

Q2: If your machine’s secure channel is broken, what could you run to try fixing it?
A. nltest /sc_reset:yourdomain.com
B. nltest /domain_trusts
C. nltest /parentdomain

Q3: What command helps you confirm whether your machine is talking to a valid DC?
A. nltest /dsgetft
B. nltest /sc_query:domain.com
C. nltest /whoami

In a nutshell

| Use Case | Command Example |
|---|---|
| Get current DC | nltest /dsgetdc:domain.com |
| List all DCs | nltest /dclist:domain.com |
| Check trust relationships | nltest /domain_trusts |
| Test secure channel | nltest /sc_query:domain.com |
| Reset trust (fix broken) | nltest /sc_reset:domain.com |

Final Thoughts

NLTEST is the kind of tool that flies under the radar — until you need it. And when you do, it can save hours of guessing, clicking through slow GUIs, or worse, relying on vague “network issues” as an excuse.

From DC discovery to trust validation and secure channel repair, nltest gives you precise, scriptable power right from the command line.

Got a favorite nltest trick? Or want a cheat sheet to keep on your admin desktop? Let me know😉
