The nltest Command Builder generates the correct nltest command for your task. Select a scenario from the list, enter your domain name, and get a ready-to-run command with an explanation of what it does and what output to expect.
It covers the most common nltest operations for Windows system administrators working with Active Directory: domain controller discovery, trust relationship inspection, secure channel testing and reset, and site assignment verification.
Select a task to generate the correct nltest command with an explanation.
| Task | Example command |
|---|---|
| DC Discovery | |
| Find the DC your machine is using | nltest /dsgetdc:corp.local |
| Force DC rediscovery | nltest /dsgetdc:corp.local /force |
| List all DCs in the domain | nltest /dclist:corp.local |
| Find the PDC Emulator | nltest /dcname:corp.local |
| Find nearest Global Catalog server | nltest /dsgetdc:corp.local /gc |
| Find nearest DC in a specific site | nltest /dsgetdc:corp.local /site:Branch-Site |
| Check which AD site a DC belongs to | nltest /server:DC02 /dsgetsite |
| Trust Relationships | |
| Check domain trust relationships | nltest /domain_trusts |
| Check all trusts including transitive | nltest /domain_trusts /all_trusts |
| Find the parent domain | nltest /parentdomain |
| Secure Channel | |
| Test the secure channel | nltest /sc_verify:corp.local |
| Reset the secure channel | nltest /sc_reset:corp.local |
| Diagnostics | |
| Check Netlogon logon statistics | nltest /logon_query |
How to use
- Click a task in the table — for example, Find the DC your machine is using or Test the secure channel.
- Enter your domain name in the field that appears below the selected task, such as corp.local.
- If the task requires a DC name or site name, a second field will appear — fill it in or leave it empty if optional.
- Click Build command to generate the command.
- Copy the result using the copy button and run it in a Command Prompt or PowerShell window with the appropriate privileges.
What nltest does
nltest is a Windows command-line utility that communicates directly with the Netlogon service. It gives system administrators access to domain controller discovery, trust relationship inspection, and secure channel management — without opening Active Directory tools or the GUI.
It is available on Windows Server by default. On Windows 10 and 11 workstations, it requires RSAT (Remote Server Administration Tools) to be installed. Some operations — particularly /sc_reset — require local administrator or Domain Admin privileges.
Command categories
DC Discovery — commands that query the Netlogon service to identify which domain controller the machine is currently using, force rediscovery of a new DC, or list all DCs in the domain. Use these when investigating slow authentication, GPO application failures, or DC-related connectivity issues.
Trust Relationships — commands that list the trust relationships visible from the current machine, including direction, type, and transitive scope. Use these when diagnosing cross-domain authentication failures or verifying trust configuration after a migration.
Secure Channel — commands that test or reset the secure channel between a machine and its domain. The secure channel is the authenticated connection used for all domain communication. A broken channel causes the “trust relationship between this workstation and the primary domain failed” error.
Diagnostics — additional commands for checking Netlogon statistics and verifying that the Netlogon service is actively processing authentication requests.
FAQ
nltest Command Builder help
It depends on the command. Most read-only queries — such as /dsgetdc, /dclist, and /domain_trusts — run without elevated privileges. Commands that modify state — particularly /sc_reset and /sc_verify — require local administrator rights. Running /sc_reset on a domain controller requires Domain Admin privileges.
The error “trust relationship between this workstation and the primary domain failed” means the computer’s secure channel to the domain is broken. This usually happens when the computer account password in Active Directory has become out of sync with the local machine. Run nltest /sc_verify:domain to confirm the channel is broken, then use /sc_reset:domain to attempt a repair. If the computer account is expired or disabled, you will need to unjoin and rejoin the domain instead.
/sc_verify tests the secure channel and reports its status without making any changes. Use it first to confirm whether the channel is actually broken. /sc_reset attempts to re-establish the secure channel by negotiating a new session with the domain. Always verify after a reset — a successful /sc_reset command does not guarantee the channel is working correctly until /sc_verify confirms it.
nltest is not installed on Windows workstations by default. It requires RSAT (Remote Server Administration Tools). On Windows 10 and 11, go to Settings → Optional Features → Add a feature and install RSAT: Active Directory Domain Services and Lightweight Directory Services Tools. On Windows Server, nltest is available without additional installation.
Use /force when a machine is caching a reference to a DC that is no longer reachable or has been decommissioned. Without /force, Netlogon returns the cached result even if that DC is unavailable. With /force, Netlogon performs a fresh discovery and returns the best currently available DC. This often resolves slow logon or GPO application issues caused by a stale DC reference — without requiring a reboot.
Yes. Most nltest flags support the /server: prefix, which directs the query to a specific DC rather than the one your machine is currently using. For example: nltest /server:DC02 /domain_trusts. This is useful when you need to compare the view from two different controllers — for example, checking whether a trust is visible on both DC01 and DC02 during a replication investigation.
Practical examples
Example 1: A workstation is throwing the trust relationship error. Before unjoining the domain, run nltest /sc_verify:corp.local to confirm the secure channel is actually broken. If both status lines return NERR_Success, the issue is elsewhere. If not, run nltest /sc_reset:corp.local and verify again.
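The verify, reset, verify sequence from Example 1 can be scripted so that the reset only runs when one of the two status lines is not NERR_Success. This is an added example, not part of the original tool; the function names are hypothetical and `$sample` is constructed output shaped like a healthy /sc_verify result.

```powershell
function Get-ScVerifyStatus {
    # Pull every "<check> Status = <code> <hex> <name>" line out of nltest output.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<what>.+?)\s+Status\s*=\s*(?<code>\d+)\s+0x[0-9a-fA-F]+\s+(?<name>\S+)') {
            [pscustomobject]@{
                Check = $Matches.what.Trim()
                Code  = [int]$Matches.code
                Name  = $Matches.name
            }
        }
    }
}

function Test-ScHealthy {
    # Healthy only when both status lines are present and both are NERR_Success.
    # A failed call (for example access denied) yields one status line, so it is not healthy.
    param([string[]]$Lines)
    $status = @(Get-ScVerifyStatus -Lines $Lines)
    $failed = @($status | Where-Object Name -ne 'NERR_Success')
    return ($status.Count -eq 2) -and ($failed.Count -eq 0)
}

function Repair-SecureChannel {
    # Run from an elevated prompt: verify first, reset only if needed, verify again.
    param([Parameter(Mandatory)][string]$Domain)
    if (Test-ScHealthy -Lines (& nltest.exe "/sc_verify:$Domain" 2>&1)) { return 'Healthy' }
    & nltest.exe "/sc_reset:$Domain" 2>&1 | Out-Null
    if (Test-ScHealthy -Lines (& nltest.exe "/sc_verify:$Domain" 2>&1)) { return 'Repaired' }
    return 'StillBroken'   # check the computer account; a domain rejoin may be needed
}

# Constructed sample of a healthy /sc_verify result (DC01 and corp.local are placeholders).
$sample = @(
    'Flags: b0 HAS_IP  HAS_TIMESERV'
    'Trusted DC Name \\DC01.corp.local'
    'Trusted DC Connection Status Status = 0 0x0 NERR_Success'
    'Trust Verification Status = 0 0x0 NERR_Success'
    'The command completed successfully'
)
Test-ScHealthy -Lines $sample
```

Logging the three possible results of `Repair-SecureChannel` per machine gives a record of which hosts needed a reset and which still need a rejoin.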
Example 2: Authentication is slow on a specific workstation and GPOs are not applying. Run nltest /dsgetdc:corp.local to see which DC the machine is talking to. If it is pointing to a DC in a remote site, run nltest /dsgetdc:corp.local /force to force rediscovery and pick up a closer controller.
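To decide whether the DC returned in Example 2 is actually in a remote site, compare the "Dc Site Name" and "Our Site Name" fields of the /dsgetdc output and check for the CLOSE_SITE flag. This is an added example, not part of the original tool; the function names are hypothetical and `$sample` is constructed output with placeholder names, addresses and GUID.

```powershell
function ConvertFrom-DsGetDc {
    # Turn the "Key: value" lines of nltest /dsgetdc output into a hashtable.
    param([string[]]$Lines)
    $info = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^:]+):\s*(?<value>.*)$') {
            $info[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    $info
}

function Test-DcInLocalSite {
    # Report the selected DC and whether it sits in the client's own AD site.
    param([string[]]$Lines)
    $info  = ConvertFrom-DsGetDc -Lines $Lines
    $flags = -split $info['Flags']
    [pscustomobject]@{
        DC         = $info['DC']
        DcSite     = $info['Dc Site Name']
        ClientSite = $info['Our Site Name']
        # Missing site fields count as "not the same site" rather than a match.
        SameSite   = [bool]$info['Dc Site Name'] -and
                     ($info['Dc Site Name'] -eq $info['Our Site Name'])
        CloseSite  = $flags -contains 'CLOSE_SITE'
    }
}

# Constructed sample: a branch workstation that has located a DC in another site.
$sample = @(
    '           DC: \\DC01.corp.local'
    '      Address: \\10.0.0.10'
    '     Dom Guid: 00000000-0000-0000-0000-000000000000'
    '     Dom Name: corp.local'
    '  Forest Name: corp.local'
    ' Dc Site Name: HQ-Site'
    'Our Site Name: Branch-Site'
    '        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST'
    'The command completed successfully'
)
Test-DcInLocalSite -Lines $sample

# On a live machine, feed it the real output instead:
# Test-DcInLocalSite -Lines (& nltest.exe '/dsgetdc:corp.local')
```

If SameSite is still false after a /force rediscovery, the cause is more likely the site and subnet mapping in Active Directory than a stale cache entry.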
Example 3: Users from a partner domain cannot access resources. Run nltest /domain_trusts to confirm the trust is present and check its direction. A missing trust or incorrect direction immediately explains the access failure and determines the next step.
Related guides
- nltest command in Windows: domain controller discovery and trust diagnostics — full reference for all nltest flags with real-world usage examples and PowerShell alternatives.
- How to fix the trust relationship between this workstation and the primary domain — step-by-step repair procedure using nltest, PowerShell, and the domain rejoin method.
Other tools
- DNS Lookup Tool — check A, AAAA, MX, TXT, CNAME, and NS records for any domain.
- Network diagnostics tool — run HTTP and HTTPS reachability checks with latency measurements.
- WHOIS lookup — query domain registration details and nameserver information.
