This command-line tool helps perform network administrative
tasks. You can use NLTest to:
When the word "trust" is used in the context of Windows, it
describes a relationship between two Windows domains. Each domain
takes the role of either the trusting domain or the trusted
domain. For any given trust relationship, there is a single
discrete communication channel between each domain controller in
the trusting domain and a domain controller in the trusted
domain.
For example, if domain A trusts domain B, then B is the trusted
domain and A is the trusting domain. In another example, suppose
domain I trusts domain J and domain J trusts domain I. In this
example, there are two distinct trust relationships between their
domain controllers. Often this is called the "complete trust" mode,
or a two-way trust. Yet for secure channel diagnosis, it is best to
think of these as two separate secure channels between each domain
controller in the trusting domain and a domain controller in the
trusted domain.
Trust relationships are not transitive. For example, suppose
domain X trusts domain Y, which in turn trusts domain Z. This does
not imply domain X trusts domain Z. The reason for this is that the
administrator in each domain must grant explicit permission on
either side of the trust relationship.
Another form of trust relationship is sometimes referred to as
an "implicit" trust. In a single domain model or in an environment
where there are no "explicit" trust relationships between any two
domains, the implicit trust relationship is active and functionally
needed. This implicit trust exists between any Windows-based
computer that is a member of a domain and a domain controller in
its domain. Explicit trust relationships are established by using
User Manager For Domains. Implicit trust relationships are
established by becoming a member of a domain. Implicit trusts are
also established between domains that are members of the same
forest.
NLTest can be used to test the trust relationship between a
Windows-based computer that is a member of a domain and a domain
controller where its computer account resides. NLTest can also
verify the trust between the BDCs in a domain and their PDC. In
domains where an explicit trust has been defined, NLTest can test
the trust relationship between all domain controllers in the
trusting domain and a domain controller in the trusted domain.
These sessions of communication are called secure channels and
are used to authenticate computer accounts. They also are used to
authenticate user accounts when a remote user connects to a network
resource and the user account exists in a trusted domain. This is
called pass-through authentication, and it allows a Windows-based
computer that has joined a domain to have access to the user
account database in its domain and in any trusted domains.
For Windows XP Professional, NLTest no longer uses the
Browser service to enumerate domain controllers. Rather, the
/dclist option calls the DsGetDomainControllerInfo
API to get the list from the directory service.
All of these trust relationships and domain synchronization can
be monitored, tested, and verified by NLTest.
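The per-domain-controller secure channel check described above can be scripted. The following PowerShell sketch is an added example, not part of the original documentation: it lists the domain controllers of the trusting domain with /dclist and asks each one for the state of its secure channel to the trusted domain. The domain names are placeholders, the /server and /sc_query switches are NLTest options not covered on this page, and the output layout the regular expressions expect is an assumption.

```powershell
# Added example: report the secure channel from every DC in the trusting
# domain to a DC in the trusted domain. Domain names are placeholders.
param(
    [string]$TrustingDomain = 'TRUSTING',   # placeholder
    [string]$TrustedDomain  = 'TRUSTED'     # placeholder
)

# NLTest reports results as "Status = <decimal> 0x<hex> <NAME>".
# Return the first such status found in the captured output lines.
function Get-NlStatus([string[]]$Lines) {
    $m = $Lines | Select-String -Pattern 'Status = (\d+) 0x[0-9a-fA-F]+ (\S+)' |
         Select-Object -First 1
    if ($m) {
        [pscustomobject]@{
            Code = [long]$m.Matches[0].Groups[1].Value
            Name = $m.Matches[0].Groups[2].Value
        }
    }
}

# Assumed /dclist layout: one indented line per DC, DC name as first token.
$dcLines = & nltest.exe "/dclist:$TrustingDomain" 2>&1 | ForEach-Object { "$_" }
$dcs = foreach ($line in $dcLines) {
    if ($line -match '^\s+(\S+)') { $Matches[1] }
}

$results = foreach ($dc in $dcs) {
    # Run the query on the remote DC so each secure channel is checked separately.
    $out = & nltest.exe "/server:$dc" "/sc_query:$TrustedDomain" 2>&1 |
           ForEach-Object { "$_" }
    $status  = Get-NlStatus $out
    $partner = $out | Select-String -Pattern 'Trusted DC Name\s+(\S+)' |
               Select-Object -First 1
    [pscustomobject]@{
        TrustingDC = $dc
        TrustedDC  = if ($partner) { $partner.Matches[0].Groups[1].Value } else { $null }
        Status     = if ($status) { $status.Name } else { 'UNPARSED' }
        Healthy    = [bool]($status -and $status.Code -eq 0)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any channel is broken, for use in scheduled checks.
if ($results.Healthy -contains $false) { exit 1 }
```

A DC that reports a non-zero status, or whose output cannot be parsed, is the one whose secure channel needs attention; the other rows show which trusted-domain DC each healthy channel is bound to.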