Testing connection to secure channel ( Test-NetConnection )

I recently worked on a script which gathers all the information needed for basic DC troubleshooting. One of the steps is to test the network connection from the affected Domain Controller to its secure channel partner on the following ports: 88, 135, 139, 389, 464, 636, 3268, 3269. The first thing is to find out which secure channel is currently set on this DC. To do this I used the following nltest command:

nltest.exe /sc_query:yourdomain.com


PS C:\windows\system32> nltest.exe /sc_query:yourdomain.com

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DC01.yourdomain.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success

The command completed successfully


From the above output we need only the line which contains the DC name, in this example: DC01.yourdomain.com

I used PowerShell commands this time to get this information from a Domain Controller remotely. To remove the unneeded characters from the output I used the "Trim" and "Substring" string methods:

$Server = 'DC02'
# Run nltest on the remote DC and keep only the line with the secure channel partner
$Nltest = Invoke-Command $Server -ScriptBlock { nltest.exe /sc_query:yourdomain.com } | Where-Object { $_ -match "Trusted DC Name" }
$Nltest = $Nltest.Trim()
# Drop the 18-character prefix "Trusted DC Name \\" so only the FQDN remains
$Secure = $Nltest.Substring(18)
# Resolve it to the DC object and keep the short name (requires the ActiveDirectory module)
$Secure = (Get-ADDomainController -Identity $Secure).Name

DC01

Now that we have the domain controller name we can test the connection to the secure channel on several ports using the Test-NetConnection command, passing the value of $Secure into the script block. Below you can find the clean output generated with a foreach loop and if/else conditions.


Final script:

Import-Module ActiveDirectory   # needed for Get-ADDomainController

$Server = Read-Host -Prompt "Please provide server name"
# Find the secure channel partner of the affected DC
$Nltest = Invoke-Command $Server -ScriptBlock { nltest.exe /sc_query:yourdomain.com } | Where-Object { $_ -match "Trusted DC Name" }
$Nltest = $Nltest.Trim()
$Secure = $Nltest.Substring(18)          # strip the "Trusted DC Name \\" prefix
$Secure = (Get-ADDomainController -Identity $Secure).Name
$Ports  = "88","135","139","389","464","636","3268","3269"

Write-Host "`n----------------------------------------------------------------------------`n"
Write-Host "Testing connection to Secure channel -  $Secure :`n" -ForegroundColor Yellow

# Run each port test from the affected DC itself, not from the workstation running this script
ForEach ($P in $Ports)
{
    $Result = Invoke-Command $Server -ScriptBlock {
        param($P, $Secure)
        (Test-NetConnection -Port $P -ComputerName $Secure).TcpTestSucceeded
    } -ArgumentList $P, $Secure

    # $Result is a Boolean; a missing result (remoting failure) is also reported as a failure
    If (-not $Result)
    {
        Write-Output "Failure: Port  $P"
    }
    Else
    {
        Write-Output "Success: Port  $P"
    }
}
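As an added example (not the original post's script), here is the same procedure as a reusable function: it parses the nltest output with a regular expression instead of a fixed Substring offset, runs Test-NetConnection from the affected DC, and returns one object per port so failures can be filtered or exported. The port-to-service labels are added for readability, and the server and domain names in the usage line are placeholders.

```powershell
# Added example, not the original post's code. Parses 'Trusted DC Name \\host'
# from nltest with a regex, tests the well-known DC ports from the affected DC
# and returns objects instead of strings. Service labels are for readability.
function Test-SecureChannelPorts {
    param(
        [Parameter(Mandatory)] [string] $Server,   # affected DC to run the test from
        [Parameter(Mandatory)] [string] $Domain,   # e.g. 'yourdomain.com' (placeholder)
        [int[]] $Ports = 88, 135, 139, 389, 464, 636, 3268, 3269
    )
    $ServiceNames = @{
        88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'
        389 = 'LDAP'; 464 = 'Kerberos password change'; 636 = 'LDAPS'
        3268 = 'Global Catalog LDAP'; 3269 = 'Global Catalog LDAPS'
    }
    # Run nltest on the remote DC and pull the secure channel partner from its output.
    $Lines = Invoke-Command -ComputerName $Server -ScriptBlock {
        param($Domain) nltest.exe "/sc_query:$Domain"
    } -ArgumentList $Domain
    $Match = $Lines | Select-String -Pattern '^\s*Trusted DC Name\s+\\\\(\S+)' | Select-Object -First 1
    if (-not $Match) {
        throw "Could not read the secure channel partner from nltest output on $Server"
    }
    $Secure = $Match.Matches[0].Groups[1].Value
    # Test each port from the affected DC, not from the admin workstation, so the
    # result reflects the path the secure channel actually uses.
    foreach ($Port in $Ports) {
        $Ok = Invoke-Command -ComputerName $Server -ScriptBlock {
            param($Target, $Port)
            (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
        } -ArgumentList $Secure, $Port
        [pscustomobject]@{
            Source    = $Server
            SecureDC  = $Secure
            Port      = $Port
            Service   = $ServiceNames[$Port]
            Reachable = [bool]$Ok   # $null (remoting failure) counts as not reachable
        }
    }
}

# Usage with placeholder names: list only the ports that are not reachable.
Test-SecureChannelPorts -Server 'DC02' -Domain 'yourdomain.com' |
    Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```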

Output: [screenshot of the script output, not reproduced here]

For more information about nltest you can refer to:

https://ss64.com/nt/nltest.html

https://technet.microsoft.com/pl-pl/library/cc731935(v=ws.10).aspx
