Category Archives: Basics

Mapping Get-ADTrust attributes to the TDO Object

This post provides the details of the mapping between the the attributes displayed by the Get-ADTrust powershell command and the attributes of the TDO object.

Most of the properties returned by the Get-ADTrust command map to the TrustAttribute attribute of the TDO object, so the table below shows which values of the TrustAttribute map to corresponding Get-ADTrust Property.  The NetTools Mnemonic column has the name of the mnemonic that NetTools will display if this value is set.

Get-ADTrust Parameter TDO Attribute NetTools Mnemonic
DirectiontrustDirection
DisallowTransivityTrustAttributeNon-Transitive
DistinguishedNameDistinguishedName
ForestTransitiveTrustAttributeForest Transitive
IntraForest
IsTreeParent
IsTreeRoot
NameName
ObjectClassObjectClass
ObjectGUIDObjectGUID
SelectiveAuthenticationTrustAttributeCross Organisation
SIDFilteringForestAwareTrustAttributeSSIDHistory
SIDFilteringQuarantinedTrustAttributeQuarantined
Source
TargettrustPartner
TGTDelegationTrustAttributeTGT Delegration
TrustAttributes
TrustTypetrustType
TrustedPolicy
TrustingPolicy
UsesAESKeysmsDS-SupportedEncryptionTypes
UsesRC4EncryptionTrustAttributeRC4 Encryption

This table shows the NetDom command argument that is used to change the corresponding TDO attribute.

Get-ADTrust Parameter NetDom Parameter
Directiontwoway or oneside
ForestTransitiveTransitive
SelectiveAuthenticationSelectiveAuth
SIDFilteringForestAwareSIDHistory
SIDFilteringQuarantinedQuarantine
TGTDelegationEnableTgtDelegation

This page provides the details of the netdom command parameters, and this page provides the details of the TrustAttribute attribute.  This page provides the details of the SID filtering functionality and which SID will be filtered.

The screenshot below shows the enumerate or mnemonics as defined on NetTools.

TrustAttribute

NLTEST Flags – what does 0x20000 mean?

When running NLTEST /DSGETDC command against a domain controller that is Windows 2012R2 or later, the command will display the normal flags plus an extra flag called '0x20000', but what does the 0x20000 flag mean.  First of all it's not an error code, Microsoft have added an additional feature to Windows 2012R2 and later DCs, but NLTEST hasn't been updated to display this flag correctly, even the Windows 2019 version doesn't have this flag defined.

The results deplayed by NLTEST /DSGETDC is the information returned by the DsGetDcName API, this information if defined in the DOMAIN_CONTROLLER_INFO structure.

typedef struct DOMAIN_CONTROLLER_INFOA {
LPSTR DomainControllerName;
LPSTR DomainControllerAddress;
ULONG DomainControllerAddressType;
GUID DomainGuid;
LPSTR DomainName;
LPSTR DnsForestName;
ULONG Flags;
LPSTR DcSiteName;
LPSTR ClientSiteName;
} DOMAIN_CONTROLLER_INFOA, *PDOMAIN_CONTROLLER_INFOA;

The Flags member has the following definitions in the dsgetdc.h file

#define DS_PDC_FLAG 0x00000001 // DC is PDC of Domain
#define DS_GC_FLAG 0x00000004 // DC is a GC of forest
#define DS_LDAP_FLAG 0x00000008 // Server supports an LDAP server
#define DS_DS_FLAG 0x00000010 // DC supports a DS and is a Domain Controller
#define DS_KDC_FLAG 0x00000020 // DC is running KDC service
#define DS_TIMESERV_FLAG 0x00000040 // DC is running time service
#define DS_CLOSEST_FLAG 0x00000080 // DC is in closest site to client
#define DS_WRITABLE_FLAG 0x00000100 // DC has a writable DS
#define DS_GOOD_TIMESERV_FLAG 0x00000200 // DC is running time service (and has clock hardware)
#define DS_NDNC_FLAG 0x00000400 // DomainName is non-domain NC serviced by the LDAP server
#define DS_SELECT_SECRET_DOMAIN_6_FLAG 0x00000800 // DC has some secrets
#define DS_FULL_SECRET_DOMAIN_6_FLAG 0x00001000 // DC has all secrets
#define DS_WS_FLAG 0x00002000 // DC is running web service
#define DS_DS_8_FLAG 0x00004000 // DC is running Win8 or later
#define DS_DS_9_FLAG 0x00008000 // DC is running Win8.1 or later
#define DS_DS_10_FLAG 0x00010000 // DC is running WinThreshold or later
#define DS_KEY_LIST_FLAG 0X00020000 // DC supports key list requests
#define DS_PING_FLAGS 0x000FFFFF // Flags returned on ping
#define DS_DNS_CONTROLLER_FLAG 0x20000000 // DomainControllerName is a DNS name
#define DS_DNS_DOMAIN_FLAG 0x40000000 // DomainName is a DNS name
#define DS_DNS_FOREST_FLAG 0x80000000 // DnsForestName is a DNS name

As you can see 0x20000 is defined in the include file as support for Key List Requests, see the Kerberos Protocol Extension [MS-KILE] section 2.2.11 for more info.  NetTools includes this decode and the result from the same server shows the option for Key List Request are supported.

Process Flow for LDAP Search

This is a quick article that shows the process flow of the LDAP Search feature.  The LDAP Search function consists of a number of functions that are used to execute the query and display the results.  The main function is used to collect and validate the user inputs and connect to the server and execute the query, then a sub function is used to display the results and complete any attribute updates.  The process shown below starts when the user presses the Go button to execute the query.

Invalid characters for Office365 Sync

Office365 specifies a number of characters that can't be includes in a number of key attributes. These invalid characters vary depending on the attribute, for a full list of invalid characters in each attribute see this Microsoft article.

NetTools includes a predefined query that will show which user objects contain these invalid characters. The query is called Users: Invalid characters for O365, which is available in the LDAP Search option. These are the attributes that are included in the search

        • givenName
        • sn
        • mailNickname
        • proxyAddresses
        • UserPrincipalName 
        • mail

To run the query first select the LDAP Search Option in the left hand pane, then click on the Populate button, shown in the red square below, to connect to the AD and populate the Base DN field.

queries

Once the Populate has finished, select the Users: Invalid characters for O365 query from the Favorites dropdown list. If required, change the BaseDN field to limit the scope of the search and then click Go.  A list of all the user objects that contain invalid characters will be displayed.

The query uses the Regex Display filter option to only display the user objects that have invalid characters.  Here are the the query properties:

[Users: Invalid characters for O365]
Options=879892770722381
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=person)(!userAccountControl|=2))
Attributes=userPrincipalName, proxyAddresses;SMTP, givenName, sn,displayName,mailNickname, mail
DisplayFilter=userPrincipalName regx [\"|,/:<>+=;?*'] || givenName regx [\"|,/:<>+=;?*'] || sn regx [\"|,/:<>+=;?*'] || mailNickname regx [\"|,/:<>+=;?*'] || mail regx [\"|,/:<>+=;?*'] || proxyaddresses regx [\"|,/:<>+=;?*']
Filename=
Sort=
Controls=
Authentication=1158
Separator=,

For more information on the available queries see Redefined LDAP Queries  
For details on the favorites option see Favorites

Workaround for SmartScreen

When running NetTools on a Windows 10 machine, it can sometimes trigger the Microsoft Defender SmartScreen and block the execution of NetTools.  This is because NetTools is not signed and SmartScreen blocks apps that have been downloaded.  This is an example of the SmartScreen dialog that is be displayed.

To prevent SmartScreen from blocking NetTools, open the properties of NetTools.exe and check the Unblock option and click OK.

LDAP Search – Credentials

Note: The Credentials option was deprecated in version 1.28.0 and replaced with Connection Profiles

LDAP Search provides the ability to specific the credentials under which a query will be executed, it also provides the ability to select the authentication method that will be used to pass the credentials to the server.

The Credentials dialog is found when the More button is pressed.

credentials

There are nine different authentication methods available:

LDAP_AUTH_SIMPLE, this method requires the DN of the account and password, domain is not required
LDAP_AUTH_DIGEST, Digest authentication package
LDAP_AUTH_DPA, Distributed password authentication. Used by Microsoft Membership System
LDAP_AUTH_MSN, Microsoft Network Authentication Service
LDAP_AUTH_NTLM, this method uses NTLM to authenticate against the directory
LDAP_AUTH_SICILY, covers package negotiation to MSN servers
LDAP_AUTH_DIGEST, this method requires the samaccountname and password
LDAP_AUTH_NEGOTIATE, this method requires either, samaccountname or UPN and password, the domain is optional
ANONYMOUS, the username and password are not required.

See the following MS Article for more details ldap_bind_s

Warning: With the simple bind method the password is sent in clear text to the server, you should use this method in association with an SSL based connection to protect the password.

The default behavior of NetTools is use the negotiate method, when connecting to an Active Directory, you don't need to provide any credentials, the current user's context will be used based on Kerberos authentication.

A number of other options in NetTools use the credentials provided in this dialog to run the option under a different or elevated set of credentials, this is shown as Use the LDAP Search Credentials.

NetTools Basics

nettools

NetTools has a number of common features which are used throughout the program. This post provides details on some of these features.

AD or Server Connections

If NetTools is run on a machine that is joined to an AD domain, by default NetTools will connect to the domain controllers of that domain without needing to specify the server. It will also use the credentials of the user running NetTools to make the connection. If you want to connect to a specific domain controller, different domain, or use a different set of credentials, you use Connection Profiles.  See Connection Profiles for more details.

Server Lists
In most of the options there is a field to specify the server or domain, this field is used to enter a server name or select a Connection Profiles that the test will be run against.  The server and domain fields are optional, if no entry is provided NetTools will either connect to the domain the machine running NetTools to joined to, or use the default Connection Profile, if one has been defined.

Navigation
The toolbar is used to navigate the tests and access a number of features in NetTools.  The toolbar has both fixed buttons and user selected buttons.

The Back and Forward buttons allow you to move backwards and forwards between tests you have used, this is useful if you select a linked option and want to go back to the previous test.  The Connection Profiles button opens the Connection Profiles dialog, which allows you to configure profiles that defines, the LDAP server, GC server, SSL, authentication, credentials and paging properties.  For more details see Connection Profiles. The Resolver button will open the Resolve dialog, which lets you resolve different input types and provides a temporary scratch pad when investigating an issue.  For more details see Resolver.  The Help button opens the help page on the NetTools.net website for the selected test.  The Quick search entry field provides a quick entry method to perform a search of the AD using the User - Search option.

Permissions
You don't need any specific permissions to run NetTools, only execute right on the file system.  With a typical AD implementation a normal user can read a lot of the details in the AD, there are few features that might need elevated rights, i.e. viewing deleted objects or low level replication data shown in the Replication Queues option, where elevated permissions are required this is included in the corresponding Option's web page.  Only other scenario where permissions can be an issue is when NetTools is run on a Domain Controller that has User Access Control (UAC) enabled, the results returned by the local Domain Controller will be reduced unless NetTools is executed with Run as Administrator option.

Where to start
The number of options in NetTools can make it confusing where to start.  The best approach is to start with the Search option under Users or use the quick search option, this allows you to search the AD, be it at the Forest or Domain level for any object in the Active Directory, from there the context menu options allows you to then interrogate the returned objects.  See User Search.

To allow you to find your favorite option quickly, NetTools includes a Pin option, which will add user defined button to the toolbar to allow you to quickly select your commonly used options.  To Pin an item, select the option, then right click on the option name and select the Pin from the context menu, you will be prompted to select an icon for the button.  To remove a Pinned item, simply right click on the button on the toolbar and select Remove.

Option Pinning

Option or test Linking
For a number of the tests the output from one can be used as the input for other tests and options, by selecting the corresponding output entry and right clicking the context menu will display these options.  The User Search option has a number of linked options that are displayed under the use with sub menu.

Copy and Paste
The outputs from the tests can be copied into other functions in NetTools or to external programs.  The Copy and Paste option are displayed in the right click context menus. For table views it's possible to copy the data in a single column, the line, or the entire table. When using the copy column option, mouse position when the right click is pressed, is used to define which column will be selected.  For text based output fields it's possible to copy the text as with standard copy and paste. The Copy works with a single or multiple selected items, and when copying the details from all selected items is copied. A number of keyboard shortcuts are defined, Ctrl+C will copy the the details of from the column of the select items, Ctrl+L will copy all the details of the selected items, Ctrl+T will copy the entire contents of the table, include headers. The Copy to new window context menu option will copy the contains of the view to a new detached window, which provide additional sort and filtering options.  See Copy to new window

Messages\Results pane
On most options, there is a lower pane, this pane is used to display any errors or status report from the execution.  Any error messages or codes returned by the APIs are displayed here.

Exporting Objects
There is the ability to export objects in LDIF file format, this is available from the context menus. See LDIF Export for more details.

Common Dialogs
NetTools has four common dialogs which are available from most context menus on in the results and options.  These are the AD Properties, Attributes, Meta Data,  and Permissions dialogs, these are usually listed at the bottom of the context menus as shown below.

Context Menu
AD Properties
Attributes
Meta Data
Permissions

Resolver
The Resolver dialog provides a scratch pad to temporary store items that you are troubleshooting or investigating. The Resolver dialog is accessed via the toolbar and items can be added to the dialog either from the context menu, pressing Ctrl+R, manual entry, or pasting a list of DN, samaccountname, email, upn or displaynames.  From the Resolver dialog the NetTools options and test can be selected from the context menu in the Resolver dialog.

Resolver Context Menu

NetTools saved configuration
NetTools uses a single configuration file called NetTools.ini, this is used to save any user defined configuration or lists.  NetTools will try to read the configuration from the same location as the exe from executed from.