Domitian

Native Mode Win2K Domain and NT4 Domain Trust - Can it be done?

We are on a Win2K Native Mode Domain and have just merged with another company which is on an NT4 Domain. The NT4 Domain will be upgraded to Win3K at a later date, but for now, can a trust relationship be established between the two safely? If so, how? Be specific, please. Any known issues, and does Microsoft approve of it?
ASKER CERTIFIED SOLUTION
visioneer

bbao
I am afraid that you cannot implement this one-way trust from NT4 to W2K because your W2K servers are using NATIVE mode, which is NOT compatible with NT4's NTLM authentication. Anyway, give it a try if it is convenient.
visioneer

Really?  That's interesting, because I've actually done it before.
Actually, bbao, I'm not sure where you get your information, but Windows Server 2000 maintains compatibility with down-level clients (Windows NT 4.0, Windows 95, and Windows 98), so it uses the NTLM and LM authentication protocol for logins, even when in "native" mode. This means that the stronger Kerberos v5 authentication is not used for those systems. NTLM and LM are still used. NTLMv2, released in Service Pack 4 for Windows NT 4, is supported in Windows 2000 if you properly configure the clients and servers.
You can safely create a one-way or two-way trust between a W2k(3) domain running in native mode and an NT4 domain. You only need to pay attention to the "RestrictAnonymous" value and, of course, that your NetBIOS name resolution works OK. The KB309682 article is about one-way trusts only; here are some more links that might be helpful (with KB308195, I created a two-way trust between a W2k3 domain running in W2k3 native mode and an NT4 domain without any problems):

HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000
http://support.microsoft.com/?kbid=308195

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/?kbid=180094

HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain
http://support.microsoft.com/?kbid=306733

HOW TO: Determine Trust Relationship Configurations
http://support.microsoft.com/?kbid=228477

Unable to Bring Up the User List from a Windows NT 4.0 Trusted Domain on a Windows 2000-Based Server
http://support.microsoft.com/?kbid=291684

The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain Environment
http://support.microsoft.com/?kbid=296403

HOW TO: Set up a One-Way Non-Transitive Trust in Windows 2000
http://support.microsoft.com/?kbid=309682

Cannot Set Up Trust in Windows 2000 Domain from Windows NT 4.0
http://support.microsoft.com/?kbid=255551
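
The NetBIOS name resolution mentioned in the post above usually comes down to two LMHOSTS lines for the other domain's PDC, and the quoted `\0x1b` entry only works when the string inside the quotes is exactly 20 characters (the domain name padded to 15, plus the 5-character type suffix). The following is an added example, not part of the original thread or of any Microsoft tool: it builds those two lines and checks existing LMHOSTS text for the padding mistake. The function names, the address `192.0.2.10`, and the names `NT4PDC` and `OLDCORP` are constructed for illustration.

```python
import re

# A quoted special-name entry, e.g.: 10.0.0.1 "CORP           \0x1b" #PRE
QUOTED = re.compile(r'^\s*(\S+)\s+"([^"]*)"(.*)$')

def domain_entries(ip, pdc_name, domain):
    """Build the two LMHOSTS lines that locate an NT4 PDC for a domain."""
    # NetBIOS names are registered in upper case and are at most 15 characters.
    domain, pdc_name = domain.upper(), pdc_name.upper()
    if not 1 <= len(domain) <= 15 or not 1 <= len(pdc_name) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    padded = domain.ljust(15) + r"\0x1b"   # 15 name chars + 5-char type suffix
    return [f"{ip} {pdc_name} #PRE #DOM:{domain}",
            f'{ip} "{padded}" #PRE']

def lint(text):
    """Return (line_number, problem) pairs for quoted entries in LMHOSTS text."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = QUOTED.match(line)
        if line.lstrip().startswith("#") or not m:
            continue                        # comment line or ordinary host entry
        name, rest = m.group(2), m.group(3)
        if not re.search(r"\\0x[0-9A-Fa-f]{2}$", name):
            problems.append((n, "quoted name lacks a \\0xNN type suffix"))
        elif len(name) != 20:
            problems.append((n, f"quoted name is {len(name)} characters, expected 20"))
        if "#PRE" not in rest.upper():
            problems.append((n, "entry is not preloaded (#PRE missing)"))
    return problems

# Constructed sample: two generated lines plus one hand-typed line with too few spaces.
SAMPLE = "\n".join(domain_entries("192.0.2.10", "nt4pdc", "oldcorp")
                   + ['192.0.2.10 "OLDCORP \\0x1b" #PRE'])

if __name__ == "__main__":
    print(SAMPLE)
    for line_no, problem in lint(SAMPLE):
        print(f"line {line_no}: {problem}")
```

After editing LMHOSTS on a domain controller, `nbtstat -R` reloads the preloaded entries into the NetBIOS name cache.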
Native mode will only stop you having WinNT domain controllers in your domain. As above, you can set up external trusts using AD sites and services.
I can set up the trust between NT 4.0 and Windows 2000 domains but cannot verify the trust; I keep getting "access is denied".

I have used LMHOSTS files, still no luck. Both domains are from two companies that have merged.