Trusts between stand alone server and Domain controller

I've set up a stand-alone NT server and wanted to add it to an existing NT domain X. The stand-alone server was added correctly and I got the confirmation message "welcome to domain X". When attempting to map a share on the stand-alone server, I get the error message "trust relation between the workstation and primary domain failed". On the stand-alone server, the Trusts option is unavailable and grayed out. On the domain controller, Trusts is an option between domains only, and since the stand-alone server is only a member, no options are available to establish trusts between a stand-alone server and NT domains.
Any idea how to set up trusts between a stand-alone server and a PDC, or have I failed to configure something somewhere?

Steve Rose Commented:
You cannot, and should not need to, set up a trust between a stand-alone server and a domain. Once you have added a stand-alone server to the domain, you need to go to the shares on the server and add the users and/or groups from the domain that you want to have access to the shares.

If you are still having problems with a machine once it has been added to a domain, you will need to get NETDOM version 1.8 from the resource kit, or let me know if you cannot find it and I will e-mail it to you. Place it in your WINNT directory and execute the following command from a command prompt.
The capital letters are the command and the lower-case letters are variables to be filled in with the NetBIOS name of the computer and the name of your domain.

NETDOM /DOMAIN:domainname MEMBER computername /JOINDOMAIN


Steve Rose Commented: is my e-mail address
citot Author Commented:
I tried the NetDom utility and received the message "The RPC Server is unavailable". Any clues now?

Steve Rose Commented:
RPC stands for remote procedure call. This is how NT services "talk" across the network.
1) Ping the BDC from the member server by IP to make sure you have basic connectivity.
2) Reboot the member server. Many RPC errors on NT can be eliminated by rebooting.
3) On both machines go to the Services icon in Control Panel. Make sure both the Remote Procedure Call (RPC) Locator and the Remote Procedure Call (RPC) Service are started. If not, highlight it and click on Startup, select Automatic and System Account, but make sure there is not a check in "Allow Service to Interact with Desktop" and that there is not an account specified.
4) Run the netdom command again.

Other questions if the above fails:
1) Do you have any routers or layer 3 switches between the two machines? If so they may be filtering the NetBIOS netlogon ports. Make sure the 135/tcp, 137/udp, 138/udp and 139/tcp ports are not blocked.

Make sure the IP given to the member server has the same network ID and subnet mask. Confirm the default gateway is correct.

If there are any routers, NetBIOS name resolution will fail and the machines will not be able to find each other to complete the creation of the secure channel (computer account).
If you do have any routers you will need to implement an LMHOSTS file, or if you have a WINS server on the domain put its IP in the TCP/IP properties box. To create an LMHOSTS file, drop to a command prompt, navigate to the winnt\system32\drivers\etc directory and type in EDIT LMHOSTS. This way you are using a DOS editor to create or edit the file. There are issues when using Notepad. Save the file as LMHOSTS with no extension. When creating an LMHOSTS file there must be exactly 20 spaces between the "". Use the tab key to get from column to column. If you use the tab key you should end up with the default spacing. Use the following syntax EXACTLY as stated, because if there are any errors it will load until it hits an error and then bail completely, not loading anything.

computername      #PRE      #DOM:yourdomain      "domainname            \0x1b"      #PRE

Repeat the same line for the BDC, only instead of \0x1b use \0x1c.
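The padding rule in the reply above is easy to get wrong by hand, so here is an added example (not code from this thread) that generates the two preloaded lines for a domain controller and checks an existing LMHOSTS file for the mistakes that make the loader bail out. Everything in it is constructed: the domain CORP, the computer names PDC1 and BDC1 and the 10.0.0.x addresses are assumptions. The rule it enforces is that between the quotes the domain name is space-padded to 15 characters and followed by the 5-character suffix (\0x1b for the PDC, \0x1c for the domain controllers group), 20 characters in total.

```python
"""Generate and check LMHOSTS #PRE / #DOM entries for an NT 4 domain.

Added example, not code from the thread. Names, addresses and file text
below are constructed. It applies the padding rule the reply relies on:
between the quotes, the domain name is space-padded to 15 characters and
followed by the 5-character suffix (\\0x1b or \\0x1c), 20 characters total.
"""
import re

NAME_LEN = 15      # longest NetBIOS name
QUOTED_LEN = 20    # 15-character padded name + len('\\0x1b')
SUFFIX_PDC = "1b"  # domain master browser, i.e. the PDC
SUFFIX_DC = "1c"   # domain controllers group, used for the BDC line

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
QUOTED_RE = re.compile(r'"([^"]*)"')
SUFFIX_RE = re.compile(r"\\0x[0-9a-fA-F]{2}$")


def quoted_name(domain, suffix):
    """Quoted domain token with exactly 20 characters inside the quotes."""
    domain = domain.upper()
    if not domain or len(domain) > NAME_LEN:
        raise ValueError("domain name must be 1..%d characters" % NAME_LEN)
    return '"%s\\0x%s"' % (domain.ljust(NAME_LEN), suffix)


def dc_entries(ip, computername, domain, suffix):
    """Two preloaded lines for one domain controller; columns are tab separated."""
    return [
        "%s\t%s\t#PRE\t#DOM:%s" % (ip, computername.upper(), domain.upper()),
        "%s\t%s\t#PRE" % (ip, quoted_name(domain, suffix)),
    ]


def check_lmhosts(text):
    """Return (line_number, message) for each entry the loader would choke on.

    An empty list means every entry parsed; a non-empty list explains why
    nbtstat would report 'no names in cache' after loading this file.
    """
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank line or comment
        fields = line.split()
        if not IP_RE.match(fields[0]):
            problems.append((n, "first column is not an IP address: %r" % fields[0]))
            continue
        if '"' in line:                      # quoted domain-name entry
            if line.count('"') != 2:
                problems.append((n, "unbalanced quotes"))
                continue
            inner = QUOTED_RE.search(line).group(1)
            if "\t" in inner:
                problems.append((n, "tab inside the quotes; pad with spaces only"))
            if len(inner) != QUOTED_LEN:
                problems.append((n, "quoted name is %d characters, must be %d"
                                 % (len(inner), QUOTED_LEN)))
            if not SUFFIX_RE.search(inner):
                problems.append((n, "quoted name must end with a \\0xNN suffix"))
        else:                                # plain computer-name entry
            name = fields[1] if len(fields) > 1 else ""
            if not name or len(name) > NAME_LEN:
                problems.append((n, "missing or overlong computer name: %r" % name))
    return problems


if __name__ == "__main__":
    # Constructed example: PDC1 at 10.0.0.5 and BDC1 at 10.0.0.6 in domain CORP.
    lines = (dc_entries("10.0.0.5", "PDC1", "CORP", SUFFIX_PDC)
             + dc_entries("10.0.0.6", "BDC1", "CORP", SUFFIX_DC))
    print("\n".join(lines))
    print(check_lmhosts("\n".join(lines)))       # [] - file is well formed
    short = '10.0.0.5\t"CORP' + " " * 10 + '\\0x1b"\t#PRE'   # 19 chars inside
    print(check_lmhosts(short))                  # flags the 19-character name
```

Run it against a copy of the real file with `check_lmhosts(open(path).read())`; a quoted entry that is one character short, or padded with a tab instead of spaces, is exactly the kind of typo that makes the whole file fail to load silently.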
Steve Rose Commented:
After you have loaded an LMHOSTS file, type the following command from a command prompt. Pay attention to the case of the switches; this must be correct.




The response to -c should include a listing for your PDC with the following tags:
<1B>, <00>, <03>, and <20>

If you get the message "no names in cache" then you have typos in the LMHOSTS file.

If any other machine is showing the <1B> then your PDC is not winning the domain master browser elections and we will have to address that issue.
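To make the check in the reply above repeatable, here is an added example (not code from this thread) that parses the cache listing nbtstat -c prints and reports the three outcomes the reply describes: all four tags present for the PDC, the <1B> name held by another machine, and "no names in cache". The listings are constructed in the shape of NT 4 nbtstat -c output; the domain CORP, the PDC at 10.0.0.5 and the other hosts are assumptions.

```python
"""Check an 'nbtstat -c' cache listing for the PDC's preloaded names.

Added example, not from the thread. The listings below are constructed in
the shape nbtstat -c prints on NT 4; the domain CORP, the PDC address
10.0.0.5 and the hosts in them are assumptions for illustration.
"""
import re

ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<life>-?\d+)"
)
# tags the reply says the PDC must show once the LMHOSTS file has loaded
REQUIRED = {"1B", "00", "03", "20"}

HEADER = """Node IpAddress: [10.0.0.20] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ----------------------------------------------------------
"""

# Healthy: every required tag resolves to the PDC (Life -1 = preloaded).
SAMPLE_OK = HEADER + """\
    CORP           <1B>  UNIQUE      10.0.0.5        -1
    CORP           <00>  GROUP       10.0.0.5        -1
    PDC1           <03>  UNIQUE      10.0.0.5        -1
    PDC1           <20>  UNIQUE      10.0.0.5        -1
"""

# Another host holds <1B>: the PDC lost the domain master browser election.
SAMPLE_LOST = HEADER + """\
    CORP           <1B>  UNIQUE      10.0.0.9        420
    CORP           <00>  GROUP       10.0.0.5        -1
    PDC1           <03>  UNIQUE      10.0.0.5        -1
    PDC1           <20>  UNIQUE      10.0.0.5        -1
"""

# What nbtstat prints when the LMHOSTS file failed to load.
SAMPLE_EMPTY = "No names in cache\n"


def parse_cache(text):
    """Return one dict per cache entry; [] when nbtstat reported no names."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["suffix"] = e["suffix"].upper()
            entries.append(e)
    return entries


def check_pdc(text, pdc_ip):
    """Return (ok, findings) for the cache listing against the expected PDC."""
    entries = parse_cache(text)
    if not entries:
        return False, ["no names in cache: LMHOSTS did not load, check it for typos"]
    findings = []
    seen = {e["suffix"] for e in entries if e["ip"] == pdc_ip}
    missing = sorted(REQUIRED - seen)
    if missing:
        findings.append("PDC %s is missing tags %s"
                        % (pdc_ip, ", ".join("<%s>" % s for s in missing)))
    for e in entries:
        if e["suffix"] == "1B" and e["ip"] != pdc_ip:
            findings.append("<1B> for %s is held by %s, not the PDC: "
                            "domain master browser election lost"
                            % (e["name"], e["ip"]))
    return not findings, findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("lost", SAMPLE_LOST),
                          ("empty", SAMPLE_EMPTY)):
        print(label, check_pdc(sample, "10.0.0.5"))
```

On a real machine, capture the listing with `nbtstat -c > cache.txt` and pass the file contents to `check_pdc` with the PDC's address; a <1B> entry pointing anywhere but the PDC is the browser-election problem the reply mentions, and an empty parse means the LMHOSTS file never loaded.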

Steve Rose Commented:
You probably have the wrong version of NETDOM. The current version has not been made available to the general public via TechNet. I sent you the correct version in e-mail.

citot Author Commented:
I do have Netdom 1.8, which I got off the MS site. One thing I discovered is that one of the RPC services was not started on the stand-alone server. Once it was started, the netdom utility worked well. However, I still received "trust relation between the workstation and primary domain failed" when attempting to map a share from the PDC to the stand-alone server or from NT clients. I don't believe I have a connectivity problem, because if I add the stand-alone server to a workgroup (same name as the domain) I can map shares without a hitch.

One other thing I did was to add a second stand-alone server to the same domain and it worked well: I mapped shares, logged into the domain, etc. Seems something is not right with the first stand-alone server. I'm considering re-installing NT. What do you think?
Steve Rose Commented:
Once again, you should not be trying to set up trusts. If the stand-alone server is installed as a domain controller you cannot add it to the domain. You will only be able to add it to the domain after a complete re-install of NT, and during the install you should select Member Server. On a domain controller you cannot simply change the name of the domain. The domain names may match at that point, but the network SIDs do not and it will fail. Go to Administrative Tools (Common) > NT Diagnostics > Network. This tab will show which domain controller validated it, and if it is pointing back to itself you have a domain controller that has been used as a member server. This is not a problem until you try to add it to another domain.

Once again, you CAN NOT add a domain controller to another domain without completely re-installing NT. If there is data on the drives you can install to another directory, but then when you are done you will have to re-install all applications.
citot Author Commented:
I guess my question is misleading in that I wanted to establish trusts between a domain and a stand-alone server. Not a PDC or BDC, but a stand-alone server which was added to the domain. I'm not so concerned about establishing trusts as I am about being able to map a share between clients or the PDC and the stand-alone server. When I attempt to map shares to the stand-alone server, the error message "trust relation between the workstation and primary domain failed" is relayed. All I want to do is map users to a share on that stand-alone server, but it won't let me because it complains about trusts. One other note is that I've taken it out of the domain and added it to a non-existent workgroup a few times. Not sure if this has anything to do with it wigging out, or if it has messed with the SID? If so, should I try running a SID utility to change its SID?

Steve Rose Commented:
It is sounding like you goofed when you installed the stand-alone server and it has been installed as a domain controller; in effect you created a separate domain and it is the only computer in it.

If you are logging onto the stand-alone server with an ID and password that exists in the domain, you probably will not have any problems going to the domain from the stand-alone server, but will have problems coming back the other way.
Steve Rose Commented:
The error you are getting I was able to recreate on a lab machine at work.

The error is misleading in the way it is worded. What it boils down to is that the machine has lost its secure channel between it and the PDC. The member server's computer account is no longer working.

There are two ways to recreate this secure channel.

Use Netdom.exe, which comes with the resource kit, but this version will only work on systems prior to Service Pack 4; you will need to call Microsoft Support and have them e-mail it to you.
If all you are doing is calling to have them send you an updated file they will not bill you. Or I can send it to you if you like.

The easiest way to do this is to remove the machine in Server Manager from one of the domain controllers. Sync the domain. On the member server, on the Identification tab of the Network control panel, place a check next to Workgroup and reboot (completely), which basically places it in a workgroup by itself. Go back to this same screen and set it back to join a domain. You should be prompted for an administrator's password. Reboot and you should be able to log back in.

If this fails you have one of the following issues.

There is a router or layer 3 switch blocking the TCP/IP UDP and TCP ports needed. Don't know these off the top of my head but they are between 135-139. I can look them up in TechNet.

You have a NetBIOS name issue, mapped out in comments I have already added. Most NetBIOS name problems are due to corrupted WINS.
The domain controllers are not winning the browser elections.
Losing browser elections is caused by domain controllers being too busy to respond back fast enough to win the election over a much faster machine.
A UNIX box with SAMBA installed whose OS level is set too high.
Basic connectivity issues.
Windows 2000 Servers will many times win the domain master browser election because of their OS level, and there is a registry setting to stop them from participating.

That is all I have on this topic.
Failed trusts, lost secure channels, domain sync problems and folder replication problems, to name a few, can be and most times are caused by NetBIOS name resolution issues.

All for now.