jabo210

Trust between NT domain and W2k domain -- "Access is denied"

I have been unable to set up a trust between my NT domain and my new W2k domain, in preparation for migrating the old domain to the new (with ADMT).

The NT PDC (NT 4 SP 6a) can ping the W2k DC (W2k SP3), as well as access any shared folders, via Network Neighborhood (or even via IE).  Likewise, the W2k DC can access the NT PDC -- the only noticeable difference is speed: the NT PDC is slow in accessing any other machine (regardless of domain or OS) on the network.

LMHOSTS files have the 1b  and 1c records for the other machine and domain.  

Errors:

1. When attempting to set up either Trusted or Trusting relationship from the NT machine, "Access is Denied."

2.  W2k cannot verify any trust setup from its side.  "Secure channel reset (SC) on domain controller \\NTPDC on domain NTDOMAIN to domain W2KDOMAIN failed with error: The specified domain either does not exist or could not be contacted."

3. When testing migration settings in AD Migration Tool, ADMT returns: "You are not an administrator on the source domain. (domain=NTDOMAIN)."

No Failure Audits show up in the Security log after attempting to set up the trust in NT.

What do I do now?
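
The question says the LMHOSTS files carry the 1b and 1c records; such entries only work when written in a specific layout: the 1B (domain master browser) name quoted and space-padded to 15 characters before `\0x1b`, and the 1C (domain controllers) entry expressed as a `#DOM:` tag. A checker for that layout, added here as an example and not part of the original thread; the host name W2KDC and the addresses are constructed, the domain names are taken from the error text above.

```python
import re

QUOTED = re.compile(r'^\S+\s+"([^"]*)"(.*)$')   # IP "NAME\0xNN" tags
SUFFIX = re.compile(r'\\0x([0-9A-Fa-f]{2})$')   # trailing NetBIOS type byte

def make_1b_line(ip, domain):
    """Build a 1B entry with the domain name space-padded to 15 characters."""
    return f'{ip}  "{domain.upper().ljust(15)}\\0x1b"  #PRE'

def check_lmhosts(text, domain):
    """Return (has_1b, has_1c, findings) for `domain` in LMHOSTS text."""
    has_1b = has_1c = False
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = QUOTED.match(line)
        d = re.search(r"#DOM:(\S+)", line)
        if m:
            name, tags = m.groups()
            s = SUFFIX.search(name)
            base = name[:s.start()] if s else name
            if (not s or s.group(1).lower() != "1b"
                    or base.strip().upper() != domain.upper()):
                continue
            if len(base) != 15:
                findings.append(f"line {n}: name is {len(base)} chars before "
                                "\\0x1b; pad to 15 so the type byte is the 16th")
                continue
            has_1b = True
        elif d and d.group(1).upper() == domain.upper():
            has_1c, tags = True, line
        else:
            continue
        if "#PRE" not in tags:
            findings.append(f"line {n}: no #PRE tag, entry is not preloaded")
    return has_1b, has_1c, findings

# Constructed sample (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = "\n".join([
    "192.0.2.10  W2KDC  #PRE #DOM:W2KDOMAIN",
    make_1b_line("192.0.2.10", "W2KDOMAIN"),
    '192.0.2.20  "NTDOMAIN \\0x1b"  #PRE',      # under-padded on purpose
    "192.0.2.20  NTPDC  #PRE #DOM:NTDOMAIN",
])

if __name__ == "__main__":
    for dom in ("W2KDOMAIN", "NTDOMAIN"):
        print(dom, check_lmhosts(SAMPLE, dom))
```

Run it against the LMHOSTS file on each domain controller, passing the name of the other domain; a missing 1B or 1C result means that controller cannot locate the other domain's PDC or domain controllers through LMHOSTS.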
nexissteve

You have to upgrade the NT4 machine to 2k.

What you're trying to do simply cannot be done!
jabo210

ASKER

Why not?  MS has a tool called Active Directory Migration Tool (see KB 260871) which is specifically designed to migrate users from a NT domain to a W2k domain.  It requires a trust relationship between the two domains.

I misread your question - sorry! I thought you were trying to join the win2k server onto the existing nt4 domain.

Maybe your answer lies within the migration tool features?

Good luck.
ASKER CERTIFIED SOLUTION
SysExpert
This solution is only available to members.
This shows the steps required. You can follow the link if you like or read it below http://support.microsoft.com/default.aspx?scid=kb;en-us;260871

HOW TO: Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

This article was previously published under Q260871
IN THIS TASK
SUMMARY

Trusts
Groups
Auditing
Registry
Administrative Shares
User Rights

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


SUMMARY
You can use the Active Directory Migration tool (ADMT) to migrate users, groups, and computers from one domain to another. This article describes how to perform a migration from a Microsoft Windows NT 4.0-based domain to a Windows 2000-based domain.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.


NOTE: This article assumes that the source domain is running Windows NT 4.0 Service Pack 4 or later, and that the target domain is a Windows 2000-based domain in Native mode.

You should run ADMT from the primary domain controller (PDC) that is the Flexible Single Master Operation (FSMO) role holder in the target domain.

Trusts
Configure the source domain to trust the target domain.
Configure the target domain to trust the source domain.

Groups
Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
Create a new local group in the source domain called Source Domain$$$ (this group should have no members).

Auditing
Enable auditing for the success and failure of user and group management on the source domain.
Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.

Registry
On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.

Administrative Shares
Administrative shares must exist on the domain controller (DC) in the target domain on which you run ADMT, as well as on any computers on which an agent will be dispatched.

User Rights
You must log on to the computer on which you run ADMT with an account that has the following rights:
Domain Administrator rights in the target domain
Is a member of the Administrators group in the source domain
Administrator rights on each computer you migrate
Administrator rights on each computer on which you translate security
Therefore, logging into the PDC that is the FSMO role holder in the target domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.
jabo210

ASKER

As you can see from the KB on the ADMT, one must have the TRUSTS set up to use ADMT.  The TRUSTS are the problem, not ADMT.

jabo210

ASKER

At this point, I have decided to migrate using Exmerge to export all my users' mailboxes and personal folders and then import them into Exchange 2000 server, after setting up the users in Active Directory.

It is not the ideal solution, but since we have only a few users, it will suffice.
SOLUTION
This solution is only available to members.
jabo210:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.