?
Solved

2003 domain to 2000 domain trust

Posted on 2004-08-18
9
Medium Priority
?
264 Views
Last Modified: 2011-04-14
I'm having troulbe creating a trust between a 2003 Domain (in mixed mode) and a 2000 Domain (also in mixed mode) in diffent forests. The domains do not share DNS information, but the PDCs for both domains have the other domain's PDC in their lmhost file. I can ping the PDCs from across the domains, I can see the PDCs using net view across the domains, but when I try and verify a trust I get "cannot find a domain controller."
0
Comment
Question by:evlthoma
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
9 Comments
 
LVL 10

Expert Comment

by:jhautani
ID: 11834583
Do you have the '#pre #dom:otherdomain' at the end of server line in lmhosts, like
1.2.3.4 OTHERPDC #PRE #DOM:OTHERDOMAIN

Try adding the following line to lmhosts to find the domain's master browser:
1.2.3.4  "OTHERDOMAIN     \0x1b" #PRE
where 1.2.3.4 is the IP of your other domain's PDC
Note that the backslash MUST be the 16th character in the string: use spaces to pad

hope this helps
0
 

Author Comment

by:evlthoma
ID: 11834943
jhautani

I had both those entries in the lmhost. I gave up, lowered my security settings on DNS and added seconday DNS zones on the PDC in both domains. I can now verify from the 2003 to the 2000 domain, but I get a "no login server in available" when I try to validate from 2000 to 2003.
0
 
LVL 10

Expert Comment

by:jhautani
ID: 11835182
Take a look at this KB article, whether it applies to you:
http://support.microsoft.com/default.aspx?kbid=246261
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 

Author Comment

by:evlthoma
ID: 11836122
I have all the symptoms listed in the KB aritcle, except they are occuring on a 2003 Domain not a 2000. RestrictAnonymous is set to "0" in the 2003 registry. I am having trouble with the following:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not be able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists.
0
 
LVL 10

Expert Comment

by:jhautani
ID: 11838569
Do you have more than one DC in your 2003 domain? If you have, do they all have RestrictAnonymous set to 0?

Take a look at this KB article about incompatibilties concerning security settings:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
0
 

Author Comment

by:evlthoma
ID: 11841475
I have 3 DCs in the 2003 domain and they all have RestrictAnonymous set to 0 and RestrictAnonymousSAM set to 1. Along with 2003 to 2000 trust problem, I have a couple of NT BDCs that can no longer connect to the domain and workstations on the 2003 domain can not browse their "Network Neighborhood,"  so it seems like it should be a RestrictAnonymous problem, I just don't see where.
0
 

Author Comment

by:evlthoma
ID: 11870907
The problems seemed to resolve themselves after I did the following:
Disabled the 2nd NICs in the DCs
Changed the Domain Security Policy setting "Network access: Allow anonymous SID/Name translation" to "Enabled"

I was then able to verify the trust.

Thanks for the help.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12734553
PAQed with points refunded (500)

modulo
Community Support Moderator
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question