evlthoma
asked on
2003 domain to 2000 domain trust
I'm having troulbe creating a trust between a 2003 Domain (in mixed mode) and a 2000 Domain (also in mixed mode) in diffent forests. The domains do not share DNS information, but the PDCs for both domains have the other domain's PDC in their lmhost file. I can ping the PDCs from across the domains, I can see the PDCs using net view across the domains, but when I try and verify a trust I get "cannot find a domain controller."
ASKER
jhautani
I had both those entries in the lmhost. I gave up, lowered my security settings on DNS and added seconday DNS zones on the PDC in both domains. I can now verify from the 2003 to the 2000 domain, but I get a "no login server in available" when I try to validate from 2000 to 2003.
I had both those entries in the lmhost. I gave up, lowered my security settings on DNS and added seconday DNS zones on the PDC in both domains. I can now verify from the 2003 to the 2000 domain, but I get a "no login server in available" when I try to validate from 2000 to 2003.
Take a look at this KB article, whether it applies to you:
http://support.microsoft.com/default.aspx?kbid=246261
http://support.microsoft.com/default.aspx?kbid=246261
ASKER
I have all the symptoms listed in the KB aritcle, except they are occuring on a 2003 Domain not a 2000. RestrictAnonymous is set to "0" in the 2003 registry. I am having trouble with the following:
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not be able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists.
Down-level member workstations or servers are not able to set up a netlogon secure channel.
Down-level domain controllers in trusting domains are not be able to set up a netlogon secure channel.
Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
The Browser service is not able to retrieve domain lists or server lists.
Do you have more than one DC in your 2003 domain? If you have, do they all have RestrictAnonymous set to 0?
Take a look at this KB article about incompatibilties concerning security settings:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
Take a look at this KB article about incompatibilties concerning security settings:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
ASKER
I have 3 DCs in the 2003 domain and they all have RestrictAnonymous set to 0 and RestrictAnonymousSAM set to 1. Along with 2003 to 2000 trust problem, I have a couple of NT BDCs that can no longer connect to the domain and workstations on the 2003 domain can not browse their "Network Neighborhood," so it seems like it should be a RestrictAnonymous problem, I just don't see where.
ASKER
The problems seemed to resolve themselves after I did the following:
Disabled the 2nd NICs in the DCs
Changed the Domain Security Policy setting "Network access: Allow anonymous SID/Name translation" to "Enabled"
I was then able to verify the trust.
Thanks for the help.
Disabled the 2nd NICs in the DCs
Changed the Domain Security Policy setting "Network access: Allow anonymous SID/Name translation" to "Enabled"
I was then able to verify the trust.
Thanks for the help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
1.2.3.4 OTHERPDC #PRE #DOM:OTHERDOMAIN
Try adding the following line to lmhosts to find the domain's master browser:
1.2.3.4 "OTHERDOMAIN \0x1b" #PRE
where 1.2.3.4 is the IP of your other domain's PDC
Note that the backslash MUST be the 16th character in the string: use spaces to pad
hope this helps