I am in the process of migrating to AD from NT4 by restructuring and had a Two-way external trust between the domains. This trust has been working fine for months, then on Monday 11th October at around 3pm it broke and will not recreate, even removing it completely at both ends and recreating fails. We have a strict change control policy and I know no changes were made for days before this and I have undone a number of changes, which don't appear related.
The problem is my AD 2003 domain will not trust users in the NT4 domain, but the NT4 domain will trust AD 2003 users.
I know the trust fails as services in the AD with NT4 accounts fail, and when I set NTFS security for users on NT4 in my AD I can see the NT4 Domain and users, but when I have finished and check the security settings my NT4 user is listed as an unknown account.
I have attempted to create the trust following Microsoft KB http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306733. I have also done this in the old way where you set up the password on one end and connect to it at the other and then swap round. I have tried to Validate the trusts at the AD end but they all fail with ACCESS DENIED. I found a Microsoft KB that basically says the error you receive is normal and can be ignored.
I have also used NETDOM command line to remove and recreate the trusts but this also produces ACCESS DENIED. NLTEST reports similar errors and DCDIAG says everything is ok.
The Windows 2003 Active Directory Domain is called "CompanyNamePLC" and the Windows NT4 Domain is called "MyCompanyNET".
I have checked the SAM in the registry on the NT PDC and used ADSI Edit on the AD 2003 and the hidden domain accounts and secrets all seem to be in order.
At the time I create the trust the NT4 PDC logs the following in the System Log.
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
The session setup from the computer AD2003-PDC failed to authenticate. The name of the account referenced in the security database is COMPANYNAMEPLC$. The following error occurred:
Access is denied.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
0000: 22 00 00 c0 "..À
Any advice would be gratefully appreciated. We are in the situation of not being able to proceed with the migration if I can't explain why it has failed or how to fix it when it breaks. I know that to tear down the AD and recreate it would probably solve my problem but that is a lot of work for us.
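Added illustration, not the poster's own work: the binary data block of the Netlogon event quoted above holds the failing NTSTATUS as a little-endian DWORD, so "22 00 00 c0" reads as 0xC0000022, STATUS_ACCESS_DENIED, matching the "Access is denied" text. The Python below parses Event Viewer hex-dump lines (including multi-line dumps) into bytes and names the status; the NTSTATUS table is a small assumed subset of the well-known constants and the sample dump line is constructed from the post.

```python
import re
# NTSTATUS values Netlogon commonly reports in trust problems (well-known constants).
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
    0xC000018D: "STATUS_TRUSTED_RELATIONSHIP_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# One Event Viewer dump line: 4-digit offset, up to 8 hex bytes, then a character rendering.
_DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):((?:\s+[0-9a-fA-F]{2}){1,8})")
BYTES_PER_LINE = 8

def parse_event_data(dump: str) -> bytes:
    """Reassemble raw bytes from an Event Viewer hex dump. The trailing rendering
    can itself look like hex ("AB"), so each row is bounded by the next row's offset."""
    rows = []
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            rows.append((int(m.group(1), 16), [int(h, 16) for h in m.group(2).split()]))
    out = bytearray()
    for i, (offset, vals) in enumerate(rows):
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} does not follow {len(out)} bytes")
        limit = rows[i + 1][0] - offset if i + 1 < len(rows) else BYTES_PER_LINE
        out += bytes(vals[:limit])
    return bytes(out)

def decode_ntstatus(data: bytes) -> int:
    """Netlogon stores the failing NTSTATUS as a little-endian DWORD at offset 0."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes of event data")
    return int.from_bytes(data[:4], "little")

def describe(dump: str) -> str:
    code = decode_ntstatus(parse_event_data(dump))
    name = NTSTATUS_NAMES.get(code, "unknown NTSTATUS")
    severity = "error" if code >> 30 == 3 else "non-error"  # top two bits carry severity
    return f"{code:#010x} {name} ({severity})"

# Constructed input: the data block from the event 5722 quoted in the post.
EVENT_5722_DATA = '0000: 22 00 00 c0 "..À'
print(describe(EVENT_5722_DATA))  # 0xc0000022 STATUS_ACCESS_DENIED (error)
```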