Solved

NT4 to Windows 2003 Domain Trust - Access Denied

Posted on 2004-10-18
Last Modified: 2007-12-19
I am in the process of migrating to AD from NT4 by restructuring and had a Two-way external trust between the domains. This trust has been working fine for months, then on Monday 11th October at around 3pm it broke and will not recreate, even removing it completely at both ends and recreating fails. We have a strict change control policy and I know no changes were made for days before this and I have undone a number of changes, which don't appear related.

The problem is my AD 2003 domain will not trust users in the NT4 domain, but the NT4 domain will trust AD 2003 users.

I know the trust fails as services in the AD with NT4 accounts fail, and when I set NTFS security for users on NT4 in my AD I can see the NT4 Domain and users, but when I have finished and check the security settings my NT4 user is listed as an unknown account.

I have attempted to create the trust following Microsoft KB http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306733. I have also done this in the old way where you set up the password on one end and connect to it at the other and then swap round. I have tried to Validate the trusts at the AD end but they all fail with ACCESS DENIED. I found a Microsoft KB that basically says the error you receive is normal and can be ignored.

I have also used NETDOM command line to remove and recreate the trusts but this also produces ACCESS DENIED. NLTEST reports similar errors and DCDIAG says everything is ok.

The Windows 2003 Active Directory Domain is called "CompanyNamePLC" and the Windows NT4 Domain is called "MyCompanyNET".

I have checked the SAM in the registry on the NT PDC and used ADSI Edit on the AD 2003 and the hidden domain accounts and secrets all seem to be in order.
 
At the time I create the trust the NT4 PDC logs the following in the System Log.

Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5722
Date:            18/10/2004
Time:            12:26:15
User:            N/A
Computer:      NT4PDC
Description:
The session setup from the computer AD2003-PDC failed to authenticate. The name of the account referenced in the security database is COMPANYNAMEPLC$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À

Any advice would be gratefully appreciated. We are in the situation of not being able to proceed with the migration if I can't explain why it has failed or how to fix it when it breaks. I know that to tear down the AD and recreate it would probably solve my problem but that is a lot of work for us.

Question by:GeeDoubleU-UK
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 12337733
GeeDoubleU-UK
Check that the two domains are timesynced and check the local security policies on each of the W2k3 DCs to make sure that secure communications are not mandatory, as NT cannot handle the same levels of security as W2k3. The settings you want are here:

\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
And are prefixed with:

Microsoft Network Client
Microsoft Network Server

Digitally Sign Communications (always) is a prime candidate.

Just switch off the server side security temporarily and retry your trust.

Cheers

JamesDS
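The policy checks in the accepted answer (and the extra "Require strong session key" setting the author later found) can be audited from the registry values those Security Options map to. This is an added example, not code from the thread; it assumes it is run as an administrator on each Windows 2003 DC, and that the NT4 PDC is reachable by the name NT4PDC from the event log above.

```powershell
# Added example: audit the local security policy settings that break NT4
# interoperability, by reading the registry values each Security Option maps to.
# A value of 1 means the policy is enforced ("Enabled"); missing means default.
$checks = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RequireStrongKey' },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RequireSignOrSeal' }
)

foreach ($c in $checks) {
    # Read the DWORD; a missing value comes back as $null rather than an error.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $value)  { $state = 'not set (default)' }
    elseif ($value -eq 1)  { $state = 'ENFORCED - NT4 cannot negotiate this' }
    else                   { $state = 'disabled' }
    [PSCustomObject]@{ Policy = $c.Policy; Value = $value; State = $state }
}

# The answer's other check: compare this DC's clock against the NT4 PDC.
# NT4PDC is the computer name taken from the event log in the question.
w32tm /stripchart /computer:NT4PDC /samples:3 /dataonly
```

Any row reported as ENFORCED is a candidate for the temporary relaxation the answer describes; if the values are set by a domain controller GPO rather than locally, they will reappear at the next policy refresh until the GPO itself is changed.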
 

Author Comment

by:GeeDoubleU-UK
ID: 12338371
Yes!!!

JamesDS you were on the right track with the Security Policy, well done. Around 30 Days earlier we signed off a change control for a default domain controller security policy.

It was the Microsoft Network Server AND "Domain Member: Require Strong (Windows 2000 or Later) Session Key".

Very obvious when it's spelt out; we stupidly just copied a security template and, rather than read it, thought we would try it and work around any issues, and promptly forgot we had done it!
 
LVL 16

Expert Comment

by:JamesDS
ID: 12344961
GeeDoubleU-UK
Glad you got it sorted.

Cheers

JamesDS