NT4 to Windows 2003 Domain Trust - Access Denied

Posted on 2004-10-18
Last Modified: 2007-12-19
I am in the process of migrating to AD from NT4 by restructuring and had a Two-way external trust between the domains. This trust has been working fine for months, then on Monday 11th October at around 3pm it broke and will not recreate, even removing it completely at both ends and recreating fails. We have a strict change control policy and I know no changes were made for days before this and I have undone a number of changes, which don't appear related.

The problem is my AD 2003 domain will not trust users in the NT4 domain, but the NT4 domain will trust AD 2003 users.

I know the trust fails as services in the AD with NT4 accounts fail and when I set NTFS security for users on NT4 in my AD I can see the NT4 Domain and users, but when I have finished and check the security settings my NT4 user is listed as an unknown account.

I have attempted to create the trust following Microsoft KB http://support.microsoft.com/default.aspx?scid=kb;EN-US;q306733. I have also done this in the old way where you set up the password on one end and connect to it at the other and then swap round. I have tried to Validate the trusts at the AD end but they all fail with ACCESS DENIED. I found a Microsoft KB that basically says the error you receive is normal and can be ignored.

I have also used NETDOM command line to remove and recreate the trusts but this also produces ACCESS DENIED. NLTEST reports similar errors and DCDIAG says everything is ok.

The Windows 2003 Active Directory Domain is called "CompanyNamePLC" and a Windows NT4 Domain called "MyCompanyNET".

I have checked the SAM in the registry on the NT PDC and used ADSI Edit on the AD 2003 and the hidden domain accounts and secrets all seem to be in order.
 
At the time I create the trust the NT4 PDC logs the following in the System Log.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 18/10/2004
Time: 12:26:15
User: N/A
Computer: NT4PDC
Description:
The session setup from the computer AD2003-PDC failed to authenticate. The name of the account referenced in the security database is COMPANYNAMEPLC$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À

Any advice would be gratefully appreciated. We are in the situation of not being able to proceed with the migration if I can't explain why it has failed or how to fix it when it breaks. I know that to tear down the AD and recreate it would probably solve my problem but that is a lot of work for us.

Question by:GeeDoubleU-UK
3 Comments
 
Accepted Solution

by:
JamesDS earned 1500 total points
ID: 12337733
GeeDoubleU-UK
Check that the two domains are time-synced and check the local security policies on each of the W2k3 DCs to make sure that secure communications are not mandatory, as NT cannot handle the same levels of security as W2k3. The settings you want are here:

\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
And are prefixed with:

Microsoft Network Client
Microsoft Network Server

Digitally Sign Communications (always) is a prime candidate.

Just switch off the server side security temporarily and retry your trust.

Cheers

JamesDS
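The three Security Options named in this thread (the two "Digitally sign communications (always)" settings and, in the author's follow-up, "Domain member: Require strong (Windows 2000 or later) session key") are each backed by a single registry value on the DC. The script below is an added example, not code from the original thread or from Microsoft: it reads those values on the Windows DC you run it on and flags any that are enforced, since an NT4 PDC can satisfy none of them. The registry paths are the documented backing stores for these policies; the domain names in the trailing verification commands are the ones from the question and are assumed to match your environment.

```powershell
# Added example (not from the original thread). Audit the Security Options that
# break an NT4 <-> Windows 2003 trust when enforced on the Windows DCs.
# Run from an elevated PowerShell prompt on each DC in the AD domain.

$nt4TrustChecks = @(
    @{
        Policy = 'Microsoft network client: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Name   = 'RequireSecuritySignature'
    },
    @{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name   = 'RequireSecuritySignature'
    },
    @{
        Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name   = 'RequireStrongKey'
    }
)

function Test-Nt4TrustPolicy {
    foreach ($check in $nt4TrustChecks) {
        # A value of 1 means the policy is enabled (enforced). A missing value means
        # no policy has written it and the OS default (not enforced) is in effect.
        $item  = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($check.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $check.Policy
            Value     = if ($null -eq $value) { 'not set' } else { $value }
            BlocksNT4 = ($value -eq 1)
        }
    }
}

$results = Test-Nt4TrustPolicy
$results | Format-Table -AutoSize -Wrap

if ($results | Where-Object { $_.BlocksNT4 }) {
    Write-Warning 'At least one enforced setting will break an NT4 trust partner.'
    Write-Warning 'Change it in the GPO that applies it (in this thread, the Default Domain Controllers Policy),'
    Write-Warning 'not directly in the registry, or Group Policy will simply reapply the value.'
}

# After the policy change has refreshed on the DC (gpupdate /force), re-verify the
# trust from the AD side. Domain names taken from the question; adjust to yours.
#   nltest /sc_query:MyCompanyNET
#   netdom trust CompanyNamePLC /domain:MyCompanyNET /verify /twoway
```

Two caveats when you relax these settings. First, mandatory SMB signing is what protects the DCs against SMB relay, so scope the change to the DCs that must talk to the NT4 PDC and to the migration window, and re-enable it once the NT4 domain is retired. Second, the script reports the effective local value only; if a GPO sets the value, a registry edit is overwritten at the next policy refresh, which is why the fix has to be made in the policy itself, as the author's change-control record in this thread eventually showed.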
 

Author Comment

by:GeeDoubleU-UK
ID: 12338371
Yes!!!

JamesDS you were on the right track with the Security Policy, well done. Around 30 Days earlier we signed off a change control for a default domain controller security policy.

It was the Microsoft Network Server AND "Domain Member: Require Strong (Windows 2000 or Later) Session Key".

Very obvious when it's spelt out; we stupidly just copied a security template and, rather than read it, thought we would try it and work around any issues, and promptly forgot we had done it!
 
Expert Comment

by:JamesDS
ID: 12344961
GeeDoubleU-UK
Glad you got it sorted.

Cheers

JamesDS
