Solved

The trust relationship between this workstation and the primary domain failed.

Posted on 2004-10-23
Last Modified: 2008-01-09
Hi,

I've a w2k3 AD domain.  Within this domain there are two w2k servers amongst the w2k3 boxes.  I also have an NT4 domain with some old NT4 servers awaiting upgrade.

My problem:  If I try and map a drive from a w2k box in the w2k3 domain to a server in the NT4 domain it fails with the following message:

"The trust relationship between this workstation and the primary domain failed."

This does work if tried from a w2k3 server in the same domain.  There is a two way trust between the domains which I have tested with NLTEST and Netdom but they seem okay.  I've also removed the w2k boxes from the domain, cleared all references to them, made sure these changes were replicated and rejoined.  This has not helped the situation.

(NT4 boxes are on SP6a and the w2k servers are at SP4).

Help!

Cheers

Mark.

0
Question by:dalems
    5 Comments
     
    LVL 9

    Expert Comment

    by:BigC666
    0
     

    Author Comment

    by:dalems
    Thanks for the info.  My w2k3 domain is native and contains only w2k and w2k3 servers.  The NT4 domain is just that, no other OS's in there.  There is a two way trust between the two. (My XP workstation is in the AD domain, I logon to the AD domain and I access trusting resources in the NT4 domain all day).

    Mapping a drive from a w2k3 server to an NT server works fine.  Doing the exact same thing from either of the w2k boxes in the same domain fails with the error mentioned above.

    I can't see that I've a trust problem between the domains; it seems something specific to w2k. <Shrug> I'm at a loss here.

    0
     

    Author Comment

    by:dalems
    A little more info.  I've verified the domain trusts with NETDOM from both a w2k and a w2k3 server in the same domain.  The w2k output states that access is denied... this doesn't happen on w2k3.  See below:

    run on W2K server in child domain of AD root domain

    C:\Program Files\Support Tools>netdom query /domain:ADChild /verify trust
    Direction Trusted\Trusting domain           Via domain                    Status
    ========= =======================           ==========                    ======
    <->       AD Root Domain                                                          Access denied
    <->       NT4Domain                                                              Access denied
    The command completed successfully.


    run on W2K3 server in child domain of AD root domain

    C:\Program Files\Support Tools>netdom query /domain:ADChild /verify trust
    Direction Trusted\Trusting domain                         Trust type  Status
    ========= =======================                         ==========  ======

    <->       AD Root Domain                                  Direct      Verified
    <->       NT4Domain                                       Direct      Verified
    0
     

    Author Comment

    by:dalems
    Think I now know why this problem was occurring and have a suitable work around for it.   There is a hotfix from Microsoft which may actually fix the problem but I'm going to stick with the work around for now as I'm phasing out my w2k boxes.

    The error messages in regard to trusts were misleading.  The problem was down to 'LAN Manager Authentication Level' settings.  All my AD servers (w2k & w2k3) had the following registry setting;

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel = 4

    This is defined in the local security policy under "Network Security:LAN Manager authentication level".  A setting of 4 translates to "Send NTLMv2 response only\refuse LM".  Now for some reason the w2k3 machines could talk to NT4 with this setting but the w2k boxes couldn't.  The following MS support doc details the probable reason why.

    305379 Authentication Problems in Windows 2000 with NTLM 2 Levels Above 2 in a Windows NT 4.0 Domain
    http://support.microsoft.com/?id=305379

    To get around this I just set the w2k machines at a lower level; 0.  This translates to "Send LM & NTLM response".  Problem solved.
    0
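    An added example, not part of the original thread: a small audit that parses collected `reg query` output for `lmcompatibilitylevel`, maps each value to its documented policy meaning, and reports which hosts still send LM or NTLM responses and which would be refused if the domain controllers were set to a given level. The `## HOST` header format, the host names and the `dc_level` parameter are assumptions made for the example; it models the setting's documented semantics only, not OS-specific behaviour such as the issue described in KB 305379.

```python
import re
# LmCompatibilityLevel -> (policy text, responses a client sends, responses a DC refuses)
LEVELS = {
    0: ("Send LM & NTLM responses", {"LM", "NTLM"}, set()),
    1: ("Send LM & NTLM - use NTLMv2 session security if negotiated", {"LM", "NTLM"}, set()),
    2: ("Send NTLM response only", {"NTLM"}, set()),
    3: ("Send NTLMv2 response only", {"NTLMv2"}, set()),
    4: ("Send NTLMv2 response only\\refuse LM", {"NTLMv2"}, {"LM"}),
    5: ("Send NTLMv2 response only\\refuse LM & NTLM", {"NTLMv2"}, {"LM", "NTLM"}),
}
VALUE_RE = re.compile(r"^\s*lmcompatibilitylevel\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$", re.I)

def parse_inventory(text):
    """Map host -> level (None if the value is absent) from '## HOST' + reg query output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("## "):
            current = line[3:].strip()
            hosts[current] = None
        elif current and (m := VALUE_RE.match(line)):
            hosts[current] = int(m.group(1), 16)
    return hosts

def dc_accepts(client_level, dc_level):
    """True if the client sends a response type the DC does not refuse (setting semantics only)."""
    return bool(LEVELS[client_level][1] - LEVELS[dc_level][2])

def audit(hosts, dc_level):
    """Return (host, level, finding) for hosts that need attention."""
    rows = []
    for host, level in sorted(hosts.items()):
        if level not in LEVELS:
            rows.append((host, level, "value not set or out of range"))
        elif not dc_accepts(level, dc_level):
            rows.append((host, level, f"refused by a DC at level {dc_level}"))
        elif LEVELS[level][1] != {"NTLMv2"}:
            rows.append((host, level, "sends " + " & ".join(sorted(LEVELS[level][1]))))
    return rows

# Constructed sample: host names are placeholders; values mirror the thread's end state.
SAMPLE = """\
## W2K3-A
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    lmcompatibilitylevel    REG_DWORD    0x4
## W2K-A
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    lmcompatibilitylevel    REG_DWORD    0x0
## W2K-B
"""
```

    Calling `audit(parse_inventory(SAMPLE), 4)` lists the hosts left on the workaround level, and passing `5` shows which of them would stop authenticating if the DCs were later tightened.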
     

    Accepted Solution

    by:
    Question answered by asker or dialog valuable.
    Closed, 500 points refunded.
    ee_ai_construct (replacement part #xm34)
    Community Support Admin
    0
