

The trust relationship between this workstation and the primary domain failed.

Posted on 2004-10-23
Medium Priority
Last Modified: 2008-01-09

I've a w2k3 AD domain.  Within this domain there are two w2k servers amongst the w2k3 boxes.  I also have an NT4 domain with some old NT4 servers awaiting upgrade.

My problem:  If I try and map a drive from a w2k box in the w2k3 domain to a server in the NT4 domain it fails with the following message:

"The trust relationship between this workstation and the primary domain failed."

This does work if tried from a w2k3 server in the same domain.  There is a two way trust between the domains which I have tested with NLTEST and Netdom but they seem okay.  I've also removed the w2k boxes from the domain, cleared all references to them, made sure these changes were replicated and rejoined.  This has not helped the situation.

(NT4 boxes are on SP6a and the w2k servers are at SP4).




Question by: dalems

Expert Comment

ID: 12390225

Author Comment

ID: 12398369
Thanks for the info.  My w2k3 domain is native and contains only w2k and w2k3 servers.  The NT4 domain is just that, no other OS's in there.  There is a two way trust between the two. (My XP workstation is in the AD domain, I log on to the AD domain and I access trusting resources in the NT4 domain all day).

Mapping a drive from a w2k3 server to an NT server works fine.  Doing the exact same thing from either of the w2k boxes in the same domain fails with the error mentioned above.

I can't see that I've a trust problem between the domains it seems something specific to w2k. <Shrug> I'm at a loss here.


Author Comment

ID: 12398731
A little more info.  I've verified the domain trusts with NETDOM from both a w2k and a w2k3 server in the same domain.  The w2k output states that access is denied... this doesn't happen on w2k3.  See below:

run on W2K server in child domain of AD root domain

C:\Program Files\Support Tools>netdom query /domain:ADChild /verify trust
Direction Trusted\Trusting domain           Via domain                    Status
========= =======================           ==========                    ======
<->       AD Root Domain                                                          Access denied
<->       NT4Domain                                                              Access denied
The command completed successfully.

run on W2K3 server in child domain of AD root domain

C:\Program Files\Support Tools>netdom query /domain:ADChild /verify trust
Direction Trusted\Trusting domain                         Trust type  Status
========= =======================                         ==========  ======

<->       AD Root Domain

<->       NT4Domain

Author Comment

ID: 12491239
Think I now know why this problem was occurring and have a suitable workaround for it.   There is a hotfix from Microsoft which may actually fix the problem but I'm going to stick with the workaround for now as I'm phasing out my w2k boxes.

The error messages in regard to trusts were misleading.  The problem was down to 'LAN Manager Authentication Level' settings.  All my AD servers (w2k & w2k3) had the following registry setting;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel = 4

This is defined in the local security policy under "Network Security: LAN Manager authentication level".  A setting of 4 translates to "Send NTLMv2 response only\refuse LM".  Now for some reason the w2k3 machines could talk to NT4 with this setting but the w2k boxes couldn't.  The following MS support doc details the probable reason why.

305379 Authentication Problems in Windows 2000 with NTLM 2 Levels Above 2 in a Windows NT 4.0 Domain

To get around this I just set the w2k machines at a lower level; 0.  This translates to "Send LM & NTLM responses".  Problem solved.
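Added example, not part of the original thread: a PowerShell function that reads the LmCompatibilityLevel value discussed above from a list of hosts and reports which policy each one is running, so machines left at the lowered level can be found again once the NT4 domain is retired. The function name and the host names are placeholders, and it assumes the Remote Registry service is reachable on each host.

```powershell
# Added example: inventory "LAN Manager authentication level" across hosts.
# Policy names for levels 0-5 as shown in the local security policy editor.
$LmPolicy = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $level = $null
        $note  = ''
        try {
            # Remote read of HKLM\SYSTEM\CurrentControlSet\Control\Lsa
            $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $level = $lsa.GetValue('LmCompatibilityLevel', $null)
            $hklm.Close()
            if ($null -eq $level) { $note = 'value not set; OS default applies' }
        } catch {
            # Host offline, access denied, or Remote Registry stopped
            $note = "unreadable: $($_.Exception.Message)"
        }
        $known = $null -ne $level
        [pscustomobject]@{
            Computer     = $computer
            Level        = $level
            Policy       = if ($known) { $LmPolicy[[int]$level] } else { $null }
            SendsLM      = if ($known) { $level -le 1 } else { $null }  # levels 0 and 1 send LM
            NTLMv2Only   = if ($known) { $level -ge 3 } else { $null }  # levels 3-5 send NTLMv2 only
            Note         = $note
        }
    }
}

# Placeholder host names; replace with the servers to audit.
Get-LmCompatibilityLevel -ComputerName 'W2K-SRV1', 'W2K3-SRV1' |
    Format-Table -AutoSize
```

Hosts reported with SendsLM set to True are the ones still running the workaround level and are the candidates for returning to level 4 when they no longer need to reach NT4 servers.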

Accepted Solution

ee_ai_construct earned 0 total points
ID: 12527128
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
