The trust relationship between this workstation and the primary domain failed.

Hi,

I've a w2k3 AD domain.  Within this domain there are two w2k servers amongst the w2k3 boxes.  I also have an NT4 domain with some old NT4 servers awaiting upgrade.

My problem:  If I try and map a drive from a w2k box in the w2k3 domain to a server in the NT4 domain it fails with the following message:

"The trust relationship between this workstation and the primary domain failed."

This does work if tried from a w2k3 server in the same domain.  There is a two way trust between the domains which I have tested with NLTEST and Netdom but they seem okay.  I've also removed the w2k boxes from the domain, cleared all references to them, made sure these changes were replicated and rejoined.  This has not helped the situation.

(NT4 boxes are on SP6a and the w2k servers are at SP4).

Help!

Cheers

Mark.

dalems Asked:
 
ee_ai_construct Commented:
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
 
BigC666 Commented:
 
dalems (Author) Commented:
Thanks for the info.  My w2k3 domain is native and contains only w2k and w2k3 servers.  The NT4 domain is just that, no other OSes in there.  There is a two way trust between the two. (My XP workstation is in the AD domain, I log on to the AD domain and I access trusting resources in the NT4 domain all day).

Mapping a drive from a w2k3 server to an NT server works fine.  Doing the exact same thing from either of the w2k boxes in the same domain fails with the error mentioned above.

I can't see that I've a trust problem between the domains; it seems something specific to w2k. <Shrug> I'm at a loss here.

 
dalems (Author) Commented:
A little more info.  I've verified the domain trusts with NETDOM from both a w2k and a w2k3 server in the same domain.  The w2k output states that access is denied... this doesn't happen on w2k3.  See below:

run on W2K server in child domain of AD root domain

C:\Program Files\Support Tools>netdom query /domain:ADChild /verify trust
Direction Trusted\Trusting domain           Via domain                    Status
========= =======================           ==========                    ======
<->       AD Root Domain                                                          Access denied
<->       NT4Domain                                                              Access denied
The command completed successfully.


run on W2K3 server in child domain of AD root domain

C:\Program Files\Support Tools>netdom query /domain:ADChild /verify trust
Direction Trusted\Trusting domain                         Trust type  Status
========= =======================                         ==========  ======
<->       AD Root Domain                                  Direct      Verified
<->       NT4Domain                                       Direct      Verified
 
dalems (Author) Commented:
Think I now know why this problem was occurring and have a suitable workaround for it.   There is a hotfix from Microsoft which may actually fix the problem but I'm going to stick with the workaround for now as I'm phasing out my w2k boxes.

The error messages in regard to trusts were misleading.  The problem was down to 'LAN Manager Authentication Level' settings.  All my AD servers (w2k & w2k3) had the following registry setting;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel = 4

This is defined in the local security policy under "Network Security: LAN Manager authentication level".  A setting of 4 translates to "Send NTLMv2 response only\refuse LM".  Now for some reason the w2k3 machines could talk to NT4 with this setting but the w2k boxes couldn't.  The following MS support doc details the probable reason why.

305379 Authentication Problems in Windows 2000 with NTLM 2 Levels Above 2 in a Windows NT 4.0 Domain
http://support.microsoft.com/?id=305379

To get around this I just set the w2k machines at a lower level; 0.  This translates to "Send LM & NTLM response".  Problem solved.
Question has a verified solution.
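
To keep track of which machines carry a lowered 'LAN Manager Authentication Level' such as the one described in the accepted comment, the registry value can be audited from collected `reg query` output. This Python script is an added example, not part of the original thread; the host names and the sample output are constructed.

```python
import re

# Meaning of each LmCompatibilityLevel value, as named in the policy
# "Network security: LAN Manager authentication level".
LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}

# reg.exe prints DWORDs in hex, e.g. "lmcompatibilitylevel  REG_DWORD  0x4".
VALUE_RE = re.compile(r"^\s*lmcompatibilitylevel\s+REG_DWORD\s+0x([0-9a-f]+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

def parse_level(reg_output):
    """Return the level from `reg query` text, or None when the value is absent."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else None

def classify(level):
    """Return (policy text, finding) for one host."""
    if level is None:
        return ("value not set, OS default applies", "REVIEW")
    if level not in LEVELS:
        return ("unexpected value %d" % level, "REVIEW")
    if level <= 1:
        return (LEVELS[level], "WEAK: client sends LM responses")
    if level == 2:
        return (LEVELS[level], "WEAK: client sends NTLM, not NTLMv2")
    return (LEVELS[level], "OK: client sends NTLMv2 only")

def audit(collected):
    """Map host -> (policy text, finding) for collected `reg query` output."""
    return {host: classify(parse_level(text)) for host, text in collected.items()}

KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
# Constructed sample input: host names and output are illustrative only.
SAMPLE = {
    "W2K3-SRV1": KEY + "    lmcompatibilitylevel    REG_DWORD    0x4\n",
    "W2K-SRV1": KEY + "    lmcompatibilitylevel    REG_DWORD    0x0\n",
    "W2K-SRV2": KEY + "    Authentication Packages    REG_MULTI_SZ    msv1_0\n",
}

if __name__ == "__main__":
    for host, (policy, finding) in sorted(audit(SAMPLE).items()):
        print("%-10s %-40s %s" % (host, policy, finding))
```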
