tomjbarnard
asked on
Trusts between 2003 and NT4 Domains
We are unable to add a “Trusting domain” in NT4 with one of our Windows 2003 domains
(The other 2 2003 domains <> this NT domain trusts work fine)
We just get the error “The User Account Alredy Exists” when you try to add it ?
Any help appriciated
Points for anyone who can get this working!
(The other 2 2003 domains <> this NT domain trusts work fine)
We just get the error “The User Account Alredy Exists” when you try to add it ?
Any help appriciated
Points for anyone who can get this working!
You May Be Unable to Establish a Trust Relationship Between Either Windows 2000 or Windows Server 2003 and Windows NT Domains: -
http://support.microsoft.com/?kbid=295335
http://support.microsoft.com/?kbid=295335
ASKER
yes we do have firewalls...
However we have 2 domians at our other site and we can create the trusts to this no problem
I have put a line like below into the NT4 PDC lmhosts
172.x.x.x londc102 #PRE #DOM:SUPPORT
Thanks
However we have 2 domians at our other site and we can create the trusts to this no problem
I have put a line like below into the NT4 PDC lmhosts
172.x.x.x londc102 #PRE #DOM:SUPPORT
Thanks
Did you see the above article ?
ASKER
Yes the domain is named support not internet
Thanks
Thanks
On 2003 Server: -
Goto \winnt\security\templates\ compatws.i nf
Right click on it > "Install" and then restart 2003 server.
Goto \winnt\security\templates\
Right click on it > "Install" and then restart 2003 server.
ASKER
We have manged to create other trusts to this 2003 DC from our other NT4 domains fine
and we have used an identical setup on the other 2003 Domain on this site and I can create trusts to this fine from this NT4 domain...
So I dont want to change the security on the DC, well only as a last resort
I think the problem lies on the NT side with the "The User Account Alredy Exists" error?
and we have used an identical setup on the other 2003 Domain on this site and I can create trusts to this fine from this NT4 domain...
So I dont want to change the security on the DC, well only as a last resort
I think the problem lies on the NT side with the "The User Account Alredy Exists" error?
I think there is nothing in Event ID related to this? Is there?
Is the joining DC a duplicate name of an existing computer account?
Also you might find the below link useful.
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbi_add_qqne.asp
Regards,
Mike
Also you might find the below link useful.
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbi_add_qqne.asp
Regards,
Mike
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks,
I am getting the following NETLOGON events on the NT4 box
Failed to authenticate with \\XXXX, a Windows NT domain controller for domain SUPPORT.
and
The session setup from the computer XXXX failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is SUPPORT$.
I am getting the following NETLOGON events on the NT4 box
Failed to authenticate with \\XXXX, a Windows NT domain controller for domain SUPPORT.
and
The session setup from the computer XXXX failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is SUPPORT$.
Event ID? It is helpfull for us.
One second....i have to say something here...
From where are you adding this Trust and you get this error ? from Windows 2000 or from Windows NT ?
From where are you adding this Trust and you get this error ? from Windows 2000 or from Windows NT ?
ASKER
Sorry,
On the 2003 box it sets up then you get "Verification was unsucesful because the security database on the server does not have a computer account for this workstation trust relationship."
On the NT4 box you get the above 2 event log errors repeatedly
NETLOGON 3210
Failed to authenticate with \\XXXX, a Windows NT domain controller for domain SUPPORT.
NETLOGON 5723
The session setup from the computer XXXX failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is SUPPORT$.
but you get the dialoge box "the user account already exists" from user manager.
I am guessing it thinks we do have a support$ account setup?
On the 2003 box it sets up then you get "Verification was unsucesful because the security database on the server does not have a computer account for this workstation trust relationship."
On the NT4 box you get the above 2 event log errors repeatedly
NETLOGON 3210
Failed to authenticate with \\XXXX, a Windows NT domain controller for domain SUPPORT.
NETLOGON 5723
The session setup from the computer XXXX failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is SUPPORT$.
but you get the dialoge box "the user account already exists" from user manager.
I am guessing it thinks we do have a support$ account setup?
Then check that account first.
ASKER
How do I check for the hidden account?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Nope, no support accounts in AD but...
Been trying nltest and netdom to create the trust or diagnose it more...
When I do:
netdom /domain:NT4domain resource 2003domain password /add
I get
Found PDC \\NT4PDC
The user account alredy exists
So the resource account IS setup (support$), but does not apear in user managers trusts
I guess the question is how do I get rid of it, so I can try again?!?!?
Been trying nltest and netdom to create the trust or diagnose it more...
When I do:
netdom /domain:NT4domain resource 2003domain password /add
I get
Found PDC \\NT4PDC
The user account alredy exists
So the resource account IS setup (support$), but does not apear in user managers trusts
I guess the question is how do I get rid of it, so I can try again?!?!?
ASKER
OK reading help helps!
/delete dioes that job!
but I now get
The user account for the resource domain 'support' exisits but it is not marked as a resource domin account
how do I get rid :(
/delete dioes that job!
but I now get
The user account for the resource domain 'support' exisits but it is not marked as a resource domin account
how do I get rid :(
ASKER
Sorted thanks for everyones help
How? Please tell us.
Thanks!
But please let us know for our future response after all we all are trying to learn something :-)
But please let us know for our future response after all we all are trying to learn something :-)
ASKER
Sorry...
Deleted the support$ resource account using NETDOM on the command line
It looks like something went very wrong the first time I tried to set the trust up? you could not see it (and it did not work) but it was in the SAM.
For anyone else having problems NLTEST.exe and NETDOM.exe are very good tools for diagnosing problems - give much more helpfull output about what DC's they are finding - trying to connect to etc.
Thanks agian for the input - its always good to have a sounding board ;)
Deleted the support$ resource account using NETDOM on the command line
It looks like something went very wrong the first time I tried to set the trust up? you could not see it (and it did not work) but it was in the SAM.
For anyone else having problems NLTEST.exe and NETDOM.exe are very good tools for diagnosing problems - give much more helpfull output about what DC's they are finding - trying to connect to etc.
Thanks agian for the input - its always good to have a sounding board ;)
Thanks for letting us know. :-)
have you put an entry on the NT4 PDC's lmhosts file that points to the Netbios name of the 2003 domain and the IP addrtess of one of its domain controllers