• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 433
  • Last Modified:

NT4 / Windows Server 2003 Trust Relationship, can't get it to work, please help

Hi everyone,

I have been trying to setup a trust between an NT4 domain in our San Fran office, to a Windows 2003 Server we're putting into our Reno office.  I have a VPN tunnel created and working, I can ping the servers by IP and NetBios names without a problem.  I have followed the instructions for a 2 way trust in the following MS article:

http://support.microsoft.com/?kbid=325874

Everything goes as it says it does on the 2003 server, but when I try to do it on the NT4 server I get an error that it "Could not find the domain controller for this domain".  

I've added the information for both domains into the LMHOSTS file according to this article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;180094

Made sure all the appropriate spacing was there etc.

I've verified the NetBios name on the 2003 server using a dos command I found here (can't remember it off the top of my head).  

I have WINS servers on both machines but cannot add each server to the other WINS server (access is denied they both say).  

I'm unsure what to do next.  Anyone have any thoughts?  Solutions?
0
Longshot9
Asked:
Longshot9
  • 4
  • 3
1 Solution
 
joedoe58Commented:
Some questions. The NT4 server is it the PDC? Why do you use LMHOST when you have WINS? What kind of trust to you try to set up one-way or two-way?
0
 
Longshot9Author Commented:
The NT4 server is the PDC on the domain that resides in our San Francisco office.  

Why LMHOST when I have WINS?  Cause i'm trying everything to get it to work.  We have a trust relationship with another NT4 domain in our Los Angeles office, and that PDC is in the LMHOSTS and also in WINS.

2 way trust.

I have also done this in case anyone was going to suggest it.

http://support.microsoft.com/kb/q296405/
0
 
brownmattcCommented:
Refer to Microsoft KB 325874

Start with the PDC:

Start Usrmgr
Click Policies -> Trust Relationships
Add Trusted Domain - <2003 Domain Name>
password: <SET PASSWORD>

Add Trusting Domain - <2003 Domain Name>
password: <SET PASSWORD>

Start -> USRMGR
Double Click Administrators group
Add Domain Admins group from 2003 domain



Then on the 2003 Domain:
Start -> Administrative Tools - Active directory Domains and trusts
Right Click Domain -> Properties
Click the Trusts Tab
Click New Trust
Enter the NetBios Name - <NT DOMAIN NAME>
Select Two-Way
Select Domain Wide Authentication
Password: <SAME PASSWORD AS ABOVE>
Select Yes to Confrim the Outgoing Trust
Select yes to Confirm the Incoming Trust


Your trust should now be in place.

If you can ping the servers by name then your HOSTS/LMHOSTS file is configured correctly.

Matt
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
brownmattcCommented:
you may need to add the following to the HOSTS file on the PDC (NOT LMHOSTS):

1.1.1.1  <2003 NETBIOS Domain Name>

Where 1.1.1.1 is the IP of the 2003 PDC Emulator (The first Domain Controller in your enterprise is usually the PDC Emulator).

You can find out which machine is the PDC Emulator by MS KB 324801

Matt
0
 
Longshot9Author Commented:
Thanks for the response brownmattc.  

Well i've got progress, I was able to put it on the NT4 machine without getting any errors, and I can see the 2003 server in Network Neighborhood.  But no luck on the 2003 server, the trust was created but when I tried to map a drive or browse to the NT4 machine in Explorer, I got an errror that the Trust had failed.

Why did it make a difference starting on the NT4 machine?  On that 325874 article it says on a 2 way trust to start on the 2003 machine (which is what I had been doing).
0
 
brownmattcCommented:
The NT4 side does not require the trust to be in place before you add both side (Trusted and Trusting), The 2003 side requires it.  Don't know why the article is backwards.  I found that same problem about 6 months ago with that article.

Did you add the Domain Admins from the 2003 Domain into the Administrators group on the NT Domain?  If you can add the group then the NT side trusts the 2003 Domain.  Then you need to make sure that you use a Domain Admin account to login.

You may also need to specifically give permission for the 2003 Domain account to access the resources on the NT side.  Go to the sharing permissions or the NTFS permissions and add them in there.

Check in the Application log and the System log to see if an event was created there.  If it was copy it here or check on EventID.net for what it means.

Matt
0
 
Longshot9Author Commented:
"Did you add the Domain Admins from the 2003 Domain into the Administrators group on the NT Domain?"  - Yes, this has bee done.  And I am logged in as the Domain Admin in each respective Domain.  

"You may also need to specifically give permission for the 2003 Domain account to access the resources on the NT side.  Go to the sharing permissions or the NTFS permissions and add them in there." - I'm assuming you're referring to specific shares?  I'm not getting denied trying to access specific shares, i'm getting denied when I try to validate the domain, also when I query the domain using the NLTEST.EXE support tool.  If not, I have no idea what permissions you're referring to.  

"Check in the Application log and the System log to see if an event was created there.  If it was copy it here or check on EventID.net for what it means." - The NT4 PDC is reporting EventID: 3210 on every connection attemp from the 2003 Server.  This is a NETLOGON error, here's the text - "Failed to authenticate with \\RENOSRV1, a domain controller for the domain CDHK-RENO"

Here's the link to the EventID.net info on it -

http://www.eventid.net/display.asp?eventid=3210&eventno=1115&source=NETLOGON&phase=1

I tried the suggestion on there to use NLTEST and NETDOM utils, but i'm not familiar with actually how to use them so all I basically did was run a few queries that got access denied.

My boss told me to go ahead and spend the money to call MS so I think i'll do that.  If anyone has any other suggestions they'd be appreciated.
0
 
Longshot9Author Commented:
Spent literally about 10 hours on the phone with MS to fix this, they made a TON of changes into the registry on both the NT4 side and Win2k3 side to finally get it working.  I don't remember specifically what did the trick unfortunately.  Lucky for me, the tech I got didn't know this shouldn't have been supported cause it involved NT4, but he'd already started support so he had to finish.  And they didn't charge me cause of that either!  Nice.  THanks for your help brownmattic.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now