NT4 / Windows Server 2003 Trust Relationship, can't get it to work, please help

Posted on 2005-04-20
Medium Priority
Last Modified: 2011-04-14
Hi everyone,

I have been trying to set up a trust between an NT4 domain in our San Fran office, to a Windows 2003 Server we're putting into our Reno office. I have a VPN tunnel created and working, and I can ping the servers by IP and NetBIOS names without a problem. I have followed the instructions for a 2 way trust in the following MS article:


Everything goes as it says it does on the 2003 server, but when I try to do it on the NT4 server I get an error that it "Could not find the domain controller for this domain".  

I've added the information for both domains into the LMHOSTS file according to this article:


Made sure all the appropriate spacing was there etc.

I've verified the NetBIOS name on the 2003 server using a DOS command I found here (can't remember it off the top of my head).

I have WINS servers on both machines but cannot add each server to the other WINS server (access is denied they both say).  

I'm unsure what to do next.  Anyone have any thoughts?  Solutions?
Question by:Longshot9
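
A check for the LMHOSTS spacing mentioned in the question above, as an added example that is not part of the original thread. It assumes the Microsoft LMHOSTS convention that a quoted domain entry holds exactly 20 characters (the name padded with spaces to 15, then `\0x1b`); the IP address is a constructed documentation address, and the names are the ones quoted later in the thread.

```python
import re

QUOTED = re.compile(r'"([^"]*)"')               # the name between double quotes
SUFFIX = re.compile(r'\\0x([0-9A-Fa-f]{2})$')   # trailing \0xNN service-type byte

def check_lmhosts(text):
    """Return (line_no, message) for each malformed quoted special-name entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # blank line or comment/directive
            continue
        quoted = QUOTED.search(line)
        if quoted is None:                       # ordinary host entry, nothing to pad
            continue
        name = quoted.group(1)
        suffix = SUFFIX.search(name)
        if suffix is None:
            findings.append((no, "quoted name does not end in \\0xNN"))
            continue
        base = name[:suffix.start()].rstrip()
        if len(base) > 15:
            findings.append((no, "NetBIOS name %r is longer than 15 characters" % base))
        elif len(name) != 20:
            findings.append((no, "%d characters inside the quotes, expected 20: pad %r "
                                 "with %d spaces before \\0x%s"
                                 % (len(name), base, 15 - len(base), suffix.group(1))))
    return findings

# Constructed sample file: line 2 is padded correctly, line 3 has only 3 spaces.
SAMPLE = "\n".join([
    "192.0.2.10   RENOSRV1   #PRE #DOM:CDHK-RENO",
    '192.0.2.10   "' + "CDHK-RENO".ljust(15) + '\\0x1b"   #PRE',
    '192.0.2.10   "CDHK-RENO   \\0x1b"   #PRE',
])

if __name__ == "__main__":
    for no, msg in check_lmhosts(SAMPLE):
        print("line %d: %s" % (no, msg))
```
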

Expert Comment

ID: 13829072
Some questions. The NT4 server, is it the PDC? Why do you use LMHOSTS when you have WINS? What kind of trust do you try to set up, one-way or two-way?

Author Comment

ID: 13829105
The NT4 server is the PDC on the domain that resides in our San Francisco office.  

Why LMHOSTS when I have WINS? 'Cause I'm trying everything to get it to work. We have a trust relationship with another NT4 domain in our Los Angeles office, and that PDC is in the LMHOSTS and also in WINS.

2 way trust.

I have also done this in case anyone was going to suggest it.


Expert Comment

ID: 13829861
Refer to Microsoft KB 325874

Start with the PDC:

Start Usrmgr
Click Policies -> Trust Relationships
Add Trusted Domain - <2003 Domain Name>
password: <SET PASSWORD>

Add Trusting Domain - <2003 Domain Name>
password: <SET PASSWORD>

Start -> USRMGR
Double Click Administrators group
Add Domain Admins group from 2003 domain

Then on the 2003 Domain:
Start -> Administrative Tools -> Active Directory Domains and Trusts
Right Click Domain -> Properties
Click the Trusts Tab
Click New Trust
Enter the NetBIOS Name - <NT DOMAIN NAME>
Select Two-Way
Select Domain Wide Authentication
Select Yes to Confirm the Outgoing Trust
Select Yes to Confirm the Incoming Trust

Your trust should now be in place.

If you can ping the servers by name then your HOSTS/LMHOSTS file is configured correctly.



Expert Comment

ID: 13829909
You may need to add the following to the HOSTS file on the PDC (NOT LMHOSTS):  <2003 NETBIOS Domain Name>

Where is the IP of the 2003 PDC Emulator (The first Domain Controller in your enterprise is usually the PDC Emulator).

You can find out which machine is the PDC Emulator by MS KB 324801


Author Comment

ID: 13829986
Thanks for the response brownmattc.  

Well, I've got progress: I was able to put it on the NT4 machine without getting any errors, and I can see the 2003 server in Network Neighborhood. But no luck on the 2003 server; the trust was created, but when I tried to map a drive or browse to the NT4 machine in Explorer, I got an error that the Trust had failed.

Why did it make a difference starting on the NT4 machine?  On that 325874 article it says on a 2 way trust to start on the 2003 machine (which is what I had been doing).

Accepted Solution

brownmattc earned 1500 total points
ID: 13830103
The NT4 side does not require the trust to be in place before you add both sides (Trusted and Trusting); the 2003 side requires it. Don't know why the article is backwards. I found that same problem about 6 months ago with that article.

Did you add the Domain Admins from the 2003 Domain into the Administrators group on the NT Domain? If you can add the group then the NT side trusts the 2003 Domain. Then you need to make sure that you use a Domain Admin account to log in.

You may also need to specifically give permission for the 2003 Domain account to access the resources on the NT side.  Go to the sharing permissions or the NTFS permissions and add them in there.

Check in the Application log and the System log to see if an event was created there. If it was, copy it here or check on EventID.net for what it means.


Author Comment

ID: 13835981
"Did you add the Domain Admins from the 2003 Domain into the Administrators group on the NT Domain?" - Yes, this has been done. And I am logged in as the Domain Admin in each respective Domain.

"You may also need to specifically give permission for the 2003 Domain account to access the resources on the NT side.  Go to the sharing permissions or the NTFS permissions and add them in there." - I'm assuming you're referring to specific shares? I'm not getting denied trying to access specific shares, I'm getting denied when I try to validate the domain, also when I query the domain using the NLTEST.EXE support tool. If not, I have no idea what permissions you're referring to.

"Check in the Application log and the System log to see if an event was created there.  If it was copy it here or check on EventID.net for what it means." - The NT4 PDC is reporting EventID: 3210 on every connection attempt from the 2003 Server. This is a NETLOGON error, here's the text - "Failed to authenticate with \\RENOSRV1, a domain controller for the domain CDHK-RENO"

Here's the link to the EventID.net info on it -


I tried the suggestion on there to use NLTEST and NETDOM utils, but I'm not familiar with actually how to use them so all I basically did was run a few queries that got access denied.

My boss told me to go ahead and spend the money to call MS so I think I'll do that. If anyone has any other suggestions they'd be appreciated.

Author Comment

ID: 13921087
Spent literally about 10 hours on the phone with MS to fix this, they made a TON of changes into the registry on both the NT4 side and Win2k3 side to finally get it working. I don't remember specifically what did the trick unfortunately. Lucky for me, the tech I got didn't know this shouldn't have been supported 'cause it involved NT4, but he'd already started support so he had to finish. And they didn't charge me 'cause of that either! Nice. Thanks for your help brownmattc.


Question has a verified solution.