Longshot9
asked on
NT4 / Windows Server 2003 Trust Relationship, can't get it to work, please help
Hi everyone,
I have been trying to setup a trust between an NT4 domain in our San Fran office, to a Windows 2003 Server we're putting into our Reno office. I have a VPN tunnel created and working, I can ping the servers by IP and NetBios names without a problem. I have followed the instructions for a 2 way trust in the following MS article:
http://support.microsoft.com/?kbid=325874
Everything goes as it says it does on the 2003 server, but when I try to do it on the NT4 server I get an error that it "Could not find the domain controller for this domain".
I've added the information for both domains into the LMHOSTS file according to this article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;180094
Made sure all the appropriate spacing was there etc.
I've verified the NetBios name on the 2003 server using a dos command I found here (can't remember it off the top of my head).
I have WINS servers on both machines but cannot add each server to the other WINS server (access is denied they both say).
I'm unsure what to do next. Anyone have any thoughts? Solutions?
I have been trying to setup a trust between an NT4 domain in our San Fran office, to a Windows 2003 Server we're putting into our Reno office. I have a VPN tunnel created and working, I can ping the servers by IP and NetBios names without a problem. I have followed the instructions for a 2 way trust in the following MS article:
http://support.microsoft.com/?kbid=325874
Everything goes as it says it does on the 2003 server, but when I try to do it on the NT4 server I get an error that it "Could not find the domain controller for this domain".
I've added the information for both domains into the LMHOSTS file according to this article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;180094
Made sure all the appropriate spacing was there etc.
I've verified the NetBios name on the 2003 server using a dos command I found here (can't remember it off the top of my head).
I have WINS servers on both machines but cannot add each server to the other WINS server (access is denied they both say).
I'm unsure what to do next. Anyone have any thoughts? Solutions?
Some questions. The NT4 server is it the PDC? Why do you use LMHOST when you have WINS? What kind of trust to you try to set up one-way or two-way?
ASKER
The NT4 server is the PDC on the domain that resides in our San Francisco office.
Why LMHOST when I have WINS? Cause i'm trying everything to get it to work. We have a trust relationship with another NT4 domain in our Los Angeles office, and that PDC is in the LMHOSTS and also in WINS.
2 way trust.
I have also done this in case anyone was going to suggest it.
http://support.microsoft.com/kb/q296405/
Why LMHOST when I have WINS? Cause i'm trying everything to get it to work. We have a trust relationship with another NT4 domain in our Los Angeles office, and that PDC is in the LMHOSTS and also in WINS.
2 way trust.
I have also done this in case anyone was going to suggest it.
http://support.microsoft.com/kb/q296405/
Refer to Microsoft KB 325874
Start with the PDC:
Start Usrmgr
Click Policies -> Trust Relationships
Add Trusted Domain - <2003 Domain Name>
password: <SET PASSWORD>
Add Trusting Domain - <2003 Domain Name>
password: <SET PASSWORD>
Start -> USRMGR
Double Click Administrators group
Add Domain Admins group from 2003 domain
Then on the 2003 Domain:
Start -> Administrative Tools - Active directory Domains and trusts
Right Click Domain -> Properties
Click the Trusts Tab
Click New Trust
Enter the NetBios Name - <NT DOMAIN NAME>
Select Two-Way
Select Domain Wide Authentication
Password: <SAME PASSWORD AS ABOVE>
Select Yes to Confrim the Outgoing Trust
Select yes to Confirm the Incoming Trust
Your trust should now be in place.
If you can ping the servers by name then your HOSTS/LMHOSTS file is configured correctly.
Matt
Start with the PDC:
Start Usrmgr
Click Policies -> Trust Relationships
Add Trusted Domain - <2003 Domain Name>
password: <SET PASSWORD>
Add Trusting Domain - <2003 Domain Name>
password: <SET PASSWORD>
Start -> USRMGR
Double Click Administrators group
Add Domain Admins group from 2003 domain
Then on the 2003 Domain:
Start -> Administrative Tools - Active directory Domains and trusts
Right Click Domain -> Properties
Click the Trusts Tab
Click New Trust
Enter the NetBios Name - <NT DOMAIN NAME>
Select Two-Way
Select Domain Wide Authentication
Password: <SAME PASSWORD AS ABOVE>
Select Yes to Confrim the Outgoing Trust
Select yes to Confirm the Incoming Trust
Your trust should now be in place.
If you can ping the servers by name then your HOSTS/LMHOSTS file is configured correctly.
Matt
you may need to add the following to the HOSTS file on the PDC (NOT LMHOSTS):
1.1.1.1 <2003 NETBIOS Domain Name>
Where 1.1.1.1 is the IP of the 2003 PDC Emulator (The first Domain Controller in your enterprise is usually the PDC Emulator).
You can find out which machine is the PDC Emulator by MS KB 324801
Matt
1.1.1.1 <2003 NETBIOS Domain Name>
Where 1.1.1.1 is the IP of the 2003 PDC Emulator (The first Domain Controller in your enterprise is usually the PDC Emulator).
You can find out which machine is the PDC Emulator by MS KB 324801
Matt
ASKER
Thanks for the response brownmattc.
Well i've got progress, I was able to put it on the NT4 machine without getting any errors, and I can see the 2003 server in Network Neighborhood. But no luck on the 2003 server, the trust was created but when I tried to map a drive or browse to the NT4 machine in Explorer, I got an errror that the Trust had failed.
Why did it make a difference starting on the NT4 machine? On that 325874 article it says on a 2 way trust to start on the 2003 machine (which is what I had been doing).
Well i've got progress, I was able to put it on the NT4 machine without getting any errors, and I can see the 2003 server in Network Neighborhood. But no luck on the 2003 server, the trust was created but when I tried to map a drive or browse to the NT4 machine in Explorer, I got an errror that the Trust had failed.
Why did it make a difference starting on the NT4 machine? On that 325874 article it says on a 2 way trust to start on the 2003 machine (which is what I had been doing).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
"Did you add the Domain Admins from the 2003 Domain into the Administrators group on the NT Domain?" - Yes, this has bee done. And I am logged in as the Domain Admin in each respective Domain.
"You may also need to specifically give permission for the 2003 Domain account to access the resources on the NT side. Go to the sharing permissions or the NTFS permissions and add them in there." - I'm assuming you're referring to specific shares? I'm not getting denied trying to access specific shares, i'm getting denied when I try to validate the domain, also when I query the domain using the NLTEST.EXE support tool. If not, I have no idea what permissions you're referring to.
"Check in the Application log and the System log to see if an event was created there. If it was copy it here or check on EventID.net for what it means." - The NT4 PDC is reporting EventID: 3210 on every connection attemp from the 2003 Server. This is a NETLOGON error, here's the text - "Failed to authenticate with \\RENOSRV1, a domain controller for the domain CDHK-RENO"
Here's the link to the EventID.net info on it -
http://www.eventid.net/display.asp?eventid=3210&eventno=1115&source=NETLOGON&phase=1
I tried the suggestion on there to use NLTEST and NETDOM utils, but i'm not familiar with actually how to use them so all I basically did was run a few queries that got access denied.
My boss told me to go ahead and spend the money to call MS so I think i'll do that. If anyone has any other suggestions they'd be appreciated.
"You may also need to specifically give permission for the 2003 Domain account to access the resources on the NT side. Go to the sharing permissions or the NTFS permissions and add them in there." - I'm assuming you're referring to specific shares? I'm not getting denied trying to access specific shares, i'm getting denied when I try to validate the domain, also when I query the domain using the NLTEST.EXE support tool. If not, I have no idea what permissions you're referring to.
"Check in the Application log and the System log to see if an event was created there. If it was copy it here or check on EventID.net for what it means." - The NT4 PDC is reporting EventID: 3210 on every connection attemp from the 2003 Server. This is a NETLOGON error, here's the text - "Failed to authenticate with \\RENOSRV1, a domain controller for the domain CDHK-RENO"
Here's the link to the EventID.net info on it -
http://www.eventid.net/display.asp?eventid=3210&eventno=1115&source=NETLOGON&phase=1
I tried the suggestion on there to use NLTEST and NETDOM utils, but i'm not familiar with actually how to use them so all I basically did was run a few queries that got access denied.
My boss told me to go ahead and spend the money to call MS so I think i'll do that. If anyone has any other suggestions they'd be appreciated.
ASKER
Spent literally about 10 hours on the phone with MS to fix this, they made a TON of changes into the registry on both the NT4 side and Win2k3 side to finally get it working. I don't remember specifically what did the trick unfortunately. Lucky for me, the tech I got didn't know this shouldn't have been supported cause it involved NT4, but he'd already started support so he had to finish. And they didn't charge me cause of that either! Nice. THanks for your help brownmattic.