Solved

Access denied when verifying a trust between a 2000 and 2003 domain

Posted on 2007-11-29
5
592 Views
Last Modified: 2013-12-23
OK, here is the problem. I am trying to create a two-way trust between a 2000 domain and a 2003 domain. We have many other trusts and domains so this is nothing new. I creat the trust from the 2003 server and have it create both. I can verify from the 2003 domain but when I verify from the 2000 domain I receive an Active Directory Access Denied error. I have other 2000 domains that trust the 2003 domain that work fine. I have checked the DNS lookup zones and everything seems to be correct. part of it must be working because I can ping and browse the 2000 domain from the 2003 however I cannot browse the 2003 domain from the 2000. Any ideas???

Thanks,
Larry

Open in new window

0
Comment
Question by:lschroeder
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 13

Accepted Solution

by:
Kini pradeep earned 500 total points
ID: 20379419
can you check the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

on both the windows 2000 and win 2003 Dc's ?
also can you check the Lmcompatibilitylevel under the LSA key in the registry .
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
0
 
LVL 37

Expert Comment

by:bbao
ID: 20380897
can you please let us know the exact error message you got? thanks.
0
 

Author Comment

by:lschroeder
ID: 20382720
When I try and verify the trust from the Windows 2000 domain and enter the user name and password for the 2003 domain I receive an Active Directory "Access Denied" error. That is all I receive.

Thanks,
Larry
0
 

Author Comment

by:lschroeder
ID: 20383345
The LM compatibility os as follows:
2000server 0
2003server 2

I have attached copies of the other registry entries.

The 2003 server does have other successful trusts with 2000 domains. as does the 2000 domain

Thanks for the help!
Larry
registry entried from the 2000server:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
  00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
  45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,45,\
  00,50,00,4d,00,41,00,50,00,50,00,45,00,52,00,00,00,4c,00,4f,00,43,00,41,00,\
  54,00,4f,00,52,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,54,00,72,\
  00,6b,00,53,00,76,00,72,00,00,00,48,00,79,00,64,00,72,00,61,00,4c,00,73,00,\
  50,00,69,00,70,00,65,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,\
  00,4c,00,69,00,63,00,65,00,6e,00,73,00,69,00,6e,00,67,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
  00,53,00,24,00,00,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000003
"Guid"=hex:78,8d,48,15,03,2e,9d,4a,90,03,8e,28,b7,df,9e,57
"CachedOpenLimit"=dword:00000000
"srvcomment"="PNTUSADC01 - PDC/File/Print Server"
"users"=dword:ffffffff
"hidden"=dword:00000000
"announce"=dword:000000f0
"anndelta"=dword:00000bb8
"userpath"="c:\\"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"OtherDomains"=hex(7):00,00
 
Here is the entries from the 2003 server:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"restrictnullsessaccess"=dword:00000001
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
  00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
  45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,48,\
  00,79,00,64,00,72,00,61,00,4c,00,73,00,50,00,69,00,70,00,65,00,00,00,54,00,\
  65,00,72,00,6d,00,53,00,65,00,72,00,76,00,4c,00,69,00,63,00,65,00,6e,00,73,\
  00,69,00,6e,00,67,00,00,00,6e,00,65,00,74,00,6c,00,6f,00,67,00,6f,00,6e,00,\
  00,00,6c,00,73,00,61,00,72,00,70,00,63,00,00,00,73,00,61,00,6d,00,72,00,00,\
  00,62,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
  00,53,00,24,00,00,00,00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,72,00,76,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000003
"CachedOpenLimit"=dword:00000000
"srvcomment"="Warrington Domain Controller"
"AdjustedNullSessionPipes"=dword:00000001
"Guid"=hex:36,2e,b8,20,cc,b9,3c,4e,b4,08,ce,ca,ec,e1,78,83
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,6b,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"OtherDomains"=hex(7):00,00

Open in new window

0
 

Author Comment

by:lschroeder
ID: 20404031
Figured it out after comparing the registry entries with different machines. Needed to enable security signature on the 2000 machine. Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question