• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2014
  • Last Modified:

Re-establish trust relationship between NT 4.0 & Active Directory Server 2003

Pre-existing condition. An NT 4.0 Server was replaced with Small Business Server 2003 and Active Directory. Server 2003 indicates trust relationship is broken. NT 4.0 Server NET LOGON service is set to Automatic but won't start. When attempting to start NET LOGON on NT 4.0 Server, the following error appears:

Could not start the NET LOGON service on\\servername

error 1787: The SAM database on the Windows NT Server does not have a computer account for this workstation trust relationship.

How do I resolve on tthis error on the NT 4.0 Server in an Active Directory Server 2003 environment?  
0
gas_bugs
Asked:
gas_bugs
  • 5
  • 3
  • 2
1 Solution
 
oBdACommented:
That question is not quite clear.
What exactly do you mean with "replaced", what is this NT4 server that won't start the netlogon service (the 'replaced' one?), and what relation exists/should exist between this NT4 server and the W2k3 server: are these two different domains with a trust relationship, is the NT4 a member in the AD domain, is it a BDC in the AD?
0
 
gas_bugsAuthor Commented:
NT 4.0 Server NET LOGON service is set to Automatic but won't start. When attempting to start NET LOGON on NT 4.0 Server, the following error appears:

Could not start the NET LOGON service on\\servername

error 1787: The SAM database on the Windows NT Server does not have a computer account for this workstation trust relationship.

Maybe this issue is best resolved by first addressing the error 1787. It seems the servers can't talk if NET LOGON is broken.

W2k3 is PDC running AD.  NT40 was DC, but AD is running on W2k3 PDC. It is unclear what the role of the NT40 server is assuming at this time.
0
 
oBdACommented:
Your domain setup is still not clear. You need to be way more precise in your description if you want someone who is not familiar with your network (and that means just about everybody on this site) to be able to help you.
Did you do an *upgrade* of the NT4 domain to AD, and the NT4 DC is now a BDC of the AD domain, or did you do a *migration* from NT4 to AD, with two independent DCs and a trust established between them?
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
gas_bugsAuthor Commented:
I'm a new hire, so I'm trying to figure out how the NT40 server fits into the network. My understanding is that  dcpromo was used to demote the NT40 server from DC role, the w2k3 server became the PDC, & AD was implemented.

Here is 1 Event ID error being generated on the w2k3 PDC:

Source: NETLOGON
Category: None
Type: Error
Event ID: 5723

The session setup from computer 'servername' failed because the security database does not contain a trust account 'sername$' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:  

If 'SERVERNAME$' is a legitimate machine account for the computer 'SERVERNAME', then 'SERVERNAME' should be rejoined to the domain.  

If 'SERVERNAME$' is a legitimate interdomain trust account, then the trust should be recreated.  


Otherwise, assuming that 'SERVERNAME$' is not a legitimate account, the following action should be taken on 'SERVERNAME':  

If 'SERVERNAME' is a Domain Controller, then the trust associated with 'SERVERNAME$' should be deleted.  

If 'SERVERNAME' is not a Domain Controller, it should be disjoined from the domain.
- - - - - - - - - - - - - - - -

On the w2k3 PDC, the "Help and Support" Service is not listed in "Services" (separate issue). Attempts to click the Microsoft url fails bec. "Help and Support" Service does not exist on w2k3 PDC.

Plus the NT40 computer or SERVERNAME is not found in the AD structure. The w2k3 PDC server can see the NT40 computer & open, map and access its folders & files. but no one else can.
0
 
ChiefITCommented:
It sounds like and looks like your NT4 server is trying to authenticate using NTLMhash. If the 2k3 server is set up to not allow NTLMhash to authenticate with, the netlogon service may be stopped by your 2k3 server. However, I find this to be interesting because the NT server was demoted and is only a member server on a workgroup at this point in time. Since you are trying to use the netlogon service to authenticate with the 2003 DC, you will have to make the 2k3 server backwards compatible by allowing NTLMhash authentication.

NTLMhash is a very hackable security protocol. So, it is a security breach to make NTLMhash authentication allowed on your domain. If you are looking for information on NTLMhash and how to make these compatible, then, please look at the following article:

I definately recommend taking what you need off of the NT computer and decommision it, then go back to kerberos.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html
0
 
gas_bugsAuthor Commented:
Thanks a bunch for the input. It's a Monday, so I'm working through your suggestions as time allows. I'll post updates regarding issues already discussed.

Resolved the following:
On the w2k3 PDC, the "Help and Support" Service is not listed in "Services" (separate issue). Attempts to click the Microsoft url fails bec. "Help and Support" Service does not exist on w2k3 PDC.
Resolution is (my thanks to Justin Crosby):
Type "cmd" in "Run"
Type "cd %windidr%\PCHealth\HelpCtr\Binaries"
Type "start /w helpsvc /svchost netsvcs /reserver /install"
Goto "Services"
Start "Help and Support" service.
http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx

Next, continue dealing with NT40 issue.
0
 
ChiefITCommented:
How goes the battle?
0
 
gas_bugsAuthor Commented:
ChiefIT,

I've printed your suggestion, followed the links and read the articles. It's a unique situation, that I've been unable to resolve. As an alternatative solution, we're attempting to move an old Borland database off the NT40 Server. The issue with that process is, the Borland product is copyrighted 1996, and is using Interbase in ODBC. Getting it to run on an XP Pro workstation hasn't worked yet. Whenever the database issue is resolved, the NT40 Server will be taken out of service.

If anyone has any experience with Borland and Interbase, your comments would be appreciated as well.
Thanks.
0
 
ChiefITCommented:
http://soft.softoogle.com/ap/borland-database-engine-download-145.shtml

What version are you using. This site says 5.2 Borland engine works with XP. It's a free download. You know what that means.

You know what the term "Free" means on the internet, right?
0
 
gas_bugsAuthor Commented:
The hard drive bearings are whining. The NT 4.0 server data is backed up. The server has been on the network for approx 14 yrs. We used a database conversion utility program from

http://www.spectralcore.com/

The free trial of Full Convert worked great, so we purchased the product and converted the old database .


Issue Resolved
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 5
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now