Solved

Re-establish trust relationship between NT 4.0 & Active Directory Server 2003

Posted on 2008-06-25
Last Modified: 2013-12-28
Pre-existing condition. An NT 4.0 Server was replaced with Small Business Server 2003 and Active Directory. Server 2003 indicates trust relationship is broken. NT 4.0 Server NET LOGON service is set to Automatic but won't start. When attempting to start NET LOGON on NT 4.0 Server, the following error appears:

Could not start the NET LOGON service on\\servername

error 1787: The SAM database on the Windows NT Server does not have a computer account for this workstation trust relationship.

How do I resolve this error on the NT 4.0 Server in an Active Directory Server 2003 environment?
0
Question by:gas_bugs
10 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 21870006
That question is not quite clear.
What exactly do you mean with "replaced", what is this NT4 server that won't start the netlogon service (the 'replaced' one?), and what relation exists/should exist between this NT4 server and the W2k3 server: are these two different domains with a trust relationship, is the NT4 a member in the AD domain, is it a BDC in the AD?
0
 

Author Comment

by:gas_bugs
ID: 21870234
NT 4.0 Server NET LOGON service is set to Automatic but won't start. When attempting to start NET LOGON on NT 4.0 Server, the following error appears:

Could not start the NET LOGON service on\\servername

error 1787: The SAM database on the Windows NT Server does not have a computer account for this workstation trust relationship.

Maybe this issue is best resolved by first addressing the error 1787. It seems the servers can't talk if NET LOGON is broken.

W2k3 is PDC running AD. NT40 was DC, but AD is running on W2k3 PDC. It is unclear what role the NT40 server is assuming at this time.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 21872747
Your domain setup is still not clear. You need to be way more precise in your description if you want someone who is not familiar with your network (and that means just about everybody on this site) to be able to help you.
Did you do an *upgrade* of the NT4 domain to AD, and the NT4 DC is now a BDC of the AD domain, or did you do a *migration* from NT4 to AD, with two independent DCs and a trust established between them?
0
 

Author Comment

by:gas_bugs
ID: 21875006
I'm a new hire, so I'm trying to figure out how the NT40 server fits into the network. My understanding is that dcpromo was used to demote the NT40 server from DC role, the w2k3 server became the PDC, & AD was implemented.

Here is 1 Event ID error being generated on the w2k3 PDC:

Source: NETLOGON
Category: None
Type: Error
Event ID: 5723

The session setup from computer 'servername' failed because the security database does not contain a trust account 'sername$' referenced by the specified computer.  

USER ACTION  
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:  

If 'SERVERNAME$' is a legitimate machine account for the computer 'SERVERNAME', then 'SERVERNAME' should be rejoined to the domain.  

If 'SERVERNAME$' is a legitimate interdomain trust account, then the trust should be recreated.  


Otherwise, assuming that 'SERVERNAME$' is not a legitimate account, the following action should be taken on 'SERVERNAME':  

If 'SERVERNAME' is a Domain Controller, then the trust associated with 'SERVERNAME$' should be deleted.  

If 'SERVERNAME' is not a Domain Controller, it should be disjoined from the domain.
- - - - - - - - - - - - - - - -

On the w2k3 PDC, the "Help and Support" Service is not listed in "Services" (separate issue). Attempts to click the Microsoft URL fail because the "Help and Support" Service does not exist on the w2k3 PDC.

Plus, the NT40 computer, or SERVERNAME, is not found in the AD structure. The w2k3 PDC server can see the NT40 computer and open, map and access its folders & files, but no one else can.
0
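The USER ACTION decision tree in the Event ID 5723 text quoted above, applied to a batch of events. This is an added example, not part of the original thread; the host names, the sample events and the three inventory sets (known machine accounts, interdomain trust accounts, domain controllers) are constructed assumptions.

```python
import re
from collections import Counter

# Message text of NETLOGON Event ID 5723, as quoted in the post above.
EVENT_5723 = re.compile(
    r"session setup from computer '(?P<computer>[^']+)' failed because the "
    r"security database does not contain a trust account '(?P<account>[^']+)'"
)

def triage_5723(messages, machine_accounts=(), trust_accounts=(), domain_controllers=()):
    """Return {(computer, account): action} following the event's USER ACTION text.

    The three inventories are assumptions: names the administrator already
    knows to be legitimate machine accounts, interdomain trusts, and DCs.
    """
    machines = {n.upper() for n in machine_accounts}
    trusts = {n.upper() for n in trust_accounts}
    dcs = {n.upper() for n in domain_controllers}
    seen = Counter()
    for msg in messages:
        m = EVENT_5723.search(" ".join(msg.split()))  # tolerate wrapped lines
        if m:
            seen[(m["computer"].upper(), m["account"].upper())] += 1
    actions = {}
    for (computer, account), count in seen.items():
        if count == 1:
            action = "MONITOR"          # first occurrence may be transient
        elif account in machines:
            action = "REJOIN_DOMAIN"    # legitimate machine account
        elif account in trusts:
            action = "RECREATE_TRUST"   # legitimate interdomain trust account
        elif computer in dcs:
            action = "DELETE_TRUST"     # not legitimate, caller is a DC
        else:
            action = "DISJOIN"          # not legitimate, caller is not a DC
        actions[(computer, account)] = action
    return actions

# Constructed sample events (hypothetical host names, not from the thread).
_MSG = ("The session setup from computer '{c}' failed because the security database "
        "does not contain a trust account '{a}' referenced by the specified computer.")
SAMPLE = [_MSG.format(c=c, a=a) for c, a in [
    ("NT40SRV", "NT40SRV$"), ("NT40SRV", "NT40SRV$"),
    ("OLDDC", "LEGACYDOM$"), ("OLDDC", "LEGACYDOM$"),
    ("KIOSK7", "KIOSK7$"), ("LABPC", "LABPC$"), ("LABPC", "LABPC$"),
]]

if __name__ == "__main__":
    result = triage_5723(SAMPLE, machine_accounts={"NT40SRV$"}, domain_controllers={"OLDDC"})
    for (computer, account), action in sorted(result.items()):
        print(f"{computer:8} {account:12} {action}")
```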
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21896197
It sounds like and looks like your NT4 server is trying to authenticate using NTLMhash. If the 2k3 server is set up to not allow NTLMhash to authenticate with, the netlogon service may be stopped by your 2k3 server. However, I find this to be interesting because the NT server was demoted and is only a member server on a workgroup at this point in time. Since you are trying to use the netlogon service to authenticate with the 2003 DC, you will have to make the 2k3 server backwards compatible by allowing NTLMhash authentication.

NTLMhash is a very hackable security protocol. So, it is a security breach to make NTLMhash authentication allowed on your domain. If you are looking for information on NTLMhash and how to make these compatible, then, please look at the following article:

I definitely recommend taking what you need off of the NT computer and decommissioning it, then go back to Kerberos.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html
0
 

Author Comment

by:gas_bugs
ID: 21902468
Thanks a bunch for the input. It's a Monday, so I'm working through your suggestions as time allows. I'll post updates regarding issues already discussed.

Resolved the following:
On the w2k3 PDC, the "Help and Support" Service is not listed in "Services" (separate issue). Attempts to click the Microsoft URL fail because the "Help and Support" Service does not exist on the w2k3 PDC.
Resolution is (my thanks to Justin Crosby):
Type "cmd" in "Run"
Type "cd %windir%\PCHealth\HelpCtr\Binaries"
Type "start /w helpsvc /svchost netsvcs /regserver /install"
Go to "Services"
Start "Help and Support" service.
http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx

Next, continue dealing with NT40 issue.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22013092
How goes the battle?
0
 

Author Comment

by:gas_bugs
ID: 22016747
ChiefIT,

I've printed your suggestion, followed the links and read the articles. It's a unique situation that I've been unable to resolve. As an alternative solution, we're attempting to move an old Borland database off the NT40 Server. The issue with that process is, the Borland product is copyrighted 1996, and is using Interbase in ODBC. Getting it to run on an XP Pro workstation hasn't worked yet. Whenever the database issue is resolved, the NT40 Server will be taken out of service.

If anyone has any experience with Borland and Interbase, your comments would be appreciated as well.
Thanks.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22357667
http://soft.softoogle.com/ap/borland-database-engine-download-145.shtml

What version are you using? This site says 5.2 Borland engine works with XP. It's a free download. You know what that means.

You know what the term "Free" means on the internet, right?
0
 

Accepted Solution

by:
gas_bugs earned 0 total points
ID: 22402246
The hard drive bearings are whining. The NT 4.0 server data is backed up. The server has been on the network for approx 14 yrs. We used a database conversion utility program from

http://www.spectralcore.com/

The free trial of Full Convert worked great, so we purchased the product and converted the old database.


Issue Resolved
0
