Can I create a trust between domains that have 2003 DC and 2008 DC?

Posted on 2011-03-18
Last Modified: 2012-05-11
I have a domain running a 2003 environment in level 2 because it still has some older NT 4 BDC in it running some software programs for the company.
I want to create a trust from that domain to a domain running a single 2008 DC environment. Can it be done and how?
Thanks.
0
Question by:raffie613
10 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35168387
Haven't tested in a mixed domain like that. You can try, and then if it doesn't work, turn off the cryptographic algorithms setting as described here:

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/10/considerations-when-upgrading-your-active-directory-to-windows-server-2008-and-2008-r2.aspx

I'm guessing it will work because you have a 2003 PDCe.  

Out of curiosity why do you still have NT domain controllers in that domain?

Thanks

Mike
0
 
LVL 3

Expert Comment

by:barane
ID: 35168680
Hi,

Creating a trust between NT 4.0 and 2008 doesn't work in many cases because NT 4.0 uses NTLMv1 for authentication.

NTLMv1 is not very secure because it doesn't support encryption, so it has been denied in Windows 2008. But if your NT 4.0 uses NTLMv2 for authentication, then you have to perform n number of changes in 2008 GP for the trust creation.

Just be careful: if objects use NTLMv1 for authentication, then after upgrading to NTLMv2, it will not support the previous version's authentication.

To upgrade your NT 4.0 authentication level, your NT 4.0 should be equipped with SP4.

External trust is supported for a Windows Server 2008–based domain and a Windows NT–based domain.

Trusts that are created between Windows NT 4.0 domains and AD DS domains are one way and nontransitive, and they require NetBIOS name resolution. For that, you have to modify the LMHOSTS files in NT 4.0 to have name resolution.

0
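
Added example, not part of any post in this thread: a read-only PowerShell check, run on the Windows Server 2008 DC, of the two settings the answers above refer to. It assumes the "cryptographic algorithms setting" is the Netlogon policy "Allow cryptography algorithms compatible with Windows NT 4.0" (registry value AllowNT4Crypto) and that the NTLM level is the "Network security: LAN Manager authentication level" policy (LmCompatibilityLevel); the function names are illustrative.

```powershell
# Added example (not from the thread). Reads two registry values; changes nothing.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-LegacyAuthPosture {
    # Meaning of each LAN Manager authentication level (policy wording).
    $lmLevels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    $nt4 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'AllowNT4Crypto'
    $lm  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'

    if ($null -eq $lm) {
        $lmText = 'not set (operating system default applies)'
    } elseif ($lmLevels.ContainsKey([int]$lm)) {
        $lmText = $lmLevels[[int]$lm]
    } else {
        $lmText = "unexpected value $lm"
    }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        AllowNT4Crypto       = $nt4
        # Only an explicit 1 makes Netlogon accept NT 4.0-style secure channel crypto.
        NT4CryptoAccepted    = ($nt4 -eq 1)
        LmCompatibilityLevel = $lm
        LmLevelMeaning       = $lmText
        # Level 5 means the DC refuses NTLMv1; lower levels still accept it.
        DcRefusesNTLMv1      = ($lm -eq 5)
    }
}

Get-LegacyAuthPosture | Format-List
```

Both values are usually delivered by Group Policy, so compare the result with the effective policy (for example, `gpresult`) before changing anything, and record the original values so a compatibility change made for the trust can be reverted.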
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35168730
...but in this case his domain is 2003...have you tested that?
0

 
LVL 3

Expert Comment

by:barane
ID: 35169008
Hey, I misunderstood that he tries to connect between 2008 and NT, so I had given the explanation.
If it's 2003 to 2008, I would agree with your solution.
0
 

Accepted Solution

by:
raffie613 earned 0 total points
ID: 35182276
It is a 2003 domain mainly; we had to keep the two NT BDC machines for now because of a cost issue with the software that is running on them. I do not need them at all for any type of authentication.
I wonder, if I upgrade the level of my AD, will machines on the network still be able to use the software running on those NT machines?
0
 
LVL 3

Expert Comment

by:barane
ID: 35182603
Yes, you could be able to access software running on NT.
0
 

Author Comment

by:raffie613
ID: 35182625
So if I do the level upgrade using ADMT, I won't lose any connectivity to my NT 4 BDC machines?
0
 
LVL 3

Expert Comment

by:barane
ID: 35182754
Is the migration to 2003 or 2008? If it is 2008 you have to think off
0
 

Author Comment

by:raffie613
ID: 35183076
What do you mean, think off?
I would just upgrade the AD level from 2 to 1.
0
 

Author Closing Comment

by:raffie613
ID: 35499834
No one else had anything worthwhile.
0
