Re: NT4.0 to 2003 Trust Error
- From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
- Date: Mon, 10 Jul 2006 06:41:11 GMT
Hi,
Check the following things on the Windows 2003 PDC.
1. Edit the Default Domain Controllers Policy and navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
2. Configure the following options:
- For a Windows 2003 domain:
"Network access: Do not allow anonymous enumeration of SAM accounts" -> Disable
"Network access: Do not allow anonymous enumeration of SAM accounts and shares" -> Disable
3. Also configure the following options:
- For a Windows 2003 domain:
Domain member: Require strong (Windows 2000 or later) session key -> Disable
4. This change requires a reboot of the server. Reboot the PDC and check the registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, restrictanonymous -> 0
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, requirestrongkey -> 0
Note that if these registry entries do not match these values, it means that there is at least another policy that is also defining the effective restrictanonymous and/or requirestrongkey values.
We would follow these steps also in that policy.
5. Now we will be able to create and verify the trust relationship successfully.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================
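The registry check in step 4 above can be scripted. This is an added example, not part of the original post: it reads the two values named in the post on the local machine and separates a value that is absent from one that differs from the expected 0. The function name Test-TrustRegistryValue is hypothetical.

```powershell
# Added example: verify the registry values from step 4 after the reboot.
# Paths, value names and expected data (0) are the ones given in the post.
$checks = @(
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'restrictanonymous'
       Expected = 0 },
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name     = 'requirestrongkey'
       Expected = 0 }
)

# Hypothetical helper: returns one result object per registry value.
function Test-TrustRegistryValue {
    param(
        [string]$Path,
        [string]$Name,
        [int]$Expected
    )

    # A missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $actual = $null
        $status = 'NotSet'      # value not present in the registry at all
    } elseif ($item.$Name -eq $Expected) {
        $actual = $item.$Name
        $status = 'OK'
    } else {
        # Per the post: a different value means at least one other policy
        # is also defining the effective setting.
        $actual = $item.$Name
        $status = 'Mismatch'
    }

    New-Object PSObject -Property @{
        Path     = $Path
        Name     = $Name
        Expected = $Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = foreach ($c in $checks) { Test-TrustRegistryValue @c }
$results | Format-Table Name, Expected, Actual, Status, Path -AutoSize
```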
--------------------
From: "sdavis821@xxxxxxxxx" <sdavis821@xxxxxxxxx>
Newsgroups: microsoft.public.windows.server.migration
Subject: Re: NT4.0 to 2003 Trust Error
Date: 8 Jul 2006 16:05:13 -0700
Vincent Xu [MSFT] wrote:
> Hi,
> My suggestions:
> 1. Check lmhosts file.
> 314108 How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;314108
Done, still have issue.
> 2. NLTEST /SC_QUERY:<window NT DOMAIN_NAME_TO_CHECK>
> let me know the exact output.
I am getting syntax of the command is incorrect,
: nltest /sc_query:<ntdomain>
I cannot get to run on nt machine to verify. I can see that it shows both domains when I do a /TRUSTED_DOMAINS from the 03domain it shows:
0 ntdomain (nt 4) (direct outbound) (direct inbound) ( attr: quarantined )
1 03domain 03domain.com (nt 5) (forest tree root) (primary domain) (native)
> 3. Check "Network access: Do not allow anonymous enumeration of SAM accounts" -> Disable
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, requirestrongkey -> 0
done still not working.
> Now, recreate the trust to see if it helps.
> Best regards,
> Vincent Xu
> Microsoft Online Partner Support
--------------------
From: sdavis821@xxxxxxxxx
Newsgroups: microsoft.public.windows.server.migration
Subject: NT4.0 to 2003 Trust Error
Date: 5 Jul 2006 15:28:12 -0700
Hello,
I have an NT4.0 Domain (DIGINK) and a Windows 2003 Domain (DIGITAL).
NT 4.0 PDC (DI_NT1) Windows 2003 AD (ATLANTIS)
Windows 2003 is in native mode
I can create the trust in Windows 2003 no issue.
When I try to connect the NT4.0 domain in I get Access is denied.
I can ping both PDCs from the other using system names.
If I type the wrong password it tells me it's the wrong password.
should work fine.
Followed directions with every Microsoft article I found.
Checked with this post:
(http://groups.google.com/group/microsoft.public.windows.server.migration/browse_thread/thread/34d749b6227a1d23/5648a3120caf98c%235648a3120caf98c)
And I still cannot find where the error is.
Can anyone help?