RE: Failed to create a trust relationship between NT4 and 2003 AD

Hi Vincent,

1) There is the same result on W2K3 and NT servers,
Ping IP -- work
Ping -a IP -- work and resolve the NT4 server name
Ping name -- NO RESPONSE
Ping fullname.domain.com -- work

2) Error occurred when use command "net view \\NT4PDC" or "net view \\NT4PDC
/domain:NT4domain" in W2K3 server.
"System error 5 has occurred.
Access is denied."

Error occurred when use command "net view \\W2K3DC" or "net view \\W2K3DC
/domain:W2K3domain" in NT4 server.
"System error 53 has occurred.
The network path was not found."

3) 4) 5) I will try to configure it based on your previous recommendation.
Thanks.

Regards,
ODBC


"Vincent Xu [MSFT]" wrote:

Hi,

OK, check following things:

1. Ping from NT4 to 2003 by IP & Netbios name, let me know the exact output.

2. Net view IP & Netbios name, let me know the exact output.

3. On 2003 server, and open domain security policy & domain controller
security policy in Administrative tools, go to local policies / security
optioins. Check the things I metioned in my previous reply.

4. regarding USER RIGHTS checking , please check local policies/user rights
assignment

5. regarding GROUP MEMBERSHIP, please go to Active Directory Users and
Computers / built-in to check






Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
Thread-Topic: Failed to create a trust relationship between NT4 and 2003
AD
thread-index: AcastTvCb5ImhNzYTTazfwC5/Z9wgA==
X-WBNR-Posting-Host: 202.175.172.23
From: =?Utf-8?B?T0RCQw==?= <ODBC@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <1153325365.444994.27380@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
<GQxNDi6qGHA.4728@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Failed to create a trust relationship between NT4 and 2003 AD
Date: Fri, 21 Jul 2006 04:03:01 -0700
Lines: 236
Message-ID: <4AA11258-895C-4731-8D1F-D0D8E21842A7@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.migration
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24528
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.migration

Hi Vincent,

One more question, right now both WINS are pointing to their own DC.
Should
I need to point the NT4 PDC's IP to the primary WINS and DNS of the W2K3
AD
domain and vise versa? Thanks.

Regards,
ODBC


"Vincent Xu [MSFT]" wrote:

Hi,

Seems to be a duplicate post. Whatever, make the reply more detail:

1. Check that the LMHOSTS file is in the correct location and formatted
properly
- Location: %SystemRoot%\System32\Drivers\Etc
- Formatting: Spacing is crucial with the 0x1b entry in the example.
There
needs to be 20 spaces (characters) inside the " " marks. The domain
name is
padded with spaces to use 15 characters. The 16th character is the
backslash followed by the "0x1b" value.

314108 How to Write an LMHOSTS File for Domain Validation and Other
Name
Resolution Issues
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314108

Once loaded into the cache correctly, test connectivity.
- PING each DC (e.g. "ping NT4PDCName" and "ping W2KPDCName")
- NET VIEW each DC (e.g. "net view \\NT4PDCName" and "net view
\\W2KPDCName")

Let me know the results.

2. SECURITY SETTINGS
Most commonly the Active Directory side is the "locked down" side of
the
trust that causes problems. However, both sides must be checked.

For Windows 2000 and 2003 these settings may be applied/configured via
group policy or a local policy (or applied security template). When
determining the current values of these settings it is imperative that
the
proper tools be used or inaccurate readings may occur.

- Enable Winlogon logging
How to Enable Logging for Security Configuration Client Processing
in
Windows 2000
http://support.microsoft.com/?id=245422

- Look at the local cache of the group policy applied security
policies.
Event ID 1000 and event ID 1202 are logged to the event log every
five
minutes in Windows 2003 Server
http://kb/article.asp?id=319352

Ensure the following settings are configured as shown:
RestrictAnonymous and RestrictAnonymousSam
- Network access: Allow anonymous SID/Name translation ENABLED
- Network access: Do not allow anonymous enumeration of SAM accounts
DISABLED
- Network access: Do not allow anonymous enumeration of SAM accounts
and
shares DISABLED
- Network access: Let Everyone permissions apply to anonymous users
ENABLED
- Network access: Named pipes can be accessed anonymously ENABLED
- Network access: Restrict anonymous access to Named Pipes and shares
DISABLED

LM Compatibility
- Network security: LAN Manager authentication level: "LM & NTLM
responses" or
"Send LM & NTLM - use NTLMV2 session
security if negotiated"

SMB Signing and/or Encrypting
- Microsoft network client: Digitally sign communications (always)
DISABLED
- Microsoft network client: Digitally sign communications (if server
agrees) ENABLED
- Microsoft network server: Digitally sign communications (always)
DISABLED
- Microsoft network server: Digitally sign communications (if client
agrees) ENABLED
- Domain member: Digitally encrypt or sign secure channel data
(always)
DISABLED

- Domain member: Digitally encrypt secure channel data (when possible)

ENABLED

- Domain member: Digitally sign secure channel data (when possible)
ENABLED
- Domain member: Require strong (Windows 2000 or later) session key
DISABLED

Once the settings are properly configured, reboot. After reboot ensure
the
values are still set as expected.

With NT4 the only way to verify the settings is with the Regedt32 tool.


Registry and Group Policy locations for the above values:
RestrictAnonymous
- Windows NT registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

LM Compatibility
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaLMCompatibilityLevel

RequireSecuritySignature (server)
- Windows NT registry:

HKey_Local_Machine\System\CurrentControlSet\Services\Rdr\Parameters\RequireS
ecurityS
ignature

RequireSignOrSeal
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

SignSecureChannel
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

RequireStrongKey
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. USER RIGHTS
Ensure User Rights are set as the following:
- Access this computer from network Everyone
- Deny access to this computer from network Does not contain a
principal
that would affect the PDC (e.g. Everyone, Authenticated Users, etc)

4. GROUP MEMBERSHIP
This aspect only applies to 2003 domain controllers.

Ensure the following group memberships are in place.
Pre-Windows 2000 compatible access group contains:

- Windows 2003: Everyone, Anonymous Logon
Note: "Anonymous Logon" must be added if the "Let Everyone permissions
apply to anonymous users" policy setting is not enabled.

OK, let me know the results.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================



--------------------
From: qqharry@xxxxxxxxx
Newsgroups: microsoft.public.windows.server.migration
Subject: Failed to create a trust relationship between NT4 and 2003 AD
Date: 19 Jul 2006 09:09:25 -0700
Organization: http://groups.google.com
Lines: 41
Message-ID: <1153325365.444994.27380@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
NNTP-Posting-Host: 202.175.191.37
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1153325370 26990 127.0.0.1 (19 Jul 2006
16:09:30 GMT)
X-Complaints-To: groups-abuse@xxxxxxxxxx
NNTP-Posting-Date: Wed, 19 Jul 2006 16:09:30 +0000 (UTC)
User-Agent: G2/0.2
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1),gzip(gfe),gzip(gfe)
Complaints-To: groups-abuse@xxxxxxxxxx
Injection-Info: p79g2000cwp.googlegroups.com;
posting-host=202.175.191.37;
posting-account=CFJK8Q0AAABf04tXj5JHDrHBrD6k-4HR
Path:

TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed00

.sul.t-online.de!t-online.de!border2.nntp.dca.giganews.com!border1.nntp.dca.

giganews.com!nntp.giganews.com!postnews.google.com!p79g2000cwp.googlegroups.
com!not-for-mail
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24493
X-Tomcat-NG: microsoft.public.windows.server.migration

Dear all,

I got a NT4 domain with "SP3" only, would like to migrate its user
accounts (> 1000) to a new 2003 AD. Right now I have trouble on
creating the trust relationship between them.

I did the entries for both DCs on LMHOSTS file. I did the WINS service
and created the Static Mapping entries for the opposite DC.

My problem is:

I can't create the one-way or two-way trust relationship between NT
and
2003 AD. On the NT4 PDC, I created a Trusting domain into Policy and
entered the password. But I can't create a Trusted domain and the
error
said "Could not find domain controller for this domain". On the 2003
AD, I created a New Trust and the NT4 domain name can be recognized,
.

Relevant Pages

  • RE: Failed to create a trust relationship between NT4 and 2003 AD
    ... For Windows 2000 and 2003 these settings may be applied/configured via ... Digitally sign communications (if server ... With NT4 the only way to verify the settings is with the Regedt32 tool. ... Failed to create a trust relationship between NT4 and 2003 AD ...
    (microsoft.public.windows.server.migration)
  • RE: Failed to create a trust relationship between NT4 and 2003 AD
    ... is that a must to do for all setting when NT4 ... For Windows 2000 and 2003 these settings may be applied/configured via ... minutes in Windows 2003 Server ... Failed to create a trust relationship between NT4 and 2003 AD ...
    (microsoft.public.windows.server.migration)
  • Re: SceCli Error 1202 filling up the Event Log!
    ... > after restarting the Win2003 server, the secedit.sdb database does not get ... >>> security database and have it recreated. ... >>> configuration\windows settings\security settings, you should inventory ...
    (microsoft.public.win2000.advanced_server)
  • Re: SBS 2003 After Service Pack 1 for SBS
    ... Controllers" groups have been added to the new CERTSVC_DCOM_ACCESS security ... we can have Certificate Services update the DCOM security settings ... down time for the server - probably over a weekend. ... Then please run command "iisreset" to refresh IIS ...
    (microsoft.public.windows.server.sbs)
  • Re: Print Groups
    ... One for test and then one for all printer objects on a server. ... Change the settings on one printer, ... Used to set print queue security. ...
    (microsoft.public.windows.server.clustering)