RE: Failed to create a trust relationship between NT4 and 2003 AD

Hi,

OK, let's perform troubleshooting step by step:

For NT4 trust Windows 2003 issue, I agree with you that it could be a name
resolution issue. Since NT4 don't use DNS, it should use wins. We should
check LMhosts file first. I suspect the LMHosts is not created properly.
Please refer to following article carefully to check the lmhosts file:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;314108


The contents of the LMHOSTS file will appear as such:
1.1.1.1 NT4PDCName #DOM:NT4DomainName #PRE
1.1.1.1 "NT4DomainName \0x1b" #PRE
2.2.2.2 W2KPDCName #DOM:W2KDomainName #PRE
2.2.2.2 "W2KDomainName \0x1b" #PRE


the \ should be the sixteenth character. It is important.

Then use command NBTSTAT -R to load it into cache.

Then use command NBTSTAT -C to display the cache.

If the file is written properly, the cache will appear as such:
NT4PDCName <03> UNIQUE 1.1.1.1 -1
NT4PDCName <00> UNIQUE 1.1.1.1 -1
NT4PDCName <20> UNIQUE 1.1.1.1 -1
NT4DomainName <1C> GROUP 1.1.1.1 -1
NT4DomainName <1B> UNIQUE 1.1.1.1 -1
W2KPDCName <03> UNIQUE 2.2.2.2 -1
W2KPDCName <00> UNIQUE 2.2.2.2 -1
W2KPDCName <20> UNIQUE 2.2.2.2 -1
W2KDomainName <1C> GROUP 2.2.2.2 -1
W2KDomainName <1B> UNIQUE 2.2.2.2 -1

Let me know the output. Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
Thread-Topic: Failed to create a trust relationship between NT4 and 2003
AD
thread-index: AcavB18RYjvMWLCkTv+xxLNvz9w7ZA==
X-WBNR-Posting-Host: 202.175.171.187
From: =?Utf-8?B?T0RCQw==?= <ODBC@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <1153325365.444994.27380@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
<GQxNDi6qGHA.4728@xxxxxxxxxxxxxxxxxxxxx>
<4AA11258-895C-4731-8D1F-D0D8E21842A7@xxxxxxxxxxxxx>
<TVu$W8urGHA.5392@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Failed to create a trust relationship between NT4 and 2003 AD
Date: Mon, 24 Jul 2006 02:56:02 -0700
Lines: 346
Message-ID: <A365DE87-397A-4007-9964-75EC16EA7442@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.migration
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24551
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.migration

Hi Vincent,

After I applied the above policy setting in Domain Security Setting on
the
W2K3 server, I reloaded it and tried the net view command from NT4
server. It
seems still the same. However, I haven't applied the setting in NT4
registry
yet. Is that the setting all you provided change to value "0" ? But my
problem seems now is only W2K3 server can trust NT4 domain by just
"access
deny". From NT4 server I even can't resolve the W2K3 domain name by
"network
path not found" ? Is that the problem from WINS or LMHOST or else?
Thanks a
lot.

All below registries in NT4 should set to "0" ????
- Windows NT registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

LM Compatibility
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaLMCompatibilityLeve
l

RequireSecuritySignature (server)
- Windows NT registry:

HKey_Local_Machine\System\CurrentControlSet\Services\Rdr\Parameters\Requir
eS
ecurityS
ignature

RequireSignOrSeal
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

SignSecureChannel
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

RequireStrongKey
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters


Regards,
ODBC


"Vincent Xu [MSFT]" wrote:

Hi,

OK, check following things:

1. Ping from NT4 to 2003 by IP & Netbios name, let me know the exact
output.

2. Net view IP & Netbios name, let me know the exact output.

3. On 2003 server, and open domain security policy & domain controller
security policy in Administrative tools, go to local policies /
security
optioins. Check the things I metioned in my previous reply.

4. regarding USER RIGHTS checking , please check local policies/user
rights
assignment

5. regarding GROUP MEMBERSHIP, please go to Active Directory Users and
Computers / built-in to check






Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================



--------------------
Thread-Topic: Failed to create a trust relationship between NT4 and
2003
AD
thread-index: AcastTvCb5ImhNzYTTazfwC5/Z9wgA==
X-WBNR-Posting-Host: 202.175.172.23
From: =?Utf-8?B?T0RCQw==?= <ODBC@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <1153325365.444994.27380@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
<GQxNDi6qGHA.4728@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Failed to create a trust relationship between NT4 and
2003 AD
Date: Fri, 21 Jul 2006 04:03:01 -0700
Lines: 236
Message-ID: <4AA11258-895C-4731-8D1F-D0D8E21842A7@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.migration
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24528
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.migration

Hi Vincent,

One more question, right now both WINS are pointing to their own DC.
Should
I need to point the NT4 PDC's IP to the primary WINS and DNS of the
W2K3
AD
domain and vise versa? Thanks.

Regards,
ODBC


"Vincent Xu [MSFT]" wrote:

Hi,

Seems to be a duplicate post. Whatever, make the reply more detail:

1. Check that the LMHOSTS file is in the correct location and
formatted
properly
- Location: %SystemRoot%\System32\Drivers\Etc
- Formatting: Spacing is crucial with the 0x1b entry in the
example.
There
needs to be 20 spaces (characters) inside the " " marks. The domain
name is
padded with spaces to use 15 characters. The 16th character is the
backslash followed by the "0x1b" value.

314108 How to Write an LMHOSTS File for Domain Validation and Other
Name
Resolution Issues
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314108

Once loaded into the cache correctly, test connectivity.
- PING each DC (e.g. "ping NT4PDCName" and "ping W2KPDCName")
- NET VIEW each DC (e.g. "net view \\NT4PDCName" and "net view
\\W2KPDCName")

Let me know the results.

2. SECURITY SETTINGS
Most commonly the Active Directory side is the "locked down" side
of
the
trust that causes problems. However, both sides must be checked.

For Windows 2000 and 2003 these settings may be applied/configured
via
group policy or a local policy (or applied security template). When
determining the current values of these settings it is imperative
that
the
proper tools be used or inaccurate readings may occur.

- Enable Winlogon logging
How to Enable Logging for Security Configuration Client
Processing
in
Windows 2000
http://support.microsoft.com/?id=245422

- Look at the local cache of the group policy applied security
policies.
Event ID 1000 and event ID 1202 are logged to the event log
every
five
minutes in Windows 2003 Server
http://kb/article.asp?id=319352

Ensure the following settings are configured as shown:
RestrictAnonymous and RestrictAnonymousSam
- Network access: Allow anonymous SID/Name translation ENABLED
- Network access: Do not allow anonymous enumeration of SAM
accounts
DISABLED
- Network access: Do not allow anonymous enumeration of SAM
accounts
and
shares DISABLED
- Network access: Let Everyone permissions apply to anonymous
users
ENABLED
- Network access: Named pipes can be accessed anonymously
ENABLED
- Network access: Restrict anonymous access to Named Pipes and
shares
DISABLED

LM Compatibility
- Network security: LAN Manager authentication level: "LM & NTLM
responses" or
"Send LM & NTLM - use NTLMV2 session
security if negotiated"

SMB Signing and/or Encrypting
- Microsoft network client: Digitally sign communications (always)

DISABLED
- Microsoft network client: Digitally sign communications (if
server
agrees) ENABLED
- Microsoft network server: Digitally sign communications (always)

DISABLED
- Microsoft network server: Digitally sign communications (if
client
agrees) ENABLED
- Domain member: Digitally encrypt or sign secure channel data
(always)
DISABLED

- Domain member: Digitally encrypt secure channel data (when
possible)

ENABLED

- Domain member: Digitally sign secure channel data (when
possible)
ENABLED
- Domain member: Require strong (Windows 2000 or later) session
key
DISABLED

Once the settings are properly configured, reboot. After reboot
ensure
the
values are still set as expected.

With NT4 the only way to verify the settings is with the Regedt32
tool.


Registry and Group Policy locations for the above values:
RestrictAnonymous
- Windows NT registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

LM Compatibility
- Windows NT/2000/2003 registry:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaLMCompatibilityLevel

RequireSecuritySignature (server)
- Windows NT registry:


HKey_Local_Machine\System\CurrentControlSet\Services\Rdr\Parameters\RequireS
ecurityS
ignature

RequireSignOrSeal
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

SignSecureChannel
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

RequireStrongKey
- Windows NT/2000/2003 registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. USER RIGHTS
Ensure User Rights are set as the following:
- Access this computer from network Everyone
- Deny access to this computer from network Does not contain a
principal
that would affect the PDC (e.g. Everyone, Authenticated Users, etc)

4. GROUP MEMBERSHIP
This aspect only applies to 2003 domain controllers.

Ensure the following group memberships are in place.
Pre-Windows 2000 compatible access group contains:

- Windows 2003: Everyone, Anonymous Logon
Note: "Anonymous Logon" must be added if the "Let Everyone
permissions
apply to anonymous users" policy setting is not enabled.

OK, let me know the results.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your
newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================



--------------------
From: qqharry@xxxxxxxxx
Newsgroups: microsoft.public.windows.server.migration
Subject: Failed to create a trust relationship between NT4 and
2003 AD
Date: 19 Jul 2006 09:09:25 -0700
Organization: http://groups.google.com
Lines: 41
Message-ID: <1153325365.444994.27380@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
NNTP-Posting-Host: 202.175.191.37
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Trace: posting.google.com 1153325370 26990 127.0.0.1 (19 Jul
2006
16:09:30 GMT)
X-Complaints-To: groups-abuse@xxxxxxxxxx
NNTP-Posting-Date: Wed, 19 Jul 2006 16:09:30 +0000 (UTC)
User-Agent: G2/0.2
X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;
SV1),gzip(gfe),gzip(gfe)
Complaints-To: groups-abuse@xxxxxxxxxx
Injection-Info: p79g2000cwp.googlegroups.com;
posting-host=202.175.191.37;
posting-account=CFJK8Q0AAABf04tXj5JHDrHBrD6k-4HR
Path:


TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS02.phx.gbl!newsfeed00


..sul.t-online.de!t-online.de!border2.nntp.dca.giganews.com!border1.nntp.dca.


giganews.com!nntp.giganews.com!postnews.google.com!p79g2000cwp.googlegroups.
com!not-for-mail
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:24493
X-Tomcat-NG: microsoft.public.windows.server.migration

Dear all,

I got a NT4 domain with "SP3" only, would like to migrate its user
accounts (> 1000) to a new 2003 AD. Right now I have trouble on
creating the trust relationship between them.

I did the entries for both DCs on LMHOSTS file. I did the WINS
service
and created the Static Mapping entries for the opposite DC.

My problem is:

I can't create the one-way or two-way trust relationship between
NT
and
2003 AD. On the NT4 PDC, I created a Trusting domain into Policy
and
entered the password. But I can't create a Trusted domain and the
error
said "Could not find domain controller for this domain". On the
2003
AD, I created a New Trust and the NT4 domain name can be
recognized,


.

Relevant Pages
Loading