RE: trying to create trusts on NT4 domain and 2003 domain
- From: v-dashen@xxxxxxxxxxxxxxxxxxxx (David Shen [MSFT])
- Date: Mon, 07 Apr 2008 07:05:34 GMT
Dear Customer,
Thank you for posting in the newsgroup.
According to the description, I know the issue is: you can add the trust
from the Windows Server 2003 domain to the Windows NT domain. However, when
you add the trusted domain on the Windows NT4 box, it comes up with the
'could not find domain controller for this domain.'
If I have any misunderstanding, please feel free to let me know.
Based on the research, here is some information which may be helpful for
you.
Analysis and Suggestion:
=======================
When you try to create a trust between Windows NT4 domain and Windows
Server 2003 domain, you may receive the following error message:
Could not find domain controller for this domain
This error message can occur for the following reasons:
1. Networking issues
Please make sure that both computers are using TCP/IP and that you can
connect to the other computer by using a network utility such as Ping.exe.
You may ping each other to check that the network between the two
domain controllers is OK.
2. Name resolution issues
Please make sure that the Windows NT-based domain controller can resolve
the host name of the Windows Server 2003-based domain controller, and that
the Windows Server 2003-based domain controller can resolve the NetBIOS
name of the Windows NT-based domain controller. If you cannot resolve the
NetBIOS and host names, you may create an entry in the Lmhosts file on each
domain controller that specifies the location of the other controller.
For more information, please refer to:
LMHOSTS File Information and Predefined Keywords
http://support.microsoft.com/kb/102725
3. Trust issues
On a Windows Server 2003-based domain controller, you may set the value of
the RestrictAnonymous registry subkey to 0 to establish the trust.
On a computer that is running Windows Server 2003 Service Pack 1, you may
set the value of the RestrictAnonymous registry subkey to 0 and set the
value of the RestrictNullSessAccess registry subkey to FALSE to establish
the trust.
To set the value of the RestrictNullSessAccess registry subkey to FALSE,
follow these steps:
a. Click Start, click Run, type regedit, and then click OK to open Registry
Editor.
b. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
c. Right-click this registry subkey, point to New, and then click DWORD
Value.
d. Type RestrictNullSessAccess, and then press ENTER.
e. Double-click RestrictNullSessAccess, type 0 in the Value data box, and
then click OK.
f. Exit Registry Editor.
g. Restart the computer.
4. Security issue
On the Windows Server 2003 domain controller, please make sure that the
following settings are configured as shown.
You may configure the Group Policy that is linked to domain level in the
Active Directory to set the security policy.

RestrictAnonymous and RestrictAnonymousSam:
  Network access: Allow anonymous SID/Name translation: ENABLED
  Network access: Do not allow anonymous enumeration of SAM accounts: DISABLED
  Network access: Do not allow anonymous enumeration of SAM accounts and
    shares: DISABLED
  Network access: Let Everyone permissions apply to anonymous users: ENABLED
  Network access: Named pipes can be accessed anonymously: ENABLED
  Network access: Restrict anonymous access to Named Pipes and shares: DISABLED

LM Compatibility:
  Network security: LAN Manager authentication level: "LM & NTLM responses"
    or "Send LM & NTLM - use NTLMV2 session security if negotiated"

SMB Signing, SMB Encrypting, or both:
  Microsoft network client: Digitally sign communications (always): DISABLED
  Microsoft network client: Digitally sign communications (if server
    agrees): ENABLED
  Microsoft network server: Digitally sign communications (always): DISABLED
  Microsoft network server: Digitally sign communications (if client
    agrees): ENABLED
  Domain member: Digitally encrypt or sign secure channel data (always):
    DISABLED
  Domain member: Digitally encrypt secure channel data (when it is
    possible): ENABLED
  Domain member: Digitally sign secure channel data (when it is possible):
    ENABLED
  Domain member: Require strong (Windows 2000 or later) session key: DISABLED

Please note:
After the settings are configured correctly, we need to restart your
computer. The security settings are not enforced until the computer is
restarted.
For your concern about the character when you add the trusted domain on the
Windows NT4 domain controller: in the Domain box, type the Windows Server
2003-based domain name without the .local portion of the domain name. We
only need to input "mycompany" as the trusted domain name in this case.
For more information:
========================
How to establish trusts with a Windows NT-based domain in Windows Server
2003
http://support.microsoft.com/kb/325874
Trust between a Windows NT domain and an Active Directory domain cannot be
established or it does not work as expected
http://support.microsoft.com/kb/889030
Hope all the information will be helpful.
I look forward to your reply.
Thanks for your time.
David Shen
Microsoft Online Partner Support
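
The following PowerShell is an added example, not part of the post above or of the linked KB articles. It reads the registry values behind the settings the post lists and reports which ones currently match the relaxed state, so the change can be recorded before it is made and reverted once the NT4 trust is no longer needed. Assumptions: Windows PowerShell 2.0 or later is installed on the domain controller, and the value names under Lsa, LanmanWorkstation and Netlogon (not given on the page) are the standard registry locations for these policies.

```powershell
# Added example (not from the original post). Read-only: reports the registry
# values behind the settings the post lists; it changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Each entry: key path, value name, value(s) that match the post's setting.
# Only LanmanServer\Parameters\RestrictNullSessAccess is spelled out on the
# page; the other names are the standard locations for the listed policies.
# Not covered: "Allow anonymous SID/Name translation" (not a registry value)
# and the anonymous named-pipe list (a multi-string, not an on/off flag).
$checks = @(
    @($lsa, 'RestrictAnonymous',         @(0)),
    @($lsa, 'RestrictAnonymousSAM',      @(0)),
    @($lsa, 'EveryoneIncludesAnonymous', @(1)),
    @($lsa, 'LmCompatibilityLevel',      @(0, 1)),
    @("$svc\LanmanServer\Parameters",      'RestrictNullSessAccess',   @(0)),
    @("$svc\LanmanServer\Parameters",      'RequireSecuritySignature', @(0)),
    @("$svc\LanmanServer\Parameters",      'EnableSecuritySignature',  @(1)),
    @("$svc\LanmanWorkstation\Parameters", 'RequireSecuritySignature', @(0)),
    @("$svc\LanmanWorkstation\Parameters", 'EnableSecuritySignature',  @(1)),
    @("$svc\Netlogon\Parameters", 'RequireSignOrSeal', @(0)),
    @("$svc\Netlogon\Parameters", 'SealSecureChannel', @(1)),
    @("$svc\Netlogon\Parameters", 'SignSecureChannel', @(1)),
    @("$svc\Netlogon\Parameters", 'RequireStrongKey',  @(0))
)

$report = foreach ($c in $checks) {
    # A missing key or value yields $null rather than an error.
    $item = Get-ItemProperty -Path $c[0] -Name $c[1] -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = '(not set)'
        $state  = 'OS default applies'
    } else {
        $actual = $item.($c[1])
        if ($c[2] -contains $actual) { $state = 'relaxed, as in the post' }
        else                         { $state = 'differs from the post' }
    }
    New-Object PSObject -Property @{
        Key    = $c[0] -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\', ''
        Value  = $c[1]
        Actual = $actual
        State  = $state
    }
}
$report | Select-Object Key, Value, Actual, State | Format-Table -AutoSize
```

Save the output from before the change alongside the change record; a later run that still shows "relaxed, as in the post" after the NT4 domain is retired identifies settings left open to anonymous access and unsigned SMB.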