Half of Trust Moved to Different Subnet

From: Andrew Hayes (anonymous_at_discussions.microsoft.com)
Date: 05/31/04


Date: Mon, 31 May 2004 03:36:01 -0700

Well, I had a working trust relationship between NT4 and W2K, but after I changed the W2K servers' IP addresses to a different subnet, the trust stopped working, even after configuring the routers and whatnot.

I changed the LMHOSTS of the NT4 PDC to use the new IP addresses, but I'm at a loss as to what else needs to be done. Here is what I can do so far:

NBTSTAT -c on the NT4 PDC shows:

 W2KDOMAIN <1C> GROUP 192.168.1.163 -1
 W2KDOMAIN <1B> UNIQUE 192.168.1.163 -1
 W2KDC <03> UNIQUE 192.168.1.163 -1
 W2KDC <00> UNIQUE 192.168.1.163 -1
 W2KDC <20> UNIQUE 192.168.1.163 -1

NETDOM QUERY /Domain:W2KDOMAIN PDC shows:

Primary domain controller for the domain:

W2KDC
The command completed successfully.

TRACERT W2KDC shows:

Tracing route to WIN2KDC [192.168.1.163]
over a maximum of 30 hops:

  1 <1 ms <1 ms <1 ms 192.168.0.200
  2 7 ms 5 ms 5 ms 192.168.1.200
  3 8 ms 5 ms 4 ms WIN2KDC [192.168.1.163]

Trace complete.

The problem occurs when I try to verify the trust relationship using NETDOM TRUST W2KDOMAIN /domain:NT4DOMAIN /verify. I get this message:

The secure channel verify on domain controller \\W2KDC for trusting domain
NT4DOMAIN failed with the following error:

There are currently no logon servers available to service the logon request.

The attempt to contact the NetLogon service on domain controller \\NT4PDC
for a secure channel query of trusting domain failed with the following error:

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

Performing NETDOM VERIFY NT4PDC /domain:W2KDOMAIN returns:

The secure channel from CVITKO01 to the domain PAYROLL has been verified. The connection
is with the machine.

The command completed successfully.

Does anyone have any ideas on how to get this trust working again? It would be appreciated. Thanks.


