"Eric" <> wrote in message
news:. ..
>> "Eric" <> wrote in message
>> news:. ..
>>> Actually they don't need to connect to the resources on the NT4 machine.
>>>
>>> I am using a Windows 2003 server member of a PDC NT4 domain.
>>> The PDC NT4 domain is trusted (bidirectional trust) with an Active
>>> Directory domain.
>>>
>>> I want to list my AD domain users from my Windows 2003 server member of
>>> my NT4 domain.
>>>
>>> Perhaps I am wrong but in the KB quoted above, it seems that I need to
>>> open only port 138/UDP.
>>>
>>> Am I wrong?
>>>
>>> Thank you
>>>
>>>> "Eric" <> wrote in message
>>>> news:. ..
>>>>> Hi,
>>>>>
>>>>> thank you for your answer.
>>>>>
>>>>> Do you agree that these port requirements are needed for MEMBER
>>>>> Servers?
>>>>>
>>>>> When I read the KB, I understand that these ports need to be opened
>>>>> between PDC and DC but not between MEMBER servers and the PDC Emulator
>>>>> of the trusted domain.
>>>>>
>>>>> Thank you
>>>>>
>>>>>> Hello Eric,
>>>>
>>>> If any clients are to resolve and connect to the resources on the NT4
>>>> machine, they will need NetBIOS opened.
>>>>
>>>> Ace
>>>
>>> -- Eric
>>>
>>>
>>
>>
>> You will also need 139 and all the UDP service response ports opened
>> (also known as ephemeral ports: UDP 1024-5000, and if 2008 is involved,
>> you may as well open the whole UDP range).
>>
>> So what other ports have you not opened?
>>
>> Also, can you elaborate on this sentence, please?
>>> I want to list my AD domain users from my Windows 2003 server member of
>>> my NT4 domain.
>>
>> Where do you want to "list" the users on the NT4 side? In a resource
>> (shared permissions & security tab permissions or printer properties) or
>> somewhere else?
>>
>> Ace
>
> Thank you Ace.
>
> I am really not sure that I need to open all these ports and I am also not
> sure with the KB about the need to open 138/UDP port.
>
> Indeed, we have another site with exactly the same configuration BUT there
> is no open port between member servers of the remote site (in NT domain)
> and the PDC emulator (in our AD local site), and if I use Wireshark from
> the member server or watch the denied traffic from my firewall, I don't see
> any 137/138 or 139 port connection attempts and/or denials.
This is while trying to connect to a resource on the NT4 side from a client
on the AD side?
> So, I can confirm that there is no need to open those ports if I want to
> list users of my AD domain from a server member of the NT domain. As you
> said, I am trying to display the AD users from the security tab
> permissions of a server member of the NT domain.
In that case, it's using pass-through authentication through its own domain
controller across the trust.
> Now, it seems to be a problem with my Active Directory.
> Indeed, if I connect to two local DCs (in the site where the NT domain is
> installed) and I launch the command nltest /sc_query:NT_Domain, I have
> the following error: "Trusted DC Connection Status Status = 5 0x5
> ERROR_ACCESS_DENIED"
Then that could mean that you have SMB signing enabled, and it may need to be
disabled on each DC to allow legacy, down-level NTLM authentication, which
doesn't support SMB signing.
To disable it, go to the Domain Controller Local Security Policy (in
Administrative Tools), then to "Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options." You will see:
- Microsoft network server: Digitally sign communications (always) -- Policy
  Setting: Enabled
- Microsoft network server: Digitally sign communications (if client agrees) --
  Policy Setting: Enabled
Disable both.
>
> BUT if I launch this same command on a third local DC, recently installed,
> I get the message "Trusted DC Connection Status Status = 0 0x0
> NERR_Success"
But I can't see how a freshly installed 2003 DC will allow communication. So
that leads me to believe either there is a security policy on the older DCs
preventing communication, or it was disabled on the new one, or firewall
rules are preventing it.
>
> When I use Wireshark on my client while accessing the Security Tab, I
> can see that it is pointing to one of the bad DCs.
> I would like to tell my member server to point to the newly installed DC.
> I have edited the lmhosts file on the member server but the problem
> remains.
It depends on how you edited the lmhosts file. Can you specify exactly what
entry you gave it? Did you follow the following KB?
Trust between a Windows NT domain and an Active Directory domain cannot be
established or it does not work as expected
http://support.microsoft.com/kb/889030/en-us
Here's Paul's article on it:
NT4 / AD Trust Configuration
All trust communication traffic flows between the Windows 2003 PDCe and the
PDC. It doesn't matter how you have your LMHosts table setup or your
firewall ...
http://www.pbbergs.com/windows/artic...all_trust.html
>
> Thank you
>
> --
> Eric
>
>
FYI, anytime I see firewall rules made between organizations where there's
a trust involved, I've always encountered errors. I can't tell you how many
times I've seen these issues, from my students asking me what is wrong and
what needs to be opened, to customers whose trusts I try to troubleshoot when
their corporate security policy dictates that only certain ports may be
opened. I've spent time after time, hours upon hours, capturing and reading
Netmon captures to determine the issue, and the solution is not always the
same. I've never seen problems where the ports are left wide open, and it's
funny, the captures I see are not from the machine to a DC on the other side
of the trust; rather they go to their own DC, which performs the
pass-through. So if the firewalls are blocking any of the DCs on necessary
ports, that will cause it. Like I said, you have a task at hand to read your
captures, and not only on member servers, but also between the DCs themselves
across the trust.
I hope that helps.
Ace
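An added example, not from the thread or from either poster: a PowerShell check that reads the two SMB signing policies Ace names from their registry backing on a DC and runs the same nltest /sc_query that Eric ran, so the DCs returning ERROR_ACCESS_DENIED can be compared against the one returning NERR_Success before any policy is changed. It assumes it is run elevated on the DC being checked; the trusted domain name is a placeholder.

```powershell
# Added example (not the thread's own code). Run elevated on each DC under test.
param(
    # Placeholder: replace with the trusted NT4 domain name (the thread uses NT_Domain).
    [string]$TrustedDomain = 'NT_Domain'
)

# Registry backing of the two Local Security Policy entries quoted in the thread:
#   "Digitally sign communications (always)"           -> RequireSecuritySignature
#   "Digitally sign communications (if client agrees)" -> EnableSecuritySignature
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$props = Get-ItemProperty -Path $key

$policies = [ordered]@{
    'Microsoft network server: Digitally sign communications (always)'           = $props.RequireSecuritySignature
    'Microsoft network server: Digitally sign communications (if client agrees)' = $props.EnableSecuritySignature
}

Write-Output "SMB signing policy on $env:COMPUTERNAME"
foreach ($name in $policies.Keys) {
    $state = if ($policies[$name] -eq 1) { 'Enabled' } else { 'Disabled' }
    Write-Output ('  {0,-78} {1}' -f $name, $state)
}

# Secure channel to the trusted domain, same command Eric ran. nltest prints a line such as
#   Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
$out = & nltest "/sc_query:$TrustedDomain" 2>&1 | Out-String
if ($out -match 'Status = (\d+) 0x[0-9a-fA-F]+ (\w+)') {
    $code  = [int]$Matches[1]
    $label = $Matches[2]
    if ($code -eq 0) {
        Write-Output "Secure channel to ${TrustedDomain}: healthy ($label)."
    } elseif ($code -eq 5 -and $props.RequireSecuritySignature -eq 1) {
        # The combination the thread describes: access denied while signing is required.
        Write-Output "Secure channel to ${TrustedDomain}: $label with signing required on this DC."
        Write-Output 'Compare this DC with the one that returns NERR_Success before changing policy.'
    } else {
        Write-Output "Secure channel to ${TrustedDomain}: failed, $label (status $code)."
    }
} else {
    Write-Output "Could not parse nltest output:`n$out"
}
```

Run it on each of the three DCs from the thread; a DC whose output differs in the signing rows is the one to look at first, and the full nltest text is printed whenever the status line does not match.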