Can't establish trust between NT4 and W2K3 domains

Discussion in 'Server Setup' started by MJG, Mar 11, 2005.

  1. MJG

    MJG Guest

    I am trying to establish a trust between two domains. One domain has NT 4
    domain controllers, the other has 2003. I have tried absolutely everything
    suggested on technet, from changing registry entries to LMHOSTS entries,
    enable LMHOSTS lookup, everything. Both sides get the typical 'no logon
    servers available to service your logon request'. Both sides can ping the
    other, the domains show up INTERMITTENTLY in the network neighbourhood. A
    trust was previously established when both sides were on NT4. I have tried
    moving FSMO roles to another machine. Static entries in WINS. DNS seems
    fine. There is a static route using the correct gateway. At one point we
    were able to establish a trust in one direction (2003 domain could access
    NT4), but after removing the trust and re-adding it, as suggested, now
    neither side works. Event logs show nothing at all. It is interesting to
    note that when I try to validate the trust from W2k3, if I enter an invalid
    password in the username/password combination, the prompt comes back
    immediately asking me to re-enter. If I use the correct administrator
    password, after a few seconds it comes back with the 'no logon servers'
    message. This seems to tell me it is hitting the other domain. The trust
    has been removed and added back countless times, of course the NT side can't
    even add one side of the trust. I have also tried setting up a one way
    trust, then converting it to a two-way. I have exhausted all my ideas.
    DCDIAG and NETDIAG all complete successfully. I am completely out of ideas.
    Any help is greatly appreciated....
     
    MJG, Mar 11, 2005
    #1

  2. Hi MJG,

    Start from the NT machine. Attempt to map to a share on the
    PDC emulator in the W2k3 domain first by tcp/ip address and
    then by name. If either fails what is the exact error message.
    Now attempt to establish a trust relationship from the NT side.
    Immediately after the failed attempt open a dos prompt and run
    nbtstat -c. Post the results or verify at least the following pertaining
    to the W2k3 are in the cache without conflict: computername 00, 03,
    and 20 along with domain name 1b and 1c. All should be pointing
    towards the W2k3 PDC emulator. If they are incorrect post the TTL
    or time to live values for each. If all is correct then something is
    blocking the necessary ports in order for this to occur. There are a few
    different authentication issues related to this error which I'll get to
    after you respond, but make sure the W2k3 machine is not running a personal
    firewall, e.g., Norton's Personal Firewall.
     
    Michael Giorgio - MS MVP, Mar 11, 2005
    #2

  3. Jeff Cochran

    Jeff Cochran Guest

    Dumb as it sounds, I've had the exact same thing happen. Gave up on a
    Friday and left, came in Monday and the trust was working. Twice since
    I've had issues with trusts taking a period of time to work, both
    times it was at least a day of leaving it alone before it functioned.

    Jeff
     
    Jeff Cochran, Mar 11, 2005
    #3
  4. MJG

    MJG Guest

    When trying to map using the address it replies the following:

    There are currently no logon servers available to service this request.

    When trying to map using the server name it replies the following:

    The network path was not found.


    Using an nbtstat -c command these are the entries for Gerrard:

    Domainname  1C  Group   172.16.4.199  -1
    Domainname  1B  Unique  172.16.4.199  -1
    PDCNAME     00  Unique  172.16.4.199  -1
    PDCNAME     03  Unique  172.16.4.199  -1
    PDCNAME     20  Unique  172.16.4.199  -1

    I show no conflicts.
     
    MJG, Mar 14, 2005
    #4
  5. Something is blocking the necessary NetBIOS ports in
    order for the trust relationship to be established. Use network
    monitor or another packet sniffer on each side of the router
    to see exactly where the packets are being dropped. You'll
    need to start the monitor and then attempt to create a trust
    relationship.
     
    Michael Giorgio - MS MVP, Mar 14, 2005
    #5
  6. MJG

    MJG Guest

    We have identical CISCO managed routers between the two domains, I'm told
    that they pass all IP traffic. However, our provider went in and made some
    minor changes which may or may not have had any effect. I used a packet
    sniffer as suggested on the W2k3 domain. I was able to capture NetBIOS
    requests & corresponding responses from the NT 4 domain.

    Working from the W2K3 domain, Using NLTEST I can successfully query the
    secure channel (/SC_QUERY:DOMAIN) and get a list of domain controllers
    (/dclist:Domain) on the NT 4 domain. Using NBTSTAT -a, I can query the
    remote machines name table.

    When I try to validate the trust now, I get

    "The security database on the server does not have a computer account for
    this workstation trust relationship"....

    Is this still a name resolution problem???
     
    MJG, Mar 15, 2005
    #6
  7. No, this is not name resolution. This error tells us the server has
    been contacted and has responded. Make sure you are logged into
    the W2k3 DC with domain administrator privileges. Then check the
    following registry settings on the W2k3 DC:

    Set the following values to 0 (zero):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilitylevel
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous
     
    Michael Giorgio - MS MVP, Mar 15, 2005
    #7
  8. MJG

    MJG Guest

    I checked the registry entries as suggested. RestrictAnonymous was already 0,
    the other was changed and the DC rebooted.

    Still unable to establish the trust.

    nltest /sc_query:nt4domain returns 1355 0x54b ERROR_NO_SUCH_DOMAIN

    nltest /dclist returns all the nt4 controllers and correctly identifies the PDC

    The results of nbtstat -c are given below:

    Name             Type    Host Address   Life [sec]
    ------------------------------------------------------------
    PDC        <03>  UNIQUE  10.40.40.12    -1
    PDC        <00>  UNIQUE  10.40.40.12    -1
    PDC        <20>  UNIQUE  10.40.40.12    -1
    W2K3DOMAIN <1C>  GROUP   172.16.4.141   -1
    NT4DOMAIN  <1C>  GROUP   10.40.40.12    -1
    NT4DOMAIN  <1B>  UNIQUE  10.40.40.12    -1

    When executing any of the failed nltests, the protocol analyzer shows
    absolutely nothing. Does this mean that the request isn't even hitting the
    adapter? I've checked LMhosts file, LMhosts lookup, etc... The netbios cache
    above appears to be correct...
     
    MJG, Mar 15, 2005
    #8
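    The cache check Michael asks for in #2 (PDC 00/03/20 and domain 1B/1C all present, no conflicts, all on one host), run over output in the format MJG pasted in #8. This is an added Python example, not code from the thread; the dump below is constructed to match that format, and PDC / NT4DOMAIN are the thread's own placeholder names.

```python
"""Parse an 'nbtstat -c' dump and verify the NetBIOS records a trust needs."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout nbtstat -c prints (not the thread's real output).
SAMPLE_NBTSTAT_C = """\
Local Area Connection:
Node IpAddress: [10.40.40.50] Scope Id: []
        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    PDC            <03>  UNIQUE      10.40.40.12     -1
    PDC            <00>  UNIQUE      10.40.40.12     -1
    PDC            <20>  UNIQUE      10.40.40.12     -1
    W2K3DOMAIN     <1C>  GROUP       172.16.4.141    -1
    NT4DOMAIN      <1C>  GROUP       10.40.40.12     -1
    NT4DOMAIN      <1B>  UNIQUE      10.40.40.12     -1
"""

# One cache row: NAME <suffix> UNIQUE|GROUP address life. A life of -1 marks a
# preloaded (#PRE) LMHOSTS entry; learned entries carry a countdown in seconds.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)"
    r"\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ttl>-?\d+)\s*$")


def parse_nbtstat_cache(text: str) -> List[Dict[str, object]]:
    """Return the cache rows; header and interface lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            row = m.groupdict()
            row["suffix"] = row["suffix"].upper()
            row["ttl"] = int(row["ttl"])
            rows.append(row)
    return rows


def check_trust_records(rows, pdc_name: str, domain_name: str) -> Tuple[bool, List[str]]:
    """Require PDC <00>/<03>/<20> and DOMAIN <1B>/<1C>, each unambiguous, all on one host."""
    required = [(pdc_name.upper(), s) for s in ("00", "03", "20")] + \
               [(domain_name.upper(), s) for s in ("1B", "1C")]
    found: Dict[Tuple[str, str], Set[str]] = {}
    for r in rows:
        key = (str(r["name"]).upper(), str(r["suffix"]))
        if key in required:
            found.setdefault(key, set()).add(str(r["addr"]))
    problems = []
    for key in required:
        if key not in found:
            problems.append("missing %s<%s>" % key)
        elif len(found[key]) > 1:          # same name cached with two addresses
            problems.append("conflict %s<%s>: %s" % (key[0], key[1], sorted(found[key])))
    hosts = set().union(*found.values()) if found else set()
    if len(hosts) > 1:                     # records split across hosts
        problems.append("records point at more than one host: %s" % sorted(hosts))
    return (not problems, problems)
```

    Feed it `nbtstat -c` output captured right after a failed trust attempt; an empty problem list means the cache matches what Michael described, so the fault lies with port filtering rather than name resolution.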
  9. Sorry I didn't get back to you sooner MJG. Yes it's possible the
    computer itself is filtering outgoing NetBIOS. Software firewall
    setting, or perhaps an AntiVirus app running a personal firewall
    feature.
     
    Michael Giorgio - MS MVP, Mar 22, 2005
    #9
