Establish trust between NT 4 domain and 2003 native

Discussion in 'Active Directory' started by Bill, Sep 1, 2006.

  1. Bill

    Bill Guest

    We keep getting "unable to contact domain" while trying to establish a trust
    connection between an NT 4 domain and 2000 native AD domain. WINS and network
    connectivity are in place, but the trust continues to fail. Does the fact
    that our 2003 domain is in native mode affect the ability to create the
    trust? Any other ideas besides WINS and NetBIOS? We've been using nbtstat
    to test WINS, and it tests successfully, but is there a better way to test?

    Thank you
    Bill, Sep 1, 2006

  2. Bill

    Al Mulnick Guest

    Are there any firewalls in between or something else that's filtering the

    If the problem were name resolution, I'd expect that the error would be more
    like unable to locate domain controller vs. unable to contact domain.

    Not to say it's impossible, but name resolution and packet filtering are the
    top two reasons you won't be able to establish a trust (check all layers).

    Al Mulnick, Sep 1, 2006

  3. Bill

    Jorge Silva Guest

    How to write an Lmhosts file for domain validation and other name resolution

    How to Configure a Firewall for Domains and Trusts:
    Windows Server 2003 Troubleshooting Trusts:

    Network Address Translators (NATs) can block Netlogon traffic (KB 172227)

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Sep 2, 2006
  4. Bill

    Herb Martin Guest

    Actually that does sound very much like the result of a
    failure to resolve with NetBIOS when setting up external
    trusts (to NT).

    He indicated in his message that WINS was in place, but
    my question would remain: Are ALL of your DCs in both
    the NT and AD domains "WINS Clients"?

    And if you have more than one WINS Server, are the ALL
    Herb Martin, Sep 2, 2006
  5. Bill

    Peter Guest

    Dear Bill,

    It seems that you encountered the same problem as we did. All NTLM trusts
    between our Active Directory and Windows NT4.0 domains were broken after we
    upgraded our W2K3 AD Controllers to SP1. Afterwards, it was not possible to
    create new trusts and we got the same error as you did. We found that the
    issue came from the update Microsoft did on the RPC level in SP1. The new RPC
    protocol is much stronger than the previous one.
    This is how we solved the issue:
    • Registry parameter:
    HKLM\System\currentControlSet\Services\lanmanserver\parameters\RestrictAnonymous = 0
    • Registry parameter:
    HKLM\System\currentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess = 0
    • Install patch: WindowsServer2003-KB899148-x86-enu.exe on all DCs
    • Registry parameter:
    HKLM\Software\Policies\Microsoft\WindowsNT\RPC\Server2003NegotiateDisable = 1

    Peter, Sep 4, 2006
  6. Bill

    Paul Bergson Guest

    Check out my article on NT4 v AD trusts, it will help you with settings as
    well as troubleshooting.
    Select articles and click on "NT4 v AD Trust"
    Paul Bergson, Sep 5, 2006
  7. Bill

    Bill Guest

    Thanks Peter, this appeared to be our issue as well, along with the proper
    syntax in the lmhosts file.

    Thanks again
    Bill, Sep 5, 2006
  8. Bill

    Paul Bergson Guest

    If you go through my article it will help you build the proper WINS records.
    There is a link that will do it for you.
    Paul Bergson, Sep 6, 2006
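
The "proper syntax in the lmhosts file" that the thread refers to, as an added example that is not from any poster: it builds and checks the two LMHOSTS lines used for domain validation, assuming the commonly documented Microsoft format (a `#PRE #DOM:` line plus a quoted 0x1B name padded to exactly 20 characters). The domain name, PDC name and address are constructed placeholders.

```python
import re

QUOTED = re.compile(r'"([^"]*)"')


def lmhosts_entries(domain: str, pdc: str, ip: str) -> list[str]:
    """Build the two LMHOSTS lines that let a DC locate a remote domain's PDC."""
    domain, pdc = domain.upper(), pdc.upper()
    for name in (domain, pdc):
        if not 1 <= len(name) <= 15:
            raise ValueError(f"NetBIOS name must be 1-15 characters: {name!r}")
    # The 16th byte 0x1B marks the domain master browser (PDC) record.
    # The domain is space-padded to 15 characters, so the quoted text is
    # exactly 20 characters long including the literal \0x1b suffix.
    padded = domain.ljust(15) + r"\0x1b"
    return [
        f"{ip}\t{pdc}\t#PRE\t#DOM:{domain}",
        f'{ip}\t"{padded}"\t#PRE',
    ]


def check_lmhosts(text: str) -> list[str]:
    """Return the syntax problems found in special-name and keyword usage."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = QUOTED.search(line)
        if m and not re.fullmatch(r".{15}\\0x[0-9A-Fa-f]{2}", m.group(1)):
            problems.append(
                f"line {n}: quoted name is {len(m.group(1))} chars, "
                "need 15 padded chars + \\0xNN = 20"
            )
        # Assumption from the documented format: keywords are upper case.
        for kw in re.findall(r"#(pre|dom)\b", line, re.I):
            if kw != kw.upper():
                problems.append(f"line {n}: keyword #{kw} must be upper case")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation address range, made-up names).
    good = "\n".join(lmhosts_entries("corp", "pdc01", "192.0.2.10"))
    bad = '192.0.2.10 "CORP \\0x1b" #pre'
    print(good)
    print(check_lmhosts(good))
    print(check_lmhosts(bad))
```

After editing the file on a DC, `nbtstat -R` reloads the `#PRE` entries and `nbtstat -c` lists what was cached.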