Unable to create trust between NT4 and 2003 domains

Discussion in 'Server Migration' started by Curtis Fray, Jul 21, 2004.

  1. Curtis Fray

    Hi,

    I'm trying to set up trusts between a Windows NT and 2003 domain (in a test
    environment) to experiment with the ADMT tool. Unfortunately I can't get the
    trust working.

    Here's a description of what I have, and what I've done:

    2003SERVER in the domain 2003DOM
    NTSERVER in the domain NTDOM

    I have set up the necessary details in the LMHOST files on both computers
    and can ping both servers by name and IP.
    I have followed the instructions as per MS article Q325874 with regards to
    setting up the two way trusts on 2003SERVER and get the messages it says I
    should. I then set up the NTSERVER trusts, again as per its instructions,
    and after adding 2003DOM as a trusted domain I get a message saying the
    "Trust Relationship with 2003DOM successfully established". I then set up
    the Trusting Domain and give it the same password used for the trusts on
    2003SERVER (different from the admin password).
    All seems ok. However, when I try and access a resource on 2003SERVER from
    NTSERVER I get an error saying "The trust relationship between the primary
    domain and the trusted domain failed". And when I try and Validate the
    trusts on 2003SERVER, I get an error saying "Verification of the trust
    between the domains was unsuccessful because: Access is denied. To repair a
    trust to a pre-Windows 2000 domain you must remove and re-add the trust on
    both sides".
    I've checked the event viewer on both servers and have found the following
    errors:

    NTSERVER
    Event ID: 5722
    Source: NETLOGON
    Description: The session setup from the computer 2003SERVER failed to
    authenticate. The name of the account referenced in the security database is
    2003DOM$. The following error occurred: Access is Denied.

    2003SERVER
    Event ID: 3210
    Source: NETLOGON
    Description: This computer could not authenticate with \\NTSERVER, a Windows
    domain controller for domain NTDOM, and therefore this computer might deny
    logon requests. This inability to authenticate might be caused by another
    computer on the same network using the same name or the password for this
    computer account is not recognized. If this message appears again, contact
    your system administrator.

    I've tried re-boots, re-setting up trusts, and tried setting up in a
    different order (i.e., the NT4 ones first) but so far nothing's worked.

    Any suggestions would be greatly appreciated.

    Curtis.

    Curtis Fray, Jul 21, 2004
    #1

  2. Hi Curtis,

    Thanks for your posting here.

    Please try setting the following value in the Windows 2003 domain-level
    GPO.

    Secure channel: Require strong (Windows 2000 or later) session key -
    disabled

    Then run the "gpupdate /force" command.

    Now refer to article Q325874 to recreate the trusts.

    HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows
    http://support.microsoft.com/?id=325874

    What is the result?

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Jul 22, 2004
    #2
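
To confirm that the GPO change described in the reply above has reached the Windows 2003 server before the trusts are recreated, the effective Netlogon secure channel values can be read back from the registry. This is an added example, not part of the original posts; it assumes PowerShell is available on the server, and the mapping of registry values to policy names is supplied here rather than taken from the thread.

```powershell
# Added example, not from the thread. Run on the Windows Server 2003 side
# (assumes PowerShell is installed there) after "gpupdate /force".
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Netlogon registry value -> secure channel policy it backs.
$settings = [ordered]@{
    RequireStrongKey  = 'Require strong (Windows 2000 or later) session key'
    RequireSignOrSeal = 'Digitally encrypt or sign secure channel data (always)'
    SealSecureChannel = 'Digitally encrypt secure channel data (when possible)'
    SignSecureChannel = 'Digitally sign secure channel data (when possible)'
}

$params = Get-ItemProperty -Path $path -ErrorAction Stop

$report = foreach ($name in $settings.Keys) {
    # A missing value means neither policy nor a local setting wrote it.
    $prop = $params.PSObject.Properties[$name]
    if ($null -eq $prop) {
        $state = 'Not set (OS default applies)'
    } elseif ($prop.Value -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }
    [pscustomobject]@{ Value = $name; Policy = $settings[$name]; State = $state }
}
$report | Format-Table -AutoSize -Wrap

# The thread's fix leaves this value disabled; flag it so it is not forgotten.
$strong = $report | Where-Object { $_.Value -eq 'RequireStrongKey' }
if ($strong.State -eq 'Disabled') {
    Write-Warning ('RequireStrongKey is disabled: secure channels will accept ' +
        'weaker session keys. Re-enable it once the NT4 domain is retired.')
}
```

If `RequireStrongKey` still shows as enabled after `gpupdate /force`, the domain-level GPO has not applied to this machine yet and recreating the trusts will fail the same way.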

  3. Curtis Fray

    Hi Bob,

    That did the trick. Thanks for coming to the rescue!!

    Curtis.
     
    Curtis Fray, Jul 22, 2004
    #3
  4. My pleasure!

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

     
    Bob Qin [MSFT], Jul 22, 2004
    #4