RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-04 Thread raynus-ky_choo
Yeah, all of the DCs had SP1 installed a long time back. There are a few other NT4 
trusts in the win2k3 domain, so, not wanting to take the risk, we decided not to re-apply 
again. Further, we've only a single domain, no child; policy settings are 
identical among them.

Thanks for the info. However, the nt4 domain owner decided to upgrade the box 
to win2k. 

Best Regards, 
Raynus Ky CHOO 
Windows Administrator (ADSM/NT Security) 
Spherion Technology Group, Singapore 
For Agilent Technologies 
Hotline: 215-8485 (24x5) 
Telnet: 215-7290 
E-mail: [EMAIL PROTECTED] 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Saturday, March 04, 2006 4:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003
fails

Is the w2k3 forest SP1?

If so then the security settings in the default DC policy may have to be
altered. I had this issue, which caused me to roll back SP1 upgrades until I
could resolve the trust issues between SP1 and NT4.0. The settings that had
to change were not the ones detailed in the troubleshooting trusts that
Microsoft has published. How do I know this? I applied them and they did
nothing. To resolve the issue: I had a root domain with two child domains; the
trust worked with one SP1 child domain and not the other. They both had
different Default Domain Controller Group Policy settings, so I exported the
working one to the failing domain and voila, the trusts worked. I then had
to do some more clean-up work afterwards, as the security objects from the
NT4.0 domain would then only appear as SIDs and not their nice NT 4.0 names.
Sorry I cannot help any more, but there is now 20 miles between me and my
office so I can't detail any more info.

Oh, and the other common gotcha: if you are an international company, make
sure the keyboards in each domain are the same language.


HTH

Mark


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J
Mr ANOSC/FCBS
Sent: 03 March 2006 20:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003
fails

It's been a while, but I created a bunch of these a while back.  First off,
remove the trusts from both sides.  Then reboot both the NT PDC and the 2003
PDCE.  When they come back up try to establish the trust again.  If it still
fails then look at the tips below.

Make sure that the RestrictAnonymous is set to 0 on both the NT PDC and
the 2003 PDCE.  Key should be located under the following path; create it if
it's not there:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Also, make sure that the LMCompatibilityLevel key is set to a level that
will work on both the PDC/PDCE, i.e. NT PDC = 4 and 2003 PDCE = 5.  Key is
also located under the same path.


Thanks... ... ... ...
Sergio J. Olivarez - Contractor
GD-NS
 
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 03, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003
fails

You might get more information if you run a network trace (e.g. using
NetMon).

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 4 March 2006 8:21 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] external trust between NT4 domain and windows 2003
fails

Hi, 

Need help desperately to set up a trust between NT4 and win2k3. I've error
'domain controller not found'.
I'm pretty sure the name resolution for each other is fine (by lmhosts); the
trust was working before, however after it broke, I can't re-establish it
again.
Seen someone has the same error,
http://www.experts-exchange.com/Operating_Systems/WinNT/Q_21631912.html, have
tried the MSKB Article 325874 troubleshooting, but it couldn't help much.
Best Regards,
Raynus Ky CHOO
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
Hotline: 215-8485 (24x5)
Telnet: 215-7290
E-mail: [EMAIL PROTECTED] 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread Olivarez, Sergio J Mr ANOSC/FCBS
It's been a while, but I created a bunch of these a while back.  First off,
remove the trusts from both sides.  Then reboot both the NT PDC and the 2003
PDCE.  When they come back up try to establish the trust again.  If it still
fails then look at the tips below.

Make sure that the RestrictAnonymous is set to 0 on both the NT PDC and
the 2003 PDCE.  Key should be located under the following path; create it if
it's not there:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Also, make sure that the LMCompatibilityLevel key is set to a level that
will work on both the PDC/PDCE, i.e. NT PDC = 4 and 2003 PDCE = 5.  Key is
also located under the same path.


Thanks... ... ... ...
Sergio J. Olivarez - Contractor
GD-NS
 
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 03, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003
fails

You might get more information if you run a network trace (e.g. using
NetMon).

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 4 March 2006 8:21 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] external trust between NT4 domain and windows 2003
fails

Hi, 

Need help desperately to set up a trust between NT4 and win2k3. I've error
'domain controller not found'.
I'm pretty sure the name resolution for each other is fine (by lmhosts); the
trust was working before, however after it broke, I can't re-establish it
again.
Seen someone has the same error,
http://www.experts-exchange.com/Operating_Systems/WinNT/Q_21631912.html, have
tried the MSKB Article 325874 troubleshooting, but it couldn't help much.
Best Regards,
Raynus Ky CHOO
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
Hotline: 215-8485 (24x5)
Telnet: 215-7290
E-mail: [EMAIL PROTECTED] 
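
A check of the two LSA values named in the message above, as an added example that is not part of the original thread: it reads RestrictAnonymous and LmCompatibilityLevel and tests whether what one side sends is accepted by the other. The host names and sample values are constructed, the function names are hypothetical, and the level meanings follow Microsoft's documented LmCompatibilityLevel semantics.

```powershell
# Added example. Host names and values below are constructed sample data.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaSettings {
    # Reads the local machine's values; an absent value comes back as $null.
    $p = Get-ItemProperty -Path $LsaPath
    [pscustomobject]@{
        Name                 = $env:COMPUTERNAME
        RestrictAnonymous    = $p.RestrictAnonymous
        LmCompatibilityLevel = $p.LmCompatibilityLevel
    }
}

function Get-SentProtocols([int]$Level) {
    # What a machine offers when it authenticates as a client.
    if ($Level -le 1) { return 'LM', 'NTLM' }
    if ($Level -eq 2) { return 'NTLM' }
    return 'NTLMv2'
}

function Get-AcceptedProtocols([int]$Level) {
    # What a domain controller accepts from clients.
    if ($Level -ge 5) { return 'NTLMv2' }
    if ($Level -eq 4) { return 'NTLM', 'NTLMv2' }
    return 'LM', 'NTLM', 'NTLMv2'
}

function Test-TrustAuth($Client, $Server) {
    $sent     = @(Get-SentProtocols $Client.LmCompatibilityLevel)
    $accepted = @(Get-AcceptedProtocols $Server.LmCompatibilityLevel)
    $common   = @($sent | Where-Object { $accepted -contains $_ })
    [pscustomobject]@{
        Direction = "$($Client.Name) -> $($Server.Name)"
        Sent      = $sent -join ','
        Accepted  = $accepted -join ','
        Works     = $common.Count -gt 0
    }
}

# Constructed inputs: the 4/5 pair from the thread, plus a mismatched pair.
$nt4   = [pscustomobject]@{ Name = 'NT4-PDC';   RestrictAnonymous = 0; LmCompatibilityLevel = 4 }
$w2k3  = [pscustomobject]@{ Name = 'W2K3-PDCE'; RestrictAnonymous = 0; LmCompatibilityLevel = 5 }
$oldNt = [pscustomobject]@{ Name = 'NT4-OLD';   RestrictAnonymous = 1; LmCompatibilityLevel = 1 }

Test-TrustAuth $nt4 $w2k3; Test-TrustAuth $w2k3 $nt4   # thread's pair, each direction
Test-TrustAuth $oldNt $w2k3                            # level 1 client against a level 5 DC

# RestrictAnonymous = 0 adds no restriction on anonymous (null session) connections.
$nt4, $w2k3, $oldNt | Where-Object { $_.RestrictAnonymous -eq 0 } |
    ForEach-Object { "$($_.Name): RestrictAnonymous=0, anonymous enumeration not restricted" }
```

On a live domain controller, pass the output of `Get-LsaSettings` from each side in place of the constructed objects, and record the values before changing them so they can be restored once the trust is re-established.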




RE: [ActiveDir] external trust between NT4 domain and windows 2003 fails

2006-03-03 Thread Mark Parris
Is the w2k3 forest SP1?

If so then the security settings in the default DC policy may have to be
altered. I had this issue, which caused me to roll back SP1 upgrades until I
could resolve the trust issues between SP1 and NT4.0. The settings that had
to change were not the ones detailed in the troubleshooting trusts that
Microsoft has published. How do I know this? I applied them and they did
nothing. To resolve the issue: I had a root domain with two child domains; the
trust worked with one SP1 child domain and not the other. They both had
different Default Domain Controller Group Policy settings, so I exported the
working one to the failing domain and voila, the trusts worked. I then had
to do some more clean-up work afterwards, as the security objects from the
NT4.0 domain would then only appear as SIDs and not their nice NT 4.0 names.
Sorry I cannot help any more, but there is now 20 miles between me and my
office so I can't detail any more info.

Oh, and the other common gotcha: if you are an international company, make
sure the keyboards in each domain are the same language.


HTH

Mark


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J
Mr ANOSC/FCBS
Sent: 03 March 2006 20:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003
fails

It's been a while, but I created a bunch of these a while back.  First off,
remove the trusts from both sides.  Then reboot both the NT PDC and the 2003
PDCE.  When they come back up try to establish the trust again.  If it still
fails then look at the tips below.

Make sure that the RestrictAnonymous is set to 0 on both the NT PDC and
the 2003 PDCE.  Key should be located under the following path; create it if
it's not there:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Also, make sure that the LMCompatibilityLevel key is set to a level that
will work on both the PDC/PDCE, i.e. NT PDC = 4 and 2003 PDCE = 5.  Key is
also located under the same path.


Thanks... ... ... ...
Sergio J. Olivarez - Contractor
GD-NS
 
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 03, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] external trust between NT4 domain and windows 2003
fails

You might get more information if you run a network trace (e.g. using
NetMon).

Tony 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 4 March 2006 8:21 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] external trust between NT4 domain and windows 2003
fails

Hi, 

Need help desperately to set up a trust between NT4 and win2k3. I've error
'domain controller not found'.
I'm pretty sure the name resolution for each other is fine (by lmhosts); the
trust was working before, however after it broke, I can't re-establish it
again.
Seen someone has the same error,
http://www.experts-exchange.com/Operating_Systems/WinNT/Q_21631912.html, have
tried the MSKB Article 325874 troubleshooting, but it couldn't help much.
Best Regards,
Raynus Ky CHOO
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
Hotline: 215-8485 (24x5)
Telnet: 215-7290
E-mail: [EMAIL PROTECTED] 

