2003 to NT Domain Trust not working.


Eric Trevore

Quick Summary of problem: Everything works perfectly
within the NT domain. Everything works perfectly within
the Windows 2000 domain. Everything works as expected
when connecting to shares between the two non-trusting
domains. NT domain cannot find domain controller for 2000
domain when workstations try to join the domain or when
PDC tries to create a trust. Windows 2000 domain
controllers cannot find domain controllers for NT domain
when validating trusts.

Details:
There are two domains, a Windows NT domain named domNT
and a Windows 2000 domain named dom2K.com (NETBIOS name:
dom2K).

Everything works fine within domNT (the Windows NT
domain). The domain contains an NT Server 4.0 PDC, NT
Server 4.0 BDC, 2000 Member Servers, NT 4.0 Workstation
clients, and XP clients. Each computer has the latest
service pack applied. Each computer is on the 10.0.0.x
network. Every computer can ping all other computers on
both domains. Every computer in the domain can connect to
every other computer in its domain.

Everything works fine within dom2K (the Windows 2000
domain). The domain contains a 2000 Server as the forest
root domain controller, 2000 Server domain controller,
and XP clients. Each computer is also on the 10.0.0.x
network. Every computer can ping all other computers in
both domains. Every computer in the domain can connect to
every other computer in its domain.

One of the Windows 2000 member servers runs WINS. Both
domains use this WINS server. Both domains use DNS on the
dom2K domain controllers. All computers can resolve
names. Computers in both domains can navigate to Network
Neighborhood/My Network Places->Entire Network and see
both domains and computers within each domain.

A computer in domNT can connect to a resource in dom2K
with the following command line (users have accounts in
each domain):

net use \\dom2Ksrv1\share 2Kpassword /user:dom2K\2Kusername

A computer in dom2K can connect to a resource in domNT
with the following command line (users have accounts in
each domain):

net use \\domNTsrv1\share NTpassword /user:domNT\NTusername

There are no network connectivity issues. There are no
routing issues. There are no name resolution issues. Here
are the problems:

1. When an NT workstation in domNT tries to join dom2K,
there is an error message "Could not find domain
controller for this domain." NETBIOS name dom2K is used,
not dom2K.com.

2. When dom2K is added as a trusted domain in domNT on
the NT 4.0 PDC in domNT, there is an error message "Could
not find domain controller for this domain." (I can add
dom2K as a trusting domain because there is no validation
process; NT allows and automatically accepts anything
added to the trusting domain box.) NETBIOS name dom2K is
used, not dom2K.com.

3. When domNT is added as a trusting or trusted domain in
dom2K it is accepted but during the validation process,
when a valid domain admin username/password is entered,
the validation fails with an error message

The verification of the incoming trust failed with the
following error(s):
The target system domNTsrv1 does not support NetLogon
trust password verification. A secure channel reset will
be attempted.
The secure channel reset failed with error 1355: The
specified domain either does not exist or could not be
contacted.

The verification of the outgoing trust failed with the
following error(s):
The trust password verification test was inconclusive.
A secure channel reset will be attempted.
The secure channel reset failed with error 1311: There
are currently no logon servers available to service the
logon request.

When either the trusting domain or trusted domain is
re-validated, the following error message
appears: "Verification of the trust between the domain
dom2K.com and the domain domNT was unsuccessful because:
There are currently no logon servers available to service
the logon request."

But a logon server is available because with a bad
username/password combination, a dialog box appears "To
complete this operation, you must log on to domain domNT
as a user with permission to modify trusts" that asks for
the username and password again.

Although using LMHOSTS should not be necessary, it was
still implemented because some websites suggested it. All
domain controllers are using the same WINS server and
enable LMHOSTS is checked. On the domain controllers in
domNT, the LMHOSTS file is as follows:

10.0.0.8 dom2Ksrv1 #PRE #DOM:dom2K
10.0.0.8 "dom2K \0x1b" #PRE

On the domain controllers in dom2K, the LMHOSTS file is
as follows:

10.0.0.16 domNTsrv1 #PRE #DOM:domNT
10.0.0.16 "domNT \0x1b" #PRE

The same error messages still appear. What must be done
in order to enable a trust relationship between the two
domains?

None of the following articles were of any use:

Q111565 How to Create a Trust Relationship from One Computer
Q139410 Err Msg: There are Currently No Logon Servers Available...
Q175025 How to Build and Reset a Trust Relationship from a Command Line
Q196464 An Overview of Active Directory
Q255551 Cannot Set Up Trust in Windows 2000 Domain from Windows NT 4.0
 
Eric, I am having the same problems as you were. How did you manage to resolve the problem?

Many thanks
Carl

 
Hi Cabland,

I have the same problems.
I am trying to get a trust between NT 4.0 and W2k3.
I worked through KB 325874.
I have made a WINS replication between the two domains.
I can connect to shares on each domain.
The trust was successfully done on the NT 4.0 side,
but on the W2k3 side I still get the same error message:

The verification of the outgoing trust failed with the following error(s):
The trust password verification test was inconclusive.
A secure channel reset will be attempted.
The secure channel reset failed with error 1311: There are currently no logon servers available to service the logon request.

How did you fix the problem?
 
Hi Jan_70

I did manage to get the trust working eventually, although it took several attempts.

Have you created host files with entries for each of the domains? The spacing needs to be exact in this. I'll post the contents of the lmhost file here a little later today when I get to the office.
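
The LMHOSTS entries quoted in the first post and the remark above that the spacing needs to be exact, as an added example that is not part of the original thread: in a quoted LMHOSTS name the text before `\0xNN` must be space-padded to exactly 15 characters so that the escape becomes the 16th NetBIOS byte. The function names are assumptions of this example, and the sample lines are copied as they render on this page, where the original spacing may have been collapsed.

```python
import ipaddress
import re

NAME_LEN = 15  # NetBIOS name characters before the 16th (type) byte
ESCAPE = re.compile(r"\\0x([0-9A-Fa-f]{2})$")
ENTRY = re.compile(r'^\s*(\S+)\s+("[^"]*"|\S+)\s*(.*)$')

# Constructed sample: the domNT-side entries as rendered in the first post.
SAMPLE = [
    '10.0.0.8 dom2Ksrv1 #PRE #DOM:dom2K',
    '10.0.0.8 "dom2K \\0x1b" #PRE',
]

def pdc_entry(ip, domain):
    """Build a correctly padded '<domain>[1B]' (PDC) LMHOSTS line."""
    if len(domain) > NAME_LEN:
        raise ValueError("NetBIOS domain names are at most 15 characters")
    return '%s "%s\\0x1b" #PRE' % (ip, domain.ljust(NAME_LEN))

def check_line(line):
    """Return the problems found in one LMHOSTS line (empty list if clean)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []  # blank line, comment or directive
    m = ENTRY.match(line)
    if not m:
        return ["not in '<ip> <name> [#keywords]' form"]
    ip, name, _keywords = m.groups()
    problems = []
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        problems.append("invalid IPv4 address %r" % ip)
    if name.startswith('"'):
        inner = name[1:-1]
        esc = ESCAPE.search(inner)
        if not esc:
            problems.append("quoted name has no trailing \\0xNN type byte")
        elif len(inner[:esc.start()]) != NAME_LEN:
            problems.append(
                "name before \\0x%s is %d characters, must be space-padded to %d"
                % (esc.group(1), len(inner[:esc.start()]), NAME_LEN))
    elif len(name) > NAME_LEN:
        problems.append("unquoted name longer than 15 characters")
    return problems

if __name__ == "__main__":
    for entry in SAMPLE + [pdc_entry("10.0.0.8", "dom2K")]:
        print(repr(entry), "->", check_line(entry) or "ok")
```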
 
Hi cabland,
No, so far I have used only lmhost and WINS.
I will try it with the domain entries in the host file.
 