AD trusts

U Garfield

I am having a problem getting an NT4.0 SP6 PDC to trust a Win2000 SP3 AD controller. The machines are physically connected on the same ethernet. They can ping each other. The AD domain is in WINS, as is the Win2000 controller.

I am following the Microsoft Doc 308195. When I get to the first step, "add trusted Domains", I get the error: "Could not find domain controller for this domain". I continued with the win2000 trusts winNT and this is what I can do.

I can mount a drive from the Win2000 server on the NT PDC at the command prompt using "net use z: \\NTserver\netlogon" with no password needed, cannot do it with "map network drive". I can mount a drive using "Map Network Drive" on the Win2000 server without using a password. The NT4.0 PDC sees the AD domain in network neighborhood, the Win2000 server sees the NT4.0 domain in network neighborhood.

I added the NT computer in the AD computer list. The Win2000 controller IP is in WINS and LMHOSTS, see below:

# LMHOSTS file on ntsrvr
10.10.20.17 win2000srv #PRE #DOM:ADDOMAIN #Domain controller
10.10.20.17 "ADDOMAIN \0x1C" #PRE
10.10.20.13 ntsrvr
10.10.20.17 "ADDOMAIN \0x00" #PRE

Not getting a two way trust working is preventing me from using ADMT in the AD controller to move my users. I run user migration tool, test migration settings, and I get "Access denied Error code=5, domain=NTDOMAIN".


HELP!!!

Ursula
 
The error indicates that there is a name resolution problem. Verify that
your lmhosts file is correct. If the spacing isn't correct it can cause the
file to fail. Take a look at "180094 How to Write an LMHOSTS File for
Domain Validation and Other Name http://support.microsoft.com/?id=180094".

You also need to verify that you checked the option for "enable lmhosts
lookup" on the tcp/ip properties of the NT server. If all is well you
should be able to run nbtstat -c and see the domain records in the cache.

I find it easier to create a trust from the command line using netdom. You
can create both sides at once from the win2k server. I've included the
syntax below. Name resolution will need to be working in order for this to
work.



NETDOM TRUST /d:myntdom mywin2kdom /ADD /TWOWAY /Ud:myntdom\administrator /Pd:*


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
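
The spacing rule the reply above refers to, as an added example that is not part of the original posts: a quoted LMHOSTS name must be space-padded to 15 characters before the \0xNN byte, so 20 characters sit between the quotes. The function names are made up for this example, and the sample is constructed from the entries quoted earlier in the thread.

```python
import re

QUOTED = re.compile(r'"([^"]*)"')              # special name in double quotes
SUFFIX = re.compile(r'\\0x([0-9A-Fa-f]{2})$')  # literal \0xNN = 16th byte


def pad_name(name, suffix):
    """Build a quoted LMHOSTS name: 15 padded characters plus \\0xNN."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are limited to 15 characters")
    return '"%s\\0x%02X"' % (name.ljust(15), suffix)


def check_lmhosts(text):
    """Return (line_number, problem) for each malformed quoted entry."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0]  # drop keywords and comments
        m = QUOTED.search(entry)
        if not m:
            continue  # plain host entry, nothing to pad
        name = m.group(1)
        s = SUFFIX.search(name)
        if not s:
            problems.append((num, "no \\0xNN suffix in quoted name"))
        elif s.start() != 15:
            problems.append(
                (num, "name part is %d characters, not 15" % s.start()))
    return problems


# Constructed sample: the entries quoted in the thread, then one padded entry.
SAMPLE = "\n".join([
    r'10.10.20.17 win2000srv #PRE #DOM:ADDOMAIN #Domain controller',
    r'10.10.20.17 "ADDOMAIN \0x1C" #PRE',
    r'10.10.20.13 ntsrvr',
    r'10.10.20.17 "ADDOMAIN \0x00" #PRE',
    '10.10.20.17 ' + pad_name("ADDOMAIN", 0x1C) + ' #PRE',
])

if __name__ == "__main__":
    for num, problem in check_lmhosts(SAMPLE):
        print("line %d: %s" % (num, problem))
```
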
 
I included the LMHOSTS file in my first post. I got the NETDOM TRUST command to work and now I see the two way trust setup in my NT and 2000 servers, but when I run ADMT migrate users, I am getting "Access is denied, (Error code=5, domain=MYNT-DOMAIN)".

My domain name has a "-" in it, does that matter?

When I used the NETDOM command I used the NT domain admin name and password.

Ursula
 
I tried adding the NT administrator to the AD admin group, but I do not see the NT domain. I also tried to add the AD administrator to the NT admin group and I did not see a selection to change groups, so on the NT PDC, under user, I selected "select Domain" and selected the ADDOMAIN and I got, "cannot find domain controller for this domain".

Now on the Win2000 controller, I am getting:

C:\Documents and Settings\Administrator.FL>net use z: \\ntpdc\netlogon
System error 1385 has occurred.

Logon failure: the user has not been granted the requested logon type at this computer.

Ursula
 
I'm getting a very similar problem as described here. I have an AD Server (SVRDC) (I've turned WINS off and am just using an lmhosts file). My NT4 SP6a server is SVR-PDC (note the dash). It has WINS and DNS installed. Per others' suggestions, though, I'm using an LMHOSTS file on that server as well.

Here is where my situation seems to be unique. Using either command line tools or the GUI tools, I'm able to create a full two way trust! And it seems to hold (known by monitoring with DOMMON) for about 15 minutes OR until I attempt to "use" the trust. In either case, the NT4 trusting of the AD fails. The AD trusting of the NT4 seems to remain intact.

This just has me baffled! On a related note, I have an NT4 BDC called (SPOT) with no DASH. The DOMMON utility shows that the SPOT server retains its trust. (This of course does me no real good since only the PDC has the SAM database that I need to connect to for ADMT V2 to work!)

Does anyone have any suggestions, reasons, etc...

Thanks,
Sean Earnhardt
 
OK, I got the trust to work using the Net Dom command, but in order for ADMT to work I had to map a drive, using net use and the NT Admin username and then password. I managed to migrate the users and groups, but when I try to migrate the computers, the program hangs.

Any ideas?

Ursula
 