Another Trust issue

MS News

I have three domains. Two NT and one AD. I can establish a trust between one
of the NT1 domains and the AD domain, and I can establish a trust between
the two NT domains, but I can not establish a trust between the second NT2
domain and the AD domain. I get the error "No logon servers available"

I have checked the lmhosts and removed and added the trusts several times
between the NT2 and the AD domain and still nothing.

Using the Domain monitor on the AD server I can see NT1 fine. The NT2 domain
is red with no trusted domains listed in that column. When I look at the
properties for NT2 I see the following: DC Name - \\NT2Server, DC State -
OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
PDC - BadPath, Link to Trusted Domain - Success

Using the Domain Monitor on the NT2 server I can see the NT1 fine. The AD is
red with all the lines filled in properly. When I select the properties I
have two servers listed, which are both AD DCs. The first server is insync
and everything looks good. The second server has DC Status - NoLogSr,
Connection to PDC - Bad Path, Link to Trusted Domain - Error
 
I'm not sure what exactly you put in your lmhosts file, but for those
two that aren't working, be sure that it includes the 1B registration for
both the nt4 pdc and your win2k pdce. If that isn't there, you can look at
the following to get it in there, and be sure that you see the registration
when you run nbtstat:
180094 How to Write an LMHOSTS File for Domain Validation and Other Name
http://support.microsoft.com/?id=180094

Also compare the following registry entries between the one nt4 pdc that
will set the trust with win2k, and the one where it won't.
Restrictanonymous is a fairly common cause, and may need to be set to "0",
at least initially to get the trust established;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Lmcompatibilitylevel

And

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\restrictanonymous





--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
I did all that, still no luck.

David Brandt said:
I'm not sure what exactly you put in your lmhosts file, but for those
two that aren't working, be sure that it includes the 1B registration for
both the nt4 pdc and your win2k pdce. If that isn't there, you can look at
the following to get it in there, and be sure that you see the registration
when you run nbtstat:
180094 How to Write an LMHOSTS File for Domain Validation and Other Name
http://support.microsoft.com/?id=180094

Also compare the following registry entries between the one nt4 pdc that
will set the trust with win2k, and the one where it won't.
Restrictanonymous is a fairly common cause, and may need to be set to "0",
at least initially to get the trust established;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Lmcompatibilitylevel

And

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\restrictanonymous

 
Open a dos prompt and run nbtstat -c on the W2k DC
then mark, copy and post the contents. You can mask
the names and tcp/ip addresses.
 
Local Area Connection:
Node IpAddress: [10.0.0.8] Scope Id: []

NetBIOS Remote Cache Name Table

Name Type Host Address Life [sec]
------------------------------------------------------------
AD <1C> GROUP 10.0.0.12 -1
NT1 <1C> GROUP 10.10.0.24 -1
NT1 <1C> GROUP 10.0.0.67 -1
NT1 <1B> UNIQUE 10.0.0.67 -1
NT1Server <03> UNIQUE 10.0.0.67 -1
NT1Server <00> UNIQUE 10.0.0.67 -1
NT1Server <20> UNIQUE 10.0.0.67 -1
NT2 <1B> UNIQUE 10.10.0.24 -1
NT2Server <03> UNIQUE 10.10.0.24 -1
NT2Server <00> UNIQUE 10.10.0.24 -1
NT2Server <20> UNIQUE 10.10.0.24 -1
 
From the win2k server.

C:\WINDOWS\system32\drivers\etc>net view \\nt2
System error 5 has occurred.

Access is denied.
 
This might help. I originally installed the 2k3 server with a different
domain name. At that time the trust worked. I then decided to change the
domain name so I completely reinstalled the 2k3 with the same server name,
but new domain name. Now the trust does not work.
 
I don't know if this means anything or not.
I added the AD server to the Server Manager in the NT2 computer. If I select
the AD server I can see everything. Not only that but I can change to the AD
domain in the Server Manager and see all the computers, shares and everything
in the AD domain. But if I try to add AD domain users to a folder it can't
browse the corp domain. I am assuming that that means that one way of the
trust works, but not the other.
 
Assuming the NT1 1c group name pointing towards
tcp/ip address 10.10.0.24 is a typo and should be NT2?
I think name resolution looks good. I suspect something
is blocking the necessary netbios traffic between the two
domains e.g., router or firewall.

MS News said:
Local Area Connection:
Node IpAddress: [10.0.0.8] Scope Id: []

NetBIOS Remote Cache Name Table

Name Type Host Address Life [sec]
------------------------------------------------------------
AD <1C> GROUP 10.0.0.12 -1
NT1 <1C> GROUP 10.10.0.24 -1
NT1 <1C> GROUP 10.0.0.67 -1
NT1 <1B> UNIQUE 10.0.0.67 -1
NT1Server <03> UNIQUE 10.0.0.67 -1
NT1Server <00> UNIQUE 10.0.0.67 -1
NT1Server <20> UNIQUE 10.0.0.67 -1
NT2 <1B> UNIQUE 10.10.0.24 -1
NT2Server <03> UNIQUE 10.10.0.24 -1
NT2Server <00> UNIQUE 10.10.0.24 -1
NT2Server <20> UNIQUE 10.10.0.24 -1

Open a dos prompt and run nbtstat -c on the W2k DC
then mark, copy and post the contents. You can mask
the names and tcp/ip addresses.
 
You're correct, looks like a typo.

There is a router separating the two domains. I have an NT trust between the
two working. NT1 and NT2 trust each other fine. NT1 is on the same side of
the router as AD.

In another email I mentioned that I had the trust working at one time. I
changed the name of the AD domain by completely reinstalling win2k3. I used
the same server name, but different domain name. Now I can not get it to
connect.

Michael Giorgio - MS MVP said:
Assuming the NT1 1c group name pointing towards
tcp/ip address 10.10.0.24 is a typo and should be NT2?
I think name resolution looks good. I suspect something
is blocking the necessary netbios traffic between the two
domains e.g., router or firewall.

MS News said:
Local Area Connection:
Node IpAddress: [10.0.0.8] Scope Id: []

NetBIOS Remote Cache Name Table

Name Type Host Address Life [sec]
------------------------------------------------------------
AD <1C> GROUP 10.0.0.12 -1
NT1 <1C> GROUP 10.10.0.24 -1
NT1 <1C> GROUP 10.0.0.67 -1
NT1 <1B> UNIQUE 10.0.0.67 -1
NT1Server <03> UNIQUE 10.0.0.67 -1
NT1Server <00> UNIQUE 10.0.0.67 -1
NT1Server <20> UNIQUE 10.0.0.67 -1
NT2 <1B> UNIQUE 10.10.0.24 -1
NT2Server <03> UNIQUE 10.10.0.24 -1
NT2Server <00> UNIQUE 10.10.0.24 -1
NT2Server <20> UNIQUE 10.10.0.24 -1

Open a dos prompt and run nbtstat -c on the W2k DC
then mark, copy and post the contents. You can mask
the names and tcp/ip addresses.

I did all that, still no luck.
 
Interestingly enough the error you are seeing is
specific to name resolution e.g., the Ad domain
cannot resolve the domain name 1c group name.
Immediately after attempting to create the trust
relationship open a dos prompt and run nbtstat -c
now what do you see? If you see any entries with
a TTL or time to live of 600 seconds or less post
them.
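As an added example (not part of the thread), a small Python script that parses the nbtstat -c cache table posted earlier and applies the checks the replies make by hand: a domain with a <1B> PDC record but no <1C> group record, a domain with no <1B> record at all, a <1C> address that is really another domain's PDC (the suspected NT1/NT2 typo), and, for the request just above, entries whose Life is 600 seconds or less. The sample table is constructed from the rows posted in the thread.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the nbtstat -c rows posted in the thread.
NBTSTAT_CACHE = """\
    AD             <1C>  GROUP       10.0.0.12       -1
    NT1            <1C>  GROUP       10.10.0.24      -1
    NT1            <1C>  GROUP       10.0.0.67       -1
    NT1            <1B>  UNIQUE      10.0.0.67       -1
    NT1Server      <20>  UNIQUE      10.0.0.67       -1
    NT2            <1B>  UNIQUE      10.10.0.24      -1
    NT2Server      <20>  UNIQUE      10.10.0.24      -1
"""

# One cache row: name, <suffix> (1B = PDC, 1C = DC group), type, address, life in seconds
ENTRY = re.compile(r"^\s*(\S+)\s+<([0-9A-F]{2})>\s+(GROUP|UNIQUE)\s+(\S+)\s+(-?\d+)\s*$")

def parse_cache(text):
    rows = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            name, suffix, kind, addr, life = m.groups()
            rows.append((name, suffix, kind, addr, int(life)))
    return rows

def fresh_entries(rows, max_life=600):
    # Life -1 is a preloaded (#PRE) entry; a positive life is a recent dynamic lookup
    return [r for r in rows if 0 <= r[4] <= max_life]

def check_domains(rows):
    pdc, dcs = {}, defaultdict(set)
    for name, suffix, _kind, addr, _life in rows:
        if suffix == "1B":
            pdc[name] = addr
        elif suffix == "1C":
            dcs[name].add(addr)
    problems = {}
    for dom in sorted(set(pdc) | set(dcs)):
        issues = []
        if dom not in pdc:
            issues.append("no <1B> PDC record")
        if dom not in dcs:
            issues.append("no <1C> domain-controller group record")
        # a 1C address that is really another domain's PDC points at a mistyped entry
        for addr in sorted(dcs.get(dom, ())):
            for other, oaddr in pdc.items():
                if other != dom and oaddr == addr:
                    issues.append("<1C> address %s is the PDC of %s" % (addr, other))
        if issues:
            problems[dom] = issues
    return problems
```

On a real machine, feed it the output of `nbtstat -c` captured right after the failed trust attempt, as the reply above suggests.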
 
Here is something that might be interesting. My AD domain name consists of
two parts. (corp.ad) I also have two DCs in that AD. Server1 and server2,
both DCs for the corp.ad domain.

corp is the domain that I am trying to set up the trust with. I am using
server1.

If I do a net view \\corp I get server2 share information. If I ping corp it
pings server2

If I do a net view \\corp.ad I get server1 share information. If I ping
corp.ad I get a bad IP address.
 
Sounds like they both have the same netbios domain name.
By default corp will be the netbios domain name of an AD
domain. Go into system properties and click on computer
name then click change and more. You should see the
netbios name.
 
If the NT domain name is the same as the
netbios domain name the trusts will fail.
 
In a previous reply I asked you for the netbios
names of the NT 4.0 domain and the problem
W2k domain. The NT 4.0 domain name is
not "corp"? The W2k domain name is not
corp.ad? The W2k domain would have a
default netbios name of corp not corp.ad.
 
domain NT1 netbios NTServer1
domain NT2 netbios NTServer2
domain CORP or CORP.AD netbios ADServer1
domain CORP or CORP.AD netbios ADServer2


NT1 and Corp trust works fine, both on same subnet.
NT1 and NT2 trust works fine, different subnets
NT2 and Corp no logon servers to complete trust looks like one way works.

I think it has to do with a SID. The trust worked until I renamed the Corp
Active Directory by reinstalling win2k3 on ADServer1 and ADServer2
 
Sounds to me like something is blocking Netbios
packets in either domain. Attempt to map to a
share across domains first by name, then by tcp/ip
address. If you get errors what are they?
 
H:\>net use X: \\NT2Server\c$
Enter the user name for 'nt2server': msnews
Enter the password for nt2server:
System error 1311 has occurred.

There are currently no logon servers available to service the logon request.
H:\>

I get the same thing when I map with an IP.
 