NT40 & W2K AD Trust.


bash

I have an Active Directory domain under Server 2000 in
native mode. I also have an NT 4.0 domain.

I would like to establish trust between these two domains.

I followed the instructions in TechNet article Q306733 and
Q180094.

I even created an LMHOSTS file on each server with the
other server's info in it:

********* LMHOSTS on AD 2000 ********
192.168.1.251 NT40PDC #PRE #DOM:SHAQUILLE
192.168.1.251 "SHAQUILLE \0x1b" #PRE
*************************************

********* LMHOSTS on NT4.0 **********
192.168.1.253 W2K-AD #PRE #DOM:WIN
192.168.1.253 "WIN \0x1b" #PRE
*************************************

On the W2K server I can ping the NT40 server by IP and by
NETBIOS name.

On the NT40 server I can ping the W2K server by IP and by
NETBIOS name.

I run NBTSTAT -R on the W2K server then NBTSTAT -c, I get

***********
SHAQUILLE <1C> GROUP 192.168.1.251 -1
SHAQUILLE <1B> UNIQUE 192.168.1.251 -1
NT40PDC <03> UNIQUE 192.168.1.251 -1
NT40PDC <00> UNIQUE 192.168.1.251 -1
NT40PDC <20> UNIQUE 192.168.1.251 -1
***********

I run NBTSTAT -R on the NT40 server then NBTSTAT -c, I get
***********
W2K-AD <03> UNIQUE 192.168.1.253 -1
W2K-AD <00> UNIQUE 192.168.1.253 -1
W2K-AD <20> UNIQUE 192.168.1.253 -1
WIN <1C> GROUP 192.168.1.253 -1
WIN <1B> UNIQUE 192.168.1.253 -1
***********

When I try to establish the trust using the NT40 server, I
get "Could not find domain controller for this domain"

When I try to establish the trust using the W2K server, I
get "Shaquille domain cannot be contacted."

When I try to search for one server on the other server
using search for computers utility under Windows Explorer,
I can't find the other server.

Any ideas? Am I missing something?

TIA,

Bash
 
Bash,

First, good work on getting name resolution out of the picture. The 1B/1C
often are the root cause, so that is a great place to start.

Next thing I'd be looking at are things like smb signing, lmcompat and
restrict anonymous.
To do that, hop on to the W2K PDCe and check out the following reg keys:
HKLM\System\CurrentControlSet\Control\LSA
Check out what restrictanonymous and lmcompatibilitylevel are set to. If
anything above 0, change them to be 0 and reboot the PDCe. The trust can
work with them turned up, but for the sake of troubleshooting this is a good
step.
I don't have a W2K box in front of me but another thing to check is in the
local security policy of the machine, somewhere down in security
settings\local policies\security options. It should be something like
Digitally sign communications (always) and we want that set to disabled.

Let's turn those settings down, reboot and see if we can set up the trust
then.

~Eric
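
An added example, not part of the original thread: a Python check that the NBTSTAT -c rows quoted in the first post contain the records Eric refers to (the domain's <1B> and <1C> names) plus the PDC's <00> and <20> names, all at the expected address. The function names and the one-row-per-line layout are assumptions of this sketch; the sample rows are copied from the post.

```python
import re

# NBTSTAT -c rows as quoted in the first post (W2K server's view of the NT4 side).
W2K_CACHE = """\
SHAQUILLE <1C> GROUP 192.168.1.251 -1
SHAQUILLE <1B> UNIQUE 192.168.1.251 -1
NT40PDC <03> UNIQUE 192.168.1.251 -1
NT40PDC <00> UNIQUE 192.168.1.251 -1
NT40PDC <20> UNIQUE 192.168.1.251 -1
"""

# name, <suffix>, type, address, life; layout assumed to match the rows above.
ROW = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+(-?\d+)\s*$"
)

def parse_cache(text):
    """Parse cache rows into dicts, skipping headers and separator lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, ip, life = m.groups()
            rows.append({"name": name.upper(), "suffix": suffix.upper(),
                         "type": kind, "ip": ip, "preloaded": life == "-1"})
    return rows

def check_trust_names(text, domain, pdc, pdc_ip):
    """Return a list of problems; an empty list means every required record
    is cached with the right type and address."""
    required = [
        (domain, "1B", "UNIQUE"),  # domain master browser, registered by the PDC
        (domain, "1C", "GROUP"),   # domain controllers group
        (pdc, "00", "UNIQUE"),     # workstation service on the PDC
        (pdc, "20", "UNIQUE"),     # server service on the PDC
    ]
    rows = parse_cache(text)
    problems = []
    for name, suffix, kind in required:
        hits = [r for r in rows
                if r["name"] == name.upper() and r["suffix"] == suffix]
        if not hits:
            problems.append(f"missing {name}<{suffix}>")
        for r in hits:
            if r["type"] != kind:
                problems.append(f"{name}<{suffix}> is {r['type']}, expected {kind}")
            if r["ip"] != pdc_ip:
                problems.append(f"{name}<{suffix}> resolves to {r['ip']}, expected {pdc_ip}")
    return problems

if __name__ == "__main__":
    print(check_trust_names(W2K_CACHE, "SHAQUILLE", "NT40PDC", "192.168.1.251"))
```

A life of -1 marks an entry preloaded from LMHOSTS, so an empty result confirms only the static name-to-address mapping, not that the domain controller answers at that address.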
 
Eric,

Thank you for taking the time to look at my post!

I checked all the items you recommended to check and they are
at the settings you recommend for troubleshooting.

Both restrictanonymous and lmcompatibilitylevel are set to
0.

The Digitally sign communications client (always) and the
Digitally sign communications server (always) are both
disabled.

Is it the fact that my W2K is AD in native mode? Do I have to
have it in mixed mode?

TIA,
Bash




 
I got it to work!

The problem was due to the fact I was binding two IP
addresses to the single NIC on the NT40 server. Once I
set up the NIC with the same IP network as the W2K server,
things started to work just fine.

Thank you everyone for your support.

 
Good good, glad it is going.
Mixed/native mode seems to be a FAQ, and I'm not sure where it came from.
Mixed vs. native mode only affects operations within the domain. One can
still establish trusts with external NT4 domains without a problem.
The same holds true for domains and forests at 2003 functional level.

~Eric

--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights.

