W2K Domain Trust not working with NT Domain

[GPL]

I am trying to set up a trust between my W2K domain with 2 DC's and an NT
domain with one PDC in it. They are on the same network/subnet.

On the NT4 PDC I set up an LMHOSTS file like so:

10.192.0.3 W2KDC #PRE #DOM:FOURTOUCH
10.192.0.3 "FOURTOUCH \0x1b" #PRE

W2KDC being the DC that is also the PDC emulator and FOURTOUCH being the w2k
domain.

I have tried to follow Q306733, "HOW TO: Create a Trust Between a Windows
2000 Domain and a Windows NT 4.0 Domain", Q180094 "How to Write an LMHOSTS
File for Domain Validation and Other Name Resolution Issues", and Q163409m
NetBIOS Suffixes (16th Character of the NetBIOS Name).

On the W2k DC when I put the name of the NT domain into the "Domains that
trust this domain" section it asks me if I want to Verify new trust?

If I have it verify the trust it tells me the secure channel query on the DC
in the NTDOMAIN failed with error "The specified domain either does not
exist or cannot be contacted" and an SC reset will be attempted. The reset
then fails with the same error about it not existing or cannot be contacted.

I even setup an LMHOSTS file for the W2K DC. If I did not do this I would
get an RPC server unavailable error before. I have the following setup on
the W2K DC LMHOSTS file, this is the NT4 PDC and its domain:

10.192.0.7 CASSIOPEIA #PRE #DOM:CONSTELLATION
10.192.0.7 "CONSTELLATION \0x1b" #PRE

When I do an NBTSTAT -R and an NBTSTAT -c on the W2K DC I get the following:

C:\>nbtstat -c

Local Area Connection:
Node IpAddress: [10.192.0.3] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
CASSIOPEIA <03> UNIQUE 10.192.0.7 -1
CASSIOPEIA <00> UNIQUE 10.192.0.7 -1
CASSIOPEIA <20> UNIQUE 10.192.0.7 -1
CONSTELLATION <1C> GROUP 10.192.0.7 -1
CONSTELLATION <1B> UNIQUE 10.192.0.7 -1


...and I get this on the NT4 PDC:

C:\>nbtstat -c

NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
W2KDC <03> UNIQUE 10.192.0.3 -1
W2KDC <00> UNIQUE 10.192.0.3 -1
W2KDC <20> UNIQUE 10.192.0.3 -1
FOURTOUCH <1C> GROUP 10.192.0.3 -1
FOURTOUCH <1B> UNIQUE 10.192.0.3 -1


I have been using the MMC and NETDOM. When using NETDOM it completes with no
error, however I cannot verify from W2K successfully!

Just now I went ahead and killed the trust. On the DC that is the PDC
emulator I changed the restrictanonymous key from 1 to 0. The
LMCompatibilitylevel is at 1. I'm not sure if that is supposed to be
something else or not. I then rebooted the W2K DC and NT DC. I made sure
there was not a setting in the W2K policy restricting accessing the computer
from the network. It was set to everyone on the NT server and was no set on
the W2K side. But I recreated the trust after the reboots with netdom from
the command line and it is not verifying or letting me login to the NT
domain from a w2k pro client in the W2K Domain.

I have successfully made trusts between other W2K and W2K3 domains but never
an NT4 domain and this where I am. Any suggestions? What have I missed?
Thanks for your help!

 

[Nafiz Ahmed [MSFT]]

Please make sure that your LMHOST file is correct. You can post it here as
well. The lmhost file you have in your posting is not correct in the second
line. You need to make sure that everything in quoation is 20 characters
long and the \ should start from the 16th character. Also as you have
mentioned in your post a higher value of restrict anonymous will cause trust
related error with NT 4.0 domain. You can look at the following artciles as
well:

HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000
WGID:325 ID: 308195
HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT
WGID:191 ID: 306733.

The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain WGID:358
ID: 296403.
The "RestrictAnonymous" Registry Value May Break the Trust to a Windows
WGID:191 ID: 296405

Could Not Find Domain Controller When Establishing a Trust WGID:191
ID: 178640.

Nafiz Ahmed
Microsoft Enterprise Platform Support

I am trying to set up a trust between my W2K domain with 2 DC's and an NT
domain with one PDC in it. They are on the same network/subnet.

On the NT4 PDC I set up an LMHOSTS file like so:

10.192.0.3 W2KDC #PRE #DOM:FOURTOUCH
10.192.0.3 "FOURTOUCH \0x1b" #PRE

W2KDC being the DC that is also the PDC emulator and FOURTOUCH being the w2k
domain.

I have tried to follow Q306733, "HOW TO: Create a Trust Between a Windows
2000 Domain and a Windows NT 4.0 Domain", Q180094 "How to Write an LMHOSTS
File for Domain Validation and Other Name Resolution Issues", and Q163409m
NetBIOS Suffixes (16th Character of the NetBIOS Name).

On the W2k DC when I put the name of the NT domain into the "Domains that
trust this domain" section it asks me if I want to Verify new trust?

If I have it verify the trust it tells me the secure channel query on the DC
in the NTDOMAIN failed with error "The specified domain either does not
exist or cannot be contacted" and an SC reset will be attempted. The reset
then fails with the same error about it not existing or cannot be contacted.

I even setup an LMHOSTS file for the W2K DC. If I did not do this I would
get an RPC server unavailable error before. I have the following setup on
the W2K DC LMHOSTS file, this is the NT4 PDC and its domain:

10.192.0.7 CASSIOPEIA #PRE #DOM:CONSTELLATION
10.192.0.7 "CONSTELLATION \0x1b" #PRE

When I do an NBTSTAT -R and an NBTSTAT -c on the W2K DC I get the following:

C:\>nbtstat -c

Local Area Connection:
Node IpAddress: [10.192.0.3] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
CASSIOPEIA <03> UNIQUE 10.192.0.7 -1
CASSIOPEIA <00> UNIQUE 10.192.0.7 -1
CASSIOPEIA <20> UNIQUE 10.192.0.7 -1
CONSTELLATION <1C> GROUP 10.192.0.7 -1
CONSTELLATION <1B> UNIQUE 10.192.0.7 -1


..and I get this on the NT4 PDC:

C:\>nbtstat -c

NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
W2KDC <03> UNIQUE 10.192.0.3 -1
W2KDC <00> UNIQUE 10.192.0.3 -1
W2KDC <20> UNIQUE 10.192.0.3 -1
FOURTOUCH <1C> GROUP 10.192.0.3 -1
FOURTOUCH <1B> UNIQUE 10.192.0.3 -1


I have been using the MMC and NETDOM. When using NETDOM it completes with no
error, however I cannot verify from W2K successfully!

Just now I went ahead and killed the trust. On the DC that is the PDC
emulator I changed the restrictanonymous key from 1 to 0. The
LMCompatibilitylevel is at 1. I'm not sure if that is supposed to be
something else or not. I then rebooted the W2K DC and NT DC. I made sure
there was not a setting in the W2K policy restricting accessing the computer
from the network. It was set to everyone on the NT server and was no set on
the W2K side. But I recreated the trust after the reboots with netdom from
the command line and it is not verifying or letting me login to the NT
domain from a w2k pro client in the W2K Domain.

I have successfully made trusts between other W2K and W2K3 domains but never
an NT4 domain and this where I am. Any suggestions? What have I missed?
Thanks for your help!

 

[GPL]

Nafiz, thanks for the reply. Let me try posting my LMHOSTS file again
using a different newsgroup reader. I used outlook express before and
it seemed to have affected the format of the copy/paste. But yes the
LMHOSTS file does have 15 characters up to the \ (16th character) and
then 4 after the \ for a total of 20 characters.


Now, here is the LMHOSTS file for my NT PDC.

10.192.0.3 W2KDC #PRE #DOM:FOURTOUCH
10.192.0.3 "FOURTOUCH \0x1b" #PRE

on BOTH W2K domain controllers I have an LMHOSTS file like this:

10.192.0.7 CASSIOPEIA #PRE #DOM:CONSTELLATION
10.192.0.7 "CONSTELLATION \0x1b" #PRE


As stated I have been doing netdom via command line on the PDC
emulator.

I am now going to try and set restrict anonymous to 0 on both DC's to
see if that helps at all! There is no restrictanonymous settings on
the NT PDC.

Is there anything specific I should know about DNS on the W2K DC's?
Or the WINS on the W2K PDC's?

It really seems like I have just about all of it covered.

I'll post my update on what I have found.

Thanks!

Please make sure that your LMHOST file is correct. You can post it here as
well. The lmhost file you have in your posting is not correct in the second
line. You need to make sure that everything in quoation is 20 characters
long and the \ should start from the 16th character. Also as you have
mentioned in your post a higher value of restrict anonymous will cause trust
related error with NT 4.0 domain. You can look at the following artciles as
well:

HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000
WGID:325 ID: 308195
HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT
WGID:191 ID: 306733.

The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain WGID:358
ID: 296403.
The "RestrictAnonymous" Registry Value May Break the Trust to a Windows
WGID:191 ID: 296405

Could Not Find Domain Controller When Establishing a Trust WGID:191
ID: 178640.

Nafiz Ahmed
Microsoft Enterprise Platform Support

I am trying to set up a trust between my W2K domain with 2 DC's and an NT
domain with one PDC in it. They are on the same network/subnet.

On the NT4 PDC I set up an LMHOSTS file like so:

10.192.0.3 W2KDC #PRE #DOM:FOURTOUCH
10.192.0.3 "FOURTOUCH \0x1b" #PRE

W2KDC being the DC that is also the PDC emulator and FOURTOUCH being the w2k
domain.

I have tried to follow Q306733, "HOW TO: Create a Trust Between a Windows
2000 Domain and a Windows NT 4.0 Domain", Q180094 "How to Write an LMHOSTS
File for Domain Validation and Other Name Resolution Issues", and Q163409m
NetBIOS Suffixes (16th Character of the NetBIOS Name).

On the W2k DC when I put the name of the NT domain into the "Domains that
trust this domain" section it asks me if I want to Verify new trust?

If I have it verify the trust it tells me the secure channel query on the DC
in the NTDOMAIN failed with error "The specified domain either does not
exist or cannot be contacted" and an SC reset will be attempted. The reset
then fails with the same error about it not existing or cannot be contacted.

I even setup an LMHOSTS file for the W2K DC. If I did not do this I would
get an RPC server unavailable error before. I have the following setup on
the W2K DC LMHOSTS file, this is the NT4 PDC and its domain:

10.192.0.7 CASSIOPEIA #PRE #DOM:CONSTELLATION
10.192.0.7 "CONSTELLATION \0x1b" #PRE

When I do an NBTSTAT -R and an NBTSTAT -c on the W2K DC I get the following:

C:\>nbtstat -c

Local Area Connection:
Node IpAddress: [10.192.0.3] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
CASSIOPEIA <03> UNIQUE 10.192.0.7 -1
CASSIOPEIA <00> UNIQUE 10.192.0.7 -1
CASSIOPEIA <20> UNIQUE 10.192.0.7 -1
CONSTELLATION <1C> GROUP 10.192.0.7 -1
CONSTELLATION <1B> UNIQUE 10.192.0.7 -1


..and I get this on the NT4 PDC:

C:\>nbtstat -c

NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
W2KDC <03> UNIQUE 10.192.0.3 -1
W2KDC <00> UNIQUE 10.192.0.3 -1
W2KDC <20> UNIQUE 10.192.0.3 -1
FOURTOUCH <1C> GROUP 10.192.0.3 -1
FOURTOUCH <1B> UNIQUE 10.192.0.3 -1


I have been using the MMC and NETDOM. When using NETDOM it completes with no
error, however I cannot verify from W2K successfully!

Just now I went ahead and killed the trust. On the DC that is the PDC
emulator I changed the restrictanonymous key from 1 to 0. The
LMCompatibilitylevel is at 1. I'm not sure if that is supposed to be
something else or not. I then rebooted the W2K DC and NT DC. I made sure
there was not a setting in the W2K policy restricting accessing the computer
from the network. It was set to everyone on the NT server and was no set on
the W2K side. But I recreated the trust after the reboots with netdom from
the command line and it is not verifying or letting me login to the NT
domain from a w2k pro client in the W2K Domain.

I have successfully made trusts between other W2K and W2K3 domains but never
an NT4 domain and this where I am. Any suggestions? What have I missed?
Thanks for your help!

 

[Nafiz Ahmed [MSFT]]

Please amke sure you reboot the dc after changing the restrictanonymous to 0
and check it again after the reboot to make sure it is 0.

Thanks,

Nafiz Ahmed

Nafiz, thanks for the reply. Let me try posting my LMHOSTS file again
using a different newsgroup reader. I used outlook express before and
it seemed to have affected the format of the copy/paste. But yes the
LMHOSTS file does have 15 characters up to the \ (16th character) and
then 4 after the \ for a total of 20 characters.


Now, here is the LMHOSTS file for my NT PDC.

10.192.0.3 W2KDC #PRE #DOM:FOURTOUCH
10.192.0.3 "FOURTOUCH \0x1b" #PRE

on BOTH W2K domain controllers I have an LMHOSTS file like this:

10.192.0.7 CASSIOPEIA #PRE #DOM:CONSTELLATION
10.192.0.7 "CONSTELLATION \0x1b" #PRE


As stated I have been doing netdom via command line on the PDC
emulator.

I am now going to try and set restrict anonymous to 0 on both DC's to
see if that helps at all! There is no restrictanonymous settings on
the NT PDC.

Is there anything specific I should know about DNS on the W2K DC's?
Or the WINS on the W2K PDC's?

It really seems like I have just about all of it covered.

I'll post my update on what I have found.

Thanks!

Please make sure that your LMHOST file is correct. You can post it here as
well. The lmhost file you have in your posting is not correct in the second
line. You need to make sure that everything in quoation is 20 characters
long and the \ should start from the 16th character. Also as you have
mentioned in your post a higher value of restrict anonymous will cause trust
related error with NT 4.0 domain. You can look at the following artciles as
well:

HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000
WGID:325 ID: 308195
HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT
WGID:191 ID: 306733.

The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain WGID:358
ID: 296403.
The "RestrictAnonymous" Registry Value May Break the Trust to a Windows
WGID:191 ID: 296405

Could Not Find Domain Controller When Establishing a Trust WGID:191
ID: 178640.

Nafiz Ahmed
Microsoft Enterprise Platform Support

I am trying to set up a trust between my W2K domain with 2 DC's and an NT
domain with one PDC in it. They are on the same network/subnet.

On the NT4 PDC I set up an LMHOSTS file like so:

10.192.0.3 W2KDC #PRE #DOM:FOURTOUCH
10.192.0.3 "FOURTOUCH \0x1b" #PRE

W2KDC being the DC that is also the PDC emulator and FOURTOUCH being

the
w2k

domain.

I have tried to follow Q306733, "HOW TO: Create a Trust Between a Windows
2000 Domain and a Windows NT 4.0 Domain", Q180094 "How to Write an LMHOSTS
File for Domain Validation and Other Name Resolution Issues", and Q163409m
NetBIOS Suffixes (16th Character of the NetBIOS Name).

On the W2k DC when I put the name of the NT domain into the "Domains that
trust this domain" section it asks me if I want to Verify new trust?

If I have it verify the trust it tells me the secure channel query on

the
DC

in the NTDOMAIN failed with error "The specified domain either does not
exist or cannot be contacted" and an SC reset will be attempted. The reset
then fails with the same error about it not existing or cannot be contacted.

I even setup an LMHOSTS file for the W2K DC. If I did not do this I would
get an RPC server unavailable error before. I have the following setup on
the W2K DC LMHOSTS file, this is the NT4 PDC and its domain:

10.192.0.7 CASSIOPEIA #PRE #DOM:CONSTELLATION
10.192.0.7 "CONSTELLATION \0x1b" #PRE

When I do an NBTSTAT -R and an NBTSTAT -c on the W2K DC I get the following:

C:\>nbtstat -c

Local Area Connection:
Node IpAddress: [10.192.0.3] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
CASSIOPEIA <03> UNIQUE 10.192.0.7 -1
CASSIOPEIA <00> UNIQUE 10.192.0.7 -1
CASSIOPEIA <20> UNIQUE 10.192.0.7 -1
CONSTELLATION <1C> GROUP 10.192.0.7 -1
CONSTELLATION <1B> UNIQUE 10.192.0.7 -1


..and I get this on the NT4 PDC:

C:\>nbtstat -c

NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
W2KDC <03> UNIQUE 10.192.0.3 -1
W2KDC <00> UNIQUE 10.192.0.3 -1
W2KDC <20> UNIQUE 10.192.0.3 -1
FOURTOUCH <1C> GROUP 10.192.0.3 -1
FOURTOUCH <1B> UNIQUE 10.192.0.3 -1


I have been using the MMC and NETDOM. When using NETDOM it completes

with
no

error, however I cannot verify from W2K successfully!

Just now I went ahead and killed the trust. On the DC that is the PDC
emulator I changed the restrictanonymous key from 1 to 0. The
LMCompatibilitylevel is at 1. I'm not sure if that is supposed to be
something else or not. I then rebooted the W2K DC and NT DC. I made sure
there was not a setting in the W2K policy restricting accessing the computer
from the network. It was set to everyone on the NT server and was no

set
on

the W2K side. But I recreated the trust after the reboots with netdom from
the command line and it is not verifying or letting me login to the NT
domain from a w2k pro client in the W2K Domain.

I have successfully made trusts between other W2K and W2K3 domains but never
an NT4 domain and this where I am. Any suggestions? What have I missed?
Thanks for your help!