HUGE issue with NT4 to Win2k3 Active Directory trust!

Deskey123 (Technical User, US), May 20, 2005
Hello, I am having a really hard time getting a trust relationship to work from an NT4 domain (across a site-to-site VPN) to a Win2k3 Active Directory domain. I've searched thoroughly on the Internet through forums, KB, etc... I've tried everything from registry hacks to LMHOSTS to WINS and modifying the default domain controller policy. I still can't get the thing to work. I was wondering if anyone out there has had success in this endeavor and if they can PLEASE assist me. I have run some packet captures as well to anyone who wants to analyze the traffic. I can post here as well. Thanks and I look forward to hearing from someone.
 
Is that even possible? NT didn't use AD, so I don't know if it's even possible to do what you want.

The fact that you want it over a VPN tunnel also adds more complications.

Good luck,
 
Several threads on this forum show migration from NT4 to Active Directory. The site-to-site VPN tunnel is just the connection to the remote-end AD. It just passes traffic like a bridge on a DSL line and ignores all ACLs and NAT. I know many users have set it up but unfortunately, I'm not one of those lucky users.
 
What type of trust are you trying to create? What error messages do you receive? You should be using an external trust for a 2003 to NT4 trust.

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
As Paul says the error messages from the event logs on either side would help.

Failure to create an NT4 - AD trust is often down to name resolution issues so you are probably on the right track with LMHOSTS.

Can you resolve the NetBIOS name of the NT4 PDC and the W2003 PDC Emulator from each other?

I had this error a while ago when trying to create one "local security authority unable to obtain rpc connection". If I remember correctly I had to make a Domain Controller Security Policy change to get it to work.

Also check that all ports such as 389, 135 etc. are available across the VPN link.

Neill

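A quick way to act on the port check Neill suggests, as an added example (not code from anyone in this thread): a TCP connect probe for the ports a trust between a Windows 2003 DC and an NT4 PDC exercises across the VPN. The port table is an assumption based on the standard Windows port assignments (135 for the RPC endpoint mapper, 139 and 445 for SMB, 389 and 53 on the AD side); NetBIOS name and datagram service on UDP 137/138 cannot be tested with a TCP connect and are listed only so they are not forgotten. The script sanity-checks itself against a loopback listener before it reports anything BLOCKED.

```python
"""TCP reachability probe for the ports an NT4 <-> Windows 2003 trust needs.
Added example for this thread, not code from any poster. The port table is
an assumption (the usual set); confirm it against your own environment."""
import socket
import sys

# TCP ports the trust setup and verification traffic uses. Which of these a
# given trust actually hits depends on the path (NetBIOS vs. direct-hosted SMB).
TRUST_TCP_PORTS = {
    135: "RPC endpoint mapper (LSA/Netlogon trust RPC starts here)",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB direct hosting (Windows 2000+ side)",
    389: "LDAP (Active Directory side)",
    53:  "DNS (Active Directory side)",
}
# UDP ports a TCP connect cannot probe; listed so they are not forgotten.
TRUST_UDP_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def check_ports(host, ports=None, timeout=2.0):
    """Map each port to True (reachable) or False (blocked/closed/timed out)."""
    ports = list(TRUST_TCP_PORTS) if ports is None else list(ports)
    return {p: tcp_open(host, p, timeout) for p in ports}


def blocked_ports(results):
    """Sorted list of the ports that did not answer."""
    return sorted(p for p, ok in results.items() if not ok)


def probe_self():
    """Sanity check: open a throwaway listener on loopback, confirm the probe
    sees it open, close it, confirm the probe sees it closed. Run this before
    trusting a BLOCKED verdict from across the VPN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = tcp_open("127.0.0.1", port)
    finally:
        srv.close()
    after_close = tcp_open("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    if probe_self() != (True, False):
        sys.exit("local probe sanity check failed; do not trust the results")
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_ports(target)
    for port, ok in sorted(results.items()):
        state = "open" if ok else "BLOCKED"
        print(f"{target}:{port:<5} {state:8} {TRUST_TCP_PORTS[port]}")
    if blocked_ports(results):
        print("Also verify UDP 137/138 separately (not probed here):", TRUST_UDP_PORTS)
```

Run it from each domain controller against the other one's address; an open endpoint mapper on 135 is only half the story, since the LSA/Netlogon RPC interfaces then land on a dynamic high port, so a BLOCKED result anywhere in the list is a reason to look at the tunnel before the trust wizard again.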
 
Thanks for all the responses. As far as the VPN tunnel, it's wide open and doesn't abide by any ACLs or block any ports.

From the NT4 PDC, I have the LMHOSTS file configured as follows:

IP address of PDCe name of PDCe #PRE #DOM:DHBSG
IP address of PDCe "PDCe domain \0x1b" #PRE

I am able to ping the PDCe via NetBIOS name and IP.

From the PDCe, I have the LMHOSTS file configured as follows:

IP address of PDC name of PDC #PRE #DOM:DHBSG
172.16.8.3 "PDCe domain \0x1b" #PRE

I am able to ping the PDC via NetBIOS name and IP.

From the PDCe and PDC, I cannot ping the domain names. I have done a packet capture and was getting the following:

SMB_NE Query for PDC from PDCe
*In the packet, under the NetBIOS datagram service, it shows source name: PDCe <00> (Workstation/Redirector)
destination name: NT4 domain <1c> (Domain Controllers)

I don't know if that's anything to look at specifically. I'm not too familiar with reading deep into the packets but just know what to look for. I can provide snippets of the packets via email if someone would like to look at them.

As mentioned above, I have LMHOSTS configured on both ends but when I couldn't get the trust up, I went ahead and installed WINS on the PDCe and it still didn't work. Any help would be appreciated.
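The rules the two LMHOSTS files above depend on, as an added example (not code from any poster): a quoted `\0x1b` entry must carry the domain name padded with spaces to exactly 15 characters before `\0x1b`, must be `#PRE`, and on each domain controller should name the remote domain and point at that domain's PDC (or PDC emulator). The script parses LMHOSTS lines against those rules, writes a correctly padded entry, and shows the RFC 1002 first-level encoding that turns a name such as `DHBSG<1C>` into the 32-character form carried in the NetBIOS datagram quoted in the capture. Sample lines and the 192.0.2.10 address are constructed; DHBSG is the domain from the `#DOM:` tag in the post.

```python
"""LMHOSTS checks for NT4 <-> AD trust entries, plus the NetBIOS name
encoding behind the <00>/<1B>/<1C> names seen in the capture.
Added example, not code from any poster. Sample lines and 192.0.2.10 are
constructed; DHBSG is the domain name from the thread's #DOM: tag."""
import re
from typing import NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    ip: str
    name: str                 # NetBIOS name, padding stripped, upper-cased
    suffix: int               # 16th byte: 0x00 host, 0x1B PDC, 0x1C DCs group
    preload: bool             # #PRE present
    dom: Optional[str]        # domain from #DOM:, if any
    problems: Tuple[str, ...]


_QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"(.*)$')
_PLAIN = re.compile(r'^(\S+)\s+(\S+)(.*)$')
# Inside the quotes: exactly 15 characters (name plus space padding), then \0xNN.
_SPECIAL = re.compile(r'^(.{15})\\0x([0-9A-Fa-f]{2})$')


def parse_lmhosts_line(line):
    """Parse one LMHOSTS line into an Entry; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    problems = []
    m = _QUOTED.match(line)
    if m:
        ip, raw, rest = m.groups()
        sp = _SPECIAL.match(raw)
        if sp:
            name, suffix = sp.group(1).rstrip(), int(sp.group(2), 16)
        else:
            # Wrong padding: recover what we can and flag it.
            sm = re.search(r"\\0x([0-9A-Fa-f]{2})", raw)
            suffix = int(sm.group(1), 16) if sm else 0x00
            name = raw.split("\\0x")[0].strip()
            problems.append("quoted name must be padded to exactly 15 characters before \\0xNN")
    else:
        m = _PLAIN.match(line)
        if not m:
            return None
        ip, name, rest = m.groups()
        suffix = 0x00
        if len(name) > 15:
            problems.append("NetBIOS names are at most 15 characters")
    tokens = rest.split()
    preload = any(t.upper() == "#PRE" for t in tokens)
    dom = next((t[5:] for t in tokens if t.upper().startswith("#DOM:")), None)
    if suffix == 0x1B and not preload:
        problems.append("\\0x1b entries must be #PRE to reach the name cache")
    if dom is not None and not preload:
        problems.append("#DOM entries should also be #PRE")
    return Entry(ip, name.upper(), suffix, preload, dom, tuple(problems))


def lmhosts_1b_entry(ip, domain):
    """Correctly padded \\0x1b line: domain left-aligned in a 15-char field.
    On each DC this should name the *remote* domain and point at its PDC."""
    if not 1 <= len(domain) <= 15:
        raise ValueError("NetBIOS domain names are 1..15 characters")
    return f'{ip}\t"{domain.upper():<15}\\0x1b"\t#PRE'


def netbios_encode(name, suffix):
    """RFC 1002 first-level encoding: 15-char space-padded name + suffix byte,
    each byte split into two nibbles written as 'A' + nibble (32 chars)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def display_name(name, suffix):
    """The NAME<NN> form that packet decoders and nbtstat print."""
    return f"{name.upper()}<{suffix:02X}>"


def lint_lmhosts(text):
    """Return [(line_no, Entry)] for every entry that has problems."""
    bad = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_lmhosts_line(line)
        if entry and entry.problems:
            bad.append((no, entry))
    return bad


# Constructed sample: a host entry, a correct \0x1b entry, and one padded too short.
SAMPLE_LMHOSTS = "\n".join([
    "# constructed sample LMHOSTS for the trust checks",
    "192.0.2.10   NT4PDC                  #PRE  #DOM:DHBSG",
    lmhosts_1b_entry("192.0.2.10", "DHBSG"),
    '192.0.2.10   "DHBSG \\0x1b"   #PRE',
])

if __name__ == "__main__":
    for no, entry in lint_lmhosts(SAMPLE_LMHOSTS):
        print(f"line {no}: {display_name(entry.name, entry.suffix)}: {'; '.join(entry.problems)}")
    print("correct entry:", lmhosts_1b_entry("192.0.2.10", "DHBSG"))
    print("on the wire  :", display_name("DHBSG", 0x1C), "=", netbios_encode("DHBSG", 0x1C))
```

After editing LMHOSTS, `nbtstat -R` reloads the cache and `nbtstat -c` shows whether the `<1B>` entry actually landed; the `<1C>` query in the capture is the PDCe asking for the NT4 domain's domain-controllers group name, which LMHOSTS cannot answer and which otherwise needs WINS or a broadcast on the same subnet.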
 