NT 4.0 Domain Vs. AD Domain Trust relationship.

bashman

IS-IT--Management
Sep 26, 2001
US
I have an Active directory domain under server 2000 in native mode. I also have NT 4.0 domain.

I would like to establish trust between these two domains.

I followed the instructions in Technet article Q306733 and Q180094.

I even created an LMHOSTS file on each server with the other server's info in it:

********* LMHOSTS on AD 2000 ********
192.168.1.251 NT40PDC #PRE #DOM:SHAQUILLE
192.168.1.251 "SHAQUILLE      \0x1b" #PRE
*************************************

********* LMHOSTS on NT4.0 **********
192.168.1.253 W2K-AD #PRE #DOM:WIN
192.168.1.253 "WIN            \0x1b" #PRE
*************************************

On the W2K server I can ping the NT40 server by IP and by NETBIOS name.

On the NT40 server I can ping the W2K server by IP and by NETBIOS name.

I run NBTSTAT -R on the W2K server then NBTSTAT -c, I get

***********
SHAQUILLE <1C> GROUP 192.168.1.251 -1
SHAQUILLE <1B> UNIQUE 192.168.1.251 -1
NT40PDC <03> UNIQUE 192.168.1.251 -1
NT40PDC <00> UNIQUE 192.168.1.251 -1
NT40PDC <20> UNIQUE 192.168.1.251 -1
***********

I run NBTSTAT -R on the NT40 server then NBTSTAT -c, I get
***********
W2K-AD <03> UNIQUE 192.168.1.253 -1
W2K-AD <00> UNIQUE 192.168.1.253 -1
W2K-AD <20> UNIQUE 192.168.1.253 -1
WIN <1C> GROUP 192.168.1.253 -1
WIN <1B> UNIQUE 192.168.1.253 -1
***********

When I try to establish the trust using the NT40 server, I get "Could not find domain controller for this domain"

When I try to establish the trust using the W2K server, I get "Shaquille domain cannot be contacted."

When I try to search for one server on the other server using search for computers utility under Windows Explorer, I can't find the other server.

Any ideas? Am I missing something?

TIA,

Bash
 
I got it to work:

First check the following:

- The name resolution is often the root cause. Make sure that the 1B/1C are working (see my original post for LMHOSTS).

- On the W2K PDC check out the following reg keys:
HKLM\System\CurrentControlSet\Control\LSA

Make sure that both restrictanonymous and lmcompatibilitylevel are set to 0 and reboot the PDC. The trust can work with them turned up, but for the sake of troubleshooting this is a good step.

- Make sure that in the local security policy of the W2K box, under security settings\local policies\security options, the Digitally sign communications client (always) and the Digitally sign communications server (always) are both disabled.

- The fact that the W2K AD server is in Native mode is NOT an issue.

- Make sure that both the NT40 PDC and the W2K AD PDC are on the same IP network. Make sure that you are not binding a second IP to your NIC on the NT40 server to connect to the W2K AD server (That was the cause of my problem).

I hope this helped,

Bash
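
An added example, not part of any post in this thread: the 1B/1C entries only work if the quoted name is padded with spaces to 15 characters, so that \0x1b lands in the 16th NetBIOS byte. The function names `special_entry` and `check_lmhosts` are made up for this sketch, which builds a correctly padded line and flags under-padded ones in a constructed sample.

```python
import re

ENTRY = re.compile(r'^\s*(\S+)\s+(?:"([^"]*)"|(\S+))')
SUFFIX = re.compile(r'\\0[xX]([0-9A-Fa-f]{2})$')

def special_entry(ip, name, suffix=0x1B):
    """Build an LMHOSTS line whose 16th NetBIOS byte is `suffix` (0x1B by default)."""
    if not 0 < len(name) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    # Pad the name to exactly 15 characters, then append the \0xNN escape.
    return '%s "%s\\0x%02x" #PRE' % (ip, name.upper().ljust(15), suffix)

def check_lmhosts(text):
    """Return [(line_no, problem)] for names that would not resolve as intended."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank line or comment
        m = ENTRY.match(line)
        if not m:
            problems.append((no, "cannot parse entry"))
            continue
        quoted, bare = m.group(2), m.group(3)
        s = SUFFIX.search(quoted) if quoted is not None else None
        if s is None:
            # Ordinary name (quoted or not): only the length limit applies.
            name = quoted if quoted is not None else bare
            if len(name) > 15:
                problems.append((no, "name longer than 15 characters"))
        elif s.start() != 15:
            problems.append(
                (no, "name part is %d characters, must be padded to 15" % s.start()))
    return problems

# Constructed sample modelled on the thread's entries; line 2 is deliberately
# under-padded, line 3 is generated with the correct padding.
SAMPLE = "\n".join([
    r'192.168.1.251 NT40PDC #PRE #DOM:SHAQUILLE',
    r'192.168.1.251 "SHAQUILLE \0x1b" #PRE',
    special_entry("192.168.1.253", "WIN"),
])

if __name__ == "__main__":
    for no, problem in check_lmhosts(SAMPLE):
        print("line %d: %s" % (no, problem))
    print(special_entry("192.168.1.251", "SHAQUILLE"))
```

After correcting the file, reload it with NBTSTAT -R and confirm the <1B> and <1C> rows with NBTSTAT -c, as in the original post.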

 
- The fact that the W2K AD server is in Native mode is NOT an issue.


Yes it is. Make sure you have ForeignSecurityPrincipals for (at least) the Everyone group in Users and Computers.

Was this DC installed with Pre-Windows 2000 Compatible access enabled or disabled?

All the other stuff is right on :)

/Siddharth
 
I posted this same question on the Microsoft Technet Community Newsgroup. I had a Microsoft Engineer reply to it. This is a quote of what he said in regard to the Native Vs. Mix mode:

************ Eric Fleischman [MSFT] ********
Good good, glad it is going.
Mixed/native mode seems to be a FAQ, and I'm not sure where it came from. Mixed vs. native mode only affects operations within the domain. One can still establish trusts with external NT4 domains without a problem. The same holds true for domains and forests at 2003 functional level.

~Eric
********************************************

Read the rest of the post at:

 