NT 4 & 2003 Domain Trust Error 1

ghosking

Hi,

We want to set up a trust between an NT4 domain and a new 2003 AD domain to allow us to install Exchange 2003 and connect back to our 5.5 Exchange server in the NT4 domain.

However, although we have created and verified a 2-way external, non-transitive trust, we cannot:

Add any NT accounts into the 2003 domain admin group (the NT domain is not visible on the locations tab). We can log in as NT administrator on the 2003 DC, but do not get any admin rights on the 2003 domain.

Anyone any ideas what we are doing wrong?

thanks

G Hosking
 
We just completed this and you HAVE to add DOMAIN ADMINS on your LOCAL DOMAIN group. For example...

2K3\domain admins to NT\Administrators GROUP

NT\domain admins to 2K3\Administrators GROUP

This will allow you full control to either domain. Make sure your DNS is set up correctly. Update the DNS entries on your NT side. There are tons of docs on TechNet. Hope this helps.
 
Hi,

Thanks for the reply. How did you add the Win2003K domain admin to NT domain admins group, and vice versa? We cannot see how to browse to add these accounts.

i.e. User Manager does not browse outside of its domain, and Win2003K does not see the NT domain in locations within domain admins, members and locations.

regards

G Hosking
 
If your TRUST has been set up correctly, verify on the 2K3 side that you have entered the WINS address from your NT. In addition, are you running any STIGS or policy that requires DOD accreditation? If so, you will have to "tweak" or modify those settings as well. There are 3 or 4 settings, I forget which...that you have to DISABLE rather than leave at NOT configured. Email me if you need more assistance.
 
I had this exact problem. I wasn't reading M3John correctly: add the other Domain Admins group to the Administrators group NOT the DOMAIN ADMINS.

Worked for me!

Thanks M3John!
 
sqoil, you're correct...DOMAIN ADMINS in the Administrators group for domain A + B.
 
I'm having the same problem. I've created and removed the trust 4 or 5 times knowing that the passwords were correct. And I'm still getting access denied when trying to run the ADMT tool.

I've changed the Admin password to be the same on both domains.

One of the problems I have is that I cannot add the Domain Admins from NT to my Administrators group on W2K3. The W2K3 domain simply does not see the user accounts/groups on NT. The only thing it does see is its own A/D - nothing else.

What have I missed? I'm quite frustrated and need to get beyond this. Please, any help would be great.

Thank you!

Mike
 
I too have exactly the same problem as Itchyfish described. I had already managed to create a trust between a test 2003 AD and an NT4 domain, and could happily browse NT objects from the 2003 end.
However, on creating a new AD and attempting to trust that with the same NT domain, we are having this problem. The trust was verified at both ends but only works one way - we can list AD domain objects from the NT4 side but not the other way - no error, just no list displayed.
Deleting and re-creating the trusts, even with different passwords, has made no difference.

There were errors initially reported on both DCs when I first set up the trust -

NT4 - event id 5723

"The session setup from the computer (2003DC) failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is (2003DOMAINNAME$)"

2003 - event id 5721

"The session setup to the Windows NT or Windows 2000 Domain Controller (\\NT4DC) for the domain (NT4DOMAINNAME) failed because the Domain Controller did not have an account (2003DOMAINNAME$) needed to set up the session by this computer (COMPUTERNAME)"

These events have not appeared since and I cannot find much info on them.

Any ideas would be most welcome!
 
I'm just curious...do you guys have STIGS or have imported those MS high-security INF's?
 
So after spending a whole day trying to get this thing to work I suddenly remember one vital point that was missed, but I had happily remembered before today -

I had not added the Domain Admins group of my new 2003 AD to the Local Administrators group on the NT4 domain, hence it would not allow me to view objects. So there you have it - add the AD group to the NT group first and then do the opposite (as I think Itchyfish was trying to do).

We all have bad days, I suppose this will teach me to come to work with a stinking cold!
 