Can't establish trust between W2K AD domains

 
 
Joe Dougherty
25th Aug 2003
Hello, all;

I'm struggling with something and I can't seem to find the problem, so I
seek advice and wisdom.

I have two W2K domains on the same physical network. They also share the
same IP network. Both have AD fully installed, along with DNS. Here's the
basic configuration:

olddom.joe.com: two AD DCs
newdom.joe.com: one AD DC.
These are not child domains of one another. The master controller for
olddom is dc1.olddom.joe.com.
The master for newdom is dc2.newdom.joe.com.

These domains were configured in different places, and the goal was to
keep them as separate domains in different forests, since olddom will
eventually go away. My assumption was that we should have no trouble setting
up a trust between them.

Here's the problem. When I use the AD trusts tool to establish the
external trusts between the two domains, newdom seems to be okay connecting
to olddom, but the reverse doesn't work. No matter how I've tried to set up
the trust, newdom cannot contact the DC on newdom. The newdom DC adds the
trust of olddom to its configuration in the AD Trusts tool, but I can't get
the other side of the trust to establish. The most common error I see is
"Access to the domain newdom is denied. Check that the password is correct
and try again."


Here's what I've done to troubleshoot:
1. Checked all DNS. Each DC has DNS installed and running. I have
configured each DC's DNS to see the other DC's zones.
2. Each machine can ping the other machine.
3. Each machine resolves the other using nslookup.
4. I wrote an LMHosts file for newdom and installed it on the DC.
Nbtstat shows the DC, but olddom still can't see it.
5. I did some testing with nltest from the old NT4 Resource kit. When I
run queries on newdom from the DC of olddom, I get some confusing results.
NLtest can get the name and the DC list from newdom:
----------------------------------------------------
C:\nt-tool>nltest /dcname:newdom
PDC for Domain newdom is \\MIDDSFAC
The command completed successfully

C:\nt-tool>nltest /dclist:newdom
List of DCs in Domain newdom
\\MIDDSFAC (PDC)
The command completed successfully
-----------------------------------------------------

However, when I attempt to query or reset the secure channel, I get the
following.
-----------------------------------------------------
C:\nt-tool>nltest /sc_query:newdom
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\nt-tool>nltest /sc_query:newdom.joe.com
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\nt-tool>nltest /sc_reset:newdom
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
----------------------------------------------------------------------------

6. I also ran the Domain Monitor from the W2K resource kit from the
olddom DC. It finds its own domain, and two others on the network. When I
try to add newdom manually, it errors saying it can't find the PDC.

I'm really frustrated here and wondered if there's anyplace else I
should look to solve this issue. I need to be able to set the trust to share
access to an Exchange Server on olddom. There are some horrible workarounds
for that, but this should be something I can get working. I know this is a
long post, but I'd appreciate any insight anyone can provide.

 
Tim Springston (MSFT)
26th Aug 2003
Hi Joe-
It might be a good idea to look for security-specific settings on either
domain's PDC, and if you find them, relax the setting temporarily as you
establish the trust. Sometimes culprit settings can be RestrictAnonymous,
LMCompatibilityLevel, RequireSecuritySignature (SMB signing).

Here are some KB articles which may be relevant:

246261 How to Use the RestrictAnonymous Registry Value in Windows 2000
http://support.microsoft.com/?id=246261

257646 Windows 2000 Domain Controller Trusts May Not Work with
http://support.microsoft.com/?id=257646

(Somewhat less relevant, but good information)
816818 Error Message: Picker Cannot Open Because It Cannot Determine Whether
http://support.microsoft.com/?id=816818

Please repost and let us know if this makes any difference.
--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Joe Dougherty
26th Aug 2003
Tim,

> 246261 How to Use the RestrictAnonymous Registry Value in Windows 2000
> http://support.microsoft.com/?id=246261
> Please repost and let us know if this makes any difference.


This solved the problem completely. We set the restriction to 0, and the
trust set up after the next reboot.

Thanks again for the pointer.

Joe
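As an added example (not code from this thread, from Microsoft, or from the KB articles above), the following PowerShell records the registry settings Tim lists as common trust blockers before any of them is relaxed, and puts them back afterwards, which is the "relax temporarily" step Joe carried out by hand with RestrictAnonymous. It assumes a domain controller running a Windows version that has PowerShell (the Windows 2000 hosts in the thread do not), the documented registry locations for RestrictAnonymous, LmCompatibilityLevel and RequireSecuritySignature, and a snapshot path of my own choosing; the Note text is this example's own summary of the thread, not a Microsoft description.

```powershell
# Added example, not code from the thread. Assumes a DC with PowerShell and the
# documented registry locations for these values. The Note text is this
# example's own summary of the thread's advice.
$TrustChecks = @(
    @{ Name = 'RestrictAnonymous'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Note = '0 = no restriction; 1 or 2 restrict anonymous access and can block trust setup (KB 246261)' }
    @{ Name = 'LmCompatibilityLevel'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Note = 'LM/NTLM authentication level; both DCs need mutually acceptable levels' }
    @{ Name = 'RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Note = 'server side requires SMB signing; the peer DC must be able to sign' }
    @{ Name = 'RequireSecuritySignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Note = 'client side requires SMB signing' }
)

# Read each value; a missing value is reported as $null so it can be removed
# again on restore instead of being left behind as a relaxed setting.
function Get-TrustRelevantSettings {
    foreach ($check in $TrustChecks) {
        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $item) { $value = $item.($check.Name) }
        [pscustomobject]@{
            Setting = $check.Name
            Path    = $check.Path
            Value   = $value
            Note    = $check.Note
        }
    }
}

# Snapshot the current hardening to a file before relaxing anything.
function Save-TrustSettingsSnapshot {
    param([string]$Path = "$env:TEMP\trust-settings-before.xml")   # assumed path
    $snapshot = Get-TrustRelevantSettings
    $snapshot | Export-Clixml -Path $Path
    $snapshot | Format-Table Setting, Value, Path -AutoSize | Out-Host
    return $Path
}

# Put the recorded values back once the trust is established and verified.
function Restore-TrustSettingsSnapshot {
    param([string]$Path = "$env:TEMP\trust-settings-before.xml")   # assumed path
    foreach ($s in Import-Clixml -Path $Path) {
        if ($null -eq $s.Value) {
            Remove-ItemProperty -Path $s.Path -Name $s.Setting -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $s.Path -Name $s.Setting -Value $s.Value -Type DWord
        }
    }
}

# Usage, in the order the thread suggests: snapshot, relax the one setting that
# blocks the trust, re-test the secure channel, then restore.
# Save-TrustSettingsSnapshot
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -Value 0 -Type DWord
# nltest /sc_query:newdom
# Restore-TrustSettingsSnapshot
```

The snapshot-and-restore pair is the point of the example: RestrictAnonymous=0, the value Joe ended up with, also switches off the restriction on anonymous enumeration that KB 246261 describes, so the setting a DC had before the trust was built is worth keeping on record and reapplying once nltest /sc_query succeeds on both sides.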

 
New Member
21st Sep 2010
I'm having the same error. What restriction did you change?
 