Trust relationship keeps breaking

Ben

I have a NT4.0 domain that I have trusted to a Windows 2000 Server running AD. I mainly use the 2000 machine for RRAS and have users authenticate to the NT domain. All of a sudden this stopped working and users could not auth to the NT domain but I was able to Auth to the 2000 domain. I redid the trust and all seemed to be OK but it again broke. The fix only seems to stay for a short time.

I am not aware of any changes (especially on the NT domain) that should cause this issue.

Any ideas as to where I should look to fix this would be appreciated.

-Ben


Herb Martin

Ben said:
> I have a NT4.0 domain that I have trusted to a Windows 2000 Server running
> AD. I mainly use the 2000 machine for RRAS and have users authenticate to
> the NT domain. All of a sudden this stopped working and users could not
> auth to the NT domain but I was able to Auth to the 2000 domain. I redid
> the trust and all seemed to be OK but it again broke. The fix only seems to
> stay for a short time.
>
> I am not aware of any changes (especially on the NT domain) that should cause this issue.
>
> Any ideas as to where I should look to fix this would be appreciated.

Did you turn off NetBIOS on any DCs?
(external trusts depend on NetBIOS)

Do you have more than one subnet?

If so the answer is likely due to (lack of) WINS
server - or to the WINS clients not being set correctly.

With WINS server you need EVERY internal machine
to be set as a WINS client (even 'servers' or especially
'servers'.)

(The same is true for DNS but likely irrelevant to
the External trust issue.)
Ben Bazian

Again,

This was working until Last Thursday. It has been configured like this for
the past 2+ years.
Herb Martin

Ben Bazian said:
> Again,
>
> This was working until Last Thursday. It has been configured like this for
> the past 2+ years.

That doesn't mean it was (ever) correct.

Why didn't you mention your subnet architecture
or describe if you have WINS servers and how
they are setup?
Ben Bazian

Sorry about that. We have one subnet in the main office and are connected
via VPN to another. Each office is on one subnet. I have 3 WINS servers
setup as replication partners.

Home office (NT), Remote Office(NT) and a WINS server running on the Windows
2000 server in the home office (this is the RRAS server). The NT's are set
up as push/pull replication partners. I just have the 2000 set up as a pull
partner. Don't rightly remember why I did that. In the home office we all
use the NT WINS as the WINS server. On the 2000 machine it is there for the
needed setup.

Looking through the logs I do see a Wins error on the Domain controller (NT)
that we cannot get to. It was a single error on Thursday. I went to that
DC and evoked a manual replication and there were no errors reported.

Thanks for all your help. Did I miss something?
Ben Bazian

BTW, The log on the RRAS server reports "No such Domain." You are probably
correct in your assessment of WINS as the issue. The question is how to
fix?? Maybe I should delete the WINS database on the 2000 (RRAS) computer?
Herb Martin

Ben Bazian said:
> Sorry about that. We have one subnet in the main office and are connected
> via VPN to another. Each office is on one subnet. I have 3 WINS servers
> setup as replication partners.
>
> Home office (NT), Remote Office(NT) and a WINS server running on the Windows
> 2000 server in the home office (this is the RRAS server). The NT's are set
> up as push/pull replication partners. I just have the 2000 set up as a pull
> partner. Don't rightly remember why I did that.

That (last) is normal for WAN partners (pull
only on each side) to control the TIME of
replication.

Presumably you are replicating to AND from
each WINS server to the others -- i.e., have
a single WINS database. (Double check that
if you haven't.)
> In the home office we all
> use the NT WINS as the WINS server. On the 2000 machine it is there for the
> needed setup.
>
> Looking through the logs I do see a Wins error on the Domain controller (NT)
> that we cannot get to. It was a single error on Thursday. I went to that
> DC and evoked a manual replication and there were no errors reported.
>
> Thanks for all your help. Did I miss something?

No, if every machine is a WINS client of the SAME
"WINS database" then you are fixed for WINS.

Also double check that no Win2000+ DCs have disabled
NetBIOS.

Then we get to routing and things that can go wrong
with the VPN.

Confirm that you can route fully (I presume you would
have reported that if it weren't true.)

What sort of VPN? (Router to Router? i.e., no clients
directly involved in the routing?)

Also there are (or have been) issues with MULTIHOMED
DCs who are also WINS servers so if you are using a DC
for one of the routers the problem might lie among those
problems.
Herb Martin

Ben Bazian said:
> BTW, The log on the RRAS server reports "No such Domain." You are probably
> correct in your assessment of WINS as the issue. The question is how to
> fix??

"No such domain" isn't much context to
chase such a problem with.

Exact error IDs and full text would be easier
for me to search -- you can search yourself using
http://www.eventid.net/

Or MS web site with such Google searches as:
(substitute actual EventID for EVENTID)

[ EVENTID WINS site:microsoft.com "external trust" ]

....or...

[ EVENTID WINS microsoft: "external trust" ]
> Maybe I should delete the WINS database on the 2000 (RRAS) computer?

Then you would need to NBTSTAT -RR (or reboot)
every client of that WINS server.

And replicate.
Ben Bazian

I believe your 1st thought was correct. We do maintain a single WINS
database. The VPN is a hardware based solution to tie the 2 offices
together. The RRAS is used for users to VPN in.

If I go to the Windows 2000 rras server and try to do a net use to the
trusted domain controller I get:

System Error 51 has occurred The remote computer is unavailable.

I know it is being that I can ping it and it is on the same subnet. I can
ping using WINS resolution using the machine name. I assume if I can use
the machine name NetBios is enabled? I looked in device manager and it
would appear that NetBios over TCPIP is enabled.

I also tried deleting the replication partners from both machines, removed
the servers files and reestablished replication. Still no joy.
Herb Martin

Ben Bazian said:
> I believe your 1st thought was correct. We do maintain a single WINS
> database. The VPN is a hardware based solution to tie the 2 offices
> together. The RRAS is used for users to VPN in.
>
> If I go to the Windows 2000 rras server and try to do a net use to the
> trusted domain controller I get:
>
> System Error 51 has occurred The remote computer is unavailable.
>
> I know it is being that I can ping it and it is on the same subnet. I can
> ping using WINS resolution using the machine name.

No, that is a misunderstanding -- ping always
tries DNS methods first (in fact ping is always
DNS resolution which may be supplemented
with NetBIOS methods.)

So you really don't know by this method.
> I assume if I can use
> the machine name NetBios is enabled?

No. If you look in IPCONFIG /all or in the NIC
IP properties (WINS/NetBIOS tab) you can see
it.
> I looked in device manager and it
> would appear that NetBios over TCPIP is enabled.

In device manager? (I guess you got to the
NIC that way.)
> I also tried deleting the replication partners from both machines, removed
> the servers files and reestablished replication. Still no joy.

All DCs/BDCs are WINS clients?
Herb Martin

Ben Bazian said:
> I am thinking of reinitializing WINS on both servers. How do I wipe the
> database?

I am not a big believer in wiping the database
but if you search MS there is a procedure.
Ben Bazian

Here is where we are at. After I redid the WINS replication it still did
not authenticate to the trusted domain. I rebooted the Windows 2000 server
this AM and then was able to authenticate RRAS to the trusted domain. Not
sure how long this will work. I can always authenticate to the AD on the
2000 server itself. I fully believe that this will break again. Does this
prompt any thoughts? I would assume the fact that it worked after a reboot
should answer some of the previous configuration questions?
Herb Martin

Ben Bazian said:
> Here is where we are at. After I redid the WINS replication it still did
> not authenticate to the trusted domain. I rebooted the Windows 2000 server
> this AM and then was able to authenticate RRAS to the trusted domain.

Are the xDCs all listed in (all of) the WINS servers?

Do you see the (0x1c, 0x1d, 0x1e, etc.) records for
the domain group and unique?
> Not
> sure how long this will work. I can always authenticate to the AD on the
> 2000 server itself. I fully believe that this will break again. Does this
> prompt any thoughts? I would assume the fact that it worked after a reboot
> should answer some of the previous configuration questions?

No, not really.

WINS refreshes periodically and so if it works
initially on boot it should continue to work.
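Herb's question about the domain group and unique records can be answered from the trusting server with the name table that `nbtstat -a <dc>` prints, which is a better test than pinging by name. As an added example (not code from the thread), this Python parses such a table and reports whether the DC advertises DOMAIN<1C>, the group record every DC of an NT domain registers and the one a trusting server resolves to find a DC; the sample tables and the names NTDOM, NTDC1 and NTDC2 are constructed.

```python
import re
from collections import namedtuple

# One row of the 'nbtstat -a <host>' table: name, 2-hex-digit suffix, UNIQUE/GROUP, status.
NbtRecord = namedtuple("NbtRecord", "name suffix kind status")

# Every DC of an NT domain registers DOMAIN<1C> (group); a trusting server
# resolves it to find a DC of the trusted domain.  <1B> (PDC, unique) and
# <1D>/<1E> (browser) are reported for information only.
REQUIRED = {"1C": "GROUP"}
INFORMATIONAL = ("1B", "1D", "1E")

_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

def parse_nbt_table(text):
    """Parse the nbtstat name table; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            records.append(NbtRecord(name.upper(), suffix.upper(), kind.upper(), status))
    return records

def check_domain_records(records, domain):
    """Report whether a DC advertises the domain records an external trust relies on."""
    domain = domain.upper()
    have = {r.suffix: r.kind for r in records
            if r.name == domain and r.status.lower() == "registered"}
    missing = [s for s, k in REQUIRED.items() if have.get(s) != k]
    return {"ok": not missing, "missing": missing,
            "info": {s: s in have for s in INFORMATIONAL}}

# Constructed sample output modelled on the 'nbtstat -a' layout (NTDOM, NTDC1
# and NTDC2 are made-up names).
HEALTHY_PDC = """\
       Name               Type         Status
    ---------------------------------------------
    NTDC1          <00>  UNIQUE      Registered
    NTDOM          <00>  GROUP       Registered
    NTDOM          <1C>  GROUP       Registered
    NTDC1          <20>  UNIQUE      Registered
    NTDOM          <1B>  UNIQUE      Registered
    NTDOM          <1E>  GROUP       Registered
    NTDOM          <1D>  UNIQUE      Registered
"""
BDC_WITHOUT_1C = """\
    NTDC2          <00>  UNIQUE      Registered
    NTDOM          <00>  GROUP       Registered
    NTDOM          <1E>  GROUP       Registered
"""
```

A DC whose report comes back with `"1C"` in `missing` is the one to look at in the WINS database; the `info` flags only say which machine currently holds the PDC and browser names.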