Trust to nt 4 domain from w2k3 forest

[Craig Hackl]

Hi i'm having a weird problem, i'm setting up a test network so i can try
out a trust between a nt 4 domain, and a w2k3 forest.
i have 4 machines
1 - nt 4 pdc for domain a (which was a bdc from my production network that i
promoted)
2 - nt 4 server w/ exchange 5.5 (in domain a)

3 - w2k3 dc for domain b running dns server, wins server
4 - w2k3 w/ exchange 2003 in domain b

i can assign permissions in domain a to users in domain b
but when i try to assign permissions in domain b to users in domain a it
will not let me see the list of users in domain a

if i give everyone permissions and create a folder on machine 3 with a users
from domain a (logged in on machine 1 or 2) then look at the permisions they
show up correctly (i.e. domaina\username )
so it looks like the only issue i'm having is that domain B can not search
domain a's user list...

dns/wins all point to machine 3
when i test the trust it says everythings fine...
i can log in on any of the machines with an account from any domain.

if i log into machine 4 using an account from domain a, i still can not look
at the user list on domain a, but any files i create (in folders where i
have permisions) show up as created from domaina\username

the dns is the auto created one, i've created a reverse lookup zone.
in wins i've set the domain entries for domain a and domain b
i'm guessing this is something simple but i can't find anything...

 

[Derek Melber [MVP]]

I assume you have two trusts created?

 

[Craig Hackl]

correct, it's a two way trust on both sides....

everything works perfect going from nt 4 to 2003 (so if i was trying to
migrate my 2003 network to nt 4 i'd be happy

 

[Derek Melber [MVP]]

Craig,

What SP level are you running in NT?

 

[Craig Hackl]

service pack 6a

Craig,

What SP level are you running in NT?

--
Derek Melber
BrainCore.Net
(e-mail address removed)
a where

 

[Cary Shultz [A.D. MVP]]

Derek,

I hope that you do not mind that I am jumping in...

Craig, did you use the ADDT MMC or did you use NETDOM to create the Trusts?
I am assuming that the lmhosts files that you have are correct?

HTH,

Cary

 

[Craig Hackl]

i used the ADDT MMC to create the trusts...
i don't have a lmhosts file at all... do i need one? all the machines are
using wins, and wins has the domain entries in it...

 

[Cary Shultz [A.D. MVP]]

WINS will work.....

Cary

i used the ADDT MMC to create the trusts...
i don't have a lmhosts file at all... do i need one? all the machines are
using wins, and wins has the domain entries in it...

so

 

[Derek Melber [MVP]]

No worries Cary... thanks for helping out. The more the merrier, especially
with something like this, which seems to be setup correctly, but is not
working!

Craig,

have you attempted to delete the trust that is not working and recreate it?

 

[Craig Hackl]

and all i should need is the domain entry for each domain pointing to the
pdc in nt 4 and my only dc in 2003?

 

[Craig Hackl]

yep i've tried deleting and recreating a few times.

 

[Cary Shultz [A.D. MVP]]

This is some thing that I was going to suggest. Only upon recreating it I
was going to suggest using NETDOM instead of the ADDT MMC. I personally
have set up several WINNT / WIN2000 Trusts that just did not work - but
should have. I used the ADDT MMC. Get rid of the trusts that were set up
with the MMC and use NETDOM and all is happy! It just does not work
sometimes when using the ADDT MMC. It always works using NETDOM ( assuming
that everything else is in order ).

Derek, did you contribute to the WIN2003: Group Policy, Profiles and
Intellimirror book from Sybex? Have not yet purchased it...

Cary

 

[Craig Hackl]

i'll try it with netdom and let you know. Thanks!

 

[Craig Hackl]

well i tried netdom, and i get the same thing, it works perfect on the nt 4
side, on the w2k3 side i still can not view the nt4 user lists...
when i go to add permissions, i get a plus sign by doman B, but domain A is
just shown with no plus sign beside it, i try going to advanced to search
and nothing....

 

[Derek Melber [MVP]]

Cary,

My old stuff will be in there, so, yes, in a round about way I did. I am
trying to get my own GPO book out. I am writing a Troubleshooting GPO Ebook
for MCPMAG... it will be done in June.

 

[Cary Shultz [A.D. MVP]]

Great!

Looking forward to June ( your ebook and my wife and I expecting first
baby! - well, actually 07/07 but I think that little guy will announce his
existence to the rest of the world a week or two earlier! )

Cary

 

[Derek Melber [MVP]]

Congrats!

 

[Ace Fekay [MVP]]

In Craig Hackl <[email protected]> posted their thoughts,
then I offered mine
<snip>

If I may jump in here...

I'm thinking that the default GPO setting for your W2k3 DCs may not be
allowing connectivity from the NT4 domain. The default setting is to
digitally sign all communication. Trusts will still work, but have found
when attempting to communicate, this setting will stop the communication
cold with legacy operating systems, including DOS, WIn9x, WInME and NT4.

Now, I'm not saying that this is the problem, but just suggesting to disable
that setting on the Default Domain Controllers GPO and see if it helps.

The setting can be found here.....
Open ADUC, goto Domain Controller OU, rt-click, properties, GPO tab and
double click onyour Default Domain Controllers GPO. If you have the GPMC
installed, then just click on the button to manage your GPOs and rt-click on
and choose edit on the Default Domain Controllers GPO.

Then drill down into:
Computer Configuration
Windows Settings
Local Policies
Security Options
Then double click on "Microsoft Network Server: Digitally Sign
Communications (Always)".
Ensure that "Define This Policy" is checked
Then click Disabled and hit Ok.
Goto a CMD prompt on all your DCs and type in gpupdate to kick it in gear.

Then go ahead and try what you're doing and see if it helps.

Hope this helps....


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Cary Shultz [A.D. MVP]]

Ace,

Great thought. I thought of that as well. Please correct me if I am
incorrect but that would affect WINNT 4 SP3 and lower? I think that Craig
stated that he has WINNT 4.0 SP6a. Does this still apply? Or am I
completely off-base here? Have not dome much of anything with WIN2003 yet.

Cary

"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

Ace,

Great thought. I thought of that as well. Please correct me if I am
incorrect but that would affect WINNT 4 SP3 and lower? I think that
Craig stated that he has WINNT 4.0 SP6a. Does this still apply? Or
am I completely off-base here? Have not dome much of anything with
WIN2003 yet.

Cary

Cary, I honestly don't remember if the NT4 SP level affects this or not.
I've seen this issue, especially with MACs and DOS. DOS since I use a DOS
setup method for my classrooms and they won't connect to the DC at the DOS
level unless I disable that setting. When I saw this post and read thru it,
I thought, hmm... just maybe this may work! But can't remember about the NT4
SP level... sorry!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory