Can't establish trust between W2K AD domains


Joe Dougherty

Hello, all;

I'm struggling with something and I can seem to find the problem, so I
seek advice and wisdom.

I have two W2K domains on the same physical network.They also share the
same IP network. Both have AD fully installed, along with DNS. Here's the
basic configuration: two AD DCs one AD DC.
These are not child domains of one another. The master controller for
olddom is
The master for newdom is dc2.newdom.joe com.

These domains were configured in different places, and the goal was to
keep tham as separate domains in different forests, since olddom will
eventually go away. My assumption was that we should have no trouble setting
up a trust between them.

Here's the problem. When I use the AD trusts tool to establish the
exyernal trusts between the two domains, newdom seems to be okay connecting
to olddom, but the reverse doesn't work. No matter how I've tried to set up
the trust, newdom cannot contact the DC on newdom. The neddom DC adds the
trust of olddom to its configuration in the AD Trusts tool, but I can't get
the other side of the trust to establish. The most common error I see is
"Access to the domain newdom is denied. Check that the password is correct
and try again."

Here's what I've done to troubleshoot:
1. Checked all DNS. Each DC has DNS installed and running. I have
configured each DC's DNS to see the other DC's zones.
2. Each machine can ping the other machine.
3. Each machine resolves the other using nslookup.
4. I wrote an LMHosts file for newdom and installed in on the DC.
Nbtstat shows the DC, but olddom still can't see it.
5. I did some testing with nltest from the old NT4 Resource kit. When I
run queried on newdom from the DC of olddom, I get some confusing results.
NLtest can get the name and the DC list from newdom:
C:\nt-tool>nltest /dcname:newdom
PDC for Domain newdom is \\MIDDSFAC
The command completed successfully

C:\nt-tool>nltest /dclist:newdom
List of DCs in Domain newdom
The command completed successfully

However, when I attempte to query or reset the sceure channel, I get the
C:\nt-tool>nltest /sc_query:newdom
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\nt-tool>nltest /
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\nt-tool>nltest /sc_reset:newdom
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

6. I also run the Domain Monitor from the W2K resource kit from the
olddom DC. It finds its own domain, and two others on the network. When I
try to add newdom manually, it errors syaing it can't find the PDC.

I'm really frustrated here and wondered if there's anyplace else I
should look to solve this issue. I need to be able to set the trust to share
access to an Exchange Server on olddom. There are some horrible workarounds
for that, but this should be something I can get working. I know this is a
long post, but I'd appreciate any insight anyone can provide.

Tim Springston \(MSFT\)

Hi Joe-
It might be a good idea to look for security specific settings on either
domains PDC, and if you find them, relax the setting temporarily as you
establish the trust. Sometime culprit settings can be Restrictanonymous,
LMCompatibilitylevel, Requiresecuritysignature (SMB signing).

Here's some KB articles which may be relevant:

246261 How to Use the RestrictAnonymous Registry Value in Windows 2000

257646 Windows 2000 Domain Controller Trusts May Not Work with

(Somewhat less relevant, but good information)
816818 Error Message: Picker Cannot Open Because It Cannot Determine Whether

Please repost and let us know if this makes any difference.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question