Create Trust

Guest

I'm trying to set up an external trust from a Windows 2000 Domain with
Active Directory installed to a Windows NT Domain. We have set up users on
both sides.
The Windows NT domain can create a trust to the Active Directory domain
without any problems. When we try to create the trust from the AD Domain I get
the error

"The account is not authorized to login from this workstation"

I can ping the WinNt domain controller by name and ip number. When I search
for the domain controller in network neighborhood it will find it but the
location is unknown.
When I do the same search from a workstation with windows 2000 server
installed but not AD it will return the pc name and domain name and allow me
to access the shared folders.

I don't see anything in the event logs that will give me a clue. I have used
dcdiag to see if the AD is having problems but no error is returned. DNS
seems to be working; I tested it with ping and nslookup.

Does anyone have any ideas on what else I can look into to resolve this
problem?

Thank you,

John Hultgren
Network Administrator
 
Herb Martin

John Hultgren said:
> I'm trying to set up an external trust from a Windows 2000 Domain with
> Active Directory installed to a Windows NT Domain. We have set up users on
> both sides.

(FYI: There is no "AD on NT" so the above is likely
a typographical error or language issue.)

NT and all external trusts require NetBIOS name
resolution.

In practice this means the xDCs must all have NetBIOS
enabled (e.g., not disabled on the WINS tab of the IP
properties) AND in a routed environment WINS servers
are a practical requirement.

> The Windows NT domain can create a trust to the Active Directory domain
> without any problems. When we try to create the trust from the AD Domain I get
> the error
>
> "The account is not authorized to login from this workstation"

Perhaps the NetBIOS resolution is only working
in one direction OR maybe you have another problem.

> I can ping the WinNt domain controller by name and ip number. When I search
> for the domain controller in network neighborhood it will find it but the
> location is unknown.

"Location is unknown"? If you mean you
"see it" in Network Neighborhood but when
you click on it you get some type of 'not
found error', then nothing has been "found"
yet -- except the Master Browser.

Name resolution only occurs after the user
clicks a particular server to see the list of
shares.

And such name resolution MAY use DNS
methods (either primarily or as a supplement
to NetBIOS.)

> When I do the same search from a workstation with windows 2000 server
> installed but not AD it will return the pc name and domain name and allow me
> to access the shared folders.

NetBIOS name resolution is likely working
in this direction.

One reason for this might be that SOME of
your servers are NOT "WINS clients". While
others are (likely the NT xDCs are since people
think NetBIOS is unnecessary for Win2000/2003.)

That is incorrect -- practically all Windows domains
require NetBIOS to work. If you have multiple
subnets (i.e., routers) then this means WINS server.

And ALL internal machines need to be WINS clients.

[It is also possible that you have replicated the
WINS database in one direction only -- but this
is a less common problem.]

> I don't see anything in the event logs that will give me a clue. I have used
> dcdiag to see if the AD is having problems but no error is returned. DNS
> seems to be working; I tested it with ping and nslookup.
>
> Does anyone have any ideas on what else I can look into to resolve this
> problem?

Check the NetBIOS -- and the WINS server as well as
the client SETTINGS for the WINS server.

(Even the WINS server should be a WINS client.)
 
Glenn L

> "The account is not authorized to login from this workstation"

Usually is an SMB signing incompatibility issue.
Workstation service (client) talks to the server service (server).
If workstation service requires SMB signing, then the server service on the
other side must have it enabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

e.g. If the lanmanworkstation config on the AD side has
'requiresecuritysignature'=1, then the lanmanserver config on the NT4 side
must have 'enablesecuritysignature'=1

workstation service config on NT4 is
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

--
Glenn L
CCNA, MCSE 2000/2003 + Security
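
The compatibility rule described in the post above can be checked mechanically for both directions of a trust. The following is an added example, not part of the original thread: it parses registry exports in the format shown above and applies the SMB1 signing negotiation rule. The two sample exports are constructed, the function names are hypothetical, and it assumes a missing value counts as 0 and that "require" implies "enable".

```python
import re

# Constructed sample exports (not from the thread): the AD side requires
# client signing, the NT4 side has server-side signing disabled.
AD_SIDE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"""
NT4_SIDE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"""
# NT4 names its workstation service key "Rdr"; later versions use lanmanworkstation.
ROLES = {"lanmanworkstation": "client", "rdr": "client", "lanmanserver": "server"}

def parse_reg(text):
    """Return {"client": {...}, "server": {...}} from regedit-export text."""
    out, role = {"client": {}, "server": {}}, None
    for line in map(str.strip, text.splitlines()):
        key = re.match(r"\[.*\\Services\\([^\\]+)\\parameters\]$", line, re.I)
        val = re.match(r'"(\w+)"=dword:([0-9a-f]{8})$', line, re.I)
        if key:
            role = ROLES.get(key.group(1).lower())
        elif val and role:
            out[role][val.group(1).lower()] = int(val.group(2), 16)
    return out

def flags(cfg):
    """(enabled, required). Assumption: missing value = 0, required implies enabled."""
    req = cfg.get("requiresecuritysignature", 0) == 1
    return req or cfg.get("enablesecuritysignature", 0) == 1, req

def negotiate(client_cfg, server_cfg):
    """SMB1 signing outcome for one direction: 'fail', 'signed' or 'unsigned'."""
    (c_en, c_req), (s_en, s_req) = flags(client_cfg), flags(server_cfg)
    if (c_req and not s_en) or (s_req and not c_en):
        return "fail"  # one side demands signing that the other will not do
    return "signed" if c_en and s_en else "unsigned"

def check_both_directions(side_a, side_b):
    """Evaluate A's client against B's server, and B's client against A's server."""
    a, b = parse_reg(side_a), parse_reg(side_b)
    return {"a_to_b": negotiate(a["client"], b["server"]),
            "b_to_a": negotiate(b["client"], a["server"])}
```

With the constructed samples, the AD-to-NT4 direction fails while NT4-to-AD negotiates signing, which is the kind of one-way asymmetry the rule predicts when only one server service has signing enabled.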

 
Herb Martin

> Usually is an SMB signing incompatibility issue.
> Workstation service (client) talks to the server service (server).
> If workstation service requires SMB signing, then the server service on the
> other side must have it enabled.

That makes sense.

NT machines and 9x should all have the
DSClient upgrade and latest service packs
which should allow them to participate in
SMB signing (rather than disabling it.)
 
Guest

Thanks for the information. I'll check into what you have suggested.


Just for clarification on my part, I have two domains at different sites.
The first domain is a Windows 2000 with active directory local to me and the
second domain is Windows NT at a remote location. The Windows NT domain can
create a trust with the Windows 2000 domain, but I get the error
"The account is not authorized to login from this workstation" when I try to
create the trust from Windows 2000 domain to the Windows NT domain. The user
and password have been created on both sides.
 
