Domain was in the wrong state to perform the security operation

Lillian

I have an NT2003 AD server and an NT4 (PDC) server, and I need to
create a trust between them. I am following, step by step,
the article from Microsoft.
The NT2003 server is "glc.training.gov".
The NT4 server, the domain name is "infoservices".
http://support.microsoft.com/default.aspx?scid=kb;en-us;325874
1) From NT4 I created Trusted domains (Training).
2) From NT2003 I created an incoming trust (infoservices).
3) Did the verify, successful.
4) From the NT2003 server, I created an outgoing trust
(infoservices), then could not continue. It says: "The trust
relationship cannot be created because the following
error occurred. The operation failed, the error is: the
domain was in the wrong state to perform the security
operation". I have no idea what that means. Need help.

Thanks.

Lillian
 
Steven L Umbach

I experienced that once in setting up external forest trusts between two
W2003 domains. The problem was I was trying to set up a trust using
"selective authentication" and the forest was not at the proper forest
functional level which needed to be W2003 level I believe. So you may want to
try not using selective authentication option in creating the trust which is
probably only possible for a trust incoming into W2003. Selective
authentication allows a W2003 domain to only allow trusted domain access to
servers that have the "allowed to authenticate" permission assigned in AD on
the server object to domain users in the trusted domain. --- Steve
 
Lillian

Steve:

I tried selecting "domain-wide authentication" instead
of "selective authentication", and it worked, but when I try to
validate on the NT2003 server, it says: "verification of trust
between domain traing.gov and domain infoservices was
unsuccessful because there are currently no logon servers
available to service the logon request. To repair a trust
to a pre-Windows 2000 domain you must remove and re-add the
trust on both sides."

I created the same user name, "trust", on the NT2003 server and
the NT4 server. On NT2003 it has administrators, domain admins,
domain users privileges; on the NT4 server it has
administrators, domain admins, domain users privileges,
the same thing. But before I click validate, it says "need to
have admin privilege on infoservice", which trust has, so
what is going on with this?

Thanks for all the help.

Lillian
 
Steven L Umbach

Hmm. I have never set up a trust between NT4.0 and W2003. I do know that W2003 has
security options that can cause problems with NT domains but first you need to make
sure that netbios name resolution is working correctly between the domains and you
can try having the wins servers in each domain be replication partners with each
other being sure that the W2003 domain controllers are also wins clients so that they
register the domain controller records. Alternatively you could try to use lmhosts on
the domain controllers in each domain with entries for the domain controllers in the
other domain as described in the KB link below.

http://support.microsoft.com/default.aspx?scid=kb;en-us;180094
http://support.microsoft.com/default.aspx?scid=kb;en-us;262655 -- lmhosts entries are
case sensitive

If that does not help then you may need to back down some of the security options in
the Domain Controller Security Policy. See the link below to the W2003/XP threats and
Countermeasures guide and read the comments on "potential impact". In particular read
the security options on "anonymous enumeration". I would suggest disabling both of
those settings. You may also need to change "let everyone permissions apply to
anonymous users" to disabled. In addition I would disable "network server: digitally
sign communications always" until you resolve the trust issue.

http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch05.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- more info on
incompatible settings.

If none of that helps, I suggest you may also want to post in one of the
Active_directory newsgroups including the win2000. one as there are a lot of
experienced Active Directory people over there that know a lot about trust issues.
Good luck. --- Steve
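
The lmhosts approach suggested above, as an added example that is not part of the original posts: it builds the two entries for a remote domain's PDC and checks existing lines for the case and padding mistakes that make them fail. The IP address and the PDC name NT4PDC are constructed placeholders, and the entry layout (#PRE/#DOM plus a 20-character quoted \0x1b name) is the commonly documented LMHOSTS form, not something stated in this thread.

```python
import re

NAME_LEN = 15  # NetBIOS names are 15 characters; byte 16 is the service type


def lmhosts_entries(ip, dc_name, domain):
    """Return the two LMHOSTS lines for a remote domain's PDC."""
    dc, dom = dc_name.upper(), domain.upper()
    for value in (dc, dom):
        if not 0 < len(value) <= NAME_LEN or re.search(r'[\s"]', value):
            raise ValueError(f"not a usable NetBIOS name: {value!r}")
    # Domain <1B> record: pad the name to 15 characters, then the literal
    # text \0x1b, giving exactly 20 characters inside the quotes.
    quoted = dom.ljust(NAME_LEN) + r"\0x1b"
    return [f"{ip}\t{dc}\t#PRE\t#DOM:{dom}", f'{ip}\t"{quoted}"\t#PRE']


def check_line(line):
    """Return a list of problems found in one existing LMHOSTS line."""
    problems = []
    for kw in re.findall(r"#(?:pre|dom)\b", line, flags=re.I):
        if kw != kw.upper():
            problems.append(f"keyword {kw} must be upper case")
    match = re.search(r'"([^"]*)"', line)
    if match:
        name = match.group(1)
        if len(name) != NAME_LEN + 5:
            problems.append(f"quoted name is {len(name)} characters, expected 20")
        base = re.sub(r"\\0x1b$", "", name, flags=re.I)
        if base != base.upper():
            problems.append("quoted domain name must be upper case")
    return problems


if __name__ == "__main__":
    # Constructed sample values: documentation IP and a hypothetical PDC name.
    for entry in lmhosts_entries("192.0.2.10", "nt4pdc", "infoservices"):
        print(entry, check_line(entry))
```
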
 
Steven L Umbach

I should add that changes to security policy will not take effect right away. At
minimum run " gpupdate /target:computer /force " on the W2003 server where you
configured changes and if possible also reboot it. -- Steve
 
Steven L Umbach

Sorry. After rereading I noticed I made an error. You may need to change the security
option for "let everyone permissions apply to anonymous users" to ENABLED. --- Steve
 
Guest

Steve:

Hi, how are you? I still have that "verification of
trust between domain traing.gov and domain infoservices
was unsuccessful because there are currently no logon
servers available to service the logon request. To repair
a trust to a pre-Windows 2000 domain you must remove and
re-add the trust on both sides."
Any idea?

thanks for all the help.

Lillian