A
Andrew Hayes
I've read though most, if not all, posts concerning setting up a two-way
trust relationship between a Windows 2000 domain and an NT 4 domain
(LMHOSTS, NBTSTAT, NSLOOKUP, NETDOM, NLTEST, Domain Monitor, Windows NT 4
Resource Kit, Windows 2000 Resource Kit, LMCompatabilityLevel,
RestrictAnonymous, etc., etc., etc...), and so far they have certainly
helped me get further in achieving my goal, but not quite.
The Past -
The NT 4 PDC is for the master domain. The Win2K PDC is for the resource
domain... The HDD from the original Win2K Advanced Server was moved to a new
box due to a mobo failure. One reboot later (due to the original HDD being
SCSI and the new box needing a SCSI controller), that is now running as
before... Except...
None of the NT 4 domain users could access the Win2K resources.
So started the long process of fixing this... First, the trust relationship
between the 2 PDC's was removed, and then recreated as outlined in
Q306733... Or at least tried to be...
Added the resource domain to the Trusted Domains list of the Trust
Relationships dialog from User Manager for Domains on the NT PDC. All well
and good.
Proceeded to add the master domain to the Trusting Domains list of the
Trusts tab of the Win2K PDC listed in Active Directory Domains and Trusts...
Got a "The MASTER could not be contacted. If this is a Windows domain, the
trust cannot be setup until the domain is contacted. Click cancel and try
again later. If this is an interoperable non-Windows Kerberos realm and you
want to set up this side of the trust, click OK." message.
Well... I went through hoops at that time (the main thing was defining the
MASTER domain and MASTER PDC in the LMHOSTS file on the Win2K PDC)...
Tried again... This time I got the "Do you wish to verify this trust
relationship" question... Clicked Yes... Pops up a User/Password dialog for
the master domain administrator... Excellent! Typed in the info and clicked
OK...
Get 2 dialogs... One on the Win2K PDC saying it couldn't verify... And a
Messenger Service popup on the NT PDC saying it "Failed to authenticate with
<Unknown>, a Windows NT Domain Controller for domain RESOURCE"...
In the System event log of the NT PDC is a NetLogon Error Event ID 5721...
"The session setup to the Windows NT Domain Controller <Unknown> for the
domain RESOURCE failed because the Windows NT Domain Controller does not
have an account for the computer MASTERPDC."
Fine! Go to Active Directory Users and Computers, add the MASTERPDC to the
list of Computers... No change.
The Present -
Certainly seems like the secure channel between the Win2K Resource PDC and
the NT 4 Master PDC is not working.
Looked at Q288167, Q175024, Q158148, Q150518, Q160324, Q329860, the list is
long and mainly comprises client to server secure channel, not PDC to PDC...
The Future -
Hopefully, I can get this sorted... As you can see, I've done the best I can
but now I see that I need to seek assistance further afield, hence my rather
long post. So... Any comments, ideas, suggestions, solutions are welcome.
Thank you.
trust relationship between a Windows 2000 domain and an NT 4 domain
(LMHOSTS, NBTSTAT, NSLOOKUP, NETDOM, NLTEST, Domain Monitor, Windows NT 4
Resource Kit, Windows 2000 Resource Kit, LMCompatabilityLevel,
RestrictAnonymous, etc., etc., etc...), and so far they have certainly
helped me get further in achieving my goal, but not quite.
The Past -
The NT 4 PDC is for the master domain. The Win2K PDC is for the resource
domain... The HDD from the original Win2K Advanced Server was moved to a new
box due to a mobo failure. One reboot later (due to the original HDD being
SCSI and the new box needing a SCSI controller), that is now running as
before... Except...
None of the NT 4 domain users could access the Win2K resources.
So started the long process of fixing this... First, the trust relationship
between the 2 PDC's was removed, and then recreated as outlined in
Q306733... Or at least tried to be...
Added the resource domain to the Trusted Domains list of the Trust
Relationships dialog from User Manager for Domains on the NT PDC. All well
and good.
Proceeded to add the master domain to the Trusting Domains list of the
Trusts tab of the Win2K PDC listed in Active Directory Domains and Trusts...
Got a "The MASTER could not be contacted. If this is a Windows domain, the
trust cannot be setup until the domain is contacted. Click cancel and try
again later. If this is an interoperable non-Windows Kerberos realm and you
want to set up this side of the trust, click OK." message.
Well... I went through hoops at that time (the main thing was defining the
MASTER domain and MASTER PDC in the LMHOSTS file on the Win2K PDC)...
Tried again... This time I got the "Do you wish to verify this trust
relationship" question... Clicked Yes... Pops up a User/Password dialog for
the master domain administrator... Excellent! Typed in the info and clicked
OK...
Get 2 dialogs... One on the Win2K PDC saying it couldn't verify... And a
Messenger Service popup on the NT PDC saying it "Failed to authenticate with
<Unknown>, a Windows NT Domain Controller for domain RESOURCE"...
In the System event log of the NT PDC is a NetLogon Error Event ID 5721...
"The session setup to the Windows NT Domain Controller <Unknown> for the
domain RESOURCE failed because the Windows NT Domain Controller does not
have an account for the computer MASTERPDC."
Fine! Go to Active Directory Users and Computers, add the MASTERPDC to the
list of Computers... No change.
The Present -
Certainly seems like the secure channel between the Win2K Resource PDC and
the NT 4 Master PDC is not working.
Looked at Q288167, Q175024, Q158148, Q150518, Q160324, Q329860, the list is
long and mainly comprises client to server secure channel, not PDC to PDC...
The Future -
Hopefully, I can get this sorted... As you can see, I've done the best I can
but now I see that I need to seek assistance further afield, hence my rather
long post. So... Any comments, ideas, suggestions, solutions are welcome.
Thank you.