S
shawn
I'm unable to establish trust commnication (i.e. secure channel) between my
W2K3 AD domain and my NT 4.0SP1 domain (external trust).
Trust direction: Trusting: AD_DOMAIN, Trusted NT_DOMAIN domain
This trust had been working for 6 month as I was in progress of migrating
users/resources over to the AD domain. Then one day...several weeks ago, I
was attempting a user migration and determined that trust appeared to not be
in place anymore.
Since then I have removed the trust complete (both direction) and
reestablished the trust. The trust is created and it appears that the
AD_DOMAIN$ and NT_DOMAIN$ trust accounts are created. However, if I try to
verify trusts using W2K3 GUI it fails with error saying I need to remove and
readd trust (which I have done many many times during my dianostics).
To this point, it appears to be a secure channel issue, more than likely
with the LSA password possible corrupted or out-of-sync remaining in
registry on one side or the other.
I have been getting the 3210 and 5722 errors in event logs during this
attempts...indicating AccessDenied
A line from NETLOGON.LOG file using DBFlag = 0x2080FFFF was the following:
[CRITICAL] AD_DOMAIN: NT_DOMAIN: NlSessionSetup: new password is bad. Old
password is same as new password.
This possible pointing to the LSA trust password issue.
I have used NETDOM and NLTEST thoroughly with no luck. I can establish the
trust...and get a success with nltest /sc_query:NT_DOMAIN...as soon as I
attempt to verify for try to browse to resources, the secure channel begins
reflecting access denied symptons...very strange???
Does anybody have insight on what to try next?
I'll provide more detail as needed.
Thanks in advance.
Shawn
W2K3 AD domain and my NT 4.0SP1 domain (external trust).
Trust direction: Trusting: AD_DOMAIN, Trusted NT_DOMAIN domain
This trust had been working for 6 month as I was in progress of migrating
users/resources over to the AD domain. Then one day...several weeks ago, I
was attempting a user migration and determined that trust appeared to not be
in place anymore.
Since then I have removed the trust complete (both direction) and
reestablished the trust. The trust is created and it appears that the
AD_DOMAIN$ and NT_DOMAIN$ trust accounts are created. However, if I try to
verify trusts using W2K3 GUI it fails with error saying I need to remove and
readd trust (which I have done many many times during my dianostics).
To this point, it appears to be a secure channel issue, more than likely
with the LSA password possible corrupted or out-of-sync remaining in
registry on one side or the other.
I have been getting the 3210 and 5722 errors in event logs during this
attempts...indicating AccessDenied
A line from NETLOGON.LOG file using DBFlag = 0x2080FFFF was the following:
[CRITICAL] AD_DOMAIN: NT_DOMAIN: NlSessionSetup: new password is bad. Old
password is same as new password.
This possible pointing to the LSA trust password issue.
I have used NETDOM and NLTEST thoroughly with no luck. I can establish the
trust...and get a success with nltest /sc_query:NT_DOMAIN...as soon as I
attempt to verify for try to browse to resources, the secure channel begins
reflecting access denied symptons...very strange???
Does anybody have insight on what to try next?
I'll provide more detail as needed.
Thanks in advance.
Shawn