secure channel error when verifying trust


Karl

When I set up a trust from an NT domain to my W2K domain,
I was not able to verify the trust from the AD domain trust
MMC. The symptoms:

1. When I verify the trust I got the message: "The secure
channel (SC) query on domain controller \\xxx of domain
yyy failed with error: the specified domain either does
not exist or could not be contacted. an sc reset will be
attempted." The reset attempt then fails.

2. Using nltest on either the NT PDC or the W2K DC with /sc_query
failed with "I_netLogonControl failed: status = 1355 0x54b
error_no_such_domain". nltest /sc_reset turns up the same
error.

3. From DOMMON on NT: the W2K domain is found with all DCs and
access denied; interestingly, the NT domain itself does not
find a DC of any kind.

4. From DOMMON on W2K: the W2K domain is found with all DCs
and success; for the NT domain, no DC is found.

The DCs in all domains in question are on the same subnet.
nbtstat can query each DC with a satisfactory result. I did
have a GPO applied to OU = Domain Controller, but I used the
defltdc.inf template to reverse it and no effect is found.

Please help.
 

Cary Shultz

Karl,

In order to use NETDOM to establish the trusts, please use
the following format:

netdom trust WINNT4 /D:win2000.com /UserO:Administrator /PasswordO:winnt /UserD:Administrator /PasswordD:win2000 /Add /Twoway

WINNT4 would be the NetBIOS name of the WINNT 4.0 domain
WIN2000.com would be the DNS name of the WIN2000 domain
/UserO: would be the Administrator of the WINNT domain
/PasswordO: would be the admin password of the Admin account
/UserD: would be the Administrator of the WIN2000 domain
/PasswordD: would be the admin password of the Admin account
/Add is telling NETDOM to create this trust
/Twoway is telling NETDOM to make this in both directions

HTH,

Cary
 

Cary Shultz

-----Original Message-----


Thank you, Cary.

I used Microsoft support for this and after 3 hours of
shooting around we finally hit the target. It is the
restrictanonymous value in HKLM/system/ccs/control/lsa. I
set it to 2 and it should be 0 if I have NT domains to
take care of.

I posted this in four different places and you are the
only one who commented. Thanks.

Karl
.
You are welcome. I am glad that you were able to resolve
this issue...

Cary
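
Added example, not part of the original thread: a small triage script that correlates the two observations reported above (nltest status 1355 and restrictanonymous = 2) across several domain controllers. The host names and captured outputs are constructed samples, and the verdict labels are this example's own.

```python
import re

# Constructed sample captures (host names are placeholders), shaped like
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous
#   nltest /sc_query:<trusted domain>
SAMPLES = {
    "DC-A": {
        "reg": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
               "    restrictanonymous    REG_DWORD    0x2\n",
        "nltest": "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN\n",
    },
    "DC-B": {
        "reg": "    restrictanonymous    REG_DWORD    0x0\n",
        "nltest": "Flags: 0\nConnection Status = 0 0x0 NERR_Success\n",
    },
    "DC-C": {
        "reg": "    restrictanonymous    REG_DWORD    0x1\n",
        "nltest": "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN\n",
    },
}

REG_RE = re.compile(r"restrictanonymous\s+REG_DWORD\s+(0x[0-9a-f]+)", re.I)
STATUS_RE = re.compile(r"status\s*=\s*(\d+)\s+0x[0-9a-f]+", re.I)

def restrict_anonymous(reg_text):
    """Return the DWORD as int, or None when the value is absent from the capture."""
    m = REG_RE.search(reg_text)
    return int(m.group(1), 16) if m else None

def sc_status(nltest_text):
    """Return the first Win32 status code nltest printed, or None if none was found."""
    m = STATUS_RE.search(nltest_text)
    return int(m.group(1)) if m else None

def triage(samples):
    """Map host -> (RestrictAnonymous, status, verdict) for each captured DC."""
    report = {}
    for host, out in samples.items():
        ra, st = restrict_anonymous(out["reg"]), sc_status(out["nltest"])
        if st == 1355 and ra == 2:
            verdict = "MATCH"    # the combination this thread resolved by setting 0
        elif st == 0:
            verdict = "OK"       # secure channel query succeeded
        elif st is None:
            verdict = "UNKNOWN"  # no status line in the capture
        else:
            verdict = "OTHER"    # channel fails, but RestrictAnonymous is not 2
        report[host] = (ra, st, verdict)
    return report
```

Value 2 is the strictest anonymous-access setting, so lowering it to 0 for NT 4.0 compatibility is a trade-off worth recording against the affected DCs.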
 
