Troubleshooting Trust issues

Carl Hilton

PROBLEM: I have a W2K Server (on an NT4 Network) that says it has trust
issues when trying to pull in info from an AD domain.

Now, I have a different W2K server in the same NT4 domain that CAN pull in
the info from the same AD Domain.

Running "NETDOM QUERY /DOMAIN:ad_domain TRUST" on this server shows the
trust failed. Running this on other servers in the NT4 domain shows the
trust working.

Running nbtstat -c shows that this machine has pointers to all DCs/PDCs for
affected domains.

How can I fix this one machine?
 
Herb Martin

Probably need WINS server(s) with all of the machines, including
DCs client IP settings referencing the same WINS database, i.e.,
a set of one or more replicated WINS servers. If you have more
than one subnet this is almost always the issue.
 
Carl Hilton

I have a WINS server on each subnet affected and the networking
configurations of all machines do point to those WINS servers.
 
Herb Martin

Carl Hilton said:
I have a WINS server on each subnet affected and the networking
configurations of all machines do point to those WINS servers.

Do the WINS servers all replicate? I indicated the SAME WINS
Database but you didn't confirm that, only that you had WINS
servers.

--
Herb Martin
 
Carl Hilton

Those were followed and according to the NT4 PDC and the AD DC the trusts
are valid. Also running NETDOM from other servers in the NT4 domain says the
trusts are GREAT. It is just two of 25 servers reporting bad trusts.
 
Carl Hilton

The two WINS servers are both set to PUSH and PULL with the other. No
errors reported in the WINS server event logs.


Herb Martin said:
Carl Hilton said:
I have a WINS server on each subnet affected and the networking
configurations of all machines do point to those WINS servers.

Do the WINS servers all replicate? I indicated the SAME WINS
Database but you didn't confirm that, only that you had WINS
servers.
 
Herb Martin

So are the DCs from each domain all registered with WINS
in the database as it shows in each server?
 
Carl Hilton

My two WINS servers are on an NT4 domain and both the NT4 PDC and BDC are
registered, so is the NT4DOMAIN with active 1Ch, 1Eh and 00h entries.
However looking at the WINS entry for the ADDOMAIN, I see an active 1Ch
entry and tombstoned 1Eh and 00h entries.

And there is what appears to be a valid entry for a local AD DC in the NT4
WINS database.
 
Shane Brasher

Hello,

Is all of the time synchronized?

Shane Brasher
MCSE (2003,2000,NT),MCSA Security, Network+, A+
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Shane Brasher

Hello All,

The PDC should also have the 1bh entry.

300598 How to Verify the Domain Records in Windows 2000 Windows Internet Name
http://support.microsoft.com/?id=300598

"A record with the "1Ch" suffix represents a group entry that contains a
list of domain controllers for logging on to a domain, or for maintaining a
domain trust secure channel. A record with the "1B" suffix contains the
address of the primary domain controller (PDC). In Windows 2000, a record
with the "1B" suffix contains the address of the PDC Emulator, which can
be used for domain administration, browsing, and client password changes.
The loss of either of these types of records in a WINS server can cause
significant loss of service. Therefore, these records must be monitored
regularly."


245172 Err Msg: Could Not Find Domain Controller for This Domain
http://support.microsoft.com/?id=245172

"This behavior can occur if the 1b (domain master browser) and 1c (domain
controller) NetBIOS names for the PDC in the trusted domain are not
registered in the Windows Internet Naming Service (WINS). This can occur
when the WINS servers in the two domains do not replicate to each other."

Try this as a test. Place a lmhosts file on the DCs and test the trust
relationship then. This should bypass any WINS queries and totally rely on
the local cache. Use article 245172 above as a reference.


Shane Brasher
MCSE (2003,2000,NT),MCSA Security, Network+, A+
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
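
The LMHOSTS test and the 1Bh/1Ch check suggested above, as an added example that is not part of the thread or of the cited Microsoft articles. It assumes the standard LMHOSTS `#PRE`/`#DOM` syntax and the quoted `\0x1b` form for the PDC record; the DC name `ADDC01` and the address `192.0.2.10` are constructed placeholders, and the record states are the ones reported for ADDOMAIN earlier in the thread.

```python
import ipaddress

NETBIOS_NAME_LEN = 15  # usable characters; the 16th byte is the service suffix


def lmhosts_entries(domain, dc_name, dc_ip, is_pdc=False):
    """Return LMHOSTS lines that preload a DC and, for the PDC, its 1Bh record."""
    ipaddress.IPv4Address(dc_ip)  # raises ValueError on a malformed address
    for label, value in (("domain", domain), ("DC name", dc_name)):
        if not 0 < len(value) <= NETBIOS_NAME_LEN:
            raise ValueError(f"{label} {value!r} must be 1-15 characters")
    domain, dc_name = domain.upper(), dc_name.upper()
    # #PRE preloads the entry into the name cache; #DOM ties the host to the
    # domain's group of domain controllers (the 1Ch role).
    lines = [f"{dc_ip}\t{dc_name}\t#PRE #DOM:{domain}"]
    if is_pdc:
        # Quoted special name: domain padded with spaces to 15 characters,
        # then the literal \0x1b, for exactly 20 characters inside the quotes.
        quoted = domain.ljust(NETBIOS_NAME_LEN) + "\\0x1b"
        lines.append(f'{dc_ip}\t"{quoted}"\t#PRE')
    return lines


def missing_trust_records(records):
    """records maps a NetBIOS suffix to its WINS state; return the suffixes
    needed for the trust (1B = PDC, 1C = DC group) that are not active."""
    return [s for s in ("1B", "1C")
            if records.get(s, "missing").lower() != "active"]


if __name__ == "__main__":
    # Constructed from the thread: ADDOMAIN shows an active 1Ch entry and
    # tombstoned 1Eh and 00h entries; no 1Bh entry was reported.
    addomain = {"1C": "active", "1E": "tombstoned", "00": "tombstoned"}
    print("not active:", missing_trust_records(addomain))
    for line in lmhosts_entries("ADDOMAIN", "ADDC01", "192.0.2.10", is_pdc=True):
        print(line)
```

After the generated lines are placed in the LMHOSTS file, `nbtstat -R` reloads the name cache and `nbtstat -c` shows whether the preloaded entries are present.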
 
