Trust relationship between nt and w2k


Z

zia

Hello,

I am trying to establish a trust relationship
between a NT domain which is in remote place. while
establishing trsut i get this error: The "xxx" domain can
not be contacted, if the domain is windows domain the
trust can not be set up until the domain is contacted. so
this is the error i get. here is my setep..

my domain:
PDC - windows2000
DHCP
DNS
Remote domain

PDC- WINT NT
WINS

So where is the problem? do i need to have WINS at my
domain? please let me know the solution

Note:- my domain is in mixed mode.


Thanks
zia
 
C

Cary Shultz [A.D. MVP]

Zia,

First off, I think that you might want to included an LMHOSTS file on the
WIN2000 DC that holds the role of PDC Emulator and on the WINNT 4.0 Primary
Domain Controller. The LMHOSTS file that you put on the PDC Emulator (
WIN2000 ) would point to the WINNT 4.0 PAD and the LMHOSTS file that you put
on the WINNT 4.0 PDC points to the WIN2000 DC. If you need help creating
one I will gladly help you.

Secondly, I think that I might suggest using NETDOM to create the trust as
opposed to using the Active Directory Domains and Trusts MMC. NETDOM is a
part of the Support Tools, which can be found on both the WIN2000 Server CD
as well as on the WIN2000 Service Pack CD ( in both cases in the Support |
Tools folder ). In fact, I would strongly suggest that you install the
Support Tools on all of your WIN2000 Servers as well as any WIN2000
Professional "Admin" stations. I would also opt for the Service Pack CD.
If you need help with the syntax then I will gladly help you.

Sometimes you can do everything absolutely by the book and use the ADDT MMC
and it will fail. It just happens that way sometimes. With NETDOM it will
not ( assuming that everything is in place ).

What about the physical connection between the two offices?

Cary
 
G

Guest

Hello Cary Shultz,

Thank you very much for your response. well yes i need
your help to establish the trust and i need help on the
syntax of netdom also. i would greatly appreciate your
help on this task.

Thank You
zia
 
C

Cary Shultz [A.D. MVP]

Zia,

Here are the two LMHOSTS that you will need as well as the syntax for netdom
when creating the trusts:

=======================================================================
LMHOSTS file on the WINNT PDC: 192.168.1.30 "MY2KDOM \0x1B"
#PRE
LMHOSTS file on the WIN2K DC: 172.16.15.30 "MYNT4DOM \0x1B"
#PRE

NETDOM syntax:
netdom trust mynt4dom /D:my2kdomaim.com /User0:NTAdministrator
/Password0:passwordNT /UserD:2KAdministrator /PasswordD:password2K /add
/twoway
============================================================================
==

Below is a rather long-winded explanation of everything! ;-)


Okay, let's start with the LMHOSTS file that you are going to write. It is
very important that have the spacing correct.

To move ahead with the example, let's establish a couple of things first.

1) your WINNT 4.0 domain has a NetBIOS name of mynt4dom and a DNS name of
mynt4domain.com
2) your WIN2000 AD domain has a NetBIOS name of my2kdom and a DNS name of
my2kdomain.com
3) you are using NTAdministrator \ PasswordNT as the user name\password for
the NT Domain Administrator account
4) you are using 2KAdministrator \ Password2K as the user name\password for
the 2K Domain Administrator account
5) The name and IP Address of the NT 4.0 Primary Domain Controller is NT4PDC
and 172.16.15.30
6) The name and IP Address of the WIN2K DC ( holding the PDC Emulator role )
is W2KDC and 192.168.1.30

If you want a MSKB Article to show you how to create the LMHOSTS files then
take a look at the first Article that Andrew gave you. Look at the bottom
and you will see a link to another MSKB article that will explain this.

So, sit down at the WINNT 4.0 PDC and open up NotePad ( not WordPad or MS
Word!!!! ) and enter the following:

192.168.1.30 "MY2KDOM \0x1B" #PRE

When you save this file in NotePad make sure that you do not save it as
LMHOSTS.txt......it is just LMHOSTS. There is no extension. Also, and this
is important, make sure that there are 15 'spaces' between the first " and
the \. What does this mean? After the IP Address ( I leave four spaces but
I do not think that this really matters ) you enter the NetBIOS domain name
of the WIN2000 AD Domain. You must begin - or open - this with the
quotation mark ( " ) as well as end - or close - it with the quotation mark.
You will note that 'my2kdom' has seven characters. So, you need to hit the
space bar eight times and then add the \0x1B". And it is also important
that the NetBIOS name be in all caps! So, save this on the WINNT 4.0 PDC in
c:\winnt\system32\drivers\etc ( the default location ). Step 1 is now
completed.

Now, sit down at the WIN2000 Domain Controller ( the one that holds the FSMO
Role of PDC Emulator ) in the W2K domain and create the following LMHOSTS
file:

172.16.15.30 "MYNT4DOM \0x1B" #PRE

Save this in the same location ( c:\winnt\system32\drivers\etc ). Note that
in this LMHOSTS file you would hit the space bar only seven times as the
NetBIOS name has eight characters! Step 2 is now completed.

BTW - how do you determine which DC holds the FSMO Role of PDC Emulator? If
you have only one WIN2000 DC in that domain / environment then it would be
that DC. However, if you have multiple DCs then you can look in the Active
Directory Users and Computers MMC, you can use replmon ( part of the Support
Tools ) or you can even use netdom. Let's take a look at that. Simply open
up a command prompt and enter the following: netdom query fsmo. You will be
give a response with ( hopefully ) five entries, one of which will be the
PDC Emulator. Go to the machine indicated there.

Open up a command prompt and simply enter the following: netdom trust
mynt4dom /D:my2kdomaim.com /User0:NTAdministrator /Password0:passwordNT
/UserD:2KAdministrator /PasswordD:password2K /add /twoway

Watch how this might be chopped up in my posting of this. When you enter it
this would all be one continuous line.

Also, note the following: A) in the LMHOSTS file with the \0x1B that the 0
is the number zero and not the letter!
B) in the netdom syntax we have
/User0: and /Password0: - again, this is the number zero

HTH,

Cary
 
C

Cary Shultz [A.D. MVP]

Andrew,

In a Down-Level Trust ( such as a WINNT 4.0 / WIN2000 ) NetBIOS is used for
name resolution, not DNS. DNS would be the case in a WIN2000/WIN2000 or
WIN2000/WIN2003 Trust situation. BTW - I do not see any mention of DNS in
either of the two links that you provided.

Cary

Andrew Hayes said:
I saw this problem myself and found it was caused by a DNS issue. The NT 4
PDC should be pointing to the W2K DC/DNS.
 
G

Guest

I know there is no mention of DNS in those links. I included those as possible sources of help, not as specific articles referring to DNS

As it is, I had to do a dozen different things to eventually get the trust relationship working, and the main one was that the NT PDC could never find the AD DC until I added the AD DC IP address to the DNS server list for the NT PDC

Actually, could you clarify Down-Level Trust for me? As I see the trust type as an external, non-transitive, type

Also, do you think that the SID filtering could be the reason that my NT Domain Admin account cannot be granted Enterprise Admin rights on the AD domain?
 
C

Cary Shultz [A.D. MVP]

Andrew,

Understood! Please do not misunderstand my reply. I was just trying to
clarify things. I worded my question ( starting with "BTW -" ) poorly.

I will gladly explain what a downlevel trust is and provide you with a
couple of links to better explain this.

Simply put, a 'downlevel' trust is a trust created between WINNT and
WIN2000. Take a look at the following links for a more in-depth
explanation:

Definition: http://www.win2000mag.com/Article/ArticleID/7427/7427.html
http://support.microsoft.com/?id=228477 ( look at the bottom specifically )
http://support.microsoft.com/?kbid=256250 ( look at the bottom
specifically )

Remember that NT-style trusts are one-way and intransitive. Furthermore,
remember that these trusts use NetBIOS name resolution ( whereas WIN2000
trusts are typically two-way, transitive and use DNS ).

To answer your second question: did you create the trust using NETDOM or did
you create the trust using the GUIs? naturally your WIN2000 domain is in
Native Mode.

Take a look at the following:
http://support.microsoft.com/?id=289243

I think this might just answer your question.

HTH,

Cary









Andrew Hayes said:
I know there is no mention of DNS in those links. I included those as
possible sources of help, not as specific articles referring to DNS.
As it is, I had to do a dozen different things to eventually get the trust
relationship working, and the main one was that the NT PDC could never find
the AD DC until I added the AD DC IP address to the DNS server list for the
NT PDC.
Actually, could you clarify Down-Level Trust for me? As I see the trust
type as an external, non-transitive, type.
Also, do you think that the SID filtering could be the reason that my NT
Domain Admin account cannot be granted Enterprise Admin rights on the AD
domain?
 
G

Guest

I tried to use the GUI to start with but was having no end of problems... I spent quite some time trawling the newsgroups doing various things... And your comment about LMHOSTS sounds very familiar..

Yes. Here is what I added to LMHOSTS on the NT box

192.168.0.163 W2KDC #PRE #DOM:W2KDOMAI
192.168.0.163 "W2KDOMAIN \0x1b" #PR

This is what I added to LMHOSTS on the W2K box

192.168.0.2 NTPDC #PRE #DOM:NTDOMAI
192.168.0.2 "NTDOMAIN \0x1b" #PR

I may have confused this with DNS as I knew the problem was caused by name resolution. In the end I think the various steps I did with NETDOM got it to work finally in mixed mode

Additionally, I can add my NT4 account to any Domain Local security group of the Active Directory DC, but not to any of the Global groups. Looks like AD wants to be the boss.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top