Trust relationship between nt and w2k

Discussion in 'Microsoft Windows 2000 Active Directory' started by zia, Mar 3, 2004.

  1. zia

    zia Guest

    Hello,

    I am trying to establish a trust relationship
    with an NT domain which is in a remote place. While
    establishing the trust I get this error: The "xxx" domain can
    not be contacted; if the domain is a Windows domain the
    trust can not be set up until the domain is contacted. So
    this is the error I get. Here is my setup:

    my domain:
    PDC - windows2000
    DHCP
    DNS
    Remote domain

    PDC - Windows NT
    WINS

    So where is the problem? Do I need to have WINS at my
    domain? Please let me know the solution.

    Note:- my domain is in mixed mode.


    Thanks
    zia
     
    zia, Mar 3, 2004
    #1

  2. Zia,

    First off, I think that you might want to include an LMHOSTS file on the
    WIN2000 DC that holds the role of PDC Emulator and on the WINNT 4.0 Primary
    Domain Controller. The LMHOSTS file that you put on the PDC Emulator (
    WIN2000 ) would point to the WINNT 4.0 PDC and the LMHOSTS file that you put
    on the WINNT 4.0 PDC points to the WIN2000 DC. If you need help creating
    one I will gladly help you.

    Secondly, I think that I might suggest using NETDOM to create the trust as
    opposed to using the Active Directory Domains and Trusts MMC. NETDOM is a
    part of the Support Tools, which can be found on both the WIN2000 Server CD
    as well as on the WIN2000 Service Pack CD ( in both cases in the Support |
    Tools folder ). In fact, I would strongly suggest that you install the
    Support Tools on all of your WIN2000 Servers as well as any WIN2000
    Professional "Admin" stations. I would also opt for the Service Pack CD.
    If you need help with the syntax then I will gladly help you.

    Sometimes you can do everything absolutely by the book and use the ADDT MMC
    and it will fail. It just happens that way sometimes. With NETDOM it will
    not ( assuming that everything is in place ).

    What about the physical connection between the two offices?

    Cary
     
    Cary Shultz [A.D. MVP], Mar 3, 2004
    #2

  3. zia

    Guest Guest

    Guest, Mar 4, 2004
    #3
  4. zia

    Guest Guest

    Hello Cary Shultz,

    Thank you very much for your response. well yes i need
    your help to establish the trust and i need help on the
    syntax of netdom also. i would greatly appreciate your
    help on this task.

    Thank You
    zia
     
    Guest, Mar 4, 2004
    #4
  5. Zia,

    Here are the two LMHOSTS files that you will need as well as the syntax for netdom
    when creating the trusts:

    =======================================================================
    LMHOSTS file on the WINNT PDC:
    192.168.1.30    "MY2KDOM        \0x1B"    #PRE

    LMHOSTS file on the WIN2K DC:
    172.16.15.30    "MYNT4DOM       \0x1B"    #PRE

    NETDOM syntax:
    netdom trust mynt4dom /D:my2kdomain.com /User0:NTAdministrator
    /Password0:passwordNT /UserD:2KAdministrator /PasswordD:password2K /add
    /twoway
    =======================================================================

    Below is a rather long-winded explanation of everything! ;-)


    Okay, let's start with the LMHOSTS file that you are going to write. It is
    very important that you have the spacing correct.

    To move ahead with the example, let's establish a couple of things first.

    1) your WINNT 4.0 domain has a NetBIOS name of mynt4dom and a DNS name of
    mynt4domain.com
    2) your WIN2000 AD domain has a NetBIOS name of my2kdom and a DNS name of
    my2kdomain.com
    3) you are using NTAdministrator \ PasswordNT as the user name\password for
    the NT Domain Administrator account
    4) you are using 2KAdministrator \ Password2K as the user name\password for
    the 2K Domain Administrator account
    5) The name and IP Address of the NT 4.0 Primary Domain Controller is NT4PDC
    and 172.16.15.30
    6) The name and IP Address of the WIN2K DC ( holding the PDC Emulator role )
    is W2KDC and 192.168.1.30

    If you want a MSKB Article to show you how to create the LMHOSTS files then
    take a look at the first Article that Andrew gave you. Look at the bottom
    and you will see a link to another MSKB article that will explain this.

    So, sit down at the WINNT 4.0 PDC and open up NotePad ( not WordPad or MS
    Word!!!! ) and enter the following:

    192.168.1.30    "MY2KDOM        \0x1B"    #PRE

    When you save this file in NotePad make sure that you do not save it as
    LMHOSTS.txt......it is just LMHOSTS. There is no extension. Also, and this
    is important, make sure that there are 15 'spaces' between the first " and
    the \. What does this mean? After the IP Address ( I leave four spaces but
    I do not think that this really matters ) you enter the NetBIOS domain name
    of the WIN2000 AD Domain. You must begin - or open - this with the
    quotation mark ( " ) as well as end - or close - it with the quotation mark.
    You will note that 'my2kdom' has seven characters. So, you need to hit the
    space bar eight times and then add the \0x1B". And it is also important
    that the NetBIOS name be in all caps! So, save this on the WINNT 4.0 PDC in
    c:\winnt\system32\drivers\etc ( the default location ). Step 1 is now
    completed.

    Now, sit down at the WIN2000 Domain Controller ( the one that holds the FSMO
    Role of PDC Emulator ) in the W2K domain and create the following LMHOSTS
    file:

    172.16.15.30    "MYNT4DOM       \0x1B"    #PRE

    Save this in the same location ( c:\winnt\system32\drivers\etc ). Note that
    in this LMHOSTS file you would hit the space bar only seven times as the
    NetBIOS name has eight characters! Step 2 is now completed.

    BTW - how do you determine which DC holds the FSMO Role of PDC Emulator? If
    you have only one WIN2000 DC in that domain / environment then it would be
    that DC. However, if you have multiple DCs then you can look in the Active
    Directory Users and Computers MMC, you can use replmon ( part of the Support
    Tools ) or you can even use netdom. Let's take a look at that. Simply open
    up a command prompt and enter the following: netdom query fsmo. You will be
    given a response with ( hopefully ) five entries, one of which will be the
    PDC Emulator. Go to the machine indicated there.

    Open up a command prompt and simply enter the following: netdom trust
    mynt4dom /D:my2kdomain.com /User0:NTAdministrator /Password0:passwordNT
    /UserD:2KAdministrator /PasswordD:password2K /add /twoway

    Watch how this might be chopped up in my posting of this. When you enter it
    this would all be one continuous line.

    Also, note the following: A) in the LMHOSTS file with the \0x1B that the 0
    is the number zero and not the letter!
    B) in the netdom syntax we have
    /User0: and /Password0: - again, this is the number zero

    HTH,

    Cary
     
    Cary Shultz [A.D. MVP], Mar 4, 2004
    #5
  6. Andrew,

    In a Down-Level Trust ( such as a WINNT 4.0 / WIN2000 ) NetBIOS is used for
    name resolution, not DNS. DNS would be the case in a WIN2000/WIN2000 or
    WIN2000/WIN2003 Trust situation. BTW - I do not see any mention of DNS in
    either of the two links that you provided.

    Cary

    PDC should be pointing to the W2K DC/DNS.
     
    Cary Shultz [A.D. MVP], Mar 10, 2004
    #6
  7. zia

    Guest Guest

    I know there is no mention of DNS in those links. I included those as possible sources of help, not as specific articles referring to DNS.

    As it is, I had to do a dozen different things to eventually get the trust relationship working, and the main one was that the NT PDC could never find the AD DC until I added the AD DC IP address to the DNS server list for the NT PDC.

    Actually, could you clarify Down-Level Trust for me? As I see it, the trust type is an external, non-transitive type.

    Also, do you think that the SID filtering could be the reason that my NT Domain Admin account cannot be granted Enterprise Admin rights on the AD domain?
     
    Guest, Mar 12, 2004
    #7
  8. Andrew,

    Understood! Please do not misunderstand my reply. I was just trying to
    clarify things. I worded my question ( starting with "BTW -" ) poorly.

    I will gladly explain what a downlevel trust is and provide you with a
    couple of links to better explain this.

    Simply put, a 'downlevel' trust is a trust created between WINNT and
    WIN2000. Take a look at the following links for a more in-depth
    explanation:

    Definition: http://www.win2000mag.com/Article/ArticleID/7427/7427.html
    http://support.microsoft.com/?id=228477 ( look at the bottom specifically )
    http://support.microsoft.com/?kbid=256250 ( look at the bottom
    specifically )

    Remember that NT-style trusts are one-way and intransitive. Furthermore,
    remember that these trusts use NetBIOS name resolution ( whereas WIN2000
    trusts are typically two-way, transitive and use DNS ).

    To answer your second question: did you create the trust using NETDOM or did
    you create the trust using the GUIs? Naturally your WIN2000 domain is in
    Native Mode.

    Take a look at the following:
    http://support.microsoft.com/?id=289243

    I think this might just answer your question.

    HTH,

    Cary
     
    Cary Shultz [A.D. MVP], Mar 12, 2004
    #8
  9. zia

    Guest Guest

    I tried to use the GUI to start with but was having no end of problems... I spent quite some time trawling the newsgroups doing various things... And your comment about LMHOSTS sounds very familiar.

    Yes. Here is what I added to LMHOSTS on the NT box:

    192.168.0.163    W2KDC    #PRE    #DOM:W2KDOMAIN
    192.168.0.163    "W2KDOMAIN      \0x1b"    #PRE

    This is what I added to LMHOSTS on the W2K box:

    192.168.0.2    NTPDC    #PRE    #DOM:NTDOMAIN
    192.168.0.2    "NTDOMAIN       \0x1b"    #PRE

    I may have confused this with DNS as I knew the problem was caused by name resolution. In the end I think the various steps I did with NETDOM got it to work finally in mixed mode.

    Additionally, I can add my NT4 account to any Domain Local security group of the Active Directory DC, but not to any of the Global groups. Looks like AD wants to be the boss.
     
    Guest, Mar 15, 2004
    #9
