'TRUST' troubleshooting


Fran Rhomberg

Could someone help me troubleshoot a TRUST between
Windows 2000 and NT4? The trust was previously working.
To my knowledge nothing changed on my domain, however
I'm unsure about any network (routers/switches) changes.
Here is some background and the error I'm receiving:

* Trouble started when user could not map drives from NT4
domain in 2000 domain. Error: "There are currently no
logon servers available to service the logon request"

SOURCE domain = NT4
TARGET domain = 2000 (running in Native Mode)

- SOURCE and TARGET are on two separate classes.
NT4 = 10.1.x.x; 2000 = 10.50.x.x

- a new local group was created on the source "NT4$$$",
containing no members.

- trust = external, one-way, non-transitive trust. When
establishing the trust, I used identical passwords.

- There are two identical admin accounts used for this
trust with identical passwords.

FROM Source (NT4):
ping fqdn of target = successful
ping ip of target = successful
nslookup of target = successful

FROM Target (2000):
ping fqdn of source = successful
ping ip of source = successful
nslookup of source = successful

When trying to VERIFY the trust from the Target (2000), I
receive the following error:
"The secure channel query on domain controller \\"NT" of
domain <nt4domain> to domain <2000 domain> failed with
error: the specified domain either does not exist or
could not be contacted."

In Network Neighborhood:
NT4 - CAN see the 2000 domain.
2000 - can NOT see the NT4 domain.

What I tried:
- Tried recreating the trust on both sides with no
success. NT4 gives me an error of "could not find domain
controller for this domain"
- Tried rebooting both primary servers [nt4=pdc,
2000=fsmo], then tried to recreate trust, with no success.

Thanks in advance for any help
Regards,
-FR
 

Steven Liu

Hi Fran,

Suggestion 1
==========

First, let's run the "\\<Windows 2000 FQDN domain name>" without quotation
marks from a client of the Windows 2000 domain. Let's check whether you can
see the NetLogon and the SysVol share.

If the 2 shares are missing, let's refer to the article to solve the
problem.

257338 Troubleshooting Missing SYSVOL and NETLOGON Shares on Windows 2000
http://support.microsoft.com/?id=257338

The error may cause the problem.

Suggestion 2
==========

Please also make sure the Windows NT 4 domain has the WINS server
installed. And, all the computers have pointed to the WINS server in the
TCP/IP properties and the WINS server works well.

Also, make sure the WINS and DNS servers are installed in the Windows 2000
domain. And, all the computers have pointed to the DNS and WINS servers in
the TCP/IP properties and the DNS and WINS servers work well.

Suggestion 3
==========

The Lmhosts file is located in the %SystemRoot%\System32\Drivers\Etc folder
on a Windows computer.

Let's create the lmhosts file in the folder of the Windows 2000 FSMO server
and the Windows NT PDC.

Note: For example, the nt4 PDC computer name is nt4pdc. Domain name is
nt4dom. IP address is 10.1.0.1. Windows 2000 FSMO server name is w2k.
Domain name is w2kdom. IP address is 10.50.0.1.

lmhosts file on the Windows 2000 DC

=================

10.1.0.1 nt4pdc #PRE #DOM:nt4dom
10.1.0.1 "nt4pdc         \0x1b" #PRE
10.1.0.1 "nt4pdc         \0x1c" #PRE

==================

Note: there should be 15 characters between the " and the \. For example,
the computer name nt4pdc is 6 characters, so you should add 9 spaces after
nt4pdc, as follows.

"nt4pdc         \0x1b" and "nt4pdc         \0x1c"

lmhosts file on the Windows NT 4 PDC

==================

10.50.0.1 w2k #PRE #DOM:w2kdom
10.50.0.1 "w2k            \0x1b" #PRE
10.50.0.1 "w2k            \0x1c" #PRE

===================

Note: there should be 15 characters between the " and the \. For example,
the computer name w2k is 3 characters, so you should add 12 spaces after
w2k, as follows.

"w2k            \0x1b" and "w2k            \0x1c"

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Fran

Steven, Thanks for your response. I'll take this one
point at a time:
1. I was able to see the NetLogon and SysVol shares from
another member server in the 2000 domain. From the
NT4PDC, I tried to navigate through the 2000 domain in
Network Neighborhood and I saw the servers that existed
at that level of the 2000 domain. I was not able to
drill down to the NetLogon and SysVol folders of the FSMO
server from the NT4PDC.

After trying to make this attempt, an error came up in
the event log on the FSMO server: "The session setup to
the windows NT or windows 2000 domain controller
<unknown> for the domain <NT4 domain> failed because the
domain controller does not have an account for the
computer <2000FSMO server>"

2. NT4 domain has WINS and it is working. We were trying
to eliminate the use of WINS in our new infrastructure,
but I installed it on the FSMO server in our 2000 domain
anyway. I made sure nt4pdc was registered in FSMO's
database. I was still unable to create the trust, the
same errors came up.

3. lmhosts: I set this up on both servers in the paths
that you indicated below. I also made sure that there
were 15 characters between the " and \. I was still
unable to create the trust.

What else can I try or check for?
Thanks again,
- Fran
 

Cary Shultz [A.D. MVP]

Fran,

I might jump in here for a second. Steven, hope that you do not mind.
Sometimes when attempting to create a trust between WINNT 4 and WIN2000 you
can do everything correctly but it just does not work. Now, this might not
apply to your case as it *was* working but automagically decided to not work
anymore ( well, it did not just decide to not work anymore. Something
happened somewhere! ).

If all you want to accomplish is to re-create the trust then you might want
to take a look at NETDOM. This is usually the prescribed way to create
Trusts between WINNT 4 and WIN2000. The WIN2000 ADDT MMC just does not do
it sometimes. I have seen it myself!

However, in your shoes I would be very curious to find out what broke it so
I would really follow what Steven is suggesting. You are in very good hands
with him as he really knows his stuff.

You might want to take a look at this MSKB article to supplement what Steve
is doing:

http://support.microsoft.com/default.aspx?scid=kb;en-us;228477

HTH,

Cary
 

Steven Liu

Hi Fran,

Cary's suggestion is also good. You can try netdom to establish the
trust.

If you want to visit the Windows 2000 shared resource from the Windows NT 4
domain clients, you should add the related NT4 account in the Windows 2000
share ACL. Then the user has the permission to visit the share. Please do
this first.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Fran Rhomberg

Steven & Cary,
I have still been trying to resolve this issue. Let me
ask this. Does a trust need to be on the same Subnet and
Class IP? When I first started this project, my 2000
domain was 10.1.5.x, and my NT4 domain was 10.1.1.x.
Then I changed the 2000 domain to the 10.50.5.x. (all on
255.255.0.0) Everything seemed to be fine, but then it
stopped working. Sorry that I don't have exact times on
this, but for all I know, the change in IP class may have
caused the issue. I just tried to change fsmo back to
10.1.5.x, but the trust still does not work. Any other
ideas?
- FR
 

Jody Flett [MSFT]

I missed the original post but the domains do not need to be on the same
subnet in order for a trust to exist between them, but there does need to be
an IP route for them to be able to talk to each other.

You also need to ensure that Netbios name resolution for domain A to domain B
and vice versa works. Ensure that WINS or lmhosts files enable the PDCs
from both domains to resolve the 1b and 1c records for the alternate domain
(nbtstat -c will show the name cache and can be used to show what the DC is
resolving the other domain's 1b and 1c records to). Also the DCs in each
domain need to be able to resolve back to the 1c and 1b records in the other
domain.

It may be that broadcast was resolving these names when they were on the
same subnet previously.

Take a look at
http://support.microsoft.com/?id=300598 and
http://support.microsoft.com/?id=180094

Is the trust established and users are unable to use resources or is it that
you cannot create a trust?

Thanks

Jody
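To check the 1b/1c resolution Jody describes, here is an added Python example (not from the thread) that parses `nbtstat -c` output and reports whether the other domain's 1B (domain master browser, UNIQUE) and 1C (domain controllers, GROUP) records are present in the remote name cache. The sample output is constructed in the format of the real command, and the function names are my own.

```python
import re

# One cache row: "<name> <suffix> <UNIQUE|GROUP> <ip> <life>", as printed by
# "nbtstat -c". Leading whitespace varies between Windows versions.
_ROW = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s+(-?\d+)\s*$"
)


def parse_nbtstat_cache(output: str) -> dict:
    """Map (NAME, SUFFIX) -> (type, ip, life_seconds); names are upper-cased
    because NetBIOS names are case-insensitive on the wire."""
    cache = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            name, suffix, kind, ip, life = m.groups()
            cache[(name.upper(), suffix.upper())] = (kind, ip, int(life))
    return cache


def domain_records(output: str, domain: str) -> dict:
    """Return {'1B': ip-or-None, '1C': ip-or-None, 'ok': bool} for `domain`.
    1B must be a UNIQUE record and 1C a GROUP record; a life of -1 means the
    entry was preloaded from lmhosts (#PRE) rather than learned dynamically."""
    cache = parse_nbtstat_cache(output)
    dom = domain.upper()
    b = cache.get((dom, "1B"))
    c = cache.get((dom, "1C"))
    result = {
        "1B": b[1] if b and b[0] == "UNIQUE" else None,
        "1C": c[1] if c and c[0] == "GROUP" else None,
    }
    result["ok"] = result["1B"] is not None and result["1C"] is not None
    return result


# Constructed sample (not a real capture) in the layout of "nbtstat -c",
# as seen on an NT4 DC after preloading the w2kdom entries from lmhosts.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [10.1.0.1] Scope Id: []

    NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ----------------------------------------------------------
    W2KDOM         <1C>  GROUP       10.50.0.1       -1
    W2K1           <00>  UNIQUE      10.50.0.1       -1
    W2K1           <20>  UNIQUE      10.50.0.1       -1
    w2kdom         <1B>  UNIQUE      10.50.0.1       -1
"""

if __name__ == "__main__":
    print(domain_records(SAMPLE, "w2kdom"))
```

A cache that lists only the remote PDC's <00> record, as in Fran's later output, comes back with both records missing and `ok` false.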
 

Steven Liu

Hi Fran,

The 10.1.1.x and 10.50.5.x are not on the same network with the 255.255.0.0
subnet mask.

Please first check the route information and make sure the 2 networks can
communicate successfully.

Please also check the lmhosts file. You can send the file to me. I can
check whether it's correct.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

g


Hi!
I hope you are still watching this thread because I had/have the exact
same problem.
I upgraded a windows nt 4 domain and put it in native mode, I have 9 user+
resource domains in hub and spoke layout.
Two of my domains lost their trusts. Wins was working. I did not have any
dns settings for the nt4 domains, but dns was setup correctly and was
working fine in the windows 2000 ad, the windows nt4 also had a secondary
zone of my 2k ad zone.
I tried to recreate the trusts but i could not.
I then saw a posting somewhere like yours above, but it was different:
10.50.0.1 w2k #PRE #DOM:w2kdom
10.50.0.1 "w2kdom         \0x1b" #PRE
10.50.0.1 "w2kdom         \0x1c" #PRE

It had the w2kdom in the "\0x1b" lines where you have the netbios name of
the server?
Everything seemed to work, except when the nt4domain tries to access a
resource on one of my DCs. Then I get the "unable to find a domain controller"
message.
The clients can access any other resource, except the clients on the nt4
domain trying to access shares on one DC.
This DC is also the second in the lmhosts file.

10.50.0.1 w2k1 #PRE #DOM:w2kdom
10.50.0.1 "w2kdom         \0x1b" #PRE
10.50.0.1 "w2kdom         \0x1c" #PRE
10.50.0.2 w2k2 #PRE #DOM:w2kdom
10.50.0.2 "w2kdom         \0x1b" #PRE
10.50.0.2 "w2kdom         \0x1c" #PRE

Is what I have on my nt4 bdc.
On my 2k dcs I have the pdc of each spoke nt4 domain.
in the same format as my entries above

10.20.0.1 nt41 #PRE #DOM:nt4dom
 

Jody Flett [MSFT]

Hello

I think I can see what the problem is here

The 1b record needs to be unique for the Domain. The 1b record is for the
Master Browser for the Domain, the PDC will always register itself as the
master browser and there can be only one per domain.

The 1c record on the other hand is a group record and is a list of all of
the DCs in a Domain, therefore there can be multiple entries for 1c.

In your lmhosts file below you have specified 2 1b records for the win2kdom:

10.50.0.1 w2k1 #PRE #DOM:w2kdom
10.50.0.1 "w2kdom         \0x1b" #PRE
10.50.0.1 "w2kdom         \0x1c" #PRE
10.50.0.2 w2k2 #PRE #DOM:w2kdom
10.50.0.2 "w2kdom         \0x1b" #PRE
10.50.0.2 "w2kdom         \0x1c" #PRE

But there can only be one 1b, so assuming that W2K1 is the PDC Emulator the
lmhosts should look like this (BTW the #PRE #DOM records will populate the
1c Group record so a separate unique 1c entry is not needed):

10.50.0.1 "w2kdom         \0x1b" #PRE
10.50.0.1 w2k1 #PRE #DOM:w2kdom
10.50.0.2 w2k2 #PRE #DOM:w2kdom

Set the lmhosts file on all of the NT4 Domain Controllers as above and
hopefully this should sort out the issues, but let us know if not ... :)
Once you have modified the lmhosts file run nbtstat -R and then nbtstat -c
to view the remote name cache. This should then read:

C:\WINDOWS\system32\drivers\etc>nbtstat -c
Local Area Connection 3:
Node IpAddress: [157.58.33.178] Scope Id: []

    NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ----------------------------------------------------------
    W2KDOM         <1C>  GROUP       10.50.0.1       -1
    W2K2           <03>  UNIQUE      10.50.0.2       -1
    W2K2           <00>  UNIQUE      10.50.0.2       -1
    W2K2           <20>  UNIQUE      10.50.0.2       -1
    W2K1           <03>  UNIQUE      10.50.0.1       -1
    W2K1           <00>  UNIQUE      10.50.0.1       -1
    W2K1           <20>  UNIQUE      10.50.0.1       -1
    w2kdom         <1B>  UNIQUE      10.50.0.1       -1

Ideally WINS should be used for the resolution of these records as it is a
pain maintaining distributed lmhosts files, but lmhosts are good for
eliminating name res issues from troubleshooting.

HTH

Jody
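One way to build and sanity-check these entries, as an added Python example that is not part of the thread: it pads the quoted names to 15 characters as Steven's note requires, lays the file out as Jody does (a single 1B entry for the PDC emulator plus one "#PRE #DOM:" line per DC, which is what feeds the 1C group record), and flags a second 1B for the same domain. Domain names, hostnames and addresses follow the thread's examples; the function names are my own.

```python
import re
from collections import defaultdict

NB_NAME_LEN = 15  # a NetBIOS name is 15 characters plus the 16th suffix byte


def quoted_name(name: str, suffix: int) -> str:
    """Quoted, space-padded lmhosts form, e.g. "w2kdom         \\0x1b"."""
    if len(name) > NB_NAME_LEN:
        raise ValueError(f"{name!r} is longer than {NB_NAME_LEN} characters")
    return f'"{name.ljust(NB_NAME_LEN)}\\0x{suffix:02x}"'


def trust_entries(domain: str, pdc_ip: str, dcs: dict) -> list:
    """lmhosts lines a DC in the *other* domain needs for `domain`: one 1B
    entry for the PDC (emulator) plus one '#PRE #DOM:' line per DC, which is
    what populates the 1C group record.  `dcs` maps hostname -> IP."""
    if sum(1 for ip in dcs.values() if ip == pdc_ip) != 1:
        raise ValueError("pdc_ip must belong to exactly one DC in dcs")
    lines = [f"{pdc_ip} {quoted_name(domain, 0x1B)} #PRE"]
    lines += [f"{ip} {host} #PRE #DOM:{domain}" for host, ip in dcs.items()]
    return lines


_QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"(?:\s+#PRE)?\s*$')
_HOST = re.compile(r'^(\S+)\s+(\S+)(?:\s+#PRE)?(?:\s+#DOM:(\S+))?\s*$')


def check_lmhosts(text: str) -> list:
    """Return the problems found in an lmhosts file (empty list = OK)."""
    problems, ones_b = [], defaultdict(list)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, a comment, or an entry commented out with '#'
        m = _QUOTED.match(line)
        if m:
            name, sep, suffix = m.group(2).partition("\\0x")
            if not sep or len(name) != NB_NAME_LEN:
                problems.append(f"line {n}: name must be padded to "
                                f"{NB_NAME_LEN} chars before \\0x")
            elif suffix.lower() == "1b":
                ones_b[name.strip()].append(m.group(1))
        elif not _HOST.match(line):
            problems.append(f"line {n}: unrecognised entry {line!r}")
    for dom, ips in ones_b.items():
        if len(ips) > 1:
            problems.append(f"domain {dom}: {len(ips)} 1B entries "
                            f"({', '.join(ips)}); only one is allowed")
    return problems


if __name__ == "__main__":
    for entry in trust_entries("w2kdom", "10.50.0.1",
                               {"w2k1": "10.50.0.1", "w2k2": "10.50.0.2"}):
        print(entry)
```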
 

Guest

Jody,
Here are my troubleshooting steps thus far:
* WINS is enabled on the 2000domain
before I begin, here is what I have in my lmhost file:
2000DC's lmhost file:
10.1.1.x nt4pdc #PRE #DOM:nt4dom
# 10.1.1.x "nt4pdc         \0x1b" #PRE
# 10.1.1.x "nt4pdc         \0x1c" #PRE
* my boss recommended remarking out the last two lines.
NT4PDC's lmhost file:
10.50.5.x 2000DC #PRE #DOM:2000dom

(1)On the 2000DC, I set NIC2, with an IP address of the
10.1.1.x subnet. This did not repair the trust

(2)on 2000DC I disabled NIC2, and changed the IP on NIC1
from the 10.50.5.x to 10.1.5.x. I let this sit for 30
minutes. Then I tried to recreate the trust on both ends
and it worked. The trust was created and verified.

(3)on 2000DC I set the IP back to 10.50.5.x on NIC1 and
re-enabled NIC2. Everything has been holding steady for
this week. With one exception. - see #4 next.

(4)My 2000 domain has the following setup:
parent = parentDC1 & parentDC2
child = childDC1 & 9 member servers.
in the child only 1 member server can map over to the
nt4domain. here is what i receive for the following tests:
### parentDC1 ###
[ping nt4pdc server name] = successful
[nslookup nt4pdc server name] = can't find nt4pdc. non-existent domain.
[nbtstat -c] = (lines below)
main adapter: 10.50.5.x <2000dc1's NIC1 IP>
NETBIOS remote cache name table
nt4pdc <00> unique 10.1.1.x <nt4pdc's IP> 492
secondary adapter: 10.1.5.x <2000dc1's NIC2 IP>
NETBIOS remote cache name table
nt4pdc <00> unique 10.1.1.x <nt4pdc's IP> 492

### nt4pdc ###
[ping parent2000dc1 server name] = successful
[nslookup parent2000dc1 server name] = successful
[nbtstat -c] = (lines below)
NETBIOS remote cache name table
no reference to 2000dc, only servers local to the nt4
domain are listed here.

### parentDC2 ###
[ping nt4pdc server name] = successful
[nslookup nt4pdc server name] = can't find nt4pdc. non-existent domain.
[nbtstat -c] = (lines below)
main adapter: 10.50.5.x <2000dc2's NIC1 IP>
NETBIOS remote cache name table
nt4pdc <00> unique 10.1.1.x <nt4pdc's IP> 592
2000dc <20> unique 10.50.5.x <2000dc2's IP> 310

### childDC1 ###
[ping nt4pdc server name] = successful
[nslookup nt4pdc server name] = can't find nt4pdc. non-existent domain.
[nbtstat -c] = (lines below)
main adapter: 10.50.5.x <2000childDC1's NIC1 IP>
NETBIOS remote cache name table
nt4pdc <00> unique 10.1.1.x <nt4pdc's IP> 590

Currently only 1 member server (a terminal server) can
map successfully to the nt4 domain. The rest, including
the childDC1 cannot.

In answer to your last question, originally I was unable
to create the trust, but now that the trust is created and
verified on the 2000 parent domain, some child domain
servers are unable to access resources.
Thanks so much for your help.
- FR
 

Guest

Hi Steve,
Here is what I have in my lmhost file:
10.1.1.x nt4pdc #PRE #DOM:nt4dom
# 10.1.1.x "nt4pdc         \0x1b" #PRE
# 10.1.1.x "nt4pdc         \0x1c" #PRE
* my boss recommended that I remark out the last two
lines. Also, take a look at my response to Jody Flett in
this same thread. It's longer winded.. :)

In regards to checking the route information, I receive
the following output:
### from 2000DC1 ###
[tracert <nt4pdc server name>] = (see next line)
tracing route to nt4pdc (nt4pdc's ip)
over a maximum of 30 hops
1 <10ms <10ms <10ms nt4pdc.nt4dom.com [nt4pdc's ip]
Trace Complete

### from nt4pdc ###
[tracert <2000DC1 server name>] = (see next line)
tracing route to 2000DC1 (2000DC1's Secondary NIC's ip,
which is 10.1.5.x)
over a maximum of 30 hops
1 <10ms <10ms <10ms 2000DC1.2000dom.com [2000DC1's
Secondary NIC's ip, which is 10.1.5.x ip]
Trace Complete

let me know your thoughts. Thanks again.
- Fran
 

Steven Liu

Hi,

Please don't remark the 0x1b and 0x1c in the lmhost. And, the Domain-name
in this entry is case sensitive.

<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers

0x1b means the domain master browser. 0x1c means the domain controllers.

163409 NetBIOS Suffixes (16th Character of the NetBIOS Name)
http://support.microsoft.com/?id=163409

Let's see whether this works.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Guest

OK Steven, I'll remove the remarks for these lines. And
let you know how it goes. Once this is done on
the "Parent"- fsmo server, everything should work for the
child domain as well right? Currently it seems that this
trust is working for certain accounts only. the admin
account on fsmo-2000 domain, and one user account in the
2000child domain (on a terminal server).. strange.
- Fran
 

Steven Liu

Hi Fran,

OK, if you encounter any problem, please let me know and I will continue to
help you.

And, it's better to enable the Global Catalog on the DC of the child domain.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Fran

OK, Great, I'll enable the GC on the child DC. Just
curious why? Is it so the schema gets copied to the
child? I have the lmhost changes done, but I wont be
able to test it until both Domain Controllers have been
rebooted. I'll reboot them at midnight. Thanks so much
for your help with this Steve. I'm learning a great deal
from you.
 

Steven Liu

Hi Fran,

When the client tries to access an object in the AD, it will contact the GC
first. So, we should make sure at least one DC in the domain provides the
GC function.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Fran Rhomberg

Well Steve, my nt4domain appears in network neighborhood
now from my 2000 domain, however, the trust appears to be
broken again. I can even drill down into the nt4domain
and see all the servers listed. I am unable to map
network drives and neither is the one end user that was
able to before. Thanks for any help.
- FR
 

Steven Liu

Hi Fran,

Now, we have enabled the lmhost file on the 2 domain controllers of the NT4
domain and the Windows 2000 domain. The 2 domains can now access each other.

What error do you get now?

If it's possible, would you please give me the error message screen capture?

1. Press PrnScn key on the keyboard when the error message appears
2. Open the MS Paint
3. Press Ctrl-V to paste the picture
4. Save the picture in 256 colors and send it to me

I will continue to help you.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 
