NT4 and Win 2003/2008R2 trust
Well, back to the dreaded configuring of a trust.
I am trying to create a trust between 2003/2008 AD and an NT 4 domain.
Setup:
Dual 2008 R2 SP1 domain controllers.
1 Win 2003 Server SP2, running as PDC Emulator, RID, Infrastructure and Operations manager (just in case).
I followed the KB 325874 but to no avail.
This led me to KB 889030, which I followed, but there is 1 difference.
Under the GPO it states “Network access: Named pipes can be accessed anonymously”
and to set it to enable.
That option does not exist in 2008R2; you have to select (input) what you want to allow.
On the NT 4 domain I get access denied and the following Error in the event log on the Win 2003 server.
Source: Netlogon
EventID: 5721
The session setup to the Windows NT or Windows 2000 Domain Controller \\CTANT for the domain CTACORP failed because the Domain Controller did not have an account CTANEW$ needed to set up the session by this computer YSV07.
ADDITIONAL DATA
If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a computer account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.
I have spent 2 days poring over the forums and Googled till my eyes are sore but can’t seem to find the secret to make this work.
On the NT 4 server I get
ID: 529
Unknown Username from CTANEW
ID:5723
Session setup from the computer AD2003 failed because there is no trust account.
Any help would be greatly appreciated. Thanks
May 10th, 2011 6:48pm
Hello,
see here about trust between NT4 and Windows server 2008 R2, which is not possible:
http://blogs.technet.com/b/askds/archive/2010/07/30/friday-mail-sack-newfie-from-the-grave-edition.aspx
http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/ca7911ec-4f18-4757-808c-e34db8084bcf
http://support.microsoft.com/kb/942564/
Best regards Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 10th, 2011 6:58pm
I am trying to set up the trust between the 2003 AD server and NT4. The forest is running in 2003 mode.
May 10th, 2011 7:01pm
Trusts between 2008 R2 DCs and NT4 domains are not supported.
http://blogs.technet.com/b/askds/archive/2010/07/30/friday-mail-sack-newfie-from-the-grave-edition.aspx
Windows Server 2008 R2 PDCE’s cannot create an outbound or two-way trusts to NT 4.0 due to fundamental security changes. We have a specific article in mind for this right now, but the KB942564 was updated to reflect this also. No, this will not change. No, there is no workaround.
I know the PDC emulator is on the 2003 server, but the presence of the 2008 R2 DCs may be enough to trip it up.
May 10th, 2011 7:05pm
Trust relationships are NOT supported between NT 4.0 and 2008 R2 DCs. Support of that type of external trust ended at 2008. It's not enough to have one 2003 DC in the forest. DCs in one domain will attempt to establish secure channels with the DC in the other domain.
Windows NT 4.0 and 2008 R2 Domain Trust Relationships
http://www.anitkb.com/2010/06/windows-nt-40-and-2008-r2-domain-trust.html
Visit: anITKB.com, an IT Knowledge Base.
May 10th, 2011 7:33pm
Thanks for all the input. A lot of good info.
May 11th, 2011 12:13pm
FYI Once I switched the NT to NTLM 2, the trust formed.
May 11th, 2011 2:55pm
One thing is getting work-arounds in place vs. running under a supported configuration.
Visit: anITKB.com, an IT Knowledge Base.
May 11th, 2011 8:08pm