
Trusts

Status
Not open for further replies.

thunderflash

IS-IT--Management
Oct 2, 2004
1
BE
Trying to set up a 2-way trust relationship between an NT 4 PDC and a Windows 2003 DC to start migration tests. This seems to work fine. I cannot add a user from the 2003 domain to the 'Domain Admins' group on the NT4 domain. It is driving me crazy ...
Useful tips are welcome.
Thx
 
What mode is your 2003 domain currently operating in? It should be "Windows2000 Mixed" or "Interim."

ShackDaddy
 
The mode of the 2003 domain doesn't matter for a trust relationship. Judging by the original post, there are no 2000 or NT DCs in the 2003 domain, so it could be in 2003 native mode.

Thunderflash, can you add a user in the opposite direction, from the NT domain to a group in the 2003 domain? How did you set up name resolution for the trust? You can use lmhost files on the PDC in the NT domain and the PDCe in the 2003 domain, or use DNS.
 
I believe (though could be wrong) that you need a WINS server for connectivity to NT4 servers as they don't fully support DNS.

-------------------------------

If it doesn't leak oil it must be empty!!
 
Thanks for the correction, mlichstein. I wasn't reading very carefully.

I think I remember that certain settings in a registry entry called RestrictAnonymous will prevent you from properly enumerating users across a trust. It's especially a pain before you've had the chance to add your local admin account to the remote domain's admin group.

For information on the registry entry to adjust, check out the following link:

I've had to use this fix myself in the past.

ShackDaddy
 
actually there are quite a few security settings you need to disable on the 2003 side

for admt migrations, the target 2003 domain MUST be in Native mode...or else it will error out saying your target domain is not in native mode

also to establish connectivity...keep it easy
forget wins and use a lmhosts file...it's the simplest and most efficient method

the settings you need to change are in the default domain controllers policy (do not make more policies on the domain controllers OU):
go to computer config|windows settings|security settings|local policies|security options

set the following to the values listed after the setting:
domain member: digitally encrypt or sign secure channel data (always) - disabled
domain member: require strong (windows 2000 or later) session key - disabled
microsoft network client: digitally sign communications (always) - disabled
microsoft network server: digitally sign communications (always) - disabled
network access: allow anonymous sid/name translation - enabled
network access: do not allow anonymous enumeration of sam accounts and shares - disabled
network access: do not allow anonymous enumeration of sam accounts - disabled
network security: LAN manager authentication level should be set to Send LM & NTLM

In addition, for those settings with "always" in parentheses, make sure the "when possible", "when client requests", or "when server requests" settings are enabled (this is the safest route. by default, they are set to what we need them to be...but it's always better to be safe than sorry in case anyone messed something up)

as a side note...DO NOT use the nt4emulator value mentioned in the mastering windows server 2003 books....the book is wrong on what it does, trust me

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
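As an added example (not from the thread or any of its posters), the PowerShell below audits the registry-backed values behind the security options listed in the post above, so that whichever ones were weakened for the NT4 trust can be found and reverted once the migration is done. It assumes it is run locally on the 2003 DC; "Allow anonymous SID/Name translation" has no registry value and is therefore not covered.

```powershell
# Added example: report which of the listed security options are still in the
# weakened (NT4-compatible) state. Each entry maps a policy setting to the registry
# value Group Policy writes for it and the value that counts as hardened.
$checks = @(
    @{ Setting = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireSignOrSeal'; Hardened = 1 },
    @{ Setting = 'Domain member: Require strong (Windows 2000 or later) session key'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RequireStrongKey'; Hardened = 1 },
    @{ Setting = 'Microsoft network client: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Hardened = 1 },
    @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Hardened = 1 },
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Hardened = 1 },
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Hardened = 1 },
    # LmCompatibilityLevel 0 = "Send LM & NTLM responses" (what the post asks for);
    # 3 or higher means the DC sends NTLMv2 only and no longer emits LM responses.
    @{ Setting = 'Network security: LAN Manager authentication level'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Hardened = 3 }
)

$report = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $state  = if ($null -eq $actual)           { 'NotSet (OS default applies)' }
              elseif ($actual -ge $c.Hardened) { 'Hardened' }
              else                             { 'WEAKENED - revert after migration' }
    New-Object PSObject -Property @{
        Setting = $c.Setting; Value = $c.Name; Actual = $actual; State = $state
    }
}

$report | Format-Table Setting, Value, Actual, State -AutoSize -Wrap
# Non-zero exit code lets a scheduled task or monitoring job flag leftover weakenings.
if ($report | Where-Object { $_.State -like 'WEAKENED*' }) { exit 1 } else { exit 0 }
```

Because Group Policy rewrites these keys on refresh, a weakened result means the Default Domain Controllers Policy still carries the relaxed setting and should be corrected there rather than in the registry directly.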
 
ADGod, the three suggested "network access.." changes are sure ways to get hacked if you don't have some type of firewall up. Are these from MS ? Not a big deal since we edit our own templates here but was just wondering.

I hope that someday we will be able to put away our fears and prejudices and just laugh at people ~ Jack Handy
 
those will be required for proper communication between the old dumb NT4 domain and the new and improved, almost smart, 2003 domain

especially if planning to use admt to migrate

yes they are a big security risk, but a necessary one in order to maintain a good trust relationship

NT isn't capable of the communications that 2003 is, that's why it's necessary. 2003 is locked down by default. As far as adding your user to the domain admins group in the NT4 domain....

domain admins group should be a global group...it will only take resources from within the domain....

gotta remember for NT4 :~


-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 