Fixed... finally, with a little help from a friend.

Would you believe that the netlogon changelog (c:\winnt\netlogon.chg) was corrupt? Moving the PDCE role around didn't help because the file gets copied along with the move.

Solution was to put an acl on it to deny system access, boot the DC, rename the file, boot again, and the logfile got recreated.

I'm told that when the DCs were taken down on Friday night they came down clean, so I have no idea what caused this.

Trusts now re-established without any problem, and my trousers off to the cleaners...

Paul




"Rick Kingslan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

07/07/2002 16:25
Please respond to ActiveDir

       
        To:        <[EMAIL PROTECTED]>
        cc:        
        Subject:        RE: [ActiveDir] Trusts between AD and NT4 - HELP!!



Once again, Diane makes a good point.  I fought this same issue with one of
our subsidiaries about 2 mos. ago.  We DID have a name resolution problem,
but we also had a cart before the horse problem.  Seems that I had
pre-created trusts before the admin on the NT 4.0 side had created his.
This caused all kinds of havoc.  Ended up that we deleted trusts all the way
around, waited about 10 - 15 mins, he created his end for the trusting, I
created mine for the trusted.  I created mine for the trusting, he created
his for the trusted.

Him - NT 4.0 side, me Windows 2000 side.

Now, when prompted during the verification for credentials to verify the
trust - cancel out.

These are the notes that I found after being pinged by Diane's post.

Hope this helps!
Rick Kingslan - Microsoft Certified Trainer
 MCSE+I on Windows NT 4.0
 MCSE on Windows 2000
 MVP [Windows NT/2000 Server]

"Any sufficiently advanced technology
is indistinguishable from magic."
 ---  Arthur C. Clarke


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 07, 2002 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between AD and NT4 - HELP!!


I was working on our Exchange upgrade and had to convert a one way trust
relationship to a two way trust relationship.  I worked for several hours to
get the second one way trust in place.  I focused on name resolution as the
issue as the error message I got was "The specified domain either does not
exist or could not be contacted".   I also tried the lmhosts solution that
Rick suggested.  Despite the error message, it was not a name resolution
issue.  In my case, it was due to the fact that the trust was in place before
our Active Directory upgrade.  See
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q306101.
Gotta love those MS error messages.  Always so concise... :-)

You mentioned that you deleted the trust and recreated it.  Maybe you need
the AD side to replicate the deletion before you recreate it.  

See the below links for other possible solutions:
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q306733
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q180094
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q255551
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q317178
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q295335

Diane


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rick Kingslan
Sent: Sunday, July 07, 2002 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between AD and NT4 - HELP!!


The close to last thing that I can think of doing is to create a HOSTS file
and an LMHOSTS file on both machines.

The LMHOSTS file should have:

xx.xx.xx.xx    PDC machine name    #PRE  #DOM:Domain-name
xx.xx.xx.xx    "Domain-name    \0x1b"    #PRE

Note that the second string MUST BE EXACTLY 20 characters in length,
including the \0x1b, and must be in double quotes.

Take a look at this Q for more:

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q245172

Good luck!

Rick Kingslan - Microsoft Certified Trainer
 MCSE+I on Windows NT 4.0
 MCSE on Windows 2000
 MVP [Windows NT/2000 Server]

"Any sufficiently advanced technology
is indistinguishable from magic."
 ---  Arthur C. Clarke
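
Added example, not part of the original message or any poster's own code: a Python sketch that builds the two LMHOSTS lines described in the message above and checks the 20-character rule on the quoted entry (15 name characters padded with spaces, plus the 5 literal characters \0x1b). The address 192.0.2.10, host name PDC01 and domain LEGACY are constructed sample values, and upper-casing the domain name is an assumption.

```python
import re

NETBIOS_NAME_LEN = 15                    # usable characters in a NetBIOS name
PDC_SUFFIX = r"\0x1b"                    # 5 literal characters for the 16th byte
QUOTED_LEN = NETBIOS_NAME_LEN + len(PDC_SUFFIX)   # the 20 characters required

_QUOTED = re.compile(r'^\s*(\S+)\s+"([^"]*)"(.*)$')


def build_entries(ip, pdc_name, domain):
    """Return the two LMHOSTS lines from the message for one PDC."""
    if not 0 < len(domain) <= NETBIOS_NAME_LEN:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    dom = domain.upper()                 # assumption: names are registered upper-case
    padded = dom.ljust(NETBIOS_NAME_LEN) + PDC_SUFFIX
    return [
        f"{ip}    {pdc_name}    #PRE  #DOM:{dom}",
        f'{ip}    "{padded}"    #PRE',
    ]


def check_line(line):
    """Return a list of problems found in a quoted 1B LMHOSTS line."""
    m = _QUOTED.match(line)
    if not m:
        return ["name is not enclosed in double quotes"]
    _, name, rest = m.groups()
    problems = []
    if not name.endswith(PDC_SUFFIX):
        problems.append(r"name does not end in \0x1b")
    if len(name) != QUOTED_LEN:
        problems.append(f"quoted string is {len(name)} characters, not {QUOTED_LEN}")
    if "#PRE" not in rest.upper().split():
        problems.append("#PRE tag missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for entry in build_entries("192.0.2.10", "PDC01", "legacy"):
        print(entry)
    # A hand-typed line with too little padding, as a failing case.
    print(check_line('192.0.2.10    "LEGACY \\0x1b"    #PRE'))
```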







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Paul Sobey
Sent: Sunday, July 07, 2002 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between AD and NT4 - HELP!!




Hi Rick,

I'm trying every combination of nltest and netdom I can think of.

WINS entries are good - the domain controllers didn't change IP address,
they just got properly rack mounted then switched back on! It's almost like
there's a GP somewhere that is preventing the trusts going up, but I can't
find it. I've disabled everything that looks remotely suspect (ie force
NTLMv2 authentication, disabled anonymous connections etc.)

If I delete the trust on both sides and try re-adding, the error on the NT4
side is 'Could not find a domain controller for this domain'. nltest
correctly reports the name of the dcs, and they can be pinged.

Anyone else seen this before? It has me completely confounded, and I am in
big trouble if it doesn't work tomorrow....

Paul





                "Rick Kingslan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]


06/07/2002 14:01
Please respond to ActiveDir


       
       To:        <[EMAIL PROTECTED]>
       cc:        
       Subject:        RE: [ActiveDir] Trusts between AD and NT4 - HELP!!




Paul,

Diane has a potential good catch on the 1B records (make sure that you
have the whole of the NetBIOS records for the machines - 1B, 1C, 1D, 1E,
00, 20, 03, etc.).

You might attempt a password resynch with Netdom as I've seen secure
channel password failures many times.

If all else fails, break down the trusts and try again.  Sometimes,
there just is no rhyme or reason to trust failures.

Good luck!

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000

"Any sufficiently advanced technology
is indistinguishable from magic."
---  Arthur C. Clarke





> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Sobey
> Sent: Saturday, July 06, 2002 2:52 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Trusts between AD and NT4 - HELP!!
>
>
> Hi Guys,
>
> For migration purposes I have established a one way trust
> between my legacy domain (trusting) and my new AD (trusted).
> Yesterday, both DCs got powered off one at a time, and moved
> to new homes in the comms room. After they were powered back
> up, the trust had failed. All attempts to re-establish it
> using the GUI tools fail - the NT4 User Management refuses to
> add the trust with 'Cannot Find a Domain Controller for this
> domain'. When I use netdom, from either the trusted or
> trusting DCs, it reports that the command has completed
> successfully, the correct entries appear in the
> trusted/trusting domains lists for the domains, but
> verification fails, as does secure channel reset with 'ACCESS DENIED'.
>
> Both sets of DCs point at the same domain, and the WINS 1c
> records on both sides are correct. They can ping each other
> by hostname.
>
> Does anyone have any idea how to fix this? I am at my wits
> end, and users are due in Monday who will not be able to work
> if the trust isn't in place!
>
> Thanks for any help you can offer.
>
> Paul
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





