One weird thing about secure channels is that they are not always established with the PDC for a domain. They are established with the fastest server in the domain. Further, they periodically reset themselves and connect to the fastest responder in a domain. We had an issue where the secure channel needed to be established with the NT4 PDC in order for our migrations to work. Ended up that we had to run the following commands to first determine if our ADS was communicating with the correct PDC and then reset it to the correct one.

To see which server is providing the secure channel (this is not always the PDC):

nltest /server:SERVERNAME /sc_query:DOMAIN

where SERVERNAME is the DC for ADS and DOMAIN is the name of your NT4 domain.

To change which server provides the secure trust:

nltest /server:SERVERNAME /sc_reset:SOURCEDOMAIN\SOURCEDOMAINPDC

Byron Fackenthall
-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 3:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Trusts between AD and NT4 - HELP!!

So what happened? Did the users have your head this AM?

-----Original Message-----
From: Paul Sobey [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 07, 2002 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between AD and NT4 - HELP!!

Hi Rick,

I'm trying every combination of nltest and netdom I can think of.

WINS entries are good - the domain controllers didn't change IP address, they just got properly rack mounted then switched back on! It's almost like there's a GP somewhere that is preventing the trusts going up, but I can't find it. I've disabled everything that looks remotely suspect (i.e. force NTLMv2 authentication, disabled anonymous connections etc.)

If I delete the trust on both sides and try re-adding, the error on the NT4 side is 'Could not find a domain controller for this domain'. nltest correctly reports the name of the dcs, and they can be pinged.

Anyone else seen this before? It has me completely confounded, and I am in big trouble if it doesn't work tomorrow....

Paul

"Rick Kingslan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/07/2002 14:01
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Trusts between AD and NT4 - HELP!!

Paul,
Diane has a potential good catch on the 1B records (make sure that you
have the whole of the NetBIOS records for the machines - 1B, 1C, 1D, 1E,
00, 20, 03, etc.).
You might attempt a password resynch with Netdom as I've seen secure
channel password failures many times.
If all else fails, break down the trusts and try again. Sometimes,
there just is no rhyme or reason to trust failures.
Good luck!
Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Sobey
> Sent: Saturday, July 06, 2002 2:52 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Trusts between AD and NT4 - HELP!!
>
>
> Hi Guys,
>
> For migration purposes I have established a one way trust
> between my legacy domain (trusting) and my new AD (trusted).
> Yesterday, both DCs got powered off one at a time, and moved
> to new homes in the comms room. After they were powered back
> up, the trust had failed. All attempts to re-establish it
> using the GUI tools fail - the NT4 User Management refuses to
> add the trust with 'Cannot Find a Domain Controller for this
> domain'. When I use netdom, from either the trusted or
> trusting DCs, it reports that the command has completed
> successfully, the correct entries appear in the
> trusted/trusting domains lists for the domains, but
> verification fails, as does secure channel reset with 'ACCESS DENIED'.
>
> Both sets of DCs point at the same domain, and the WINS 1c
> records on both sides are correct. They can ping each other
> by hostname.
>
> Does anyone have any idea how to fix this? I am at my wits'
> end, and users are due in Monday who will not be able to work
> if the trust isn't in place!
>
> Thanks for any help you can offer.
>
> Paul
>
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/