Yes, removal of the "Default Domain policy" GPO from the w2k domain sounds like it's related to your issue - this is definitely a bad idea. Various permissions and user rights are set here, which define who can do what on the domain level. Although I believe the Default Domain Controller policy contains even more settings explicit to trust creation etc., you should definitely re-add the Default Domain Policy as well.
With Windows Server 2003, you can use dcgpofix.exe to restore a Default GPO to its initial state - I'm not sure how you'd do it in 2000, except by creating a new domain and using the export/import feature from GPMC.

/Guido

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 May 2003 14:35
To: [EMAIL PROTECTED]

Please can anyone pass on the ins and outs of diagnosing failure of trust relationship establishment.

The trust that is required is two-way between an NT4 domain (source in the context of migration) and a W2k domain (target).

I am able to establish easily enough the trust; NT4 trusts W2K.

However, for love nor money am I able to establish the other way round; w2k trusts NT4.

Get whole loads of access denied messages ...

Thought for a moment it might have something to do with the presence of the security principal in the NT4 domain which is required for migration; NT4$$$, as the accounts used for trusts are the domain name with $ appended - red herring me thinks ??

But then as I read it, in the context of the failed trust the interdomain trust account used would be W2K$ defined in the NT4 domain ????

The other issue that looked a bit hookie was the removal of the "Default Domain policy" GPO from the w2k domain - not me gov !!

Perhaps there are values in there that are relevant to the trust failure - notwithstanding, it would be ideal to understand the full troubleshoot of a failed trust.

Have been using "nltest" but all we get returned is a generic "access denied" error; event logs give us the following:

5721 - session setup to DC for NT4domain failed because DC does not have account for w2k dcname 8B-01-00-C0
3210 - failed to authenticate with nt4 dcname; 22 00 00 C0

Apologies for the essay but have attempted to include all relevant information.

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
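
The four data bytes attached to events 5721 and 3210 in the message above are NTSTATUS values stored little-endian. The following is an added example, not part of the original thread, that decodes them; the function names and the two-entry name table are assumptions of this example.

```python
import re

# Names for the two codes quoted in the thread (table built for this example;
# extend it from the published NTSTATUS list as needed).
KNOWN_STATUS = {
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000022: "STATUS_ACCESS_DENIED",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

# Exactly four hex byte pairs, separated by '-' or spaces, ending the line.
DATA_RE = re.compile(r"((?:[0-9A-Fa-f]{2}[- ]){3}[0-9A-Fa-f]{2})\s*$")
EVENT_RE = re.compile(r"^\s*(\d+)\s*-")


def decode_ntstatus(data):
    """Turn an event-log data dump such as '8B-01-00-C0' into NTSTATUS fields."""
    raw = bytes.fromhex(re.sub(r"[- ]", "", data))
    if len(raw) != 4:
        raise ValueError("expected 4 data bytes, got %d" % len(raw))
    value = int.from_bytes(raw, "little")  # event data is a little-endian DWORD
    return {
        "hex": "0x%08X" % value,
        "severity": SEVERITY[value >> 30],   # bits 31-30
        "facility": (value >> 16) & 0xFFF,   # bits 27-16
        "code": value & 0xFFFF,              # bits 15-0
        "name": KNOWN_STATUS.get(value, "unknown"),
    }


def decode_event_line(line):
    """Return decoded fields for '<event id> - <text> <data bytes>', else None."""
    event, data = EVENT_RE.match(line), DATA_RE.search(line)
    if not event or not data:
        return None
    result = decode_ntstatus(data.group(1))
    result["event_id"] = int(event.group(1))
    return result


# The two event lines as quoted in the message, plus one line without data.
SAMPLE_LINES = [
    "5721 - session setup to DC for NT4domain failed because DC does not "
    "have account for w2k dcname 8B-01-00-C0",
    "3210 - failed to authenticate with nt4 dcname; 22 00 00 C0",
    "get whole loads of access denied messages ...",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_event_line(sample))
```

Event 5721 decodes to 0xC000018B (no trust account in the SAM database for the requesting machine), which matches the event text, and event 3210 decodes to 0xC0000022, the same generic "access denied" that nltest reported.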
