Guido, thanks for the post reply. I have subsequently read that default ACLs do not let even Admins delete the GPO so hopefully only the link should need to be restored.
I agree totally with the view that the removal of the default domain policy can only have a negative impact, but should not affect the trust going the "other way" as surely the account settings / policies that it defines would affect the accounts in the w2k define, and as such affect the "NT4 trusts W2K" trust and not as I am experiencing.

Or are there subtle differences in the establishment of a trust between a w2k / nt4 domain - I assume wherever we read PDC in the context of a NT4-NT4 trust the focus is on the host holding the PDC emulator role ??

GT

----- Original Message -----
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 28, 2003 2:04 PM
Subject: RE: [ActiveDir] windows 2000 / NT4 trust

> yes, removal of the "Default Domain policy" GPO from the w2k domain sounds
> like it's related to your issue - this is definitely a bad idea. Various
> permissions and user-rights are set here, which define who can do what on
> the domain-level. Although I believe the Default Domain Controller policy
> contains even more settings explicit to trust creation etc, you should
> definitely re-add the Default Domain Policy as well.
>
> With Windows Server 2003, you can use dcgpofix.exe to restore a Default GPO
> to its initial state - I'm not sure how you'd do it in 2000, except by
> creating a new domain and using the export/import feature from GPMC.
>
> /Guido
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 28 May 2003 14:35
> To: [EMAIL PROTECTED]
>
> please can anyone pass on the ins and outs of diagnosing failure of trust
> relationship establishment.
>
> the trust that is required is two-way between an NT4 domain (source in the
> context of migration) and a W2k domain (target)
>
> I am able to establish easily enough the trust;
>
> NT4 trusts W2K
>
> however for love nor money am I able to establish the other way round;
>
> w2k trusts NT4
>
> get whole loads of access denied messages ...
>
> thought for a moment it might have something to do with the presence of the
> security principal in the NT4 domain which is required for migration;
>
> NT4$$$
>
> as the accounts used for trusts are the domain name with $ appended - red
> herring methinks ??
>
> but then as I read it in the context of the failed trust the interdomain
> trust account used would be W2K$ defined in the NT4 domain ????
>
> the other issue that looked a bit hookie was the removal of the "Default
> Domain policy" GPO from the w2k domain - not me gov !!
>
> perhaps there are values in there that are relevant to the trust failure -
>
> notwithstanding it would be ideal to understand the full troubleshoot of a
> failed trust
>
> have been using "nltest" but all we get returned is a generic "access
> denied" error;
>
> event logs give us the following;
>
> 5721 - session setup to DC for NT4domain failed because DC does not have
> account for w2k dcname
>
> 8B-01-00-C0
>
> 3210 - failed to authenticate with nt4 dcname;
> 22 00 00 C0
>
> apologies for the essay but have attempted to include all relevant
> information
>
> GT
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
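The data bytes quoted with events 5721 and 3210 in the thread above are NTSTATUS values stored little-endian. The following is an added example, not part of the original messages: it decodes such a byte dump and splits the status into its fields. The function name and the short name table (taken from ntstatus.h) are choices made for this example.

```python
import re
import struct

# Names from ntstatus.h for codes commonly seen in Netlogon trust events.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000018A: "STATUS_NO_TRUST_LSA_SECRET",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
    0xC000018D: "STATUS_TRUSTED_RELATIONSHIP_FAILURE",
    0xC0000199: "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")


def decode_event_data(text):
    """Decode the 4 data bytes of a Netlogon event into an NTSTATUS record.

    Accepts the dump as copied from the event log, with spaces, hyphens or
    colons between bytes. The bytes form a little-endian 32-bit value.
    """
    tokens = [t for t in re.split(r"[\s:-]+", text.strip()) if t]
    if len(tokens) != 4 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
        raise ValueError(f"expected 4 hex bytes, got {text!r}")
    (value,) = struct.unpack("<I", bytes(int(t, 16) for t in tokens))
    return {
        "value": value,
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],          # bits 31-30
        "customer": bool(value & 0x20000000),       # bit 29
        "facility": (value >> 16) & 0x0FFF,         # bits 27-16
        "code": value & 0xFFFF,                     # bits 15-0
        "name": NTSTATUS_NAMES.get(value, "unknown (look up in ntstatus.h)"),
    }


if __name__ == "__main__":
    # Byte dumps exactly as quoted in the thread.
    for event_id, data in ((5721, "8B-01-00-C0"), (3210, "22 00 00 C0")):
        r = decode_event_data(data)
        print(f"event {event_id}: {data} -> {r['hex']} {r['name']} "
              f"[{r['severity']}, facility {r['facility']}, code 0x{r['code']:04X}]")
```

For the 5721 bytes this gives STATUS_NO_TRUST_SAM_ACCOUNT, which matches the event text about the DC not having an account; the 3210 bytes decode to STATUS_ACCESS_DENIED.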
