Mike, duly noted but if this is set to 0 on the PDC (of the NT4 domain) then this should (and has been ok);
also even if set to 1 as i understand (only 2 on a wk2 domain as the trusted domain does it become a problem) in my failed scenario the trusted domain is Nt4 what i am trying to understand is how the likely scenario of a removed default domain policy from the trusting domain affects the above trust establishment. GT ----- Original Message ----- From: "Thommes, Michael M." <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, May 28, 2003 2:20 PM Subject: RE: [ActiveDir] windows 2000 / NT4 trust One thing to keep in mind is the value you have set for RestrictAnonymous. See Technet articles 178640 and 296403 for details. Mike Thommes -----Original Message----- From: Graham Turner [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 28, 2003 7:35 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] windows 2000 / NT4 trust please can anyone pass on the in's and out's of diagnosing failure of trust relationship establishment. the trust that is required is two-way between an NT4 domain (source in the context of migration) and a W2k domain (target) i am able to establish easily enough the trust; NT4 trusts W2K however for love nor money am i able to establish the other way round; w2k trusts NT4 get whole loads of access denied messages ... thought for a moment it might have something to do with the presence of the security principal in the NT4 domain which is required for migration; NT4$$$ as the accounts used for trusts are the domain name with $ appended - red herring me thinks ?? but then as i read it in the context of the failed trust the interdomain trust account used would be W2K$ defined in the NT4 domain ???? the other issue that looked a bit hookie was the removal of the "Default Doman policy" GPO from the w2k domain - not me gov !! perhaps there are values in there that are relevant to the trust failure - notwithstanding it would be ideal to understand the full troubleshoot of a failed trust have been using "nltest" but all we get returned is a generic "access denied" error; event logs give us the following; 5721 - session setup to DC for NT4domain failed because DC does not have account for w2k dcname 8B-01-00-C0 3210 - failed to authenticate with nt4 dcname; 22 00 00 C0 apologies for the essay but have attempted to include all relevant information GT List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
