Rick, thanks for this and duly noted.

This for me was a particularly nasty one - I was able, with Mr Wilkinson's
help, to come quite promptly to the issue / fix.

However, looking at the bigger picture, how would this have been resolved
without this "divine intervention" !!

I was able to roll back through change control and map this failure to the
application of the GPO with the hardened settings - but as to how I would
have found the specific registry value, not too sure here ??

1. event logs - giving me 3210 / 5721 errors, all very general;

A little bit disappointing for me that the issues of interoperability
between NT4 and W2K domains were not documented under a TechNet search of
these event IDs.

Even allowing for my hardening (using MS distributed security templates),
this does not seem that uncommon a scenario ??

It would seem to me (and I would be glad for others' input on this) that the
next (and last ?) resort between NT4 and W2K domains would have to be the
capture of the data relating to the secure channel / trust establishment -

GT

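The value at the centre of this thread (RequireStrongKey under Netlogon\Parameters) arrives through the [Registry Values] section of a security template .inf, so one way to answer the "how would I have found it" question is to diff the templates themselves. The following is an added example, not code from the thread, from Microsoft or from the ActiveDir list; the two template texts are constructed samples, and the LmCompatibilityLevel and RestrictAnonymous values in them are assumptions chosen only to show the diff.

```python
# Added example, not from the thread: audit the [Registry Values] section of
# security template .inf files. Lines have the form KEYPATH=TYPE,VALUE
# (type 4 = REG_DWORD). Both template texts below are constructed samples.

BASELINE_INF = """\
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,1
"""

HARDENED_INF = """\
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
"""

# Setting that, per the thread, breaks the secure channel to NT4 DCs once enabled.
NT4_TRUST_BREAKERS = {
    "MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey": "1",
}

def parse_registry_values(inf_text):
    """Return {key_path: (reg_type, value)} from the [Registry Values] section."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or INF comment
            continue
        if line.startswith("["):               # section header
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            key, _, rest = line.partition("=")
            reg_type, _, value = rest.partition(",")
            values[key.strip()] = (reg_type.strip(), value.strip())
    return values

def diff_templates(before_text, after_text):
    """List (key, old_value, new_value) for every value the new template changes or adds."""
    before, after = parse_registry_values(before_text), parse_registry_values(after_text)
    return [(k, before.get(k, (None, None))[1], v[1])
            for k, v in after.items() if before.get(k) != v]

def flag_trust_breakers(inf_text):
    """Return key paths whose value matches a setting known to break NT4 trusts."""
    values = parse_registry_values(inf_text)
    return [k for k, bad in NT4_TRUST_BREAKERS.items()
            if k in values and values[k][1] == bad]
```

Run diff_templates over the exported pre-change template and the hardened one, then flag_trust_breakers over the latter, to get the RequireStrongKey change listed before the GPO is linked rather than seven days after.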

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 01, 2003 8:18 PM
Subject: RE: [ActiveDir] w2k / nt4 trust -possible fix


Graham -

No other dependent values on this particular setting.  I take this to mean
that if you change this one and only this one setting, will it have a
negative impact on anything else.  If this is the question, then no - you're
safe in changing the strong session key requirement.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, June 01, 2003 5:54 AM
To: [EMAIL PROTECTED]

Stephen, thanks for the reply.

"good" to see someone else experiencing same issues as it gives me a bit of
a sanity check !!!

I traced it back to the application of the policy settings defined by the
baseline security templates distributed with the MS security operations
guide - but only after 7 days !!

I had established the trust with the weaker settings, applied the template
settings and, lo and behold, 7 days later the trust breaks - that this
conveniently ties in with the reset interval of the interdomain account
password was my theory ??

Anyway, thanks for the specific steer to the policy which sorts this
out - I was focussing on things like lmcompatibilitylevel and
restrictanonymous !!

I guess the "Requires strong (Windows 2000 or later) session key" policy
sets this value as defined by the security template:

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1

I have "fixed" the issue in the interim by removing the link to the GPO but
will proceed having made the above change - do you have any view on the
impact of changing this value in isolation - or are there any other
dependent values ?

thanks again -

GT



----- Original Message -----
From: "Wilkinson, Stephen (DrKW)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 29, 2003 5:28 PM
Subject: RE: [ActiveDir] w2k / nt4 trust -possible fix


> We have fixed this now.  We had the policy
>
> "Require strong (Windows 2000 or later) session key"
>
> set to "enable" - which results in the failure to establish a secure
> channel with NT4 DCs in the trusted\trusting domain.
>
> MSDN explanation of the policy is below
>
>
> ************************
> Require strong (Windows 2000 or later) session key
>
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Security Options
>
> Description
> If this policy is enabled, all outgoing secure channel traffic will
> require a strong (Windows 2000 or later) encryption key.
>
> If this policy is disabled, the key strength is negotiated with the DC.
> This option should only be enabled if all of the DCs in all trusted
> domains support strong keys.
>
> By default, this value is disabled.
> ****************************
>
>
> -----Original Message-----
> From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED]
> Sent: 29 May 2003 14:37
> To: '[EMAIL PROTECTED]'
>
>
> Graham,
>
> You will be pleased to know that we are currently experiencing exactly
> the same issues and are now stepping through resetting the policies we
> had applied on the AD DCs to the reverse and stepping through the w2k3
> version of the doc you referenced (PSS 325874).
>
> There is a PSS article (295335) referencing this issue and it
> supposedly is caused by name resolution errors, although our name
> resolution, both DNS and WINS, seems ok.
>
> Will keep you posted
>
> Stephen Wilkinson
> E-Mail: [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]
> Sent: 28 May 2003 18:40
> To: [EMAIL PROTECTED]
>
> Forgive me for a second post on the same topic, but I have just gone
> through a whole load of docs on issues of w2k / nt4 trusts.
>
> I have referenced Q308195.
>
> It would seem that this documents a process that is the reverse of the
> process by which one would establish trust between two NT4 domains.
>
> Is this by design or do I read it wrong ??? - why different, as surely
> for a downlevel trust the process should be the same ??
>
> i.e. on NT4 domains we would add the trusting domain on the trusted
> domain (permit it to trust the trusting domain) first and then add the
> trusted domain on the trusting domain.
>
> GT
>
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> ----------------------------------------------------------------------
> If you have received this e-mail in error or wish to read our e-mail
> disclaimer statement and monitoring policy, please refer to
> http://www.drkw.com/disc/email/ or contact the sender.
> ----------------------------------------------------------------------