Hi,

We have an NT4 domain and are migrating to W2K3 AD. The trusts between the
two work OK.

We also have the following configuration though when we created the W2K3 AD
domain: "Permissions compatible with pre-Windows 2000 servers" to enable
anonymous access for services during the migration. 
If you chose "Permissions compatible only with Windows 2000 servers" you can
still enable anonymous access by executing the following commands from the
command-line (you can also do this using ADUC):
* net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
* net localgroup "Pre-Windows 2000 Compatible Access" "anonymous logon" /add

For more info see:
* http://support.microsoft.com/?id=325363
* http://support.microsoft.com/?id=257988

Oh, and by the way be sure that the RestrictAnonymous registry key is not
set (default not set to 2) more info on this:
http://support.microsoft.com/kb/q246261/
http://support.microsoft.com/kb/q296405/


See also:
http://www.eventid.net/display.asp?eventid=3210&eventno=1115&source=NETLOGON&phase=1
http://www.eventid.net/display.asp?eventid=5721&eventno=674&source=NETLOGON&phase=1

Regards,
Jorge
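
Added example, not part of the original message: a PowerShell function that reports the two settings the reply above mentions, so the domain controller's anonymous-access state can be checked during the migration and again once it is finished. The function name `Get-AnonymousAccessState`, the English group and account names, and the registry path `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` are assumptions; the thread names only the group and the `RestrictAnonymous` value.

```powershell
# Added example, not from the original thread. Run as an administrator on the DC.
# Assumes English names for the group and the built-in accounts.
function Get-AnonymousAccessState {
    param([string]$Group = 'Pre-Windows 2000 Compatible Access')

    # List the group with the same tool the reply uses.
    $raw = & net.exe localgroup $Group 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed for '$Group' (exit code $LASTEXITCODE)"
    }

    # Member names follow the dashed separator; the last non-empty line
    # after it is the command's status message, not a member.
    $tail = @()
    $inList = $false
    foreach ($line in $raw) {
        if ($line -match '^-{5,}\s*$') { $inList = $true; continue }
        if ($inList -and $line.Trim()) { $tail += $line.Trim() }
    }
    $members = @()
    if ($tail.Count -gt 1) { $members = @($tail[0..($tail.Count - 2)]) }

    # RestrictAnonymous is read from the Lsa key (path not given in the thread).
    # $null in the result means the value is absent.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $restrict = $null
    if ($lsa) { $restrict = [int]$lsa.RestrictAnonymous }

    New-Object PSObject -Property @{
        Group                  = $Group
        Members                = ($members -join '; ')
        EveryoneIsMember       = (@($members -match '(^|\\)Everyone$').Count -gt 0)
        AnonymousLogonIsMember = (@($members -match '(^|\\)ANONYMOUS LOGON$').Count -gt 0)
        RestrictAnonymous      = $restrict
        RestrictAnonymousIs2   = ($restrict -eq 2)
    }
}

Get-AnonymousAccessState | Format-List
```

Anonymous access as described in the reply is in effect when both membership flags are true and `RestrictAnonymousIs2` is false.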


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday 8 November 2004 15:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Trust with NT Domain Fails

We have created a two-way trust between a W2K3 domain (freshly installed)
and an existing NT domain using the MS documentation on how to create a
trust so that we can conduct a migration.  

However, our trust seems to fail after about five minutes of activity and we
receive an event log error 3210.

This computer could not authenticate with \\domaincontroller, a Windows
domain controller for domain TRUSTEDDOMAIN, and therefore this computer
might deny logon requests. This inability to authenticate might be caused by
another computer on the same network using the same name or the password for
this computer account is not recognized. If this message appears again,
contact your system administrator.

And Event log error 5721:

The session setup to the Windows NT or Windows 2000 Domain Controller
\\domaincontroller for the domain TRUSTEDDOMAIN failed because the Domain
Controller did not have an account TRUSTINGDOAIN$ needed to set up the
session by this computer DOMAINCONTROLLEROFTRUSTEDDOMAIN.

We have also noted that when we do a netdom query to all of the DCs they
all come back correctly except when we try to query our secondary DC in the
W2K3 domain from the NT domain.  When we do that the netdom query command
returns an RPC error.  This error does not show up when we query the
secondary DC from the primary DC.  Also, immediately after setting up the
trust, we can then utilize all of the system resources between both domains
for about five minutes before the trust goes south.

We have done some research (we checked to see that the RPC reg entry was set
to 68 with the netlogon, and we found the restarting the authentication
password using the netdom tool and then restarting machine password) but we
are starting to run out of options.  Can anyone suggest a new route of
investigation?

Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
