DOCUMENT:Q112214 08-AUG-2001 [winnt] TITLE :Trusting Domain Shows Trust Failure or "Account Unknown" PRODUCT :Microsoft Windows NT PROD/VER:3.1 OPER/SYS: KEYWORDS:kbnetwork ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Advanced Server, version 3.1 ------------------------------------------------------------------------------- SYMPTOMS ======== A trusting domain shows event log entries indicating trust failure. Or, a trusting domain doesn't grant appropriate access to accounts on the trusted domain, or displays accounts on the trusted account as "Account unknown." NOTE: It is possible to add accounts from a trusted domain to ACLs or local groups even when a trust relationship is incomplete or broken because User Browser can obtain account lists that may work even though the trust relationship doesn't work. CAUSE ===== Trust failure occurs when internal passwords are out of sync. This happens when: One side of the trust relationship is deleted and then recreated after the trust relationship has gone through one or more automatic password changes. -or- The "permit to trust" and "trust" sides of the relationship were initially set up with different passwords. User Manager for Domains can detect if this is the case if the "B permits A to trust" side was set up first, but not if the "A trusts B" side was set up first. (This is why the "B permits A to trust" side should be set up first, and one reason why User Manager for Domains sometimes warns that "the trust relationship could not be verified at this time" when the "A trusts B" side is set up.) WORKAROUND ========== To work around this problem, check to see that both halves of the trust relationship exist (A must trust B, and B must permit A to trust). If both halves of the trust relationship exist, their internal passwords may be out of sync. If the internal passwords are out of sync, remove both halves, and then replace them. For information on doing this, see the chapter titled "User Manager for Domains" of the Windows NT "System Guide." It is recommended to add the "B permits A to trust" side of the trust relationship before the "A trusts B" side. Additional query words: prodnt ====================================================================== Keywords : kbnetwork Technology : kbWinNTsearch kbWinNTAdvSerSearch kbWinNTAdvServ310 kbWinNT310Search Version : 3.1 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.