How to establish trusts with a Windows NT-based domain in Windows 2000 (308195)

SUMMARY

This article describes how to establish a trust relationship between a Microsoft Windows NT 4.0-based domain and a Windows 2000-based domain.

Creating a trust with a Windows NT-based domain is essentially using the Windows NT trust model in a Windows 2000-based environment. Windows NT trusts are one-way trusts between a "trusting" domain and a "trusted" domain. For example, if you have a Windows 2000-based domain whose users want to gain access to resources that are stored in a Windows NT-based domain, you must create a trust relationship in which the Windows NT-based domain trusts the users from the Windows 2000-based domain. In this case, the Windows NT-based domain is the trusting domain and the Windows 2000-based domain is the trusted domain.

back to the top

How to Create a Trust Relationship

You can create either of the following trust relationships between a Windows NT-based domain and a Windows 2000-based domain:

Windows NT trusts Windows 2000
Windows 2000 trusts Windows NT

You must be logged on to the domain controllers of both domains with an administrator account to create a trust. In each case, first create the trust on the trusting domain, and then on the trusted domain.

back to the top

Windows NT Trusts Windows 2000

To create a trust relationship in which a Windows NT-based domain trusts a Windows 2000-based domain:

On the Windows NT-based primary domain controller (PDC):
1. Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
2. On the Policies menu, click Trust Relationships.
3. Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
4. In the Domain box, type the Windows 2000-based domain name without the .com extension. For example, if the Windows 2000-based domain is Microsoft.com, type Microsoft.
5. In the Password box, type a password for the trust.
  
  Note: The same trust password must be used on both the domain controller from the trusting and the domain controller from the trusted domain.
6. Click OK. The following message appears, where Windows 2000-based domain name is the name of the Windows 2000-based domain and where Windows NT-based domain name is the name of the Windows NT domain: The trust relationship could not be verified at this time. If you find that it was not established, contact the administrator of the Windows 2000-based domain name domain and verify that it includes Windows NT-based domain name on its list of trusting domains.
7. Click OK. The Windows 2000-based domain is listed in the Trusted Domains list.
8. In the Trust Relationships dialog box, click Close.
On the Windows 2000-based domain controller:
1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.
3. In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
4. Click the Trusts tab.
5. Click the Add button that corresponds to the Domains that trust this domain list.
6. In the Trusting domain box, type the name of the Windows NT-based domain.
7. In the Password box, type the same trust password that you used on the Windows NT-based domain controller. Type the password again in the Confirm password box.
8. Click OK. The following message appears, where Windows NT-based domain name is the name of the Windows NT-based domain: To verify the new trust, you must have permission to administer trusts for the domain Windows NT-based domain name.
9. Make sure that you are currently logged on to both the Windows NT-based domain controller and the Windows 2000-based domain controller as Administrator, and then click Yes.
10. In the Active Directory dialog box, type the user name and password of an administrator account from the Windows NT-based domain, and then click OK. The following message appears: The trusting domain has been added and the trust verified.
11. Click OK. The Windows NT-based domain is listed in the Domains that trust this domain list.
12. Click OK, and then quit Active Directory Domains and Trusts.

The trust is created. The Windows NT-based domain trusts accounts from the Windows 2000-based domain. However, this trust is a one-way trust. The Windows 2000-based domain does not trust the Windows NT-based domain accounts.

back to the top

Windows 2000 Trusts Windows NT

To create a trust relationship in which a Windows 2000-based domain trusts a Windows NT-based domain:

On the Windows 2000-based domain controller:
1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.
3. In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
4. Click the Trusts tab.
5. Click the Add button that corresponds to the Domains trusted by this domain list.
6. In the Trusted domain box, type the name of the Windows NT-based domain.
7. In the Password box, type a password for the trust. Type this password again in the Confirm password box.
8. Click OK. The following message appears: Active Directory cannot verify the trust.
  If the other side of the trust relationship doesn't exist yet, you must create it.
  If the passwords for both sides of the trust relationship don't match, you must remove this trust and re-create it using the correct password.
  The error returned was: The security database on the server does not have a computer account for this workstation trust relationship.
9. Click OK.
10. Click OK, and then quit Active Directory Domains and Trusts.
On the Windows NT-based PDC:
1. Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
2. On the Policies menu, click Trust Relationships.
3. Click the Add button that corresponds to the Trusting Domains box. The Add Trusting Domain dialog box appears.
4. In the Trusting Domain box, type the Windows 2000-based domain name without the .com extension. For example, if the Windows 2000-based domain is Microsoft.com, type Microsoft.
5. In the Initial Password box, type the same password that you used for the trust on the Windows 2000-based domain controller.
  
  Note: The same trust password must be used on both the domain controller from the trusting and the domain controller from the trusted domain.
6. Type the password again in the Confirm Password box, make sure that you are currently logged on to both the Windows NT-based domain controller and the Windows 2000-based domain controller as Administrator, and then click OK. The Windows 2000-based domain is listed in the Trusting Domains list.
7. In the Trust Relationships dialog box, click Close.

The trust is created. The Windows 2000-based domain trusts accounts from the Windows NT-based domain.

back to the top

Troubleshooting

When you attempt to create a trust between domains, you may receive an error message similar to:

Could not find domain controller for this domain

This error message can occur for the following reasons:

Networking issues

Make sure that both computers are using TCP/IP and that you can connect to the other computer by using a network utility such as Ping.exe.
Name resolution issues

Make sure that the Windows NT-based domain controller can resolve the host name of the Windows 2000-based domain controller, and that the Windows 2000-based domain controller can resolve the NetBIOS name of the Windows NT-based domain controller. If you cannot resolve the NetBIOS and host names, create an entry in the Lmhosts file on each domain controller that specifies the location of the other controller. For additional information about creating and modifying Lmhosts files, click the following article numbers to view the articles in the Microsoft Knowledge Base:
102725 Lmhosts file information and predefined keywords

back to the top