How to establish trusts with a Windows NT-based domain in Windows Server 2003 (325874)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
This article was previously published under Q325874
For a Microsoft Windows 2000 version of this article, see 308195.
SUMMARY
This step-by-step article describes how to establish a
trust relationship between a Microsoft Windows NT 4.0-based domain and a
Windows Server 2003-based domain. The creation of a trust with a
Windows NT-based domain uses the Windows NT trust model in a Windows Server
2003-based environment. Windows NT trusts are one-way trusts between a
"trusting" domain and a "trusted" domain. For example, if you have a Windows
Server 2003-based domain whose users want to gain access to resources that are
stored in a Windows NT-based domain, you must create a trust relationship in
which the Windows NT-based domain trusts the users from the Windows Server
2003-based domain. In this case, the Windows NT-based domain is the trusting
domain, and the Windows Server 2003-based domain is the trusted
domain.
Note: You must use NetBIOS name resolution to enable trust between the
two domains.
How to create a trust relationship
You can create either of the following one-way trust
relationships between a Windows NT-based domain and a Windows Server 2003-based
domain:
- Windows NT trusts Windows Server 2003
- Windows Server 2003 trusts Windows NT
Or you can create a two-way trust where both domains trust each
other.
You must be logged on to the domain controllers of both
domains with an administrator account to create a trust. When you create a
one-way trust, first create the trust on the trusting domain, and then on the
trusted domain.
Windows NT trusts Windows Server 2003
To create a trust relationship in which a Windows NT-based domain
trusts a Windows Server 2003-based domain:
- On the Windows NT-based primary domain controller (PDC):
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for
Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Domain box, type the Windows Server 2003-based domain name without the
.com portion of the domain name. For example, if the Windows Server 2003-based
domain is Example.com, type Example.
- In the Password box, type a password for the trust.
Note: You must use the same trust password on both the domain controller from the trusted domain and the domain controller from the trusting domain.
- Click OK. The following message appears, where Windows
Server 2003-based domain name is the name of the Windows Server
2003-based domain and where Windows NT-based domain
name is the name of the Windows NT domain:
  The trust relationship could not be verified at this time. If you find that it
  was not established, contact the administrator of the Windows
  Server 2003-based domain name domain and verify that it includes
  Windows NT-based domain name on its list of trusting
  domains.
- Click OK. Note that the Windows Server 2003-based domain is listed in the Trusted Domains list.
- In the Trust Relationships dialog box, click Close.
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and
Trusts.
- In the Active Directory Domains and Trusts snap-in,
right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this
trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click One-way: incoming
  Users in this domain can be authenticated in the specified domain, realm, or forest.
- Click Next, and then in the Trust password box, type the
same trust password that you used on the Windows NT-based domain controller.
Type the password again in the Confirm trust password
box.
- Click Next, review your settings, and then click Next.
- A message similar to the following message appears:
  Trust relationship created successfully.
  Specified domain: supplier01-int
  Direction: Incoming: Users in the local domain can authenticate in the specified domain.
  Trust type: External
  Windows will authenticate users from the specified domain for all resources in the local domain.
  Transitive: No
  Sides of trust: Created the trust for this domain only.
where supplier01-int is the NetBIOS name of the
Windows NT domain for this trust.
Click Next, and then click Yes, confirm the incoming
trust.
- Type the user name and password of an account with
administrative privileges for the specified domain, and then click Next. A message similar to the following message
appears:
  Completing the New Trust Wizard
  You have successfully completed the New Trust Wizard.
  Status of changes: The trust relationship was successfully created and confirmed.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
The trust is created. The Windows NT-based domain trusts
accounts from the Windows Server 2003-based domain. However, this trust is a
one-way trust. The Windows Server 2003-based domain does not trust the Windows
NT-based domain accounts.
Windows Server 2003 trusts Windows NT
To create a trust relationship in which a Windows Server
2003-based domain trusts a Windows NT-based domain:
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and
Trusts.
- In the Active Directory Domains and Trusts snap-in,
right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this
trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click One-way: outgoing
  Users in the specified domain, realm, or forest can be authenticated in this domain.
- Click Next, and then click one of the following to select the scope of
authentication for users from the Windows NT domain:
- Allow authentication for all resources in the local domain
  Windows authenticates users from the specified
  domain for all resources in the local domain. This option is preferred when
  both domains belong to the same organization.
- Allow authentication only for selected resources in the local domain
  Windows does not automatically
  authenticate users from the specified domain for any resources in the local
  domain. After you finish this wizard, grant individual access to each server
  that you want to make available to users in the specified domain. This option
  is preferred if the domains belong to different organizations.
- Click Next, and then type a password for this trust in the Trust
password box. You must use the same password when you create this
trust relationship in the specified domain. After you create the trust, Active
Directory periodically updates the trust password for security purposes. Type
the password again in the Confirm trust password box, and then
click Next.
- Review your settings, and then click Next.
- A message similar to the following message appears:
  Trust relationship created successfully.
  Specified domain: supplier01-int
  Direction: Outgoing: Users in the specified domain can authenticate in the local domain.
  Trust type: External
  Windows will authenticate users from the specified domain for all resources in the local domain.
  Transitive: No
  Sides of trust: Created the trust for this domain only.
where supplier01-int is the NetBIOS name of the
Windows NT domain for this trust.
Click Next, and then click Yes, confirm the incoming
trust.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
- On the Windows NT-based PDC:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for
Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Trusted Domain box, type the Windows Server 2003-based domain name without the
.com portion of the domain name. For example, if the Windows Server 2003-based
domain is Example.com, type Example.
- In the Initial Password box, type the same password that you used for the trust on the
Windows Server 2003-based domain controller.
Note: You must use the same trust password on both the domain
controller from the trusting domain and the domain controller from the trusted
domain.
- Type the password again in the Confirm Password box, make sure that you are currently logged on to both the
Windows NT-based domain controller and the Windows Server 2003-based domain
controller as an administrator, and then click OK. The Windows Server 2003-based domain is listed in the Trusted Domains list.
- In the Trust Relationships dialog box, click Close.
The trust is created. The Windows Server 2003-based domain
trusts accounts from the Windows NT-based domain.
Create a two-way trust relationship
To create a two-way trust so both domains trust each other:
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and
Trusts.
- In the Active Directory Domains and Trusts snap-in,
right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this
trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click Two-way
  Users in this domain can be authenticated in the
  specified domain, realm, or forest, and users in the specified domain, realm,
  or forest can be authenticated in this domain.
- Click Next, and then click one of the following to select the scope of
authentication for users from the Windows NT domain:
- Allow authentication for all resources in the local domain
  Windows authenticates users from the specified
  domain for all resources in the local domain. This option is preferred when
  both domains belong to the same organization.
- Allow authentication only for selected resources in the local domain
  Windows does not automatically
  authenticate users from the specified domain for any resources in the local
  domain. After you finish this wizard, grant individual access to each server
  that you want to make available to users in the specified domain. This option
  is preferred if the domains belong to different organizations.
- Click Next, and then in the Trust password box, type a
password for this trust. You must use the same password when you create this
trust relationship in the specified domain. After the trust is created, Active
Directory periodically updates the trust password for security purposes. Type
the password again in the Confirm trust password box, and then
click Next.
- Review your settings, and then click Next.
- A message similar to the following message appears:
  Trust relationship created successfully.
  Specified domain: supplier01-int
  Direction: Two-way: Users in the local domain can authenticate in the specified domain and users in
  the specified domain can authenticate in the local domain.
  Trust type: External
  Windows will authenticate users from the specified domain for all resources in the local domain.
  Transitive: No
  Sides of trust: Created the trust for this domain only.
where supplier01-int is the NetBIOS name of the Windows NT
domain for this trust.
- Click Next, and then click Yes, confirm the outgoing
trust.
- Click Yes, confirm the incoming
trust, type the user name and password of an account with
administrative privileges for the specified domain, and then click Next. A message similar to the following message appears:
  Completing the New Trust Wizard
  You have successfully completed the New Trust Wizard, but the newly created trust
  relationship could not be confirmed for the following reasons:
  The verification of the incoming trust failed with the following error(s):
  The target system supplier01-int does not support
  NetLogon trust password verification. A secure channel reset will be
  attempted. The secure channel reset failed with error 1355: The specified
  domain either does not exist or could not be contacted.
  The verification of the outgoing trust failed with the following error(s):
  The trust password verification failed with error 1787: The security database on the
  server does not have a computer account for this workstation trust
  relationship. A secure channel reset will be attempted. The secure
  channel reset failed with error 1787: The security database on the server does
  not have a computer account for this workstation trust relationship.
  Before this trust can function, it must also be created in the other domain.
  Ensure that the same password is used in both domains.
where supplier01-int is the NetBIOS name of the Windows NT
domain for this trust.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
- On the Windows NT-based PDC:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for
Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Domain box, type the Windows Server 2003-based domain name without the
.com portion of the domain name. For example, if the Windows Server 2003-based
domain is Example.com, type Example.
- In the Password box, type a password for the trust.
Note: You must use the same trust password on both the domain
controller from the trusted domain and the domain controller from the trusting
domain.
- Click OK. Note that the Windows Server 2003-based domain is listed in the Trusted Domains list.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Trusted Domains box, type the Windows Server 2003-based domain name without the
.com portion of the domain name.
- In the Password box, type the same password that you used for the trust on the
Windows Server 2003-based domain controller, and then click OK. The Windows Server 2003-based domain is listed in the Trusted Domains list.
- In the Trust Relationships dialog box, click Close.
The two-way trust is created. The Windows NT-based domain
trusts accounts from the Windows Server 2003-based domain, and the Windows
Server 2003-based domain trusts the Windows NT-based domain
accounts.
Verify a trust
To verify that the trust relationship is working, follow these
steps on the Windows Server 2003-based domain controller:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain that
contains the trust you want to verify, and then click Properties.
- Click the Trusts tab, and then under either Domains trusted by this domain
(outgoing trusts) or Domains that trust this domain (incoming
trusts), click the trust to be verified, and then click Properties.
- Click Validate.
Troubleshooting
When you try to create a trust between domains, you may receive
the following error message:
  Could not find domain controller for this domain
This error message can occur for the following reasons:
- Networking issues
  Make sure that both computers
  are using TCP/IP and that you can connect to the other computer by using a
  network utility such as Ping.exe.
- Name resolution issues
  Make sure that the Windows
  NT-based domain controller can resolve the host name of the Windows Server
  2003-based domain controller, and that the Windows Server 2003-based domain
  controller can resolve the NetBIOS name of the Windows NT-based domain
  controller. If you cannot resolve the NetBIOS and host names, create an entry
  in the Lmhosts file on each domain controller that specifies the location of
  the other controller.
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  102725 Lmhosts file information and predefined keywords
- Trust issues
  On a computer that is running an original release version of Windows Server 2003, you may have to set the value of the RestrictAnonymous registry subkey to 0 to establish the trust.
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  246261 How to use the RestrictAnonymous registry value in Windows 2000
  On a computer that is running Windows Server 2003 Service Pack 1 (SP1), you may have to set the value of the RestrictAnonymous registry subkey to 0 and set the value of the RestrictNullSessAccess registry subkey to FALSE to establish the trust.
  To set the value of the RestrictNullSessAccess registry subkey to FALSE, follow these steps:
- Click Start, click Run, type regedit, and then click OK to open Registry Editor.
- Locate the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Right-click this registry subkey, point to New, and then click DWORD Value.
- Type RestrictNullSessAccess, and then press ENTER.
- Double-click RestrictNullSessAccess, type 0 in the Value data box, and then click OK.
- Exit Registry Editor.
- Restart the computer.
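The Lmhosts entries that the "Name resolution issues" item above calls for follow a fixed syntax, and the following added example (not part of the original article) generates them for both controllers. The controller names and 192.0.2.x addresses are constructed placeholders, the `#PRE` and `#DOM:` keywords and the space-padded `\0x1b` domain entry are standard Lmhosts syntax, and each address is assumed to belong to the PDC (or PDC emulator) of its domain.

```python
import ipaddress

NETBIOS_MAX = 15  # 15 name characters; the 16th byte is the type suffix


def netbios(name):
    """Upper-case a NetBIOS name and reject values Lmhosts cannot hold."""
    name = name.strip().upper()
    if not 1 <= len(name) <= NETBIOS_MAX:
        raise ValueError(f"NetBIOS name must be 1-15 characters: {name!r}")
    if any(c.isspace() or c in '"#' for c in name):
        raise ValueError(f"character breaks Lmhosts syntax: {name!r}")
    return name


def lmhosts_entries(dc_ip, dc_name, domain):
    """Return the two Lmhosts lines that locate one remote domain's PDC."""
    ip = str(ipaddress.IPv4Address(dc_ip))  # ValueError on a bad address
    dc, dom = netbios(dc_name), netbios(domain)
    # Domain name padded with spaces to 15 characters plus the \0x1b type
    # code: exactly 20 characters between the quotes.
    quoted = dom.ljust(NETBIOS_MAX) + "\\0x1b"
    return [
        f"{ip}\t{dc}\t#PRE #DOM:{dom}",  # preload the DC, tag its domain
        f'{ip}\t"{quoted}"\t#PRE',       # domain<1B> name registered by the PDC
    ]


# Constructed sample values: the domain names are the article's examples,
# the controller names and 192.0.2.x addresses are placeholders.
NT_PDC = ("192.0.2.10", "NT4PDC01", "supplier01-int")
W2K3_DC = ("192.0.2.20", "W2K3DC01", "Example")


def build():
    """Map each controller to the lines to append to its Lmhosts file."""
    return {
        "Windows Server 2003 DC": lmhosts_entries(*NT_PDC),
        "Windows NT PDC": lmhosts_entries(*W2K3_DC),
    }


if __name__ == "__main__":
    for where, lines in build().items():
        print(f"# Append to the Lmhosts file on the {where}:")
        print("\n".join(lines))
```

After the file is edited, `nbtstat -R` reloads the `#PRE` entries into the NetBIOS name cache.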
REFERENCES
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
139410 "There are currently no logon servers available" error message
175025 How to build and reset a trust relationship from a command line
255551 Cannot set up trust in Windows 2000 domain from Windows NT 4.0
Modification Type: Minor
Last Reviewed: 9/11/2006
Keywords: kbActiveDirectory kbHOWTOmaster kbnetwork KB325874 kbAudITPro