Sharing folders on a Domain Network with Win7, non-domain computers receive "The trust relationship between this workstation and the primary domain failed".
I have 1 Windows 7 computer connected to my SBS2003 Domain. This has been fine so far and I can see the network shares, logon scripts work, and domain settings seem to work.
I use the administrative share for a backup program that runs on a machine that isn't connected to the Domain. It has the same workgroup name as the domain, but is not "attached" to the domain. This machine uses a Domain Administrator's credentials to log into each machine at night and back up the user's profile folder. This works fine for all machines on the network: 2000, XP, Vista.
The Windows 7 machine rejects the connection with the error "The trust relationship between this workstation and the primary domain failed." I assume this is because the backup machine is not listed in the domain.
I also have various other machines on the network that are not attached to the domain but use the same workgroup name. These machines also receive the same error when trying to connect to any share on the Windows 7 machine. Connecting to shares via computers not attached to the domain results in a popup box asking for credentials. After proper domain/username/password is entered, they are allowed to browse the device. This no longer happens with Windows 7, the connection is rejected immediately.
I assume this is some sort of security policy that doesn't allow shares to be browsed by computers not listed in the domain computers OU. Is there a way to disable this policy?
Answers
Please change the NTLM authentication level in Windows 7. You may refer to the following article.
Network security: LAN Manager authentication level
Please change the level to “Send LM & NTLM - use NTLMv2 session security if negotiated”.
If the issue persists, I suggest that you make the following changes on the Windows 7 computer:
1. Open gpedit.msc.
2. Find the policy Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Configure encryption types allowed for Kerberos
3. Configure the policy. If it is not configured, actually both DES cipher suites are disabled. I suggest that you enable all the suites.
Then please check the result.
Arthur Xie - MSFT - Marked As Answer by DLeVasseur, Friday, November 06, 2009 5:38 PM
- Well, I applied the policies via GPO and still the same issue. Hrm...
EDIT:
I finally dug a little deeper and found that the Win7 machine did suffer from the NETLOGON issues where on first connection to the domain the computer passwords do not sync up and the trust relationship is broken. I removed the machine from the network, deleted it from the computer list and reconnected it and with the above fixes, everything is working splendidly! Hopefully this trust isn't broken again in the future.
Thanks Arthur! - Marked As Answer by Arthur Xie MSFT, Moderator, Tuesday, November 10, 2009 2:50 AM
All Replies
- Neither of those options worked. Probably because the local GP is being overridden by the domain policy. I found the settings in the domain policy and they are not configured. I think I'll move the Win7 Computer to a test OU and make the changes to see if they help.
Thanks for the quick reply.
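An added example, not part of the original thread: a read-only PowerShell check for the Windows 7 machine that reports the two policy settings named in the answer and tests the machine's secure channel to the domain, which the asker found to be the underlying fault. The function name `Get-ShareAuthState` is hypothetical; the registry paths are the standard backing locations for those two Security Options policies.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Get-ShareAuthState is a hypothetical name, not a built-in cmdlet.
function Get-ShareAuthState {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $kerb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

    # "Network security: LAN Manager authentication level" is stored as 0-5.
    $lmNames = @(
        'Send LM & NTLM responses',
        'Send LM & NTLM - use NTLMv2 session security if negotiated',
        'Send NTLM response only',
        'Send NTLMv2 response only',
        'Send NTLMv2 response only. Refuse LM',
        'Send NTLMv2 response only. Refuse LM & NTLM')
    $lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($lm -eq $null) { $lmText = 'Not configured (OS default applies)' }
    else               { $lmText = "$lm = $($lmNames[$lm])" }

    # "Configure encryption types allowed for Kerberos" is a bitmask.
    $encNames = 'DES_CBC_CRC','DES_CBC_MD5','RC4_HMAC_MD5','AES128_HMAC_SHA1','AES256_HMAC_SHA1'
    $bits     = 1, 2, 4, 8, 16
    $enc = (Get-ItemProperty -Path $kerb -Name SupportedEncryptionTypes `
            -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($enc -eq $null) { $encText = 'Not configured' }
    else {
        $on = @(0..4 | Where-Object { $enc -band $bits[$_] } | ForEach-Object { $encNames[$_] })
        $encText = $on -join ', '
    }

    # Machine-account trust: the NETLOGON problem the asker eventually found.
    $trust = $null
    if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
        try   { $trust = Test-ComputerSecureChannel -ErrorAction Stop }
        catch { $trust = $false }   # domain unreachable or channel broken
    }

    New-Object PSObject -Property @{
        LmAuthLevel      = $lmText
        KerberosEncTypes = $encText
        DesEnabled       = [bool]($enc -band 3)   # either DES bit set
        SecureChannelOk  = $trust
    }
}

Get-ShareAuthState | Format-List
```

A `SecureChannelOk` value of `False` corresponds to the broken trust relationship described in the final post. `DesEnabled = True` or an `LmAuthLevel` of 1 shows that the relaxed settings from the answer are still in effect on the machine.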

