Configuring trusts between a Windows NT4 domain and a Server 2008 domain
-
Tuesday, September 01, 2009 9:45 AM
Hi Guys,
I'm at my wit's end trying to configure a trust between Windows NT4 and Windows Server 2008 domains.
There are 2 MS articles I have followed advising different changes in the Default Domain Controllers GPO in the 2008 domain, and these are as follows:
I have set the Allow cryptography algorithms compatible with Windows NT 4.0 setting
and the following GPO settings:
Network access: Allow anonymous SID/Name translation - ENABLED
Network access: Do not allow anonymous enumeration of SAM accounts - DISABLED
Network access: Do not allow anonymous enumeration of SAM accounts and shares - DISABLED
Network access: Let Everyone permissions apply to anonymous users - ENABLED
Network access: Named pipes can be accessed anonymously - ENABLED
Network access: Restrict anonymous access to Named Pipes and shares - DISABLED
Network security: LAN Manager authentication level - "Send NTLM response only"
Microsoft network client: Digitally sign communications (always) - DISABLED
Microsoft network client: Digitally sign communications (if server agrees) - ENABLED
Microsoft network server: Digitally sign communications (always) - DISABLED
Microsoft network server: Digitally sign communications (if client agrees) - ENABLED
Domain member: Digitally encrypt or sign secure channel data (always) - DISABLED
Domain member: Digitally encrypt secure channel data (when it is possible) - ENABLED
Domain member: Digitally sign secure channel data (when it is possible) - ENABLED
Domain member: Require strong (Windows 2000 or later) session key - DISABLED
The 2008 domain trusts the NT4 domain; however, when trying to set up the NT4 side of the trust I get the error 'Could not find domain controller for this domain'. I can ping the 2008 DC from the NT4 side, and the following shows in the NT4 NetBIOS cache:
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
------------------------------------------------------------
2008-domain <00> GROUP 0.0.0.0 175
2008-domain <1C> GROUP 10.30.105.49 -1
2008-domain <1B> UNIQUE 10.30.105.49 -1
2008-DC <03> UNIQUE 10.30.105.49 -1
2008-DC <00> UNIQUE 10.30.105.49 -1
2008-DC <20> UNIQUE 10.30.105.49 -1
Can anyone help me out to get this working?
Thanks in advance
All Replies
-
Tuesday, September 01, 2009 10:29 AM
Hello,
how did you configure DNS for the trust on both domains?
Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
-
Tuesday, September 01, 2009 10:44 AM
Hi, thanks for the reply.
I'm a little confused by the question, as NT4 has to resolve using NetBIOS for trusts. To enable name resolution I've amended the LMHOSTS file on both domains to add the following syntax:
172.26.0.14 NT4PDC #PRE #DOM:DOMAIN_NAME1
172.26.0.14 "DOMAIN_NAME1   \0x1b" #PRE
And vice-versa for the NT4 domain.
Tuesday, September 01, 2009 7:04 PM
By any chance is this a 2008 R2 domain? I had a trust working fine with a 2008 domain I'm building to replace the NT4 domain, but since upgrading to R2, I can't get it re-established.
-
Tuesday, September 01, 2009 8:33 PM
This won't work because NTLMv1 is not supported anymore in Windows Server 2008. Exchanging communications with a computer running Windows NT Server 4.0 or earlier uses NTLMv1. Only NTLMv2 and higher is supported in Windows Server 2008. When you create a trust with a NT4 domain, NTLMv1 authentication is used.
NTLMv2 first became available in Windows NT® 4.0 Service Pack 4 (SP4).
NTLMv2 NT Authentication
We all know, or should know, that NTLMv1 is not encrypted and is therefore very insecure; that is also the reason it is not supported in Windows Server 2008.
Does this answer your question?
Certifications: MCSA 2003 MCSE 2003
- Proposed As Answer by Guido van Brakel Tuesday, September 01, 2009 8:34 PM
-
Wednesday, September 02, 2009 3:56 AM
Moderator
Hi there,
I would like to ask one question: why are you still using Windows NT Server? I would strongly recommend you upgrade to Windows 2003 / Windows 2008. I understand, though, that this doesn't resolve your purpose.
sainath !analyze -
Wednesday, September 02, 2009 8:19 AM
Hi shadowman123,
I'm a little confused, as I've read that other people have successfully created an NT4 trust. Are you saying that it's completely impossible to get an NT4 domain to trust a 2008 domain?
Sainath IRP_MJ_CREATE - We simply have 2 domains which were never upgraded for one reason or another. Now we're consolidating domains and we need to migrate off of NT4, but in the interim we need trusts between all domains.
Wednesday, September 02, 2009 2:30 PM
Hi shadowman123,
Hi,
I'm a little confused, as I've read that other people have successfully created an NT4 trust. Are you saying that it's completely impossible to get an NT4 domain to trust a 2008 domain?
Sainath IRP_MJ_CREATE - We simply have 2 domains which were never upgraded for one reason or another. Now we're consolidating domains and we need to migrate off of NT4, but in the interim we need trusts between all domains.
You have to configure NTLMv2 authentication on the NT4 domain (this can break existing trusts that are using NTLMv1).
After installing SP4, perform the following steps to configure the LM Compatibility level on Windows NT workstations and servers. Make sure that SP4 for Windows NT is installed.
- Run Registry Editor (Regedt32.exe).
- From the HKEY_LOCAL_MACHINE subtree, go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
- Click Add Value on the Edit menu.
- Add the following values:
Value Name: LMCompatibilityLevel
Data Type: REG_DWORD
Data: 5
- From the HKEY_LOCAL_MACHINE subtree, go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Click Add Value on the Edit menu.
- Add the following values:
Value Name: NtlmMinClientSec
Data Type: REG_DWORD
Data: 0 (default) or as defined above
Value Name: NtlmMinServerSec
Data Type: REG_DWORD
Data: 0 (default) or as defined above
- Click OK and then quit Registry Editor.
- Shut down and restart Windows NT.
How to disable LM authentication on Windows NT4
On the Windows 2008 domain you need to modify the group policy
By configuring the following policy setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication Level, selecting the "Send NTLMv2 response only\refuse LM & NTLM" option in the policy setting.
Please do this carefully;
side effects I've heard of from administrators who have implemented this setting are (a) some older network appliances stop working since they rely on NTLMv1 and can't do NTLMv2, and (b) integrated Windows authentication can fail for external users trying to access SharePoint sites. There may be other side effects as well for your environment, so be sure to test everything carefully if you plan on making this change on your network.
Certifications: MCSA 2003 MCSE 2003
- Proposed As Answer by Guido van Brakel Wednesday, September 02, 2009 2:38 PM
- Marked As Answer by Miles Zhang (Moderator) Monday, September 07, 2009 1:18 AM
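The Security Options listed in the original question and the LMCompatibilityLevel / NtlmMinClientSec / NtlmMinServerSec values in the answer above are all backed by registry values, so an administrator can audit which NT4-compatibility relaxations are still in force on the 2008 side, and revert them once the NT4 domain has been migrated away. The PowerShell script below is an added example, not code from any poster in this thread or from Microsoft's KB articles. The key and value names are the documented registry locations for those policies; which value this script treats as "hardened" is its own assumption, and it omits "Allow anonymous SID/Name translation" and "Named pipes can be accessed anonymously", which are not simple DWORDs. It needs an elevated session on Windows Server 2008 or later (PowerShell does not exist on NT4).

```powershell
# Added example: audit the registry values behind the NT4-compatibility
# Security Options discussed in this thread and report which are still relaxed.
# Run in an elevated PowerShell session on Windows Server 2008 or later.

# Meaning of LmCompatibilityLevel, as shown in the GPO editor.
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Flag bits of NtlmMinClientSec / NtlmMinServerSec (Lsa\MSV1_0); the NT4 steps
# in this thread leave both at 0, i.e. no minimum session security is required.
$NtlmMinSecFlags = @{
    [int64]0x00000010 = 'Message integrity'
    [int64]0x00000020 = 'Message confidentiality'
    [int64]0x00080000 = 'NTLMv2 session security'
    [int64]0x20000000 = '128-bit encryption'
    [int64]0x80000000 = '56-bit encryption'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent value: the OS default applies
    return $item.$Name
}

# Registry location, the GPO name as it appears in this thread, and the value
# the hardened (post-migration) state should have. "Hardened" is an assumption
# of this script, chosen as the setting that refuses LM/NTLMv1 or anonymous access.
$Checks = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='LmCompatibilityLevel'; Hardened=5
       Gpo='Network security: LAN Manager authentication level' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymousSAM'; Hardened=1
       Gpo='Network access: Do not allow anonymous enumeration of SAM accounts' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous'; Hardened=1
       Gpo='Network access: Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='EveryoneIncludesAnonymous'; Hardened=0
       Gpo='Network access: Let Everyone permissions apply to anonymous users' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RestrictNullSessAccess'; Hardened=1
       Gpo='Network access: Restrict anonymous access to Named Pipes and shares' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RequireSecuritySignature'; Hardened=1
       Gpo='Microsoft network server: Digitally sign communications (always)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature'; Hardened=1
       Gpo='Microsoft network client: Digitally sign communications (always)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='RequireSignOrSeal'; Hardened=1
       Gpo='Domain member: Digitally encrypt or sign secure channel data (always)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='RequireStrongKey'; Hardened=1
       Gpo='Domain member: Require strong (Windows 2000 or later) session key' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='AllowNT4Crypto'; Hardened=0
       Gpo='Allow cryptography algorithms compatible with Windows NT 4.0' }
)

function Get-LegacyAuthPosture {
    foreach ($c in $Checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        if ($null -eq $actual) { $state = 'not set (OS default)' }
        elseif ($actual -eq $c.Hardened) { $state = 'hardened' }
        else { $state = 'RELAXED' }
        $detail = ''
        if ($c.Name -eq 'LmCompatibilityLevel' -and $null -ne $actual) { $detail = $LmLevelText[[int]$actual] }
        [pscustomobject]@{ Setting=$c.Gpo; Value=$actual; Expected=$c.Hardened; State=$state; Detail=$detail }
    }
}

function Get-NtlmMinSecText {
    param($Value)
    if ($null -eq $Value) { return 'not set (OS default)' }
    $v = [int64]$Value -band 0xFFFFFFFF          # REG_DWORD arrives as Int32; treat as unsigned
    if ($v -eq 0) { return '0 (no minimum: NTLMv1 session security accepted)' }
    $names = foreach ($bit in ($NtlmMinSecFlags.Keys | Sort-Object)) { if ($v -band $bit) { $NtlmMinSecFlags[$bit] } }
    return ('0x{0:X8} ({1})' -f $v, ($names -join ', '))
}

function Get-NtlmMinSecPosture {
    foreach ($n in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $raw = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name $n
        [pscustomobject]@{ Setting=$n; Decoded=(Get-NtlmMinSecText -Value $raw) }
    }
}

Get-LegacyAuthPosture | Format-Table -AutoSize -Wrap
Get-NtlmMinSecPosture | Format-Table -AutoSize -Wrap
```

Rows reported as RELAXED are the ones that were loosened for the NT4 trust and should be scheduled for reversal once the last NT4 system is retired; an LmCompatibilityLevel of 2 (the "Send NTLM response only" setting from the question) or a NtlmMinClientSec of 0 are the two that matter most, since they are what keep NTLMv1 acceptable on the network.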
-
Thursday, February 10, 2011 7:53 AM
Hi there,
I would like to ask one question: why are you still using Windows NT Server? I would strongly recommend you upgrade to Windows 2003 / Windows 2008. I understand, though, that this doesn't resolve your purpose.
sainath !analyze
Many reasons, but primarily the odds are very high that the 2003+ OSes, especially the 2008/7/Vista renditions, need new hardware, and if upgrading the hardware was the plan, then it would be easier to network the more contemporary and compatible AD-based and supporting OSes. That's the current "nit" with Microsoft's KBs for NT to AD migration suggestions: first upgrade the NT 4.0 PDC to at least Windows 2000. It usually means new hardware. This is probably why it appears tons of people are repeatedly having this issue when they make the move to AD. The requirements for the new OSes and AD are pretty high, hardware-wise, and we need to do that; then the IDEAL solution would be one that allows:
"One time, NO TRUST REQUIRED Conversion Wizard over the NETWORK from
the source PDC machine to the new target AD box"
Once done, the TRUST channels can be activated. I think the AD Migration Tools try this, but it is hindered with the TRUST restriction. I couldn't get too far with it. In our case, the NT 4.0 PDC worked perfectly fine as a pure DC and WINS server, and we chose to purchase two new machines and install the newer OSes on them, one with 2003 and one with 2008. I installed AD on the 2003 as a new pristine AD domain and I'm now dealing with this trust issue with the PDC machine only.
If I can't get this TRUST setup to work with it, then I will manually move the accounts over to the AD and have each machine on our small network just join the new AD domain. It's only about 10 total.
Hector Santos, http://www.santronics.com
Via Wildcat! Live Exchange NNTP Gateway http://opensite.winserver.com