Configuring trusts between a Windows NT4 domain and a Server 2008 domain

    Question

  • Hi Guys,

    I'm at my wits' end trying to configure a trust between Windows NT4 and Windows Server 2008 domains.

    There are two MS articles I have followed advising different changes in the Default Domain Controllers GPO in the 2008 domain, and these are as follows:

    I have set the "Allow cryptography algorithms compatible with Windows NT 4.0" setting

    and the following GPO settings:
      Network access: Allow anonymous SID/Name translation -   ENABLED
      Network access: Do not allow anonymous enumeration of SAM accounts -    DISABLED
      Network access: Do not allow anonymous enumeration of SAM accounts and shares -   DISABLED
      Network access: Let Everyone permissions apply to anonymous users -   ENABLED
      Network access: Named pipes can be accessed anonymously -   ENABLED
      Network access: Restrict anonymous access to Named Pipes and shares -   DISABLED
      Network security: LAN Manager authentication level -   "Send NTLM response only"
      Microsoft network client: Digitally sign communications (always) -   DISABLED
      Microsoft network client: Digitally sign communications (if server agrees) -   ENABLED
      Microsoft network server: Digitally sign communications (always) -   DISABLED
      Microsoft network server: Digitally sign communications (if client agrees) -   ENABLED
      Domain member: Digitally encrypt or sign secure channel data (always) -   DISABLED
      Domain member: Digitally encrypt secure channel data (when it is possible)   - ENABLED
      Domain member: Digitally sign secure channel data (when it is possible) -   ENABLED
      Domain member: Require strong (Windows 2000 or later) session key -   DISABLED

    The 2008 domain trusts the NT4 domain; however, when trying to set up the NT4 side of the trust I get the error 'Could not find domain controller for this domain'. I can ping the 2008 DC from the NT4 side and the following shows in the NT4 NetBIOS cache:

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    2008-domain    <00>  GROUP       0.0.0.0             175
    2008-domain    <1C>  GROUP       10.30.105.49        -1
    2008-domain    <1B>  UNIQUE      10.30.105.49        -1
    2008-DC        <03>  UNIQUE      10.30.105.49        -1
    2008-DC        <00>  UNIQUE      10.30.105.49        -1
    2008-DC        <20>  UNIQUE      10.30.105.49        -1

    Can anyone help me out to get this working?

    Thanks in advance



    Tuesday, September 01, 2009 9:45 AM

Answers

  • Hi shadowman123,

    I'm a little confused, as I've read that other people have successfully created an NT4 trust. Are you saying that it's completely impossible to get an NT4 domain to trust a 2008 domain?

    Sainath IRP_MJ_CREATE - We simply have 2 domains which were never upgraded for one reason or another. Now we're consolidating domains and we need to migrate off of NT4, but in the interim we need trusts between all domains.
    Hi,

    You have to configure NTLMv2 authentication on the NT4 domain (this can break existing trusts that use NTLMv1).
    After installing SP4, perform the following steps to configure the LM compatibility level on Windows NT workstations and servers. Make sure that SP4 for Windows NT is installed.
    1. Run Registry Editor (Regedt32.exe).
    2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
    3. Click Add Value on the Edit menu.
    4. Add the following values:
            Value Name: LMCompatibilityLevel
      Data Type: REG_DWORD
      Data: 5
    5. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    6. Click Add Value on the Edit menu.
    7. Add the following values:
            Value Name: NtlmMinClientSec
      Data Type: REG_DWORD
      Data: 0 (default) or as defined above

      Value Name: NtlmMinServerSec
      Data Type: REG_DWORD
      Data: 0 (default) or as defined above
    8. Click OK and then quit Registry Editor.
    9. Shut down and restart Windows NT.
    Please read this support article very carefully:
    How to disable LM authentication on Windows NT4

    On the Windows 2008 domain you need to modify the group policy
    By configuring the following policy setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication Level, by selecting the "Send NTLMv2 response only\refuse LM & NTLM" option in the policy setting.

    Please do this carefully;
    I've heard from administrators who have implemented this setting that (a) some older network appliances stop working since they rely on NTLMv1 and can't do NTLMv2, and (b) integrated Windows authentication can fail for external users trying to access SharePoint sites. There may be other side effects as well for your environment, so be sure to test everything carefully if you plan on making this change on your network.

    Certifications: MCSA 2003 MCSE 2003
    Wednesday, September 02, 2009 2:30 PM
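The GPO list in the question and the LAN Manager authentication level discussed in the answer above both come down to registry values that Group Policy writes on the 2008 DC. The following PowerShell script is an added example, not code from this thread or from Microsoft: run on the 2008 DC after `gpupdate /force`, it reads those values and compares them with what the poster says is configured, so you can tell whether the policy actually applied before chasing the trust error further. The expected values are the poster's settings, not a recommendation. "Allow anonymous SID/Name translation" is held in the LSA policy database rather than the registry, so the script skips it; the registry paths and value names are the documented backing values for these policies.

```powershell
# Added example (not from the original thread): check the registry values that back the
# Default Domain Controllers GPO settings listed in the question, plus LmCompatibilityLevel.
# The registry is what the system actually enforces, so read it after 'gpupdate /force'.
# Expected values are the poster's stated configuration, NOT a recommendation: most of them
# weaken the DC (anonymous enumeration, unsigned SMB, NTLMv1, NT4-compatible crypto).

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Policy display name -> registry path, value name, value the poster says is configured.
# "Allow anonymous SID/Name translation" lives in the LSA policy database, not the registry;
# inspect it with 'secedit /export /cfg <file>' (LSAAnonymousNameLookup) instead.
$checks = @(
    @{ Name='Allow cryptography algorithms compatible with Windows NT 4.0'; Path=$netlogon; Value='AllowNT4Crypto';            Expected=1 },
    @{ Name='Do not allow anonymous enumeration of SAM accounts';            Path=$lsa;      Value='RestrictAnonymousSAM';      Expected=0 },
    @{ Name='Do not allow anonymous enumeration of SAM accounts and shares'; Path=$lsa;      Value='RestrictAnonymous';         Expected=0 },
    @{ Name='Let Everyone permissions apply to anonymous users';             Path=$lsa;      Value='EveryoneIncludesAnonymous'; Expected=1 },
    @{ Name='Restrict anonymous access to Named Pipes and shares';           Path=$srv;      Value='RestrictNullSessAccess';    Expected=0 },
    @{ Name='LAN Manager authentication level (2 = Send NTLM response only)'; Path=$lsa;     Value='LmCompatibilityLevel';      Expected=2 },
    @{ Name='Client: Digitally sign communications (always)';                Path=$wks;      Value='RequireSecuritySignature';  Expected=0 },
    @{ Name='Client: Digitally sign communications (if server agrees)';      Path=$wks;      Value='EnableSecuritySignature';   Expected=1 },
    @{ Name='Server: Digitally sign communications (always)';                Path=$srv;      Value='RequireSecuritySignature';  Expected=0 },
    @{ Name='Server: Digitally sign communications (if client agrees)';      Path=$srv;      Value='EnableSecuritySignature';   Expected=1 },
    @{ Name='Domain member: Digitally encrypt or sign secure channel data (always)';   Path=$netlogon; Value='RequireSignOrSeal'; Expected=0 },
    @{ Name='Domain member: Digitally encrypt secure channel data (when possible)';    Path=$netlogon; Value='SealSecureChannel'; Expected=1 },
    @{ Name='Domain member: Digitally sign secure channel data (when possible)';       Path=$netlogon; Value='SignSecureChannel'; Expected=1 },
    @{ Name='Domain member: Require strong (Windows 2000 or later) session key';       Path=$netlogon; Value='RequireStrongKey';  Expected=0 }
)

# Read a REG_DWORD, returning $null when the value has not been written (default applies).
function Get-RegDword($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$name
}

$results = foreach ($c in $checks) {
    $actual = Get-RegDword $c.Path $c.Value
    $state = if ($actual -eq $null) { 'NOT SET (default applies)' }
             elseif ($actual -eq $c.Expected) { 'matches' }
             else { 'DIFFERS' }
    New-Object PSObject -Property @{
        Setting  = $c.Name
        Value    = $c.Value
        Expected = $c.Expected
        Actual   = $actual
        State    = $state
    }
}
$results | Format-Table Setting, Expected, Actual, State -AutoSize

# "Named pipes can be accessed anonymously" is a REG_MULTI_SZ list, not a DWORD; show it separately.
$pipes = (Get-ItemProperty -Path $srv -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
"NullSessionPipes: " + ($pipes -join ', ')
```

LmCompatibilityLevel meanings for reading the output: 0 and 1 send LM and NTLM responses, 2 sends NTLM only (the poster's "Send NTLM response only"), 3 sends NTLMv2 only, 4 additionally refuses inbound LM, and 5 refuses inbound LM and NTLM, which is the "Send NTLMv2 response only\refuse LM & NTLM" option the answer recommends. Level 5 on the DC means an NT4 machine without SP4 (the first release with NTLMv2) can no longer authenticate to it. Everything loosened for the trust here widens the DC's attack surface, so tighten it again once the NT4 domain is retired.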

All replies

  • Hello,

    how did you configure DNS for the trust on both domains?
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, September 01, 2009 10:29 AM
  • Hi, Thanks for the reply.

    I'm a little confused by the question, as NT4 has to resolve using NetBIOS for trusts. To enable name resolution I've amended the LMHOSTS file on both domains to add the following syntax:

    172.26.0.14   NT4PDC #PRE #DOM:DOMAIN_NAME1
    172.26.0.14   "DOMAIN_NAME1   \0x1b"   #PRE

    And vice-versa for the NT4 domain.

    Tuesday, September 01, 2009 10:44 AM
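As an added example, not from the original post, here is a small PowerShell helper that generates the two LMHOSTS lines the poster describes and checks an LMHOSTS file for the two common mistakes with the <1B> (domain master browser / PDC) entry: a domain name not padded with spaces to exactly 15 characters before `\0x1b`, and a missing or mismatched `#DOM:` tag. The IP address, host name and domain name in the usage lines are the poster's placeholders, not real values.

```powershell
# Added example (not from the original thread): generate and validate the LMHOSTS entries
# that a NetBIOS-only (NT4) trust needs. NT4 locates the remote PDC through the <1B> name,
# so the #DOM entry and the <1B> entry must both be present and correctly formed.

function New-LmhostsDomainEntries {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$DcName,
        [Parameter(Mandatory=$true)][string]$DomainName
    )
    # NetBIOS names are at most 15 characters; the 16th byte is the suffix (<1B>, <1C>, ...).
    foreach ($n in @($DcName, $DomainName)) {
        if ($n.Length -gt 15) { throw "'$n' is longer than 15 characters; not a valid NetBIOS name" }
    }
    # The <1B> entry must be quoted and padded with spaces to exactly 15 characters before
    # the \0x1b suffix; otherwise the suffix lands in the wrong byte and the wrong name is cached.
    $padded = $DomainName.ToUpper().PadRight(15)
    @(
        ('{0,-17}{1} #PRE #DOM:{2}' -f $IPAddress, $DcName.ToUpper(), $DomainName.ToUpper()),
        ('{0,-17}"{1}\0x1b" #PRE' -f $IPAddress, $padded)
    )
}

function Test-LmhostsEntries {
    param([string[]]$Lines, [string]$DomainName)
    # Returns the problems found; an empty list means the #DOM and <1B> entries for
    # $DomainName look right. Entries for other domains in the same file are ignored.
    $dom = $DomainName.ToUpper()
    $problems = @()
    $domPattern = '^\s*\d{1,3}(\.\d{1,3}){3}\s+\S+.*#DOM:' + [regex]::Escape($dom) + '\s*$'
    if (-not ($Lines | Where-Object { $_ -match $domPattern })) {
        $problems += "no '#PRE #DOM:$dom' entry"
    }
    # Collect the quoted names of every <1B> entry (the text between the quotes, before \0x1b).
    $oneB = @()
    foreach ($line in $Lines) {
        if ($line -match '"([^"]*)\\0x1b"') { $oneB += $Matches[1] }
    }
    $mine = @($oneB | Where-Object { $_.TrimEnd().ToUpper() -eq $dom })
    if ($mine.Count -eq 0) {
        $problems += "no <1B> entry for $dom"
    } elseif ($mine[0].Length -ne 15) {
        $problems += "<1B> entry for $dom is $($mine[0].Length) characters inside the quotes; pad with spaces to exactly 15"
    }
    return ,$problems
}

# Usage with the poster's placeholder values: lines to append to
# %SystemRoot%\system32\drivers\etc\lmhosts (no extension) on the 2008 side.
$entries = New-LmhostsDomainEntries -IPAddress '172.26.0.14' -DcName 'NT4PDC' -DomainName 'DOMAIN_NAME1'
$entries
Test-LmhostsEntries -Lines $entries -DomainName 'DOMAIN_NAME1'      # no output = no problems found

# Or check an existing file:
# Test-LmhostsEntries -Lines (Get-Content "$env:SystemRoot\system32\drivers\etc\lmhosts") -DomainName 'DOMAIN_NAME1'
```

After editing LMHOSTS, run `nbtstat -R` to purge and reload the name cache from the file, then `nbtstat -c` to display it; a correct entry appears as `DOMAIN <1B> UNIQUE` with the PDC's address, which is what the question's cache listing shows for the 2008 side. LMHOSTS lookup also has to be enabled in the adapter's TCP/IP WINS settings, or the file is never consulted.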
  • By any chance is this a 2008 R2 domain? I had a trust working fine with a 2008 domain I'm building to replace the NT4 domain, but since upgrading to R2, I can't get it re-established.
    Tuesday, September 01, 2009 7:04 PM
  • This won't work because NTLMv1 is not supported anymore in Windows Server 2008. Exchanging communications with a computer running Windows NT Server 4.0 or earlier uses NTLMv1. Only NTLMv2 and higher is supported in Windows Server 2008. When you create a trust with a NT4 domain, NTLMv1 authentication is used.

    NTLMv2 first became available in Windows NT® 4.0 Service Pack 4 (SP4).
    NTLMv2 NT Authentication

    We all know, or should know, that NTLMv1 is not encrypted and therefore very insecure; that is also the reason it is not supported in Windows Server 2008.

    Does this answer your question?


    Certifications: MCSA 2003 MCSE 2003
    Tuesday, September 01, 2009 8:33 PM
  • hi there,

    I would like to ask one question: why are you still using Windows NT Server? I would strongly recommend you upgrade to Windows 2003 / Windows 2008. I understand, though, that this doesn't resolve your purpose.
    sainath !analyze
    Wednesday, September 02, 2009 3:56 AM
  • Hi shadowman123,

    I'm a little confused, as I've read that other people have successfully created an NT4 trust. Are you saying that it's completely impossible to get an NT4 domain to trust a 2008 domain?

    Sainath IRP_MJ_CREATE - We simply have 2 domains which were never upgraded for one reason or another. Now we're consolidating domains and we need to migrate off of NT4, but in the interim we need trusts between all domains.
    Wednesday, September 02, 2009 8:19 AM
  • hi there,

    I would like to ask one question: why are you still using Windows NT Server? I would strongly recommend you upgrade to Windows 2003 / Windows 2008. I understand, though, that this doesn't resolve your purpose.
    sainath !analyze

    Many reasons, but primarily the odds are very high that the 2003+ OSes, especially the 2008/7/Vista renditions, need new hardware, and if upgrading the hardware was the plan, then it would be easier to network the more contemporary and compatible AD-based and supporting OSes. That's the current "nit" with Microsoft's KBs for NT-to-AD migration suggestions: first upgrade the NT 4.0 PDC to at least Windows 2000. It usually means new hardware. This is probably why it appears tons of people are repeatedly having this issue when they make the move to AD. The requirements for the new OSes and AD are pretty high hardware-wise, and we need to do that; then the IDEAL solution would be one that allows:

         "One time, NO TRUST REQUIRED Conversion Wizard over the NETWORK from
          the source PDC machine to the new target AD box"  

    Once done, the TRUST channels can be activated. I think the AD Migration Tool tries this, but it is hindered by the TRUST restriction. I couldn't get too far with it.

    In our case, the NT 4.0 PDC worked perfectly fine as a pure DC and WINS server, and we chose to purchase two new machines and install the newer OSes on them, one with 2003 and one with 2008. I installed AD on the 2003 as a new pristine AD domain, and I'm now dealing with this trust issue with the PDC machine only.

    If I can't get this TRUST setup to work with it, then I will manually move the accounts over to AD and have each machine on our small network just join the new AD domain. It's only about 10 total.


    Hector Santos, http://www.santronics.com
    Via Wildcat! Live Exchange NNTP Gateway http://opensite.winserver.com
    Thursday, February 10, 2011 7:53 AM