Windows Server 2008 R2 - NT4 Two way trust

  • Hi,

    We are about to undertake a project to upgrade our Windows Server 2003 domain to Windows Server 2008 R2. We have done this in test with no problems; however, our production environment has a 2 way external trust with an NT4 domain. I was hoping someone on here may have had to do this already (despite how much I wish we could get away from this NT4 domain, at present it is not possible).

    Any feedback/articles would be greatly appreciated. I am going to be setting up a trust between my test environment and this NT4 domain early next week so I will let everyone know how we go/what issues we run into.

    Regards,
    Leigh

    Thursday, January 07, 2010 10:58 PM


  • Hello Leigh,

    You may have a look at KB 889030.

    Trust between a Windows NT domain and an Active Directory domain cannot be established or it does not work as expected
    http://support.microsoft.com/Default.aspx?id=889030

    In addition, the following thread might be also helpful for you to configure Windows 2008 R2 - NT4 two way trust.

    Configuring trusts between a Windows NT4 domain and a Server 2008 domain
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/4c96207a-2d96-4002-b626-272c53a5a703

    Best regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, January 08, 2010 8:27 AM
  • Thank you very much for the reply Wilson. I had seen those articles already and am just testing the process out now. Will keep you updated.
    Thursday, January 14, 2010 9:51 PM
  • Well, I have finally been able to test the steps in the posts above, and they do not allow a 2 way trust. I have implemented the following GP changes as per various articles I have read:

    http://support.microsoft.com/default.aspx/kb/889030
    &
    http://support.microsoft.com/kb/942564/

    Windows Server 2008 R2 Domain to NT4 Domain
    You can ONLY have a one way trust (with the above settings)

    Windows Server 2008 Domain to NT4 Domain
    A two way external trust works perfectly

    Windows Server 2003 R2 Domain to NT4 Domain
    A two way external trust works perfectly

    Windows Server 2008 R2 Domain to Windows Server 2003 R2 Domain
    A two way forest trust works perfectly

    So there is clearly a problem with R2 as opposed to just Windows Server 2008. I hope someone from MS or these forums can help me out with this. Maybe it's just another group policy setting or a hotfix.

    Here are some of the troubleshooting steps I have gone through.

    ------------------------------
    One-way incoming trust
    ------------------------------

    The NT4 PDC has been set up with the W2K8R2 domain name in the trusted domains.
    The W2K8R2 DC has been set up with the NT4 domain name in the incoming trusts.

    I then validate the trust in W2K8R2 and get a confirmation box that everything is fine.
    On the PDC I run the following command and get a success:

    C:\TEMP\Files\netmgmt>nltest /sc_query:W2K8R2Domain
    Flags: 0
    Connection Status = 0 0x0 NERR_Success
    Trusted DC Name \\W2K8R2DC
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    I can now log onto the NT4 domain with an account from my W2K8R2 domain and connect to file shares in the NT4 domain.

    ------------------------------
    Two-way external trust
    ------------------------------

    The NT4 PDC has been set up with the W2K8R2 domain name in the trusted & trusting domains.
    The W2K8R2 DC has been set up with the NT4 domain name in the incoming & outgoing trusts.

    I then validate the trust in W2K8R2 on both the incoming and outgoing trusts. Both fail with the following error:

    "Verification of the trust between the domain W2K8R2.local and the domain NT4Domain was unsuccessful because: Access denied.
    To repair a trust to a pre-Windows 2000 domain you must remove and re-add the trust on both sides"

    However, if I run the following nltest /sc_query in either the NT4 or W2K8R2 domain, I get a success:

    C:\Windows\system32>nltest /sc_query:NT4Domain
    Flags: 0
    Trusted DC Name \\NT4PDC
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    C:\TEMP\Files\netmgmt>nltest /sc_query:W2K8R2Domain
    Flags: 0
    Connection Status = 0 0x0 NERR_Success
    Trusted DC Name \\W2K8R2DC
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    But if I run nltest /sc_verify from the W2K8R2DC I get:

    C:\Windows\system32>nltest /sc_verify:NT4Domain
    Flags: 80
    Trusted DC Name
    Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
    Trust Verification Status = 5 0x5 ERROR_ACCESS_DENIED
    The command completed successfully

    On the NT4 box in the Event Viewer I see the following:

    The session setup from the computer W2K8R2DC failed to authenticate. The name of the account referenced in the security database is W2K8R2Domain$.  The following error occurred:
    Access is denied.

    I can still log onto the NT4 domain with an account from my W2K8R2 domain and connect to file shares in the NT4 domain.
    ------------------------------

    Hopefully someone on here can help me out, as it's got me stumped.

    Wednesday, January 20, 2010 3:06 AM
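An added example, not part of the thread, that automates the check Leigh did by hand: it parses nltest /sc_query and /sc_verify output for one trusted domain and flags the pattern above (query succeeds, verify returns ERROR_ACCESS_DENIED). Function names are my own assumptions, and the sample output is constructed from the outputs posted above.

```powershell
# Added example (not from the thread). Parses nltest output and reports the trust
# secure-channel state. Run on a DC with -TrustedDomain only to query nltest live,
# or pass captured output to analyse it offline. Function names are assumptions.
function Get-NltestStatus {
    param([string[]]$Lines)
    $status = [ordered]@{ Flags = $null; ConnectionCode = $null; VerifyCode = $null; Detail = $null }
    foreach ($line in $Lines) {
        if ($line -match '^\s*Flags:\s*(\S+)') { $status.Flags = $Matches[1] }
        # Matches both "Connection Status = 0 0x0 NERR_Success" and
        # "Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED"
        if ($line -match 'Connection Status(?: Status)?\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(\S+)') {
            $status.ConnectionCode = [int]$Matches[1]; $status.Detail = $Matches[2]
        }
        if ($line -match 'Trust Verification Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(\S+)') {
            $status.VerifyCode = [int]$Matches[1]; $status.Detail = $Matches[2]
        }
    }
    [pscustomobject]$status
}

function Test-TrustSecureChannel {
    param(
        [Parameter(Mandatory)][string]$TrustedDomain,
        [string[]]$QueryOutput,    # captured text; omit both to run nltest live
        [string[]]$VerifyOutput
    )
    if (-not $QueryOutput)  { $QueryOutput  = & nltest "/sc_query:$TrustedDomain"  2>&1 | ForEach-Object { "$_" } }
    if (-not $VerifyOutput) { $VerifyOutput = & nltest "/sc_verify:$TrustedDomain" 2>&1 | ForEach-Object { "$_" } }
    $q = Get-NltestStatus $QueryOutput
    $v = Get-NltestStatus $VerifyOutput
    # sc_query reports the state of the existing secure channel; sc_verify makes the DC
    # re-authenticate the trust account against the trusted DC. Success from the first
    # with ERROR_ACCESS_DENIED (5) from the second is the pattern in the thread: the
    # channel looks healthy until the DC actually has to prove the trust.
    if ($q.ConnectionCode -eq 0 -and $v.VerifyCode -eq 5) {
        return "${TrustedDomain}: secure channel OK, but trust verification returned ACCESS_DENIED. Check the trusted side's security log for a failed session setup from this domain's trust account, and review the NT4 compatibility settings in KB 942564."
    }
    if ($q.ConnectionCode -ne 0) { return "${TrustedDomain}: no secure channel (code $($q.ConnectionCode) $($q.Detail))." }
    if ($v.VerifyCode -ne 0)     { return "${TrustedDomain}: verification failed (code $($v.VerifyCode) $($v.Detail))." }
    return "${TrustedDomain}: secure channel and trust verification OK."
}

# Constructed sample: the two outputs captured on the W2K8R2 DC for the NT4 domain.
$query  = @('Flags: 0', 'Trusted DC Name \\NT4PDC',
            'Trusted DC Connection Status Status = 0 0x0 NERR_Success', 'The command completed successfully')
$verify = @('Flags: 80', 'Trusted DC Name', 'Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED',
            'Trust Verification Status = 5 0x5 ERROR_ACCESS_DENIED', 'The command completed successfully')
Test-TrustSecureChannel -TrustedDomain 'NT4Domain' -QueryOutput $query -VerifyOutput $verify
```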
  • LeighMo, did you ever get this figured out? We are having the same problem with our R2 to NT4 trust as well and need some help!

    thx


    Mugshots
    Tuesday, April 20, 2010 7:58 PM
  • I have the same problem between NT4 and Windows 2008 R2. Unfortunately, I found this note in KB 942564, so I understand that this kind of trust is not supported. If someone resolves this issue, please let us know the way....

    Important: Windows NT 4.0 trusts cannot be created between Windows Server 2008 R2-based domains and Windows NT 4.0-based domains. The workaround steps that are documented later in this article apply to only Windows Server 2008. Security changes that are in Windows Server 2008 R2 prevent a trust between Windows Server 2008 R2-based domains and Windows NT 4.0-based domains. This behavior is by design.

    Look for yourself: http://support.microsoft.com/kb/942564/en-us

    thx...

    Thursday, June 03, 2010 9:53 PM
  • Trusts between NT 4.0 and 2008 R2 domains are not supported.  I have verified this with Microsoft Premier Support.

    Windows NT 4.0 and 2008 R2 Domain Trust Relationships
    http://www.anitkb.com/2010/06/windows-nt-40-and-2008-r2-domain-trust.html


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, June 03, 2010 10:49 PM
  • Hi there,

    We have asked the query in respect to the domain controllers, and not just the domain level, and have not had an answer. So let me try again....

    NT4 domain with NT PDC/BDC, trust with a Windows 2003 domain but Windows 2008 DCs? Works or not? What settings?

    NT4 domain with PDC/BDC (NT4), trust with a Windows 2003 domain but 2008 DCs? Works or not? What settings?

    Windows 2003 with DCs on 2003 and domain level Windows 2003, trust with a Windows 2008 domain and Windows 2008 R2 DCs? What settings?

    Windows 2003 with DCs on 2003 and domain level Windows 2003, trust with a Windows 2008 R2 domain? What settings?

    thx

    Thursday, June 17, 2010 8:57 PM
  • It is not the domain functional level specifically that you need to be concerned with in regards to the trusts.  All of the versions of Windows NT-2008 support trusts between the DCs in their respective domains.  However, with Windows 2008 R2, trusts with DCs in an NT 4.0 domain are NOT supported, even with the custom settings that allowed it for 2008.

    For instance, if I have a Windows 2008 domain and I run adprep for R2, I can still have existing trusts with an NT 4.0 domain.  However, I will begin to experience issues with the trusts as I start introducing 2008 R2 DCs.

    I hope this explains it for you.  All four of your questions/scenarios are supported.


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, June 17, 2010 11:44 PM
  • Jorge, thanks for writing back. I'm going to be pedantic here - I forgot the R2 in scenario 2.

    NT4 domain with PDC/BDC (NT4), trust with a Windows 2003 domain but Windows 2008 R2 DCs? Works or not? What settings?

    My understanding is no, this is not supported, as per the link http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2%28WS.10%29.aspx and "Secure channels between computers running Windows NT 4.0 and Windows 7 or Windows Server 2008 R2 are not supported. Affected operations include validation of trusts, domain joins, and authentications over secure channels."

    This would suggest that after adprep for Windows 2008 R2 DCs, BUT with a domain remaining at functional level 2003, once the DCs are Windows 2008 R2 the trust relationship cannot happen.

    Has anyone asked this to Microsoft Premier?

    D


    Friday, June 18, 2010 2:02 PM