Configure IT Quick: Establishing trusts between Windows NT and Windows 2000 domains

When you begin to implement Windows 2000 domains, chances are you’ll have at least one or more NT 4 domains that will need to talk to the newly installed Windows 2000 domains. By establishing trusts between the two different domains, you’ll have the ability to share information between systems without requiring a wholesale changeover to Windows 2000. In this Daily Feature, I’ll show you the steps required to establish trusts in both the NT 4 and Windows 2000 domains.

A few considerations
When you establish domain trusts between NT and Windows 2000 networks, the two networks should be on the same physical network or, at a minimum, connected by a high-speed link. This is necessary both for security and because of the type of traffic that flows between the domains.

If your two networks aren’t in the same location, you’ll need one of two things:
  • A direct private-line connection
  • A VPN connection (over the Internet) between sites

This is because the domain trust process relies on remote procedure call (RPC) communications. RPC traffic can’t pass over the Internet, and even if it could, it isn’t the kind of traffic you would want to send over a connection that isn’t secured.

If you haven’t already implemented WINS on your Windows 2000 network, now would be a good time to do so. You aren’t supposed to need WINS with Windows 2000; however, when I recently set up domain trusts between an NT 4 network and a Windows 2000 network, I posed a question about this to Microsoft. The company told me that this was one case where you needed to implement WINS on Windows 2000. If you didn’t install WINS on your server when you first installed Windows 2000, you should do so now. If you don’t know how, check the Daily Feature entitled "Setting up WINS in Windows 2000."

Likewise, if you haven’t implemented WINS on your NT 4 network, you’ll need to do so before trying to implement domain trusts. A word to the wise: Set up the WINS service on your PDC. If you don’t have that option, pick your BDC and then put the IP address of the BDC in the WINS server entry in the TCP/IP properties of the PDC. To find out more about WINS in a Windows NT 4 environment, see the Daily Drill Down titled "Understanding Windows Internet Naming Service (WINS)."

Establish domain trusts from Windows 2000
From the Windows 2000 server, open a command prompt. Ping the NT 4 server with which you’ll be establishing a trust. (This tells you very quickly if you have a good communications path to the other domain. If you can’t ping the NT 4 server, you’ll need to identify the cause of the problem and fix it before proceeding.)

After you’ve verified communications, click Start | Programs | Administrative Tools | Active Directory Domains And Trusts. Click the domain in which your Windows 2000 server resides. Right-click on the domain and select the Properties menu option.

When the Domain Properties screen appears (in Windows 2000, the domain name will look something like yourdomain.local), click the Trusts tab and then click Add. In the Trusted Domain input field, enter the name of the NT 4 domain with which you are establishing the trust. You’ll also need to enter a password in the Domain Trust Password field to establish the trust. (This can be any password you wish, but you’ll need to use the same one on your NT 4 domain.) Enter the same password in the Confirm Password input field and click OK to continue. If the other domain controller can’t be found, you may have a WINS issue, which should be addressed before going further. If everything’s okay, click OK to continue. The domain trust you entered should now be showing on the Trusts tab of the Domain Properties screen.

Click the Add button next to the Domains That Trust This Domain option. Enter the name of the NT 4 domain with which you are establishing a trust in the Trusting Domain input field. Enter the domain trust password in both the Password and the Confirm Password input fields. Click OK to continue. The domain trust that you created should now appear on the Domain Properties screen. Once you have the domain trust set up on the Windows 2000 side, you’ll need to repeat the domain trusts process on the NT 4 side.

Checking the effect on WINS
After you’ve established trusts on both sides, you should start a WINS replication process from one network or the other—but not both. To do so, from the Windows 2000 side, start WINS Manager. Select your server’s name from the left pane. Select Start Pull Replication from the Actions menu to pull WINS information from your Windows NT server. Conversely, you can do a Push Replication if you want.

Once things have had a chance to settle (this can be anywhere from at least 10 minutes to several hours depending on the size of your network), click on the Active Registrations item in the Windows 2000 WINS Manager. Select Find By Name from the Actions menu. Enter the first letter in the name of one of your servers in the Find Names Beginning With field and you should begin to see the information the WINS server has about both networks. Nevertheless, don’t be surprised if you don’t see anything show up right away. Depending on the network activity on both networks and the available bandwidth between networks, it could take several hours before any information starts to appear.

One thing you’ll want to add to your list of periodic (or, more accurately, preventative) maintenance tasks is verifying that the domain trusts are still in place and working. On the Windows 2000 network, this is done in the same Active Directory Domains And Trusts tool you used to create the trusts; on the NT 4 network, it’s done in Server Manager. Unfortunately, the tools for repairing a broken trust are practically nonexistent, so be prepared to remove the domain trust configuration from both networks and then re-create it as if it had never been in place.
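The article leaves the periodic trust check as a manual inspection in the GUI. As an added example (not from the article or from Microsoft), the script below turns it into a baseline comparison: it parses the output of `nltest /domain_trusts` (a command-line tool in the Windows 2000 Support Tools), records which trusts exist and in which direction, and reports any expected trust that has gone missing or lost a direction, as well as any trust that appears but is not in the baseline. The sample `nltest` output, the domain names and the baseline are constructed for the example; on a real server you would feed the script the live command output instead.

```python
import re

# Constructed sample of `nltest /domain_trusts` output, in the shape the Windows 2000
# Support Tools nltest prints. NT4DOM and CORP are made-up names for this example.
SAMPLE_NLTEST_OUTPUT = """\
List of domain trusts:
    0: NT4DOM (NT 4) (Direct Outbound) (Direct Inbound)
    1: CORP corp.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
The command completed successfully
"""

# Constructed output showing two failure modes: the NT 4 trust has lost its inbound
# direction, and a trust nobody documented (OTHERNT) has appeared.
BROKEN_SAMPLE_OUTPUT = """\
List of domain trusts:
    0: NT4DOM (NT 4) (Direct Outbound)
    1: CORP corp.local (NT 5) (Forest Tree Root) (Primary Domain) (Native)
    2: OTHERNT (NT 4) (Direct Inbound)
The command completed successfully
"""

# Baseline of trusts the administrator expects, keyed by NetBIOS name.
# "outbound" = this domain trusts the other (Trusted Domain in the GUI);
# "inbound"  = the other domain trusts this one (Domains That Trust This Domain).
EXPECTED_TRUSTS = {
    "NT4DOM": {"outbound": True, "inbound": True},
}

# One trust entry: index, NetBIOS name, optional DNS name, NT level, then the flags.
TRUST_LINE = re.compile(r"^\s*\d+:\s+(\S+)\s+(?:(\S+\.\S+)\s+)?\((NT\s+\d)\)\s*(.*)$")
FLAG = re.compile(r"\(\s*([^()]*?)\s*\)")


def parse_domain_trusts(text):
    """Return {netbios: {"dns": str|None, "nt_level": str, "flags": set}} from nltest output."""
    trusts = {}
    for line in text.splitlines():
        m = TRUST_LINE.match(line)
        if not m:
            continue  # banner and status lines carry no trust data
        netbios, dns, nt_level, rest = m.groups()
        trusts[netbios] = {
            "dns": dns,
            "nt_level": nt_level,
            "flags": set(FLAG.findall(rest)),
        }
    return trusts


def check_trusts(observed, expected):
    """Compare parsed trusts against the baseline; return a list of problem descriptions."""
    problems = []
    for name, want in expected.items():
        seen = observed.get(name)
        if seen is None:
            problems.append(f"{name}: expected trust is missing")
            continue
        if want["outbound"] and "Direct Outbound" not in seen["flags"]:
            problems.append(f"{name}: outbound direction (we trust them) is missing")
        if want["inbound"] and "Direct Inbound" not in seen["flags"]:
            problems.append(f"{name}: inbound direction (they trust us) is missing")
    for name, seen in observed.items():
        if "Primary Domain" in seen["flags"]:
            continue  # the local domain always appears in its own trust list
        if name not in expected:
            problems.append(f"{name}: unexpected trust not in baseline")
    return problems


if __name__ == "__main__":
    for label, output in (("healthy", SAMPLE_NLTEST_OUTPUT), ("broken", BROKEN_SAMPLE_OUTPUT)):
        problems = check_trusts(parse_domain_trusts(output), EXPECTED_TRUSTS)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the healthy sample the check returns no problems; against the broken sample it reports the missing inbound direction on NT4DOM and the undocumented OTHERNT trust. Because the article notes that a failed trust usually has to be torn down and re-created on both sides, catching a lost direction early, before users start reporting access failures, is the point of keeping the baseline and running the comparison on a schedule.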

As you can see, setting up domain trusts isn’t too difficult. Nevertheless, it’s a task that you should start when you have plenty of time to devote to it. And remember, by making sure that WINS is running on both networks before getting started, you should be able to avoid most of the problems that can be encountered by setting up domain trusts.
