NT4

By Wizard-09 ·
Hi, I am too young to know about NT4; I know a bit. The problem is I have set up 2 other trusts with other domains from the main office to other sites. All the other sites use 2000 - 2003. I have problems setting up the trust with NT4.

I have LMHOSTS files, DNS forwarders and hosts files in place, and can ping the domain names from each server. When I try to run the New Trust Wizard it says the name you have given is not a Windows domain, please try again or use v5rlam. I have done everything as I did for the other servers, so why won't this work? The only thing that I can think of is that when I was working on the NT4 server, in DNS it only let me add one of the DNS servers for the other site and not the other one. Can you only input 3 DNS servers in NT4?

The domain name is belfast_dom.

The LMHOSTS file is as below; it's perfect:

***.***.***.* FID_BELFAST_PDC #PRE #DOM:BELFAST_DOM
***.***.***.* "BELFAST_DOM \0x1b" #PRE

More information: when I do Start > Run \\belfast_dom\ it will not give me a logon box, but when I use the IP address it does. Could this be related to the problem?

Any help would be great, thanks.
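An added check, not part of the original post, for the two LMHOSTS records an NT4 domain trust depends on. It parses an LMHOSTS file, enforces the quoted-name rule (the domain name space-padded to exactly 15 characters followed by \0x1b, 20 characters between the quotes) and reports whether a #PRE #DOM entry and a matching \0x1b domain master browser entry exist for the domain. The sample file is constructed in the layout of the file quoted above, with RFC 5737 documentation addresses in place of the masked IPs; the function and field names are mine.

```python
"""Added check: parse an LMHOSTS file and confirm it carries the two records an
NT4 domain trust needs for NetBIOS name resolution: a #PRE #DOM:<domain> entry
for the PDC and a padded "<domain>    \\0x1b" domain master browser entry that
points at the same address. The sample file and its addresses are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

NETBIOS_NAME_LEN = 15            # a NetBIOS name is 15 characters plus a 1-byte suffix
DOMAIN_MASTER_BROWSER = 0x1B     # suffix of the domain master browser record
LINE_RE = re.compile(r'^\s*(\S+)\s+(?:"([^"]*)"|(\S+))(.*)$')


@dataclass
class Entry:
    line_no: int
    ip: str
    name: str            # NetBIOS name, upper-cased, padding stripped
    suffix: int | None   # 16th byte such as 0x1B; None when no \0x.. suffix was given
    preload: bool        # #PRE present
    domain: str | None   # value of #DOM:


def parse_lmhosts(text: str) -> tuple[list[Entry], list[str]]:
    """Return (entries, problems); each problem string starts with its line number."""
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank line or comment
        m = LINE_RE.match(raw)
        if not m:
            problems.append(f"{line_no}: cannot parse {raw!r}")
            continue
        ip, quoted, bare, tail = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{line_no}: {ip!r} is not an IP address")
            continue
        suffix = None
        if quoted is not None:
            # Quoted form: the name space-padded to exactly 15 characters, then \0xNN,
            # 20 characters between the quotes. A mis-padded entry is loaded under a
            # different name and never matches the <domain>[1B] lookup.
            head, sep, hexpart = quoted.partition("\\0x")
            if sep:
                if len(head) != NETBIOS_NAME_LEN or not re.fullmatch(r"[0-9A-Fa-f]{2}", hexpart):
                    problems.append(
                        f"{line_no}: {quoted!r} must be {NETBIOS_NAME_LEN} characters then "
                        f"\\0xNN; found {len(head)} characters before the suffix")
                    continue
                suffix = int(hexpart, 16)
            name = head.rstrip()
        else:
            name = bare
        if not name or len(name) > NETBIOS_NAME_LEN:
            problems.append(f"{line_no}: NetBIOS name {name!r} must be 1-{NETBIOS_NAME_LEN} characters")
            continue
        preload, domain = False, None
        for tok in tail.split():
            if tok == "#PRE":
                preload = True
            elif tok.startswith("#DOM:") and len(tok) > 5:
                domain = tok[5:].upper()
            elif tok.startswith("#"):
                break                                  # any other '#' begins a comment
            else:
                problems.append(f"{line_no}: unexpected token {tok!r} after the name")
        entries.append(Entry(line_no, ip, name.upper(), suffix, preload, domain))
    return entries, problems


def check_trust_records(entries: list[Entry], domain: str) -> list[str]:
    """Findings that would leave <domain>[1B] unresolvable from this file."""
    domain = domain.upper()
    findings = []
    pdc = [e for e in entries if e.domain == domain and e.suffix is None]
    dmb = [e for e in entries if e.name == domain and e.suffix == DOMAIN_MASTER_BROWSER]
    if not pdc:
        findings.append(f"no #PRE #DOM:{domain} entry naming the PDC")
    if not dmb:
        findings.append(f'no "{domain:<{NETBIOS_NAME_LEN}}\\0x1b" domain master browser entry')
    for e in pdc + dmb:
        if not e.preload:
            findings.append(f"line {e.line_no}: missing #PRE, so the entry is never preloaded")
    # On NT4 the PDC is always the domain master browser, so both records must agree.
    if pdc and dmb and not any(p.ip == dmb[0].ip for p in pdc):
        findings.append("the \\0x1b entry does not point at any #DOM (PDC) address")
    return findings


# Constructed sample in the layout shown in the question, with RFC 5737 documentation
# addresses in place of the masked IPs. Line 2 has one space of padding, as the post
# shows it; line 3 has the four spaces needed to reach 15 characters.
SAMPLE = """\
192.0.2.10    FID_BELFAST_PDC    #PRE #DOM:BELFAST_DOM
192.0.2.10    "BELFAST_DOM \\0x1b"    #PRE
192.0.2.10    "BELFAST_DOM    \\0x1b"    #PRE
"""

if __name__ == "__main__":
    found, issues = parse_lmhosts(SAMPLE)
    for p in issues:
        print("problem:", p)
    for f in check_trust_records(found, "belfast_dom"):
        print("finding:", f)
```

Run it over a copy of %SystemRoot%\system32\drivers\etc\lmhosts from the server the trust is created on. The second sample line, with a single space of padding as the post shows it, is reported as a problem (whether the forum collapsed the spaces cannot be told from the post), while the four-space version passes. After editing the file, `nbtstat -R` purges and reloads the preloaded entries and `nbtstat -c` shows whether BELFAST_DOM <1B> is in the name cache.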

See if any of these methods work for your issue in adding an NT4 trust.

Adding the machines' names isn't all that you need to add to the LMHOSTS file; you need to define the Domain Master Browser as well. Have a look here:
How to write an Lmhosts file for domain validation and other name resolution issues
http://support.microsoft.com/?kbid=180094
And make sure you don't use the AD domain's FQDN in the LMHOSTS file; use the NetBIOS name.
You won't need the hosts file; DNS has nothing to do with creating a trust with an NT4 domain.
.........................................

SECURITY SETTINGS
Most commonly the Active Directory side is the "locked down" side of the trust that
causes problems. However, both sides must be checked.

For Windows 2000 and 2003 these settings may be applied/configured via group policy
or a local policy (or applied security template). When determining the current
values of these settings it is imperative that the proper tools be used or
inaccurate readings may occur.

Simply viewing these settings via GPEdit.msc, SecPol.msc, or by looking at the
values in the registry is not sufficient. These methods display the configured
values, not the effective ones. For instance, one may configure RestrictAnonymous=2
via group policy. Viewing this setting in the registry would show a value of 2, but
that is what it is set to, not what the effective setting is. A reboot is needed to
make this value actually apply.

To obtain an accurate snapshot of the current security settings there is one way in
W2K and two in W2K3.
- Windows 2000: Use the Security Configuration and Analysis mmc.
Gpresult Does Not Enumerate the Resultant Computer Security Policy
http://support.microsoft.com/?id=258595

- Windows 2003: Use the Security Configuration and Analysis mmc or RSOP.
How To Install and Use RSoP in Windows Server 2003
http://support.microsoft.com/?id=323276

Once determination of the current settings is made the next step is to identify
from where these settings are coming (which group policy in the AD, or local
settings, etc). With Windows 2003 the RSoP tool shows the policy from which the
values are set. In Windows 2000 we must look at the following two items:
- Enable Winlogon logging
How to Enable Logging for Security Configuration Client Processing in Windows 2000
http://support.microsoft.com/?id=245422

- Look at the local cache of the group policy applied security policies.
Event ID 1000 and event ID 1202 are logged to the event log every five minutes
in Windows 2000 Server
http://kb/article.asp?id=319352
For NT4 these settings are accessible primarily in the registry.

Ensure the following settings are configured as shown:
WINDOWS 2000
RestrictAnonymous
- Additional restrictions for anonymous connections "None. Rely on default
permissions"

LM Compatibility
- LAN Manager authentication level:
"LM & NTLM responses" OR
"Send LM & NTLM - use NTLMV2 session security if negotiated"

SMB Signing and/or Encrypting
- Digitally sign client communications (always) DISABLED
- Digitally sign client communications (when possible) ENABLED
- Digitally sign server communications (always) DISABLED
- Digitally sign server communications (when possible) ENABLED
- Secure channel: Digitally encrypt or sign secure channel data (always) DISABLED
- Secure channel: Digitally encrypt secure channel data (when possible) DISABLED
- Secure channel: Digitally sign secure channel data (when possible) DISABLED
- Secure channel: Require strong (Windows 2000 or later) session key DISABLED


WINDOWS 2003 SERVER
RestrictAnonymous and RestrictAnonymousSam
- Network access: Allow anonymous SID/Name translation ENABLED
- Network access: Do not allow anonymous enumeration of SAM accounts DISABLED
- Network access: Do not allow anonymous enumeration of SAM accounts and shares DISABLED
- Network access: Let Everyone permissions apply to anonymous users ENABLED
- Network access: Named pipes can be accessed anonymously ENABLED
- Network access: Restrict anonymous access to Named Pipes and shares DISABLED

LM Compatibility
- Network security: LAN Manager authentication level: "LM & NTLM responses" or
"Send LM & NTLM - use NTLMV2 session security if negotiated"

SMB Signing and/or Encrypting
- Microsoft network client: Digitally sign communications (always) DISABLED
- Microsoft network client: Digitally sign communications (if server agrees) ENABLED
- Microsoft network server: Digitally sign communications (always) DISABLED
- Microsoft network server: Digitally sign communications (if client agrees) ENABLED
- Domain member: Digitally encrypt or sign secure channel data (always) DISABLED
- Domain member: Digitally encrypt secure channel data (when possible) ENABLED
- Domain member: Digitally sign secure channel data (when possible) ENABLED
- Domain member: Require strong (Windows 2000 or later) session key DISABLED

2. Once the settings are properly configured, reboot. These settings may appear to
be in effect (GPEdit.msc, SecPol.msc, registry values) but are not enforced until
reboot.

3. After reboot, ensure the values are still set as expected.
Use Security Configuration and Analysis (or the appropriate tool) in Windows 2000 and
2003 to check the settings. It may require a wait of 10 minutes before this check
shows the correct values. AD policy is applied every 5 minutes on a DC and may alter
these values, so waiting 10 minutes ensures all security policies have applied and
the effective settings are in place.

With NT4 the only way to verify the settings is with the Regedt32 tool.


Registry and Group Policy locations for the above values:
RestrictAnonymous
- Windows NT registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters

- Windows 2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

- Windows 2000/2003 group policy:
Computer Configuration \ Windows Settings \ Security Settings \ Security Options
Additional restrictions for anonymous connections

RestrictAnonymousSAM
- Windows 2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

- Windows 2003 group policy:
Computer Configuration \ Windows Settings \ Security Settings \ Security Options
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares

EveryoneIncludesAnonymous
- Windows 2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

- Windows 2003 group policy:
Computer Configuration \ Windows Settings \ Security Settings \ Security Options
Network access: Let Everyone permissions apply to anonymous users

LM Compatibility
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

- Windows 2000/2003 group policy
Computer Configuration \ Windows Settings \ Security Settings \ Security Options
- Windows 2000: LAN Manager authentication level
- Windows 2003: Network security: LAN Manager authentication level

EnableSecuritySignature (client)
- Windows 2000/2003 registry:
HKey_Local_Machine\System\CurrentControlSet\Services\LanManWorkstation\Parameters\EnableSecuritySignature

- Windows 2000/2003 group policy
Computer Configuration \ Windows Settings \ Security Settings \ Security Options
- Windows 2000: Digitally sign client communication (when possible)
- Windows 2003: Microsoft network client: Digitally sign communications (if server agrees)


RequireSecuritySignature (client)
- Windows 2000/2003 registry:
HKey_Local_Machine\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature

- Windows 2000/2003 group policy
Computer Configuration \ Windows Settings \ Security Settings \ Security Options
- Windows 2000: Digitally sign client communication (always)
- Windows 2003: Microsoft network client: Digitally sign communications (always)

EnableSecuritySignature (server)
- Windows NT registry:
HKey_Local_Machine\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature

- Windows 2000/2003 registry:
HKey_Local_Machine\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

- Windows 2000/2003 group policy
- Windows 2000: Digitally sign server communication (when possible)
- Windows 2003: Microsoft network server: Digitally sign communications (if client agrees)

RequireSecuritySignature (server)
- Windows NT registry:
HKey_Local_Machine\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature

- Windows 2000/2003 registry:
HKey_Local_Machine\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature

- Windows 2000/2003 group policy
- Windows 2000: Digitally sign server communication (always)
- Windows 2003: Microsoft network server: Digitally sign communications (always)

RequireSignOrSeal
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Windows 2000/2003 group policy:
- Windows 2000: Digitally encrypt or sign secure channel data (always)
- Windows 2003: Domain member: Digitally encrypt or sign secure channel data (always)

SealSecureChannel
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Windows 2000/2003 group policy:
- Windows 2000: Secure channel: Digitally encrypt secure channel data (when possible)
- Windows 2003: Domain member: Digitally encrypt secure channel data (when possible)

SignSecureChannel
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Windows 2000/2003 group policy:
- Windows 2000: Secure channel: Digitally sign secure channel data (when possible)
- Windows 2003: Domain member: Digitally sign secure channel data (when possible)

RequireStrongKey
- Windows NT/2000/2003 registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Windows 2000/2003 group policy:
- Windows 2000: Secure channel: Require strong (Windows 2000 or later) session key
- Windows 2003: Domain member: Require strong (Windows 2000 or later) session key


USER RIGHTS
Ensure User Rights are set as the following:
- Access this computer from the network: Everyone
- Deny access to this computer from the network: does not contain a principal that
would affect the PDC (e.g. Everyone, Authenticated Users, etc.)


GROUP MEMBERSHIP
This aspect only applies to 2000/2003 domain controllers.

Ensure the following group memberships are in place.
Pre-Windows 2000 compatible access group contains:
- Windows 2000: Everyone
- Windows 2003: Everyone, Anonymous Logon
Note: "Anonymous Logon" must be added if the "Let Everyone permissions apply to
anonymous users" policy setting is not enabled.

If changes are needed the only way to add members to the Pre-Windows 2000
compatible access group is with the "NET Localgroup" command. Please see
Error Message: Unable to Browse the Selected Domain Because the Following Error
Occurred...
http://support.microsoft.com/?id=257942
for more information. If changes to the group are made the DC must be rebooted for
the changes to take effect.

Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks
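An added check, not part of the answer above, that reads a regedit export of the keys the answer lists and flags dword values that contradict the settings it gives for a Windows 2000/2003 DC (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous, LMCompatibilityLevel, the client and server RequireSecuritySignature values, RequireSignOrSeal and RequireStrongKey). The key paths are those given in the answer; the sample export is constructed and the function, class and constant names are mine. As the answer notes, a registry read shows configured rather than effective values, so run this after the reboot and the 10-minute wait, not before.

```python
"""Added check: audit a regedit export (regedit /e) of the keys listed in the
answer against the values it says an NT4 trust needs on a 2000/2003 DC. Only
dword values present in the export are judged; an absent value means the OS
default applies and is reported as unchecked. The sample export is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
WKS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters"
SRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"

# (key, value name, acceptable-value predicate, Security Options wording from the answer)
CHECKS: list[tuple[str, str, Callable[[int], bool], str]] = [
    (LSA, "RestrictAnonymous", lambda v: v == 0, "Additional restrictions for anonymous connections: None"),
    (LSA, "RestrictAnonymousSAM", lambda v: v == 0, "Do not allow anonymous enumeration of SAM accounts: Disabled"),
    (LSA, "EveryoneIncludesAnonymous", lambda v: v == 1, "Let Everyone permissions apply to anonymous users: Enabled"),
    (LSA, "LMCompatibilityLevel", lambda v: v <= 1, "LAN Manager authentication level: LM & NTLM responses"),
    (WKS, "RequireSecuritySignature", lambda v: v == 0, "Client: digitally sign communications (always): Disabled"),
    (SRV, "RequireSecuritySignature", lambda v: v == 0, "Server: digitally sign communications (always): Disabled"),
    (NETLOGON, "RequireSignOrSeal", lambda v: v == 0, "Digitally encrypt or sign secure channel data (always): Disabled"),
    (NETLOGON, "RequireStrongKey", lambda v: v == 0, "Require strong (Windows 2000 or later) session key: Disabled"),
]

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict[str, dict[str, int]]:
    """Map lower-cased key path -> {lower-cased value name: int} for every dword in the export.
    The caller decodes the file: 'Windows Registry Editor Version 5.00' exports are
    UTF-16LE with a BOM, REGEDIT4 exports (NT4) are ANSI. Registry names are
    case-insensitive, hence the lower-casing."""
    values: dict[str, dict[str, int]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT4")
                or line.startswith("Windows Registry Editor")):
            continue
        if m := SECTION_RE.match(line):
            key = m.group(1).lower()
            values.setdefault(key, {})
        elif key is not None and (m := DWORD_RE.match(line)):
            values[key][m.group(1).lower()] = int(m.group(2), 16)
        # REG_SZ, hex: and multi-line values are not needed for these checks and are skipped
    return values


@dataclass
class Finding:
    key: str
    name: str
    value: int | None    # None: value absent from the export, so the OS default applies
    ok: bool | None      # None: not judged because the value is absent
    policy: str


def audit(values: dict[str, dict[str, int]]) -> list[Finding]:
    out = []
    for key, name, acceptable, policy in CHECKS:
        v = values.get(key.lower(), {}).get(name.lower())
        out.append(Finding(key, name, v, None if v is None else acceptable(v), policy))
    return out


def blockers(values: dict[str, dict[str, int]]) -> list[Finding]:
    """The findings whose present value contradicts the setting the answer requires."""
    return [f for f in audit(values) if f.ok is False]


# Constructed export from a hardened 2003 DC: the anonymous, LM and secure-channel
# "always" settings are locked down, which is what the answer says stops the trust;
# the server signing requirement is already off, and two values are absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000002
"restrictanonymoussam"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"lmcompatibilitylevel"=dword:00000003
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"SealSecureChannel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"requiresecuritysignature"=dword:00000000
"""

if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        state = "unchecked" if f.ok is None else ("ok" if f.ok else "BLOCKER")
        print(f"{state:9} {f.name:<26} {str(f.value):>4}  {f.policy}")
```

Export the keys on the DC with `regedit /e <file> <key>` for each of the four keys, concatenate the files, and open them with `encoding="utf-16"` before passing the text in (NT4's REGEDIT4 files are ANSI and parse the same way). An "unchecked" result means the value is absent from the export and the OS default is in force; that default is not judged here, so verify it with Security Configuration and Analysis or RSoP as the answer describes.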

?

by Wizard-09 In reply to See any of these methods ...

I don't think it's any of the above. I have 2 other trusts set up with 2000 - 2003 servers; trying to add the NT4 server for trusting, it can't resolve the name belfast_dom. It says it's not a domain controller. I can ping belfast_dom by name, and in the LMHOSTS file I am using the NetBIOS name belfast_dom and not the FQDN.

So any other thoughts on what it might be? Thanks for the help.

OK, here you need to run the 2000 server in Mixed Mode

by OH Smeg In reply to NT4

Because the system in NT4 Server is different to 2000 Server. While you can have a 2000 Server communicate with an NT Server, the settings are different to either 2000 or 2003.

I think that this M$ Knowledge Base article will be of more help to you here:

http://support.microsoft.com/kb/555038/en-us

Col

Sorry

by Wizard-09 In reply to OK here you need to run t ...

Again, this does not help me. I just need to set up the trust between the sites. When I launch the New Trust Wizard it says belfast_dom is not a domain controller, so I'm thinking it can't resolve the name. I have LMHOSTS files, hosts files and the like, and I can ping belfast_dom from cmd, but the wizard won't pick it up?

I am not too sure you read ALL of what I put in my earlier post.

In the earlier post I put in a bit of detail. Have another read of it and see if it helps out.

Ok

by Wizard-09 In reply to I am not too sure you rea ...

OK, I will have a read over all of it. I just thought that because it worked with 2000 - 2003 servers these settings should not need to be changed, because it picked up the 2000 - 2003 servers. Plus I am not even getting to the stage where I can set up the two-way trust, but I will take your advice as I asked for it and will read over everything; if it doesn't help then at least I will have learned something new.

No you are mistaken

by OH Smeg In reply to Ok

When we moved from NT4 to 2000 and then 2003, changes had to be made to the basic systems at the software level to allow the NT boxes to be usable.

You need to change both 2000 & 2003 to Mixed Mode to work with an NT4 box at the very least. You have to change things long before you can establish a trust between the later M$ server applications and NT4.

Col

Mixed Mode

by Wizard-09 In reply to No you are mistaken

This is already in place. I can't see why the wizard will not find the domain name belfast_dom; I can ping it from the server the trust is being set up on. Also on that server I have DNS forwarders in place to point to the DNS of the NT4 box. I can map from domain A to B and from B to A. I have the right LMHOSTS files in place with the right spacing, and have hosts files, so why won't the wizard see belfast_dom as a domain? I'm at the point of cracking up at this stage, lol. It took a while to sort out the other trusts in the domain; I don't want the same thing again, lol.

Still no luck after trying that?

by Wizard-09 In reply to NT4

Still can't get the wizard to find belfast_dom to set up the trust.
