Trust Relationship

By Randrew
Lots of people have been experiencing problems with trust relationships between NT4 domains and Active Directory. This document lists the options for implementing a trust relationship between an NT4 domain and Active Directory.
Creating a trust relationship between an NT4 domain and an Active Directory domain has some basic requirements that must be met for the trust to function properly. The requirements are listed below:

1. Make sure that the Windows NT-based domain controllers can resolve the host names of the Windows 2000-based domain controllers, and that the Windows 2000-based domain controllers can resolve the NetBIOS names of the Windows NT-based domain controllers.
2. If using a WINS server, use a central WINS server that is available to both the NT4 domain and the AD domain, and make sure the domain controllers of both domains register with that central WINS server.
3. If each domain has its own WINS server, configure replication between the WINS servers and confirm that records have replicated between them, so that each domain can resolve resource names in the other domain.
4. If replication between the two domains' WINS servers is not possible, create static records on each domain's WINS server for the resources that will participate in the trust relationship. Refer to the WINS Entries appendix below for the types of entries required on the WINS server.
5. The account used to create the trust in each domain must have administrative rights in the domain from which it is creating the trust.
6. For account management of the AD domain from the NT4 domain, the domain controller holding the PDC emulator role must be reachable.

Once the above requirements have been met, the trust relationship between the AD and NT4 domains should not cause problems, and any single point of failure for the trust relationship is removed.


Tools
There are some tools that will aid in troubleshooting and understanding name resolution and trust relationships. I have listed some of the tools below:

1. NBLookup - works like NSLookup but queries WINS servers
2. NLtest - a Resource Kit tool; used to check which DC you are connected to, or to reset and query secure channels
3. Netdom - same as NLtest
4. SetPrfDC - included with the NT4 service packs; used to control the secure channel to preferred domain controllers


WINS Entries
Each domain controller in each domain that is participating in the trust must have entries in the WINS database. The entries should be the following:

- A domain name record that lists all domain controllers in the domain
- A unique record for each domain controller listed in the domain record

The domain name record creates the 1Ch record and allows adding the IP addresses of all domain controllers in the domain.
The unique record automatically creates the 00h, 03h and 20h records for each domain controller added.
So, for example, if you have two domains, each with its own WINS server and no WINS replication between them, then we have:

Domain A (NT4 domain)
1 PDC, 3 BDCs and 1 WINS server

Domain B (AD domain)
5 domain controllers, 1 WINS server


To configure the WINS servers:

On WINS server A
Create a domain name record for Domain B, and add the IP addresses of all domain controllers in Domain B.
Create a unique record for each domain controller in Domain B.
All domain controllers in Domain A should dynamically register with WINS server A.

On WINS server B
Create a domain name record for Domain A, and add the IP addresses of all domain controllers in Domain A.
Create a unique record for each domain controller in Domain A.
All domain controllers in Domain B should dynamically register with WINS server B.
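As an added example (not part of the original post), the following Python script lists the records the appendix above says each domain needs and verifies them against a WINS server with a raw NetBIOS name query on UDP/137, the same query NBLookup sends. The WINS address, domain name and DC names used with it are placeholders you supply.

```python
import socket
import struct

NB_FLAGS_GROUP = 0x8000  # G bit in the NB_FLAGS field of each RDATA entry

def expected_records(domain, dc_names):
    """Records WINS must hold for one domain in the trust: the 1Ch domain
    record plus the 00h/03h/20h records each DC's unique registration creates."""
    recs = [(domain.upper(), 0x1C)]
    for dc in dc_names:
        recs += [(dc.upper(), s) for s in (0x00, 0x03, 0x20)]
    return recs

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: 15-char padded name + suffix byte,
    each byte split into two nibbles and offset by 'A' (0x41)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    nibbles = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + nibbles + b"\x00"

def build_query(name, suffix, txid=0x1234):
    """Unicast NBNS NAME QUERY REQUEST (OPCODE 0, RD set, B bit clear)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)

def parse_response(data):
    """Return (is_group, [ip, ...]) from a positive NAME QUERY RESPONSE, or
    None when RCODE is non-zero or no answer is present (name not found)."""
    flags, ancount = struct.unpack("!HH", data[2:4] + data[6:8])
    if flags & 0x000F or ancount == 0:
        return None
    off = 12
    off += 2 if data[off] & 0xC0 == 0xC0 else 34   # compressed pointer or full name
    rdlen = struct.unpack("!H", data[off + 8:off + 10])[0]  # skip type/class/ttl
    off += 10
    ips, group = [], False
    for i in range(off, off + rdlen, 6):            # 6 bytes per entry: NB_FLAGS + IP
        group = bool(struct.unpack("!H", data[i:i + 2])[0] & NB_FLAGS_GROUP)
        ips.append(socket.inet_ntoa(data[i + 2:i + 6]))
    return group, ips

def query_wins(wins_ip, name, suffix, timeout=2.0):
    """Ask one WINS server for one record over UDP/137, as NBLookup does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, suffix), (wins_ip, 137))
        return parse_response(s.recv(1024))
```

Run query_wins() on each WINS server for every (name, suffix) pair from expected_records(); the 1Ch answer should come back as a group record listing all of the other domain's DC addresses, and any None result is a missing static entry.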
