NT4 - Server 2003 trust fail

  • NT4 - Server 2003 trust fail

    Hi everybody!

    I've created a trust relationship between two domains, one with NT4 servers and the other with 2003 servers.

    Everything was working OK, but when I install SRV2003 SP1, I cannot connect to the other domain from the 2003 domain. I get a message:

    "THE TRUST RELATIONSHIP BETWEEN THE PRIMARY DOMAIN AND THE TRUSTED DOMAIN FAILED"

    Any idea?

    Thanks

  • #2
    Will this help you further?

    How to establish trusts with a Windows NT-based domain in Windows Server 2003

    Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

    Domain member: Require strong (Windows 2000 or later) session key

    a. Background
    • The Domain member: Require strong (Windows 2000 or later) session key setting determines whether a secure channel can be established with a domain controller that cannot encrypt secure channel traffic with a strong, 128-bit session key. Enabling this setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this setting allows 64-bit session keys.
    • Before you can enable this setting on a member workstation or on a server, all domain controllers in the domain that the member belongs to must be able to encrypt secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running Windows 2000 or later.

    b. Risky Configuration

    Enabling the Domain member: Require strong (Windows 2000 or later) session key setting is a risky configuration.
    c. Reasons to Enable This Setting
    • Session keys that are used to establish secure channel communications between member computers and domain controllers are much stronger in Windows 2000 than they are in earlier versions of Microsoft operating systems.
    • Whenever possible, it is a good idea to take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and from session hijacking network attacks. Eavesdropping is a form of malicious attack where network data is read or is altered in transit. The data can be modified to hide or to change the sender, or to redirect it.

    d. Reasons to Disable This Setting

    The domain contains member computers that are running operating systems other than Windows 2000, Windows XP, or Windows Server 2003.
    e. Symbolic Name: StrongKey
    f. Registry Path:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (Reg_DWORD)
    g. Examples of Compatibility Problems

    Windows NT 4.0: On Windows NT 4.0-based computers, resetting secure channels of trust relationships between Windows NT 4.0 and Windows 2000 domains with NLTEST fails with "Access Denied" error message:
    The trust relationship between the primary domain and the trusted domain failed.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

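The compatibility rule quoted in reply #2, as an added example that is not part of the thread or of the Microsoft article: it reads the RequireStrongKey value on the local machine and checks it against a list of domain controllers. The function names and the DC inventory are constructed for illustration; only the registry path and value name come from the quoted text.

```powershell
# Added example. The registry path and value name come from the quoted KB text;
# function names and the DC inventory below are constructed for illustration.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RequireStrongKey {
    # Returns 1 (enabled), 0 (disabled), or $null when the value is not present.
    param([string]$Path = $NetlogonParams)
    $prop = Get-ItemProperty -Path $Path -Name 'RequireStrongKey' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.RequireStrongKey
}

function Test-StrongKeyCompatibility {
    param(
        $RequireStrongKey,              # 1, 0 or $null as returned above
        [object[]]$DomainControllers    # objects with Name and OSVersion ('major.minor')
    )
    foreach ($dc in $DomainControllers) {
        # Windows 2000 reports NT version 5.0; earlier systems (NT 4.0) lack 128-bit session keys.
        $strongCapable = ([version]$dc.OSVersion).Major -ge 5
        if ($strongCapable) {
            $result = 'OK: 128-bit session key available'
        } elseif ($RequireStrongKey -eq 1) {
            $result = 'FAIL: member requires a strong key, DC cannot provide one'
        } elseif ($RequireStrongKey -eq 0) {
            $result = 'OK, but the secure channel uses a 64-bit session key'
        } else {
            $result = 'UNKNOWN: value not set, the OS default applies'
        }
        [pscustomobject]@{
            Name          = $dc.Name
            OSVersion     = $dc.OSVersion
            StrongCapable = $strongCapable
            SecureChannel = $result
        }
    }
}

# Constructed inventory: one NT 4.0 DC in the trusted domain, one Server 2003 DC.
$inventory = @(
    [pscustomobject]@{ Name = 'NT4-PDC';  OSVersion = '4.0' }
    [pscustomobject]@{ Name = 'W2K3-DC1'; OSVersion = '5.2' }
)

$report = Test-StrongKeyCompatibility -RequireStrongKey (Get-RequireStrongKey) -DomainControllers $inventory
$report | Format-Table -AutoSize

# The setting is only safe to enable once no DC in the list is pre-Windows 2000.
if ($report.StrongCapable -contains $false) {
    'Do not enable RequireStrongKey while a pre-Windows 2000 domain controller remains.'
}
```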