
= You May Be Unable to Establish a Trust Relationship Between Either Windows 2000 or Windows Server 2003 and Windows NT Domains =

Article ID: 295335

Article Last Modified on 3/1/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)




This article was previously published under Q295335



SYMPTOMS
You may be unable to establish a trust relationship between a Windows NT domain and either a Windows 2000 domain or a Windows Server 2003 domain. When you try to add the trust from the Windows 2000 domain, you may receive the following error message:

The trust cannot be created because no mapping between account names and security IDs was done.

When you try to add the trust from the Windows Server 2003 domain, you may receive the following error message:

Cannot Continue. The trust relationship cannot be created because the following error occurred: The operation failed. The error is: The specified user already exists.

When you attempt to add the trust from the Windows NT domain, you may receive the following error message:

The trust relationship could not be verified at this time.

You may receive an event 5721 (session setup failed) in the event log when you try to establish the trust.



CAUSE
This behavior can occur because the "Internet" domain name cannot be accessed. This domain name is a restricted name and it cannot be used for either a domain name or a computer name.

Although you can name a Windows computer or domain "Internet", you cannot establish a trust to a domain named "Internet" from Windows 2000.



RESOLUTION
To work around this behavior, do not use restricted names for computer names or domain names.

To facilitate access to a domain named "Internet" if the domain (or computer) already exists and it cannot be rebuilt:
 * Pass-through authentication can be used from the Windows 2000 domain to access the domain named "Internet".
 * Pass-through authentication should still function with the domain named "Internet".
 * Pass-through authentication occurs when a domain (or computer) contains a user account with the same name and password as a user in the Windows 2000 domain that needs to access the domain named "Internet".

For additional information about restricted names, click the following article number to view the article in the Microsoft Knowledge Base:

266633 "Computer name is already in use" error message when you add user names in Windows 2000

Keywords: kberrmsg kbnetwork kbprb kbtrusts KB295335


© Microsoft Corporation. All rights reserved.