Microsoft KB Archive/178640

= Could Not Find Domain Controller When Establishing a Trust =

Article ID: 178640

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q178640



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
Regardless of the protocols being used, when you try to establish a trust, you may receive the following error message:

Could not find domain controller for this domain.

You may receive this error message even though LMHOSTS files and the WINS database are correct and there are nNo connectivity problems on the network. Also, you may see the following information in a network trace:

SMB R session setup & X - NT error, System, Error, Code = (109) STATUS_LOGON_FAILURE



CAUSE
Windows NT 4.0 Service Pack 3 and in a hotfix for Windows NT 3.51 have a registry setting that permits administrators to restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. This registry setting also restricts a trusting domain from establishing a connection to the trusted primary domain controller to establish a trust relationship.



RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. Set the RestrictAnonymous value to 0 in the registry, or remove the value to establish the trust.  Open Registry Editor. Locate the following key in the registry:

 Click to select the following value:

RestrictAnonymous

 On the Edit menu, click DWORD, and then change the data (value) to 0, as indicated in the following information:

Value Name: RestrictAnonymous

Data Type: REG_DWORD

Value: 0

 Exit Registry Editor, and then restart the computer for the change to take effect.</ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. Microsoft is researching this problem and will post more information in this article when the information becomes available.

<div class="moreinformation_section">

MORE INFORMATION
The registry value configures the local system policy to determine whether users must authenticate to perform common enumeration functions. Requiring authentication to obtain the account name list is an optional feature. When the RestrictAnonymous value is set to 1, users who make anonymous connections from the Graphical User Interface tools for security management receive an "access denied" error message when they try to obtain the list of account names. When the RestrictAnonymous value is set to 0, or the value is not defined, anonymous connections can list account names and enumerate share names. However, although you set the value of RestrictAnonymous to 1, the user interface tools with the computer does not list the account names. However, there are Win32 programming interfaces that support individual name lookup and do not restrict anonymous connections.

Windows NT networks using a multiple domain model can restrict anonymous connections without loss of functionality. To disable anonymous connections, administrators in resource domains must add members of trusted account domains to specific local groups before they change the value for the  registry entry. Users who log on by using accounts from trusted account domains continue to use authenticated connections to obtain the list of account names. This helps to manage security access control.

Additional query words: restrict anonymous security

Keywords: kbbug KB178640

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.