MORE INFORMATION

In Windows NT 4.0, member servers that attempt to assign trusted domain entities to shared resources, contact the domain controller with which they have a secure channel to obtain the entity lists of the trusted domain. The domain controller that owns the secure channel in turn contacts a domain controller in the trusted domain for the list of entities. In Windows 2000, this behavior has changed slightly. The initial verification of the domain trust is performed by means of the secure channel (as has been performed in a Windows NT 4.0 environment).

The actual entity list, however, is obtained directly by the Windows 2000-based server that requests the list from the primary domain controller (PDC) of the trusted domain. The Windows 2000-based computer that requests the list of entities must be able to resolve and contact the PDC in the trusted domain. This requirement means that the Windows 2000-based computer must be able to use NetBIOS name resolution to resolve the NetBIOS 0x1B for the trusted domain which points to the PDC. Some methods of NetBIOS name resolution use the Windows Internet Name Service (WINS) and Lmhosts files.

In addition to the name resolution that is required, the correct trust relationship must enable the Windows 2000-based computer to make a computer account-authenticated connection to the PDC of the trusted domain as Windows 2000 cannot create a null session to the trusted domain.

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base: