Article ID: 325874
Article Last Modified on 3/12/2007
APPLIES TO
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
This article was previously published under Q325874
SUMMARY
This step-by-step article describes how to establish a trust relationship between a Microsoft Windows NT 4.0-based domain and a Windows Server 2003-based domain.
The creation of a trust with a Windows NT-based domain uses the Windows NT trust model in a Windows Server 2003-based environment. Windows NT trusts are one-way trusts between a "trusting" domain and a "trusted" domain. For example, if you have a Windows Server 2003-based domain whose users want to gain access to resources that are stored in a Windows NT-based domain, you must create a trust relationship in which the Windows NT-based domain trusts the users from the Windows Server 2003-based domain. In this case, the Windows NT-based domain is the trusting domain, and the Windows Server 2003-based domain is the trusted domain.
Note You must use NetBIOS name resolution to enable trust between the two domains.
How to create a trust relationship
You can create either of the following one-way trust relationships between a Windows NT-based domain and a Windows Server 2003-based domain:
- Windows NT trusts Windows Server 2003
- Windows Server 2003 trusts Windows NT
Or you can create a two-way trust where both domains trust each other.
You must be logged on to the domain controllers of both domains with an administrator account to create a trust. When you create a one-way trust, first create the trust on the trusting domain, and then on the trusted domain.
Windows NT trusts Windows Server 2003
To create a trust relationship in which a Windows NT-based domain trusts a Windows Server 2003-based domain:
- On the Windows NT-based primary domain controller (PDC):
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Domain box, type the Windows Server 2003-based domain name without the .com portion of the domain name. For example, if the Windows Server 2003-based domain is Example.com, type Example.
- In the Password box, type a password for the trust.
Note You must use the same trust password on both the domain controller from the trusted domain and the domain controller from the trusting domain.
- Click OK. The following message appears, where Windows Server 2003-based domain name is the name of the Windows Server 2003-based domain and where Windows NT-based domain name is the name of the Windows NT domain:
- Click OK. Note that the Windows Server 2003-based domain is listed in the Trusted Domains list.
- In the Trust Relationships dialog box, click Close.
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and Trusts.
- In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
- Click Next, and then in the Trust password box, type the same trust password that you used on the Windows NT-based domain controller. Type the password again in the Confirm trust password box.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click One-way: incoming
Users in this domain can be authenticated in the specified domain, realm, or forest.
- Click Next, review your settings, and then click Next.
- A message similar to the following message appears, where supplier01-int is the NetBIOS name of the Windows NT domain for this trust. Click Next, and then click Yes, confirm the incoming trust.
- Type the user name and password of an account with administrative privileges for the specified domain, and then click Next. A message similar to the following message appears:
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
The trust is created. The Windows NT-based domain trusts accounts from the Windows Server 2003-based domain. However, this trust is a one-way trust. The Windows Server 2003-based domain does not trust the Windows NT-based domain accounts.
Windows Server 2003 trusts Windows NT
To create a trust relationship in which a Windows Server 2003-based domain trusts a Windows NT-based domain:
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and Trusts.
- In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click One-way: outgoing
Users in the specified domain, realm, or forest can be authenticated in this domain.
- Click Next, and then click one of the following to select the scope of authentication for users from the Windows NT domain:
  - Allow authentication for all resources in the local domain
    Windows authenticates users from the specified domain for all resources in the local domain. This option is preferred when both domains belong to the same organization.
  - Allow authentication only for selected resources in the local domain
    Windows does not automatically authenticate users from the specified domain for any resources in the local domain. After you finish this wizard, grant individual access to each server that you want to make available to users in the specified domain. This option is preferred if the domains belong to different organizations.
- Click Next, and then type a password for this trust in the Trust password box. You must use the same password when you create this trust relationship in the specified domain. After you create the trust, Active Directory periodically updates the trust password for security purposes. Type the password again in the Confirm trust password box, and then click Next.
- Review your settings, and then click Next.
- A message similar to the following message appears, where supplier01-int is the NetBIOS name of the Windows NT domain for this trust. Click Next, and then click Yes, confirm the incoming trust.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
- On the Windows NT-based PDC:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusting Domains box. The Add Trusting Domain dialog box appears.
- In the Trusting Domains box, type the Windows Server 2003-based domain name without the .com portion of the domain name. For example, if the Windows Server 2003-based domain is Example.com, type Example.
- In the Initial Password box, type the same password that you used for the trust on the Windows Server 2003-based domain controller.
Note You must use the same trust password on both the domain controller from the trusting domain and the domain controller from the trusted domain.
- Type the password again in the Confirm Password box, make sure that you are currently logged on to both the Windows NT-based domain controller and the Windows Server 2003-based domain controller as an administrator, and then click OK. The Windows Server 2003-based domain is listed in the Trusting Domains list.
- In the Trust Relationships dialog box, click Close.
The trust is created. The Windows Server 2003-based domain trusts accounts from the Windows NT-based domain.
Create a two-way trust relationship
To create a two-way trust so both domains trust each other:
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and Trusts.
- In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click Two-way
Users in this domain can be authenticated in the specified domain, realm, or forest, and users in the specified domain, realm, or forest can be authenticated in this domain.
- Click Next, and then click one of the following to select the scope of authentication for users from the Windows NT domain:
  - Allow authentication for all resources in the local domain
    Windows authenticates users from the specified domain for all resources in the local domain. This option is preferred when both domains belong to the same organization.
  - Allow authentication only for selected resources in the local domain
    Windows does not automatically authenticate users from the specified domain for any resources in the local domain. After you finish this wizard, grant individual access to each server that you want to make available to users in the specified domain. This option is preferred if the domains belong to different organizations.
- Click Next, and then in the Trust password box, type a password for this trust. You must use the same password when you create this trust relationship in the specified domain. After the trust is created, Active Directory periodically updates the trust password for security purposes. Type the password again in the Confirm trust password box, and then click Next.
- Review your settings, and then click Next.
- A message similar to the following message appears, where supplier01-int is the NetBIOS name of the Windows NT domain for this trust.
- Click Next, and then click Yes, confirm the outgoing trust.
- Click Yes, confirm the incoming trust, type the user name and password of an account with administrative privileges for the specified domain, and then click Next. A message similar to the following message appears, where supplier01-int is the NetBIOS name of the Windows NT domain for this trust.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
- On the Windows NT-based PDC:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Domain box, type the Windows Server 2003-based domain name without the .com portion of the domain name. For example, if the Windows Server 2003-based domain is Example.com, type Example.
- In the Password box, type a password for the trust.
Note You must use the same trust password on both the domain controller from the trusted domain and the domain controller from the trusting domain.
- Click OK. Note that the Windows Server 2003-based domain is listed in the Trusted Domains list.
- Click the Add button that corresponds to the Trusting Domains box. The Add Trusting Domain dialog box appears.
- In the Trusting Domains box, type the Windows Server 2003-based domain name without the .com portion of the domain name.
- In the Password box, type the same password that you used for the trust on the Windows Server 2003-based domain controller, and then click OK. The Windows Server 2003-based domain is listed in the Trusting Domains list.
- In the Trust Relationships dialog box, click Close.
The two-way trust is created. The Windows NT-based domain trusts accounts from the Windows Server 2003-based domain, and the Windows Server 2003-based domain trusts the Windows NT-based domain accounts.
Verify a trust
To verify that the trust relationship is working, follow these steps on the Windows Server 2003-based domain controller:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
- Click the Trusts tab, and then under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
- Click Validate.
Troubleshooting
When you try to create a trust between domains, you may receive the following error message:
This error message can occur for the following reasons:
- Networking issues
Make sure that both computers are using TCP/IP and that you can connect to the other computer by using a network utility such as Ping.exe.
- Name resolution issues
Make sure that the Windows NT-based domain controller can resolve the host name of the Windows Server 2003-based domain controller, and that the Windows Server 2003-based domain controller can resolve the NetBIOS name of the Windows NT-based domain controller. If you cannot resolve the NetBIOS and host names, create an entry in the Lmhosts file on each domain controller that specifies the location of the other controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
102725 Lmhosts file information and predefined keywords
- Trust issues
On a computer that is running an original release version of Windows Server 2003, you may have to set the value of the RestrictAnonymous registry subkey to 0 to establish the trust. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
246261 How to use the RestrictAnonymous registry value in Windows 2000
On a computer that is running Windows Server 2003 Service Pack 1 (SP1), you may have to set the value of the RestrictAnonymous registry subkey to 0 and set the value of the RestrictNullSessAccess registry subkey to FALSE to establish the trust.
To set the value of the RestrictNullSessAccess registry subkey to FALSE, follow these steps:
- Click Start, click Run, type regedit, and then click OK to open Registry Editor.
- Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Right-click this registry subkey, point to New, and then click DWORD Value.
- Type RestrictNullSessAccess, and then press ENTER.
- Double-click RestrictNullSessAccess, type 0 in the Value data box, and then click OK.
- Exit Registry Editor.
- Restart the computer.
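For the Lmhosts entries mentioned under "Name resolution issues", the following added example (not part of the original article) builds the two lines that let one domain controller locate the other and checks hand-edited lines for the usual mistakes. The IP address and the controller name NTPDC01 are constructed placeholders; #PRE, #DOM and the quoted \0x1b name are standard Lmhosts syntax.

```python
import ipaddress
import re

NETBIOS_MAX = 15       # a NetBIOS name is 16 bytes; the 16th is the service-type suffix
SUFFIX_1B = "\\0x1b"   # domain master browser name, registered by the PDC

def netbios(name: str) -> str:
    """Normalise a NetBIOS name and reject ones Lmhosts cannot carry."""
    name = name.strip().upper()   # quoted Lmhosts names are case-sensitive
    if not 1 <= len(name) <= NETBIOS_MAX or re.search(r'[\s"#\\]', name):
        raise ValueError(f"not a usable NetBIOS name: {name!r}")
    return name

def entries_for_dc(ip: str, dc_name: str, domain: str) -> list[str]:
    """Lmhosts lines that let the other domain controller find this one."""
    ip = str(ipaddress.IPv4Address(ip))
    dc, dom = netbios(dc_name), netbios(domain)
    # Quoted special name: the domain padded with spaces to 15 characters,
    # followed by the \0x1b suffix, 20 characters between the quotes.
    pdc = dom.ljust(NETBIOS_MAX) + SUFFIX_1B
    return [f"{ip}  {dc}  #PRE #DOM:{dom}", f'{ip}  "{pdc}"  #PRE']

LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))\s*(.*)$')

def problems(line: str) -> list[str]:
    """Reasons a hand-edited Lmhosts line would not work as intended."""
    m = LINE.match(line.strip())
    if not m:
        return ["unparseable line"]
    ip, quoted, plain, rest = m.groups()
    found = []
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        found.append("bad IPv4 address")
    tags = rest.upper().split()
    if quoted is not None and len(quoted) != NETBIOS_MAX + len(SUFFIX_1B):
        found.append("quoted name must be exactly 20 characters")
    if plain is not None and len(plain) > NETBIOS_MAX:
        found.append("name longer than 15 characters")
    if any(t.startswith("#DOM:") for t in tags) and "#PRE" not in tags:
        found.append("#DOM entry is not preloaded (#PRE missing)")
    return found

# Constructed sample: entries for a Windows NT PDC in the supplier01-int domain.
SAMPLE = entries_for_dc("192.0.2.10", "ntpdc01", "supplier01-int")
```

After the file is edited, running nbtstat -R on the domain controller reloads the #PRE entries into the NetBIOS name cache.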
REFERENCES
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
139410 "There are currently no logon servers available" error message
175025 How to build and reset a trust relationship from a command line
255551 Cannot set up trust in Window 2000 domain from Windows NT 4.0