Another Trust issue

I have three domains. Two NT and one AD. I can establish a trust between one
of the NT1 domains and the AD domain, and I can establish a trust between
the two NT domains, but I can not establish a trust between the second NT2
domain and the AD domain. I get the error "No logon servers available"

I have checked the lmhosts and removed and added the trusts several times
between the NT2 and the AD domain and still nothing.

Using the Domain monitor on the AD server I can see NT1 fine. The NT2 domain
is red with no trusted domains listed in that column. When I look at the
properties for NT2 I see the following: DC Name - \\NT2Server, DC State -
OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
PDC - BadPath, Link to Trusted Domain - Success

Using the Domain Monitor on the NT2 server I can see the NT1 fine. The AD is
red with all the lines filled in properly. When I select the properties I
have two servers listed, which are both AD DCs. The first server is insync
and everything looks good. the second server has DC Status - NoLogSr,
Connection to PDC - Bad Path, Link to Trusted Domain - Error

I'm not sure what exactly you put in your lmhosts file, but but for those
two that aren't working, be sure that it includes the 1B registration for
both the nt4 pdc and your win2k pdce. If that isn't there, you can look at
the following to get it in there, and be sure that you see the registration
with you run nbtstat;
180094 How to Write an LMHOSTS File for Domain Validation and Other Name
http://support.microsoft.com/?id=180094

Also compare the following registry entries between the one nt4 pdc that
will set the trust with win2k, and the one where it won't.
Restrictanonymous is a fairly common cause, and may need to be set to "0",
at least initially to get the trust established;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\LSA\Lmcompatibilitylevel

And

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\restrictanonymous





--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
"MS News" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have three domains. Two NT and one AD. I can establish a trust between
one
> of the NT1 domains and the AD domain, and I can establish a trust between
> the two NT domains, but I can not establish a trust between the second NT2
> domain and the AD domain. I get the error "No logon servers available"
>
> I have checked the lmhosts and removed and added the trusts several times
> between the NT2 and the AD domain and still nothing.
>
> Using the Domain monitor on the AD server I can see NT1 fine. The NT2
domain
> is red with no trusted domains listed in that column. When I look at the
> properties for NT2 I see the following: DC Name - \\NT2Server, DC State -
> OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
> PDC - BadPath, Link to Trusted Domain - Success
>
> Using the Domain Monitor on the NT2 server I can see the NT1 fine. The AD
is
> red with all the lines filled in properly. When I select the properties I
> have two servers listed, which are both AD DCs. The first server is insync
> and everything looks good. the second server has DC Status - NoLogSr,
> Connection to PDC - Bad Path, Link to Trusted Domain - Error
>
>

I did all that, still no luck.

"David Brandt [MSFT]" <(E-Mail Removed)> wrote in message
news:4007f258$(E-Mail Removed)...
> I'm not sure what exactly you put in your lmhosts file, but but for those
> two that aren't working, be sure that it includes the 1B registration for
> both the nt4 pdc and your win2k pdce. If that isn't there, you can look
at
> the following to get it in there, and be sure that you see the
registration
> with you run nbtstat;
> 180094 How to Write an LMHOSTS File for Domain Validation and Other Name
> http://support.microsoft.com/?id=180094
>
> Also compare the following registry entries between the one nt4 pdc that
> will set the trust with win2k, and the one where it won't.
> Restrictanonymous is a fairly common cause, and may need to be set to "0",
> at least initially to get the trust established;
>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\LSA\Lmcompatibilitylevel
>
> And
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\restrictanonymous
>
>
>
>
>
> --
> David Brandt
> Microsoft Corporation
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Please do not send e-mail directly to this alias. This alias is for
> newsgroup purposes only.
> "MS News" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > I have three domains. Two NT and one AD. I can establish a trust between
> one
> > of the NT1 domains and the AD domain, and I can establish a trust
between
> > the two NT domains, but I can not establish a trust between the second
NT2
> > domain and the AD domain. I get the error "No logon servers available"
> >
> > I have checked the lmhosts and removed and added the trusts several
times
> > between the NT2 and the AD domain and still nothing.
> >
> > Using the Domain monitor on the AD server I can see NT1 fine. The NT2
> domain
> > is red with no trusted domains listed in that column. When I look at the
> > properties for NT2 I see the following: DC Name - \\NT2Server, DC
State -
> > OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
> > PDC - BadPath, Link to Trusted Domain - Success
> >
> > Using the Domain Monitor on the NT2 server I can see the NT1 fine. The
AD
> is
> > red with all the lines filled in properly. When I select the properties
I
> > have two servers listed, which are both AD DCs. The first server is
insync
> > and everything looks good. the second server has DC Status - NoLogSr,
> > Connection to PDC - Bad Path, Link to Trusted Domain - Error
> >
> >
>
>

Open a dos prompt and run nbtstat -c on the W2k DC
then mark, copy and post the contents. You can mask
the names and tcp/ip addresses.

"MS News" <(E-Mail Removed)> wrote in message
> I did all that, still no luck.

Local Area Connection:
Node IpAddress: [10.0.0.8] Scope Id: []

NetBIOS Remote Cache Name Table

Name Type Host Address Life [sec]
------------------------------------------------------------
AD <1C> GROUP 10.0.0.12 -1
NT1 <1C> GROUP 10.10.0.24 -1
NT1 <1C> GROUP 10.0.0.67 -1
NT1 <1B> UNIQUE 10.0.0.67 -1
NT1Server <03> UNIQUE 10.0.0.67 -1
NT1Server <00> UNIQUE 10.0.0.67 -1
NT1Server <20> UNIQUE 10.0.0.67 -1
NT2 <1B> UNIQUE 10.10.0.24 -1
NT2Server <03> UNIQUE 10.10.0.24 -1
NT2Server <00> UNIQUE 10.10.0.24 -1
NT2Server <20> UNIQUE 10.10.0.24 -1


"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:uxqfE%(E-Mail Removed)...
> Open a dos prompt and run nbtstat -c on the W2k DC
> then mark, copy and post the contents. You can mask
> the names and tcp/ip addresses.
>
> "MS News" <(E-Mail Removed)> wrote in message
> > I did all that, still no luck.
>
>

From the win2k server.

C:\WINDOWS\system32\drivers\etc>net view \\nt2
System error 5 has occurred.

Access is denied.

"MS News" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have three domains. Two NT and one AD. I can establish a trust between
one
> of the NT1 domains and the AD domain, and I can establish a trust between
> the two NT domains, but I can not establish a trust between the second NT2
> domain and the AD domain. I get the error "No logon servers available"
>
> I have checked the lmhosts and removed and added the trusts several times
> between the NT2 and the AD domain and still nothing.
>
> Using the Domain monitor on the AD server I can see NT1 fine. The NT2
domain
> is red with no trusted domains listed in that column. When I look at the
> properties for NT2 I see the following: DC Name - \\NT2Server, DC State -
> OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
> PDC - BadPath, Link to Trusted Domain - Success
>
> Using the Domain Monitor on the NT2 server I can see the NT1 fine. The AD
is
> red with all the lines filled in properly. When I select the properties I
> have two servers listed, which are both AD DCs. The first server is insync
> and everything looks good. the second server has DC Status - NoLogSr,
> Connection to PDC - Bad Path, Link to Trusted Domain - Error
>
>

This might help. I orginally installed the 2k3 server with a different
domain name. At that time the trust worked. I then decided to change the
domain name so I completely reinstalled the 2k3 with the same server name,
but new domain name. Now the trust does not work.


"MS News" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have three domains. Two NT and one AD. I can establish a trust between
one
> of the NT1 domains and the AD domain, and I can establish a trust between
> the two NT domains, but I can not establish a trust between the second NT2
> domain and the AD domain. I get the error "No logon servers available"
>
> I have checked the lmhosts and removed and added the trusts several times
> between the NT2 and the AD domain and still nothing.
>
> Using the Domain monitor on the AD server I can see NT1 fine. The NT2
domain
> is red with no trusted domains listed in that column. When I look at the
> properties for NT2 I see the following: DC Name - \\NT2Server, DC State -
> OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
> PDC - BadPath, Link to Trusted Domain - Success
>
> Using the Domain Monitor on the NT2 server I can see the NT1 fine. The AD
is
> red with all the lines filled in properly. When I select the properties I
> have two servers listed, which are both AD DCs. The first server is insync
> and everything looks good. the second server has DC Status - NoLogSr,
> Connection to PDC - Bad Path, Link to Trusted Domain - Error
>
>

I don't know if this mens anything or not.
I added the AD server to the Server Manager in the NT2 computer. If I select
the AD server I can see everything. Not only that but I can change to the AD
domain in the Server Manager and see all the computer, shares and everything
in the AD domain. But if I try to add AD domain users to a folder it can't
browse the corp domain. I am assuming that that means that one way of the
trust works, but not the other.


"MS News" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have three domains. Two NT and one AD. I can establish a trust between
one
> of the NT1 domains and the AD domain, and I can establish a trust between
> the two NT domains, but I can not establish a trust between the second NT2
> domain and the AD domain. I get the error "No logon servers available"
>
> I have checked the lmhosts and removed and added the trusts several times
> between the NT2 and the AD domain and still nothing.
>
> Using the Domain monitor on the AD server I can see NT1 fine. The NT2
domain
> is red with no trusted domains listed in that column. When I look at the
> properties for NT2 I see the following: DC Name - \\NT2Server, DC State -
> OnLine, DC Status - AccDeni, Replication Status - Unknown, Connection to
> PDC - BadPath, Link to Trusted Domain - Success
>
> Using the Domain Monitor on the NT2 server I can see the NT1 fine. The AD
is
> red with all the lines filled in properly. When I select the properties I
> have two servers listed, which are both AD DCs. The first server is insync
> and everything looks good. the second server has DC Status - NoLogSr,
> Connection to PDC - Bad Path, Link to Trusted Domain - Error
>
>

Assuming the NT1 1c group name pointing towards
tcp/ip address 10.10.0.24 is a typo and should be NT2?
I think name resolution looks good. I suspect something
is blocking the necessary netbios traffic between the two
domains e.g., router or firewall.

"MS News" <(E-Mail Removed)> wrote in message
> Local Area Connection:
> Node IpAddress: [10.0.0.8] Scope Id: []
>
> NetBIOS Remote Cache Name Table
>
> Name Type Host Address Life [sec]
> ------------------------------------------------------------
> AD <1C> GROUP 10.0.0.12 -1
> NT1 <1C> GROUP 10.10.0.24 -1
> NT1 <1C> GROUP 10.0.0.67 -1
> NT1 <1B> UNIQUE 10.0.0.67 -1
> NT1Server <03> UNIQUE 10.0.0.67 -1
> NT1Server <00> UNIQUE 10.0.0.67 -1
> NT1Server <20> UNIQUE 10.0.0.67 -1
> NT2 <1B> UNIQUE 10.10.0.24 -1
> NT2Server <03> UNIQUE 10.10.0.24 -1
> NT2Server <00> UNIQUE 10.10.0.24 -1
> NT2Server <20> UNIQUE 10.10.0.24 -1
>
>
> "Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote
in
> message news:uxqfE%(E-Mail Removed)...
> > Open a dos prompt and run nbtstat -c on the W2k DC
> > then mark, copy and post the contents. You can mask
> > the names and tcp/ip addresses.
> >
> > "MS News" <(E-Mail Removed)> wrote in message
> > > I did all that, still no luck.
> >
> >
>
>

Your correct looks like a typo.

There is a router separating the two domains. I have an NT trust between the
two working. NT1 and NT2 trust each other fine. NT1 is on the same side of
the router as AD.

In another email I mentioned that I had the trust working at one time. I
changed the name of the AD domain by completely reinstalling win2k3. I used
the same server name, but different domain name. Now I can not get it to
connect.

"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:Ouy$(E-Mail Removed)...
> Assuming the NT1 1c group name pointing towards
> tcp/ip address 10.10.0.24 is a typo and should be NT2?
> I think name resolution looks good. I suspect something
> is blocking the necessary netbios traffic between the two
> domains e.g., router or firewall.
>
> "MS News" <(E-Mail Removed)> wrote in message
> > Local Area Connection:
> > Node IpAddress: [10.0.0.8] Scope Id: []
> >
> > NetBIOS Remote Cache Name Table
> >
> > Name Type Host Address Life [sec]
> > ------------------------------------------------------------
> > AD <1C> GROUP 10.0.0.12 -1
> > NT1 <1C> GROUP 10.10.0.24 -1
> > NT1 <1C> GROUP 10.0.0.67 -1
> > NT1 <1B> UNIQUE 10.0.0.67 -1
> > NT1Server <03> UNIQUE 10.0.0.67 -1
> > NT1Server <00> UNIQUE 10.0.0.67 -1
> > NT1Server <20> UNIQUE 10.0.0.67 -1
> > NT2 <1B> UNIQUE 10.10.0.24 -1
> > NT2Server <03> UNIQUE 10.10.0.24 -1
> > NT2Server <00> UNIQUE 10.10.0.24 -1
> > NT2Server <20> UNIQUE 10.10.0.24 -1
> >
> >
> > "Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote
> in
> > message news:uxqfE%(E-Mail Removed)...
> > > Open a dos prompt and run nbtstat -c on the W2k DC
> > > then mark, copy and post the contents. You can mask
> > > the names and tcp/ip addresses.
> > >
> > > "MS News" <(E-Mail Removed)> wrote in message
> > > > I did all that, still no luck.
> > >
> > >
> >
> >
>
>