The creation of a trust with a Windows NT-based domain uses the Windows NT trust model in a Windows Server 2003-based environment. Windows NT trusts are one-way trusts between a "trusting" domain and a "trusted" domain. For example, if you have a Windows Server 2003-based domain whose users want to gain access to resources that are stored in a Windows NT-based domain, you must create a trust relationship in which the Windows NT-based domain trusts the users from the Windows Server 2003-based domain. In this case, the Windows NT-based domain is the trusting domain, and the Windows Server 2003-based domain is the trusted domain.
Note You must use NetBIOS name resolution to enable trust between the two domains.
How to create a trust relationship
You can create either of the following one-way trust relationships between a Windows NT-based domain and a Windows Server 2003-based domain:
- Windows NT trusts Windows Server 2003
- Windows Server 2003 trusts Windows NT
You must be logged on to the domain controllers of both domains with an administrator account to create a trust. When you create a one-way trust, first create the trust on the trusting domain, and then on the trusted domain.
Windows NT trusts Windows Server 2003
To create a trust relationship in which a Windows NT-based domain trusts a Windows Server 2003-based domain:
- On the Windows NT-based primary domain controller (PDC):
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Domain box, type the Windows Server 2003-based domain name without the .com portion of the domain name. For example, if the Windows Server 2003-based domain is Example.com, type Example.
- In the Password box, type a password for the trust.
Note You must use the same trust password on both the domain controller from the trusted domain and the domain controller from the trusting domain.
- Click OK. The following message appears, where Windows Server 2003-based domain name is the name of the Windows Server 2003-based domain and where Windows NT-based domain name is the name of the Windows NT domain:
The trust relationship could not be verified at this time. If you find that it was not established, contact the administrator of the Windows Server 2003-based domain name domain and verify that it includes Windows NT-based domain name on its list of trusting domains.
- Click OK. Note that the Windows Server 2003-based domain is listed in the Trusted Domains list.
- In the Trust Relationships dialog box, click Close.
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and Trusts.
- In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
- Click Next, and then in the Trust password box, type the same trust password that you used on the Windows NT-based domain controller. Type the password again in the Confirm trust password box.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click One-way: incoming
Users in this domain can be authenticated in the specified domain, realm, or forest.
- Click Next, review your settings, and then click Next.
- A message similar to the following message appears where supplier01-int is the NetBIOS name of the Windows NT domain for this trust. Click Next, and then click Yes, confirm the incoming trust.
Trust relationship created successfully.
Specified domain: supplier01-int
Direction:
Incoming: Users in the local domain can authenticate in the specified domain.
Trust type: External
Windows will authenticate users from the specified domain for all resources in the local domain.
Transitive: No
Sides of trust: Created the trust for this domain only.
- Type the user name and password of an account with administrative privileges for the specified domain, and then click Next. A message similar to the following message appears:
Completing the New Trust Wizard
You have successfully completed the New Trust Wizard.
Status of changes:
The trust relationship was successfully created and confirmed.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
Windows Server 2003 trusts Windows NT
To create a trust relationship in which a Windows Server 2003-based domain trusts a Windows NT-based domain:
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and Trusts.
- In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click One-way: outgoing
Users in the specified domain, realm, or forest can be authenticated in this domain.
- Click Next, and then click one of the following to select the scope of authentication for users from the Windows NT domain:
- Allow authentication for all resources in the local domain
Windows authenticates users from the specified domain for all resources in the local domain. This option is preferred when both domains belong to the same organization.
- Allow authentication only for selected resources in the local domain
Windows does not automatically authenticate users from the specified domain for any resources in the local domain. After you finish this wizard, grant individual access to each server that you want to make available to users in the specified domain. This option is preferred if the domains belong to different organizations.
- Click Next, and then type a password for this trust in the Trust password box. You must use the same password when you create this trust relationship in the specified domain. After you create the trust, Active Directory periodically updates the trust password for security purposes. Type the password again in the Confirm trust password box, and then click Next.
- Review your settings, and then click Next.
- A message similar to the following message appears where supplier01-int is the NetBIOS name of the Windows NT domain for this trust. Click Next, and then click Yes, confirm the incoming trust.
Trust relationship created successfully.
Specified domain: supplier01-int
Direction:
Outgoing: Users in the specified domain can authenticate in the local domain.
Trust type: External
Windows will authenticate users from the specified domain for all resources in the local domain.
Transitive: No
Sides of trust: Created the trust for this domain only.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
- On the Windows NT-based PDC:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusting Domains box. The Add Trusting Domain dialog box appears.
- In the Trusting Domains box, type the Windows Server 2003-based domain name without the .com portion of the domain name. For example, if the Windows Server 2003-based domain is Example.com, type Example.
- In the Initial Password box, type the same password that you used for the trust on the Windows Server 2003-based domain controller.
Note You must use the same trust password on both the domain controller from the trusting domain and the domain controller from the trusted domain.
- Type the password again in the Confirm Password box, make sure that you are currently logged on to both the Windows NT-based domain controller and the Windows Server 2003-based domain controller as an administrator, and then click OK. The Windows Server 2003-based domain is listed in the Trusting Domains list.
- In the Trust Relationships dialog box, click Close.
Create a two-way trust relationship
To create a two-way trust so both domains trust each other:
- On the Windows Server 2003-based domain controller:
- Click Start, point to Administrative Tools, and then double-click Active Directory Domains and Trusts.
- In the Active Directory Domains and Trusts snap-in, right-click the domain that you want, and then click Properties.
- Click the Trusts tab, and then click New Trust.
- The New Trust Wizard appears. Click Next to continue.
- Type the NetBIOS name of the Windows NT domain for this trust. For example, type supplier01-int, and then click Next.
- In the Direction of Trust window, click Two-way
Users in this domain can be authenticated in the specified domain, realm, or forest, and users in the specified domain, realm, or forest can be authenticated in this domain.
- Click Next, and then click one of the following to select the scope of authentication for users from the Windows NT domain:
- Allow authentication for all resources in the local domain
Windows authenticates users from the specified domain for all resources in the local domain. This option is preferred when both domains belong to the same organization.
- Allow authentication only for selected resources in the local domain
Windows does not automatically authenticate users from the specified domain for any resources in the local domain. After you finish this wizard, grant individual access to each server that you want to make available to users in the specified domain. This option is preferred if the domains belong to different organizations.
- Click Next, and then in the Trust password box, type a password for this trust. You must use the same password when you create this trust relationship in the specified domain. After the trust is created, Active Directory periodically updates the trust password for security purposes. Type the password again in the Confirm trust password box, and then click Next.
- Review your settings, and then click Next.
- A message similar to the following message appears where supplier01-int is the NetBIOS name of the Windows NT domain for this trust.
Trust relationship created successfully.
Specified domain: supplier01-int
Direction:
Two-way: Users in the local domain can authenticate in the specified domain and users in the specified domain can authenticate in the local domain.
Trust type: External
Windows will authenticate users from the specified domain for all resources in the local domain.
Transitive: No
Sides of trust: Created the trust for this domain only.
- Click Next, and then click Yes, confirm the outgoing trust.
- Click Yes, confirm the incoming trust, type the user name and password of an account with administrative privileges for the specified domain, and then click Next. A message similar to the following message appears where supplier01-int is the NetBIOS name of the Windows NT domain for this trust.
Completing the New Trust Wizard
You have successfully completed the New Trust Wizard, but the newly created trust relationship could not be confirmed for the following reasons:
The verification of the incoming trust failed with the following error(s):
The target system supplier01-int does not support NetLogon trust password verification.
A secure channel reset will be attempted.
The secure channel reset failed with error 1355: The specified domain either does not exist or could not be contacted.
The verification of the outgoing trust failed with the following error(s):
The trust password verification failed with error 1787: The security database on the server does not have a computer account for this workstation trust relationship.
A secure channel reset will be attempted.
The secure channel reset failed with error 1787: The security database on the server does not have a computer account for this workstation trust relationship.
Before this trust can function, it must also be created in the other domain. Ensure that the same password is used in both domains.
- Click Finish to close the wizard, and then click OK to close the domain properties dialog box.
- Quit Active Directory Domains and Trusts.
- On the Windows NT-based PDC:
- Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
- On the Policies menu, click Trust Relationships.
- Click the Add button that corresponds to the Trusted Domains box. The Add Trusted Domain dialog box appears.
- In the Domain box, type the Windows Server 2003-based domain name without the .com portion of the domain name. For example, if the Windows Server 2003-based domain is Example.com, type Example.
- In the Password box, type a password for the trust.
Note You must use the same trust password on both the domain controller from the trusted domain and the domain controller from the trusting domain.
- Click OK. Note that the Windows Server 2003-based domain is listed in the Trusted Domains list.
- Click the Add button that corresponds to the Trusting Domains box. The Add Trusting Domain dialog box appears.
- In the Trusting Domains box, type the Windows Server 2003-based domain name without the .com portion of the domain name.
- In the Password box, type the same password that you used for the trust on the Windows Server 2003-based domain controller, and then click OK. The Windows Server 2003-based domain is listed in the Trusting Domains list.
- In the Trust Relationships dialog box, click Close.
Verify a trust
To verify that the trust relationship is working, follow these steps on the Windows Server 2003-based domain controller:
- Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain that contains the trust you want to verify, and then click Properties.
- Click the Trusts tab, and then under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be verified, and then click Properties.
- Click Validate.
Troubleshooting
When you try to create a trust between domains, you may receive the following error message:
Could not find domain controller for this domain
- Networking issues
Make sure that both computers are using TCP/IP and that you can connect to the other computer by using a network utility such as Ping.exe.
- Name resolution issues
Make sure that the Windows NT-based domain controller can resolve the host name of the Windows Server 2003-based domain controller, and that the Windows Server 2003-based domain controller can resolve the NetBIOS name of the Windows NT-based domain controller. If you cannot resolve the NetBIOS and host names, create an entry in the Lmhosts file on each domain controller that specifies the location of the other controller. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
102725 Lmhosts file information and predefined keywords
- Trust issues
On a computer that is running an original release version of Windows Server 2003, you may have to set the value of the RestrictAnonymous registry subkey to 0 to establish the trust. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
246261 How to use the RestrictAnonymous registry value in Windows 2000
On a computer that is running Windows Server 2003 Service Pack 1 (SP1), you may have to set the value of the RestrictAnonymous registry subkey to 0 and set the value of the RestrictNullSessAccess registry subkey to FALSE to establish the trust.
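Added example (not part of the original article): a Python helper that builds the Lmhosts lines for the other domain's controller, as the name resolution item above suggests. It goes slightly beyond the text by also emitting the quoted <1B> entry for the domain's PDC, whose quoted field must be exactly 20 characters. The address 192.0.2.10 and the controller name NTPDC01 are constructed sample values.

```python
"""Build Lmhosts lines that point one domain controller at the other domain's PDC."""
import ipaddress

NETBIOS_MAX = 15          # usable characters; the 16th byte is the name type
FORBIDDEN = set('\\/:*?"<>|')


def netbios(name):
    """Validate a NetBIOS name and return it in upper case."""
    if not 1 <= len(name) <= NETBIOS_MAX:
        raise ValueError(f"{name!r}: a NetBIOS name has 1 to 15 characters")
    if FORBIDDEN & set(name) or any(c.isspace() for c in name):
        raise ValueError(f"{name!r}: character not usable in an Lmhosts name field")
    return name.upper()


def lmhosts_entries(pdc_ip, pdc_name, domain):
    """Return the two Lmhosts lines for a remote domain's PDC (or PDC emulator)."""
    ip = str(ipaddress.IPv4Address(pdc_ip))   # ValueError on a malformed address
    host, dom = netbios(pdc_name), netbios(domain)
    # Preload the controller's name and mark it as a controller of the domain.
    host_line = f"{ip}\t{host}\t#PRE #DOM:{dom}"
    # <1B> name of the domain, registered by its PDC. Inside the quotes the field
    # must be exactly 20 characters: the domain padded to 15, then \0x1b.
    quoted = dom.ljust(NETBIOS_MAX) + "\\0x1b"
    assert len(quoted) == 20
    return [host_line, f'{ip}\t"{quoted}"\t#PRE']


if __name__ == "__main__":
    # Constructed sample values: documentation address and a hypothetical PDC name;
    # supplier01-int is the example NetBIOS domain name used in the article.
    for line in lmhosts_entries("192.0.2.10", "NTPDC01", "supplier01-int"):
        print(line)
```

A name longer than 15 characters, such as a full DNS domain name, is rejected rather than silently truncated, because a mis-padded entry fails without an obvious error.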
To set the value of the RestrictNullSessAccess registry subkey to FALSE, follow these steps:
- Click Start, click Run, type regedit, and then click OK to open Registry Editor.
- Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Right-click this registry subkey, point to New, and then click DWORD Value.
- Type RestrictNullSessAccess, and then press ENTER.
- Double-click RestrictNullSessAccess, type 0 in the Value data box, and then click OK.
- Exit Registry Editor.
- Restart the computer.
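Added example (not part of the original article): a Python check that reads saved `reg query` output from a domain controller and reports whether RestrictAnonymous and RestrictNullSessAccess are in the state the steps above set. The Control\Lsa path for RestrictAnonymous is the standard Windows location and is not given in the article; the sample output is constructed.

```python
"""Report the two anonymous-access values from captured `reg query` output."""
import re

# Value name -> registry key. Only the LanmanServer\Parameters path appears in the
# article; Control\Lsa is the standard location of RestrictAnonymous.
WATCHED = {
    "restrictanonymous": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    "restrictnullsessaccess":
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Map (key, value name) -> (type, data) for each single-token value line."""
    found, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
        elif key and (m := VALUE_LINE.match(line)):
            found[(key, m.group(1).lower())] = (m.group(2), m.group(3))
    return found


def audit(text):
    """Return {value name: 'relaxed (0)' | 'restricted (n)' | 'absent' | 'wrong type'}."""
    values, report = parse_reg_query(text), {}
    for name, key in WATCHED.items():
        entry = values.get((key.lower(), name))
        if entry is None:
            report[name] = "absent"
        elif entry[0] != "REG_DWORD":
            report[name] = "wrong type"
        else:
            n = int(entry[1], 16)          # reg.exe prints DWORD data as 0x...
            report[name] = "relaxed (0)" if n == 0 else f"restricted ({n})"
    return report


# Constructed sample: output of two `reg query` commands saved to one file.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RestrictNullSessAccess    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```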