Windows 2003 - NT 4 Trust Issue

Mark Planner

Jan 7, 2005, 6:16:40 AM
Hello

We are trying to create a trust between a new Windows 2003 domain and our
legacy NT 4 domain. We are able to create the trust on the NT 4 PDC, but
when we run through the wizard to create the 2003 side we keep getting the
following error message when trying to validate the trust:

The verification of the incoming trust failed with the following error(s):
The target system MKGCONTROLLER does not support NetLogon trust password
verification.
A secure channel reset will be attempted.
The secure channel reset failed with error 5: Access is denied.

The verification of the outgoing trust failed with the following error(s):
The trust password verification failed with error 5: Access is denied.
A secure channel reset will be attempted.
The secure channel reset failed with error 5: Access is denied.


We did have a trust working for our test domain, but can't seem to get it
working in the production environment. We have searched all over the
internet to try and find an answer to this - it is turning out to be a major
issue.........


Thanks in advance

Mark


Shaun Pillay

Jan 7, 2005, 4:21:48 PM
Hi Mark,

I've experienced this problem once in a test environment and it turned out
to be that the password that I was using on one domain did not match the
password on the other domain.

Just a thought :-)

PS* It's vital to keep our NHS running smoothly ;-)

"Mark Planner" <mark.p...@mkgeneral.nhs.uk> wrote in message
news:exaKuoK9...@tk2msftngp13.phx.gbl...

Frances [MSFT]

Jan 10, 2005, 6:13:41 AM
Hello Mark,
According to my experience, there are several steps to isolate this issue.
If it is an urgent issue, it is recommended that you contact Microsoft
Product Support Services (PSS) via telephone so that a dedicated Support
Professional can help you resolve your issue in a more efficient manner.
Please be advised that contacting phone support will be a charged call.
To obtain the phone numbers for a specific technology request please take a
look at the web site listed below.
<http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS>
If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

I agree with ShaunK: check the password first and make sure you have used
the same password in the trust creation process.

If that is not the problem, I suggest you use the following steps to narrow
down this issue:

Step 1: Turn off the SMB signing
=======================
Please follow the steps below to check SMB Signing in Domain Controller
Security Policy:

1 On the Windows Server 2003 DC, click Start->Administrative Tools->Domain
Controller Security Policy.
2 Browse to:
    Security Settings\Local Policies\Security Options
3 Disable the following settings:
    Microsoft network server: Digitally sign communications (always)
    Microsoft network client: Digitally sign communications (always)
4 Restart the Windows Server 2003 PDC.

Step 2: Check the following registry key
=================================
Please disable require strong Windows 2003 session key and disable
digitally encrypt and sign secure channel. Please check the registry key
and set like the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\parameters
    DisablePasswordChange [REG_DWORD] = 0x0
    maximumpasswordage [REG_DWORD] = 0x1E
    requiresignorseal [REG_DWORD] = 0x1
    requirestrongkey [REG_DWORD] = 0x1
    sealsecurechannel [REG_DWORD] = 0x1
    signsecurechannel [REG_DWORD] = 0x1
    Update [REG_SZ] = no
    refusepasswordchange [REG_DWORD] = 0x0
    DbFlag [REG_SZ] = 0x2080ffff
    DynamicSiteName [REG_SZ] = USRACI99S
    SysvolReady [REG_DWORD] = 0x1
    SysVol [REG_SZ] = C:\WINNT\SYSVOL\sysvol

WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall Windows. Microsoft cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved.
Use Registry Editor at your own risk.

Hope it helps! Any update, let us get in touch.

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
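
An added example, not part of the thread: a read-only comparison of the Netlogon values listed in Step 2 against the output of `reg query` on the domain controller, so the state before and after troubleshooting can be recorded. The `reg query` sample is constructed and the function names are hypothetical.

```python
import re

# Subset of the Step 2 listing from the post above (name [type] = data).
POSTED = """\
DisablePasswordChange [REG_DWORD] = 0x0
maximumpasswordage [REG_DWORD] = 0x1E
requiresignorseal [REG_DWORD] = 0x1
requirestrongkey [REG_DWORD] = 0x1
sealsecurechannel [REG_DWORD] = 0x1
signsecurechannel [REG_DWORD] = 0x1
refusepasswordchange [REG_DWORD] = 0x0
"""

# Constructed sample of `reg query` output, not taken from a real machine.
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters
    DisablePasswordChange    REG_DWORD    0x0
    MaximumPasswordAge    REG_DWORD    0x1e
    RequireSignOrSeal    REG_DWORD    0x1
    RequireStrongKey    REG_DWORD    0x0
    SealSecureChannel    REG_DWORD    0x00000001
    Update    REG_SZ    no
"""

LISTING = re.compile(r"^\s*(\S+)\s+\[(REG_\w+)\]\s*=\s*(.*?)\s*$")
REGQUERY = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse(text, pattern):
    """Return {lower-cased value name: normalised data} for matching lines."""
    values = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # key path lines and blank lines
        name, kind, data = m.groups()
        if kind == "REG_DWORD":
            data = int(data, 16)  # 0x1, 0x00000001 and 0x1E/0x1e compare equal
        values[name.lower()] = data  # registry value names are case-insensitive
    return values

def compare(posted_text, reg_query_text):
    """List (name, posted, actual) where the machine differs from the listing."""
    posted = parse(posted_text, LISTING)
    actual = parse(reg_query_text, REGQUERY)
    return sorted((n, v, actual.get(n)) for n, v in posted.items() if actual.get(n) != v)

if __name__ == "__main__":
    for name, want, have in compare(POSTED, SAMPLE_REG_QUERY):
        print(f"{name}: listing={want!r} machine={'(not set)' if have is None else have!r}")
```

A value reported as not set is absent from the key, which is different from being present with data 0x0.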