Create Trust

joelp
PostPosted: Wed Mar 09 15:29:56 PST 2005

I'm trying to set up an external trust from a Windows 2000 domain with
Active Directory installed to a Windows NT domain. We have set up users on
both sides.
The Windows NT domain can create a trust to the Active Directory domain
without any problems. When we try to create the trust from the AD domain I get
the error

"The account is not authorized to login from this workstation"

I can ping the WinNT domain controller by name and IP number. When I search
for the domain controller in Network Neighborhood it will find it but the
location is unknown.
When I do the same search from a workstation with Windows 2000 Server
installed but not AD, it will return the PC name and domain name and allow me
to access the shared folders.

I don't see anything in the event logs that will give me a clue. I have used
dcdiag to see if the AD is having problems but no error is returned. DNS
seems to be working; I tested it with ping and nslookup.

Does anyone have any ideas on what else I can look into to resolve this
problem?

Thank you,

John Hultgren
Network Administrator

Herb
PostPosted: Wed Mar 09 15:29:56 PST 2005

> I'm trying to set up an external trust from a Windows 2000 domain with
> Active Directory installed to a Windows NT domain. We have set up users on
> both sides.

(FYI: There is no "AD on NT" so the above is likely
a typographical error or language issue.)

NT and all external trusts require NetBIOS name
resolution.

In practice this means the xDCs must all have NetBIOS
enabled (e.g., not disabled on the WINS tab of the IP
properties) AND in a routed environment WINS servers
are a practical requirement.

> The Windows NT domain can create a trust to the Active Directory domain
> without any problems. When we try to create the trust from the AD domain I get
> the error


> "The account is not authorized to login from this workstation"

Perhaps the NetBIOS resolution is only working
in one direction OR maybe you have another problem.

> I can ping the WinNT domain controller by name and IP number. When I search
> for the domain controller in Network Neighborhood it will find it but the
> location is unknown.

"Location is unknown"? If you mean you
"see it" in Network Neighborhood but when
you click on it you get some type of 'not
found error', then nothing has been "found"
yet -- except the Master Browser.

Name resolution only occurs after the user
clicks a particular server to see the list of
shares.

And such name resolution MAY use DNS
methods (either primarily or as a supplement
to NetBIOS.)

> When I do the same search from a workstation with Windows 2000 Server
> installed but not AD, it will return the PC name and domain name and allow me
> to access the shared folders.

NetBIOS name resolution is likely working
in this direction.

One reason for this might be that SOME of
your servers are NOT "WINS clients". While
others are (likely the NT xDCs are since people
think NetBIOS is unnecessary for Win2000/2003.)

That is incorrect -- practically all Windows domains
require NetBIOS to work. If you have multiple
subnets (i.e., routers) then this means WINS server.

And ALL internal machines need to be WINS clients.

[It is also possible that you have replicated the
WINS database in one direction only -- but this
is a less common problem.]

> I don't see anything in the event logs that will give me a clue. I have used
> dcdiag to see if the AD is having problems but no error is returned. DNS
> seems to be working; I tested it with ping and nslookup.
>
> Does anyone have any ideas on what else I can look into to resolve this
> problem?

Check the NetBIOS -- and the WINS server as well as
the client SETTINGS for the WINS server.

(Even the WINS server should be a WINS client.)

> Thank you,
>
> John Hultgren
> Network Administrator
>


 
 
Glenn
PostPosted: Wed Mar 09 23:30:34 PST 2005

> "The account is not authorized to login from this workstation"

Usually this is an SMB signing incompatibility issue.
Workstation service (client) talks to the server service (server).
If the workstation service requires SMB signing, then the server service on the
other side must have it enabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

e.g. If the lanmanworkstation config on the AD side has
'requiresecuritysignature'=1, then the lanmanserver config on the NT4 side
must have 'enablesecuritysignature'=1

workstation service config on NT4 is
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

--
Glenn L
CCNA, MCSE 2000/2003 + Security





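An added example (not written by any poster in this thread) that applies Glenn's compatibility rule to the registry fragments he lists: it parses .reg-style exports of the workstation-service and server-service keys from both domain controllers and reports whether each direction of the trust would fail, be signed, or leave signing optional. AD_SIDE and NT_SIDE are constructed samples, and parse_reg, signing_outcome and check_trust_path are hypothetical helpers, not Windows APIs.

```python
import re
# Key names from the thread: the workstation (client) service is lanmanworkstation on
# Windows 2000 and Rdr on Windows NT 4; the server service is lanmanserver on both.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
                    r"(lanmanworkstation|rdr|lanmanserver)\\parameters\]$", re.I)
VAL_RE = re.compile(r'^"(enable|require)securitysignature"=dword:([0-9a-f]{8})$', re.I)
def parse_reg(text):
    """Parse .reg-style export text into {'client': {...}, 'server': {...}} signing flags."""
    flags, side = {s: {"enable": False, "require": False} for s in ("client", "server")}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            side = "server" if key.group(1).lower() == "lanmanserver" else "client"
        val = VAL_RE.match(line.strip())
        if val and side:
            flags[side][val.group(1).lower()] = int(val.group(2), 16) != 0
    return flags

def signing_outcome(client, server):
    """Result of a session from one host's workstation service to the other's server service."""
    # Requiring signing implies enabling it, so treat "require" as "enabled" too.
    c_on, s_on = client["enable"] or client["require"], server["enable"] or server["require"]
    if (client["require"] and not s_on) or (server["require"] and not c_on):
        return "fail"      # the mismatch behind "not authorized to login from this workstation"
    if client["require"] or server["require"]:
        return "signed"
    return "optional"      # neither side insists; whether signing is used is negotiated

def check_trust_path(ad_host, nt_host):
    """Both directions: AD->NT pairs AD's client with NT's server, and vice versa."""
    return {"ad_to_nt": signing_outcome(ad_host["client"], nt_host["server"]),
            "nt_to_ad": signing_outcome(nt_host["client"], ad_host["server"])}
# Constructed sample: the Windows 2000 side requires signing on its workstation service...
AD_SIDE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"""
# ...while the NT 4 side has signing switched off on its server service.
NT_SIDE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"""
```

With these samples the NT-to-AD direction comes out "optional" while AD-to-NT comes out "fail", which matches the one-way symptom in the thread; flipping the NT server-service enable value to 1 turns the failing direction into "signed".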


 
 
Herb
PostPosted: Thu Mar 10 00:34:12 PST 2005

> Usually this is an SMB signing incompatibility issue.
> Workstation service (client) talks to the server service (server).
> If the workstation service requires SMB signing, then the server service on the
> other side must have it enabled.

That makes sense.

NT machines and 9x should all have the
DSClient upgrade and latest service packs
which should allow them to participate in
SMB signing (rather than disabling it.)


 
 
JohnHultgren
PostPosted: Thu Mar 10 09:23:12 PST 2005

Thanks for the information. I'll check into what you have suggested.


Just for clarification on my part, I have two domains at different sites.
The first domain is a Windows 2000 with active directory local to me and the
second domain is Windows NT at a remote location. The Windows NT domain can
create a trust with the Windows 2000 domain, but I get the error
"The account is not authorized to login from this workstation" when I try to
create the trust from Windows 2000 domain to the Windows NT domain. The user
and password have been created on both sides.



