NT4 machines cannot see another domain in forest

Guest
Archived from groups: microsoft.public.windowsnt.domain

Hey... got a strange situation with NT4 machines connecting to a Win2k3 forest.

We have a test.company.com and ad.company.com domain. Our NT4 machines are in the test.company.com domain.

There is a transitive two-way trust set up between test and ad, and all machines are joined to the test domain. At the login screen we can select ad.company.com as a domain for our XP and Windows 2000 workstations. But... we can only log in to the TEST domain from the NT4 machines.

The TEST.company.com also has trusts set up with our legacy NT4 domains. All workstations can log into these, including the NT4 workstations. (So all machines have access to all domains when joined to test.company.com, except that NT4 cannot connect to the AD.company.com domain).

My thinking is that we might have something wrong with the way we installed the dsclient tools on the NT4 workstations, but I'm not sure.

If anyone has any idea how to resolve this, that would be absolutely awesome.

Thanks!
 
Guest

OK... I think I found it...

There isn't a way to resolve it... Two-way transitive trusts in "peer" domains in a forest require the use of Kerberos for authentication.

The DSClient for NT4 does not include the addition of Kerberos, so the workstations are still using NTLM for authentication.

That's why it doesn't work!

Anyone know of a Kerberos add-in for NT4?

"Tojam" wrote:

> Hey... got a strange situation with NT4 machines connecting to a Win2k3 forest.
>
> We have a test.company.com and ad.company.com domain. Our NT4 machines are in the test.company.com domain.
>
> There is a transitive two-way trust set up between test and ad, and all machines are joined to the test domain. At the login screen we can select ad.company.com as a domain for our XP and Windows 2000 workstations. But... we can only log in to the TEST domain from the NT4 machines.
>
> The TEST.company.com also has trusts set up with our legacy NT4 domains. All workstations can log into these, including the NT4 workstations. (So all machines have access to all domains when joined to test.company.com, except that NT4 cannot connect to the AD.company.com domain).
>
> My thinking is that we might have something wrong with the way we installed the dsclient tools on the NT4 workstations, but I'm not sure.
>
> If anyone has any idea how to resolve this, that would be absolutely awesome.
>
> Thanks!