Trust Relationships with Previous Versions of Windows

There is a subtle migration issue to avoid. It arises from the way Windows NT 4.0 handles trusts and from what happens to those trusts when a domain controller is upgraded to Windows 2000.

Suppose you have a Windows 2000 domain controller (call it A) with a previous version trust relationship to a Windows NT 4.0 domain controller (call it B). You upgrade B to Windows 2000 and then link an organizational unit managed by A to a Group Policy object stored in B's domain. A user in the organizational unit logs on to A expecting to receive policy from the Group Policy object stored in B's domain, but the policy is not applied. The reason is that upgrading the domain controller does not automatically upgrade the trust relationship, so the user does not have access to the Sysvol share on B, which holds the Group Policy object's files.

To solve this problem, break the existing trust after upgrading B to Windows 2000, and then create a new Windows 2000–style trust. The user then receives Group Policy as expected.