Troubleshooting trusts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What problem are you having?

  • Clients are unable to access resources in a domain outside of the forest.

  • Trust errors between servers or workstations.

  • Trust errors between Windows NT 4.0 and Active Directory domains.

  • After upgrading a Windows NT 4.0 domain with existing trusts to Active Directory domains, you encounter various trust-related problems.

  • Cannot connect to a domain controller running Windows 2000.

Clients are unable to access resources in a domain outside of the forest.

Cause:  A failure has occurred on the external trust between the domains.

Solution:  Reset and verify the trust between the domains. The PDC emulator master must be available for a trust to be successfully reset.

See also:  Verify a trust; Operations master roles; When to create an external trust

Trust errors between servers or workstations.

Cause:  Possible causes include incorrect time synchronization between domain controllers or workstations, a server that is down, or a broken trust relationship.

Solution:  Run Netdom to verify, reset, or establish the trust between computers. This command-line tool performs batch management of trusts, verifies trusts and secure channels between computers, and can join computers to domains.

See also: Install Windows Support Tools

Trust errors between Windows NT 4.0 and Active Directory domains.

Cause:  Automatic trust password resets for the trust may not reach the PDC emulator master role holder.

Solution:  Run Netdom to verify, reset, or establish the trust between computers. This command-line tool performs batch management of trusts, verifies trusts and secure channels between computers, and can join computers to domains. If this does not help solve the issue, see article Q317178, "Windows NT 4.0 Domain Updates Trust Account Password on Non-PDC," in the Microsoft Knowledge Base.
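
The checks named in the causes above (PDC emulator availability, time synchronization, the secure channel, and the trust itself) can be run in one pass before any reset is attempted. The following batch file is an added example, not part of the original article or a Microsoft-supplied script; the file name trustcheck.cmd and the variable names are assumptions, and the domain names are supplied by the operator.

```batch
@echo off
rem Added example, not Microsoft's script. Requires Netdom from Windows Support Tools.
rem Usage: trustcheck.cmd TRUSTING-DOMAIN TRUSTED-DOMAIN [reset]
rem Assumption: run from an account logged on to a domain, so %USERDOMAIN%
rem names this computer's own domain.
setlocal
if "%~2"=="" goto usage
set TRUSTING=%~1
set TRUSTED=%~2

echo --- Operations master role holders; the PDC emulator must be available
netdom query /domain:%TRUSTING% fsmo
netdom query /domain:%TRUSTED% fsmo

echo --- Time offsets of the domain controllers in each domain
w32tm /monitor /domain:%TRUSTING%
w32tm /monitor /domain:%TRUSTED%

echo --- Secure channel between this computer and its own domain
netdom verify %COMPUTERNAME% /domain:%USERDOMAIN%

echo --- Verify the trust between the two domains
netdom trust %TRUSTING% /domain:%TRUSTED% /verify

rem Stop here unless the operator explicitly asked for a reset.
if /i not "%~3"=="reset" goto end

rem /PasswordD:* and /PasswordO:* make Netdom prompt for each password,
rem so no password is stored in the script or on the command line.
set /p USERD=Administrator account in %TRUSTED%: 
set /p USERO=Administrator account in %TRUSTING%: 
netdom trust %TRUSTING% /domain:%TRUSTED% /reset /UserD:%USERD% /PasswordD:* /UserO:%USERO% /PasswordO:*

echo --- Verify again after the reset
netdom trust %TRUSTING% /domain:%TRUSTED% /verify
goto end

:usage
echo Usage: %~nx0 TRUSTING-DOMAIN TRUSTED-DOMAIN [reset]
exit /b 2

:end
endlocal
```

Without the third argument the script only reads state, which makes it suitable for capturing the condition of the trust before a change is made.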

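After upgrading a Windows NT 4.0 domain with existing trusts to Active Directory domains, you encounter various trust-related problems.

Cause:  When the domain has been upgraded, the existing trusts to Active Directory domains remain Windows NT 4.0 trusts. Internet Protocol Security (IPSec) cannot work over a Windows NT 4.0 trust. Or, trusts to other domains in the forest are no longer available.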

Solution:  After upgrading a Windows NT 4.0 domain to an Active Directory domain, it is recommended that you delete and recreate all previously existing trusts with Active Directory domains. If this does not solve the issue, see article Q275221, "Trusts Unavailable on Backup Domain Controllers After Upgrading the Windows NT Primary Domain Controller," in the Microsoft Knowledge Base.

See also: Install Windows Support Tools; Upgrading from a Windows NT domain

Cannot connect to a domain controller running Windows 2000.

Cause:  You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.

Solution:  Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

See also: Connecting to domain controllers running Windows 2000