Establishing trust relationships between a Windows NT domain and a Windows 2000 domain
Wednesday, April 2 2003 2:21 PM
When you create a Windows 2000 domain, you will usually find that one or more Windows NT domains already exist on the network and need to interact with the new Windows 2000 domain. Establishing a trust relationship between the two domains is a convenient way to share information between them without having to migrate to Windows 2000. This article describes how to establish trust relationships between NT 4 and Windows 2000 domains.
Some considerations
To establish a domain trust relationship between an NT network and a Windows 2000 network, make sure that the two networks are physically connected, or at least joined by a high-speed link. This is mainly for reasons of security and because of the type of information passed between the two domains.
If the two networks are not in the same location, you need to do one of the following:
● Connect them directly over a dedicated line
● Create a VPN connection (via the Internet)
This is because trusted domains communicate using remote procedure calls (RPC). RPC cannot pass through the Internet. Even if it could, you would not want to send such information over an insecure connection.
If you don't use WINS in your Windows 2000 network, it is best to enable it now. Windows 2000 does not necessarily require WINS; however, when I established a domain trust relationship between an NT 4 network and a Windows 2000 network, I asked Microsoft about this, and Microsoft's answer in this case was WINS. If you did not install WINS when you installed Windows 2000, you need to install it now.
Similarly, if your NT 4 network does not use WINS, enable it before you start building the domain trust relationship. In short: start the WINS service on the PDC. Alternatively, start the WINS service on the BDC and enter the IP address of the BDC in the WINS server field of the PDC's TCP/IP Properties window.
Establish a domain trust relationship from Windows 2000
Open a command prompt on the Windows 2000 server. Ping the NT 4 server with which you want to establish the trust relationship. (This is a quick way to check that the communication link between the two domains is working. If you can't ping the NT 4 server, you must solve the link problem first.)
After verifying the communication link, click Start | Programs | Administrative Tools | Active Directory Domains and Trusts. Click the domain in which the Windows 2000 server is located. Right-click the domain name and select the Properties menu item.
In the domain properties window (in Windows 2000, the domain name looks something like YourDomain.local), click the Trusts tab, then click the Add button. Enter the name of the NT 4 domain with which you want to establish the trust relationship in the Trusted Domain input field. Enter a password in the Domain Trust Password field. (You can choose any password you like, as long as the same password is also used in the NT 4 domain.) Enter the same password in the Confirm Password field and click OK. If the other controller cannot be found, there may be a WINS problem, which needs to be resolved before you proceed. If everything is normal, click the OK button. The trusted domain is now displayed on the Trusts tab of the domain properties window.
Click the Add button next to the Domains That Trust This Domain option. Enter the NT 4 domain name in the Trusting Domain field. Enter the domain trust password in the Password and Confirm Password fields. Click the OK button. The domain properties window now displays the domain trust relationship you created. Once the Windows 2000 side is set up, repeat the same process on NT 4.
Use WINS to check the result
After the trust relationship has been established on both sides, start WINS replication from one network to the other; you do not have to create two-way replication. To do this, start the WINS manager on the Windows 2000 side. Select the server name in the left pane. Select Start Pull Replication from the Actions menu, which pulls the WINS information from the Windows NT server. Conversely, you can also choose Push Replication. When replication has finished (this can take anywhere from 10 minutes to a few hours, depending mainly on the size of the network), click Active Registrations in the Windows 2000 WINS Manager. Select Find by Name from the Actions menu. Enter the first letter of any server name from either network in the Find Names Beginning With field to view information about that server. Don't be surprised if nothing appears on the screen right away: it may take hours for the information to be displayed, depending mainly on the activity on the networks and the bandwidth between them.
Add an item to your regular maintenance task list (or your list of preventive maintenance tasks) to check the availability of the domain trust relationship regularly. The check has to be made at both ends: on the Windows 2000 network, use the Active Directory Domains and Trusts program that was used to create the trust relationship; on the NT 4 network, use Server Manager. Unfortunately, there is virtually no tool for repairing a failed domain trust, so once problems occur, the domain trust settings have to be removed at both ends of the network and then recreated.
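The regular availability check described above can also be scripted and scheduled on the Windows 2000 domain controller. The batch file below is an added example, not part of the original article: the names NT4DOM and NT4PDC and the log file path are placeholders, and it assumes nltest.exe from the Windows 2000 Support Tools is on the PATH.

```batch
@echo off
rem Added example: scheduled check of the trust with the NT 4 domain.
rem NT4DOM, NT4PDC and the log path are placeholders; use your own names.
rem Assumes nltest.exe (Windows 2000 Support Tools) is on the PATH.
setlocal
set TRUSTED_DOMAIN=NT4DOM
set TRUSTED_PDC=NT4PDC
set LOG=%SystemRoot%\Temp\trustcheck.log
set OUT=%TEMP%\sc_query.txt
set FAILED=0

echo ==== %DATE% %TIME% trust check for %TRUSTED_DOMAIN% >> "%LOG%"

rem Step 1: the same link test used before the trust was created.
rem Pinging by NetBIOS name also exercises WINS name resolution.
ping -n 2 %TRUSTED_PDC% | find "TTL=" > nul
if errorlevel 1 (
    echo FAIL: no ping reply from %TRUSTED_PDC%, check the link and WINS >> "%LOG%"
    set FAILED=1
    goto done
)

rem Step 2: query the secure channel to the trusted domain and keep
rem the raw output in the log for later troubleshooting.
nltest /sc_query:%TRUSTED_DOMAIN% > "%OUT%" 2>&1
type "%OUT%" >> "%LOG%"

rem nltest reports NERR_Success when the secure channel is healthy.
find "NERR_Success" "%OUT%" > nul
if errorlevel 1 (
    echo FAIL: secure channel to %TRUSTED_DOMAIN% is not healthy >> "%LOG%"
    set FAILED=1
) else (
    echo OK: trust with %TRUSTED_DOMAIN% verified >> "%LOG%"
)

:done
if exist "%OUT%" del "%OUT%"
rem A non-zero exit code lets the task scheduler flag the failure.
endlocal & exit /b %FAILED%
```

The script only reports the state of the trust; a failed trust still has to be removed and recreated at both ends as described above.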
Conclusion
Establishing a domain trust relationship is clearly not difficult, but it does take time and effort. Remember to make sure that WINS is running in both networks before you start the configuration; this avoids many of the problems that can occur when establishing domain trust relationships.