Troubleshooting AD Trusts

  • 8/8/2019 Troubleshooting AD Trusts

    Troubleshooting trusts

    Updated: January 21, 2005

    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

    What problem are you having?

    • Clients are unable to access resources in a domain outside of the forest.
    • Trust errors between servers or workstations.
    • Trust errors between Windows NT 4.0 and Active Directory domains.
    • After upgrading a Windows NT 4.0 domain with existing trusts to Active Directory domains, you encounter various trust-related problems.
    • Cannot connect to a domain controller running Windows 2000.

    Clients are unable to access resources in a domain outside of the forest.

    Cause: A failure has occurred on the external trust between the domains.

    Solution: Reset and verify the trust between the domains. The PDC emulator master must be available for a trust to be successfully reset.

    See also: Verify a trust; Operations master roles; When to create an external trust

    Trust errors between servers or workstations.

    Cause: Incorrect time synchronization between domain controllers or workstations, the server could be down, or the trust relationship could be broken.

    Solution: Run Netdom to verify, reset, or establish the trust between computers. This command-line tool performs batch management of trusts, verifies trusts and secures channels between computers, and can join computers to domains.

    See also: Install Windows Support Tools

    Trust errors between Windows NT 4.0 and Active Directory domains.

    Cause: Automatic trust password resets for the trust may not reach the PDC emulator master role holder.

    Solution: Run Netdom to verify, reset, or establish trust between computers. This command-line tool performs batch management of trusts, verifies trusts and secures channels between computers, and can join computers to domains. If this does not help solve the issue, see article Q317178, "Windows NT 4.0 Domain Updates Trust Account Password on Non-PDC," in the Microsoft Knowledge Base.
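
One way to script the verify-then-reset sequence from the solutions above, as an added example that is not part of the original article. The domain and computer names are caller-supplied arguments; the script assumes Netdom returns a non-zero exit code on failure and that it runs under an account with administrative rights in both domains.

```bat
@echo off
rem Added example (not from the original article). Requires Netdom from the
rem Windows Support Tools. Domain and computer names are supplied by the caller.
rem Assumptions: netdom returns a non-zero exit code on failure, and the
rem current account has administrative rights in both domains.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 TRUSTING_DOMAIN TRUSTED_DOMAIN [MEMBER_COMPUTER]
    exit /b 2
)
set "TRUSTING=%~1"
set "TRUSTED=%~2"
set "MEMBER=%~3"

rem The PDC emulator master must be available for a trust reset to succeed.
echo === PDC emulator for %TRUSTING% ===
netdom query /d:%TRUSTING% pdc
if errorlevel 1 echo WARNING: could not locate the PDC emulator; a reset will fail.

rem Clock skew between domain controllers is one listed cause of trust errors.
echo === Time offsets of domain controllers in %TRUSTING% ===
w32tm /monitor /domain:%TRUSTING%

echo === Verifying trust from %TRUSTING% to %TRUSTED% ===
netdom trust %TRUSTING% /d:%TRUSTED% /verify
if not errorlevel 1 goto member

echo Verification failed; resetting the trust password and verifying again.
netdom trust %TRUSTING% /d:%TRUSTED% /reset
netdom trust %TRUSTING% /d:%TRUSTED% /verify
if errorlevel 1 (
    echo Trust is still broken. Check the PDC emulator and time output above.
    exit /b 1
)

:member
rem Optional: check one computer's secure channel to its own domain.
if "%MEMBER%"=="" goto done
echo === Verifying secure channel of %MEMBER% ===
netdom verify %MEMBER% /d:%TRUSTING%
if not errorlevel 1 goto done
netdom reset %MEMBER% /d:%TRUSTING%
if errorlevel 1 exit /b 1

:done
echo Trust checks completed.
exit /b 0
```

If the current account lacks rights in one of the domains, add the `/ud:` and `/pd:*` (trusted domain) or `/uo:` and `/po:*` (trusting domain) options to the `netdom trust` lines.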

    After upgrading a Windows NT 4.0 domain with existing trusts to Active Directory domains, you encounter various trust-related problems.

    Cause: When the domain has been upgraded, the existing trusts to Active Directory domains remain Windows NT 4.0 trusts. Internet Protocol Security (IPSec) cannot work over a Windows NT 4.0 trust. Or, trusts to other domains in the forest are no longer available.

    Solution: After upgrading a Windows NT 4.0 domain to an Active Directory domain, it is recommended that you delete and recreate all previously existing trusts with Active Directory domains. If this does not solve the issue, see article Q275221, "Trusts Unavailable on Backup Domain Controllers After Upgrading the Windows NT Primary Domain Controller," in the Microsoft Knowledge Base.

    See also: Install Windows Support Tools; Upgrading from a Windows NT domain

    Cannot connect to a domain controller running Windows 2000.

    Cause: You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.

    Solution: Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

    See also: Connecting to domain controllers running Windows 2000