Re: Domain was in the wrong state to perform the security operation

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/01/04


Date: Sat, 01 May 2004 01:23:03 GMT

I should add that changes to security policy will not take effect right away. At
minimum run " gpupdate /target:computer /force " on the W2003 server where you
configured changes and if possible also reboot it. -- Steve

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:WWCkc.1625$_41.70029@attbi_s02...
> Hmm. I have never set up a trust between NT4.0 and W2003. I do know that W2003 has
> security options that can cause problems with NT domains but first you need to make
> sure that netbios name resolution is working correctly between the domains and you
> can try having the wins servers in each domain be replication partners with each
> other being sure that the W2003 domain controllers are also wins clients so that they
> register the domain controller records. Alternatively you could try to use lmhosts on
> the domain controllers in each domain with entries for the domain controllers in the
> other domain as described in the KB link below.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;180094
> http://support.microsoft.com/default.aspx?scid=kb;en-us;262655 lmhosts entries are
> case sensitive
>
> If that does not help then you may need to back down some of the security options in
> the Domain Controller Security Policy. See the link below to the W2003/XP Threats and
> Countermeasures guide and read the comments on "potential impact". In particular read
> the security options on "anonymous enumeration". I would suggest disabling both of
> those settings. You may also need to change "let everyone permissions apply to
> anonymous users" to disabled. In addition I would disable "network server: digitally
> sign communications always" until you resolve trust issue.
>
> http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch05.mspx
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- more info on
> incompatible settings.
>
> If none of that helps, I suggest you may also want to post in one of the
> Active_directory newsgroups including the win2000 one as there are a lot of
> experienced Active Directory people over there that know a lot about trust issues.
> Good luck. --- Steve
>
> "Lillian" <anonymous@discussions.microsoft.com> wrote in message
> news:6d5701c42ef9$bec655a0$a101280a@phx.gbl...
> > Steve:
> >
> > I tried to select "domain-wide authentication" instead
> > of "selective authentication", and it worked, but when I try to
> > validate on NT2003 server, it says "verification of trust
> > between domain traing.gov and domain infoservices was
> > unsuccessful because there are currently no logon servers
> > available to service the logon request, to repair a trust
> > a pre-windows 2000 domain you must remove and re-add the
> > trust on both sides."
> >
> > I created same user name: trust on NT2003 server and
> > NT4 server, on NT2003 has administrators, domain admins,
> > domain users privilege, on the NT4 server has
> > administrators, domain admins, domain users privilege,
> > same thing, but before I click validate, it says "need
> > have admin privilege on infoservice", which trust has, so
> > what is going on with this?
> >
> > Thanks for all the help.
> >
> > Lillian
> >
> > >-----Original Message-----
> > >I experienced that once in setting up external forest trusts between two
> > >W2003 domains. The problem was I was trying to set up a trust using
> > >"selective authentication" and the forest was not at the proper forest
> > >functional level which needed to be W2003 level I believe. So you may want to
> > >try not using selective authentication option in creating the trust which is
> > >probably only possible for a trust incoming into W2003. Selective
> > >authentication allows a W2003 domain to only allow trusted domain access to
> > >servers that have the "allowed to authenticate" permission assigned in AD on
> > >the server object to domain users in the trusted domain. --- Steve
> > >
> > >
> > >"llian" <anonymous@discussions.microsoft.com> wrote in message
> > >news:6b5701c42ed8$ac8d46d0$a301280a@phx.gbl...
> > >> I have NT2003 AD server and NT4(PDC) server, I need to
> > >> created trust in between, when I following step by step
> > >> from the article from the microsoft.
> > >> NT2003 server, is "glc.training.gov".
> > >> NT4 server, the domain name is "infoservices".
> > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;325874
> > >> 1). From NT4 I created Trusted domains(Training)
> > >> 2). From NT2003 I created incoming trust (infoservices).
> > >> 3). did the verify, successful.
> > >> 4). From the NT2003 server, I created outgoing trust
> > >> (infoservices), then cannot continue, it says "The trust
> > >> relationship cannot be created because the following
> > >> error occurred. The operation failed, the error is: the
> > >> domain was in the wrong state to perform the security
> > >> operation", I have no idea what is that mean. need help.
> > >>
> > >> Thanks.
> > >>
> > >> Lillian
> > >
> > >
> > >.
> > >
>
>
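
An added example, not part of the original posts: a read-only PowerShell report of the registry values that back the security options named in the reply above, for confirming that a policy change really applied after `gpupdate` and that anything relaxed while troubleshooting the trust is restored afterwards. The registry value names are the standard ones behind these settings; the function name `Get-TrustPolicyState` is hypothetical, and PowerShell being installed on the server is an assumption.

```powershell
# Added example (not from the thread): read-only report of the registry values
# behind the security options discussed above. Run elevated on the W2003 DC.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Restrictive = the value the hardened form of each policy setting writes.
$checks = @(
    @{ Option = 'Do not allow anonymous enumeration of SAM accounts'
       Path = $lsa; Name = 'RestrictAnonymousSAM'; Restrictive = 1 },
    @{ Option = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Restrictive = 1 },
    @{ Option = 'Let Everyone permissions apply to anonymous users'
       Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Restrictive = 0 },
    @{ Option = 'Microsoft network server: Digitally sign communications (always)'
       Path = $srv; Name = 'RequireSecuritySignature'; Restrictive = 1 }
)

# Hypothetical helper: returns one object per option with its effective state.
function Get-TrustPolicyState {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: no policy has written it, the OS default is in effect.
            $value = $null
            $state = 'not set (OS default applies)'
        } elseif ($item.($c.Name) -eq $c.Restrictive) {
            $value = $item.($c.Name)
            $state = 'restrictive'
        } else {
            $value = $item.($c.Name)
            $state = 'relaxed'
        }
        New-Object PSObject -Property @{
            Option = $c.Option; Value = $value; State = $state
        }
    }
}

# Run before the change, after "gpupdate /target:computer /force", and again
# once the trust validates, to confirm relaxed settings were put back.
Get-TrustPolicyState -Checks $checks |
    Select-Object Option, Value, State |
    Format-Table -AutoSize -Wrap
```

Saving the output of each run to a file gives a before/after record of what was changed on the domain controller while the trust was being debugged.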


