Zone: > Microsoft News > microsoft.public.windows.server.active_directory Tags:
Eric <Eric_m@no
Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 10:05:43 AM

Hello,

We have several trusted domains in our company. Some of them are still
using Windows NT domain.
Every domain is trusted with the same Active Directory domain.

The trust relationships are working correctly but we have a problem
with a specific trusted domain.

Indeed, when we are connected to a server member of this specific NT
domain, we cannot display users of our AD trusted domain.
We have an error "Cannot display objects from this location because of
the following error : The specified domain either does not exist or
could not be contacted"

And then if we open port 137/UDP and 138/UDP from the specific server
member of NT and the PDC EMULATOR of our AD domain, then it works.

I don't understand why in this specific situation I need to open those
ports as they are not needed for my other trusted NT domain.

Moreover this means I have to open those ports for every member server
to our PDC emulator which is not very clean in terms of security.

Do you have any idea of the problem here ?
Is it a bad WINS configuration ? A computer browser specific
configuration ?

Thank you !

--
Eric


Meinolf Weber [
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 10:08:30 AM

Hello Eric,

You need them.

See here for all needed ports in a trust:
http://support.microsoft.com/kb/179442/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm




"Ace Fekay [MCT
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 1:14:26 PM

As Meinolf stated, that's an absolute requirement with NT4. NT4 is NetBIOS
based, unlike AD which is DNS based. Also, if your ports are that tightened
down, you may be blocking other necessary ports that are required for
communications.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


"Paul Bergson [
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 1:21:52 PM

Those are required as Meinolf pointed out. The NetBIOS piece is what is
biting you.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.



Eric <Eric_m@no
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 1:42:17 PM

Hi,

thank you for your answer.

Do you agree that these port requirements are needed for MEMBER
Servers ?

When I read the KB, I understand that these ports need to be opened
between PDC and DC but not between MEMBER servers and the PDC Emulator
of the trusted domain.

Thank you


--
Eric


"Ace Fekay [MCT
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 3:05:23 PM


If any clients are to resolve and connect to the resources on the NT4
machine, they will need NetBIOS opened.

Ace




Eric <Eric_m@no
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 3:37:29 PM

Actually they don't need to connect to the resources on the NT4
machine.

I am using a Windows 2003 server member of a PDC NT4 domain.
The PDC NT4 domain is trusted (bidirectional trust) with an Active
Directory domain.

I want to list my AD domain users from my Windows 2003 server member of
my NT4 domain.

Perhaps I am wrong but in the KB quoted above, it seems that I need to
open only port 138/UDP.

Am I wrong ?

Thank you


--
Eric


"Ace Fekay [MCT
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ?
11/30/2009 8:11:43 PM



You will also need 139 and all the UDP service response ports opened (also
known as ephemeral ports: UDP 1024-5000 and if 2008 is involved, may as well
open the whole UDP range).

So what other ports have you not opened?

Also, can you elaborate on this sentence, please?
> I want to list my AD domain users from my Windows 2003 server member of my
> NT4 domain.

Where do you want to "list" the users on the NT4 side? In a resource (shared
permissions & security tab permissions or printer properties) or somewhere
else?

Ace
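
The least-privilege concern raised in this thread can be checked mechanically. The following is an added example, not part of any post above: a Python check that compares firewall allow rules with the NetBIOS flows discussed here (137/UDP, 138/UDP, 139/TCP) and reports which member servers still lack a flow to the PDC emulator and which rules admit more sources or ports than that set. The rule format, addresses and rule names are constructed for illustration, and the required port set is an assumption passed as a parameter.

```python
import ipaddress
from dataclasses import dataclass

# NetBIOS over TCP/IP ports discussed in the thread:
# 137/UDP name service, 138/UDP datagram service, 139/TCP session service.
NETBIOS = frozenset({("udp", 137), ("udp", 138), ("tcp", 139)})

@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # source CIDR
    dst: str    # destination CIDR
    proto: str  # "udp" or "tcp"
    lo: int     # first port, inclusive
    hi: int     # last port, inclusive

def audit(rules, pdc, members, required=NETBIOS):
    """Return (missing flows, names of rules wider than the required flows)."""
    pdc_ip = ipaddress.ip_address(pdc)
    member_ips = {ipaddress.ip_address(m) for m in members}
    allowed, review = set(), []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if pdc_ip not in dst:
            continue  # rule does not reach the PDC emulator
        ports = {(p, n) for p, n in required if p == r.proto and r.lo <= n <= r.hi}
        inside = {m for m in member_ips if m in src}
        allowed |= {(m, p, n) for m in inside for p, n in ports}
        # Wider than needed: unlisted source hosts, or ports outside the required set.
        if src.num_addresses > len(inside) or (r.hi - r.lo + 1) > len(ports):
            review.append(r.name)
    wanted = {(m, p, n) for m in member_ips for p, n in required}
    missing = sorted((str(m), p, n) for m, p, n in wanted - allowed)
    return missing, review

# Constructed sample: addresses and rule names are illustrative only.
PDC = "10.0.0.10"
MEMBERS = ["10.1.5.20", "10.1.5.21"]
RULES = [
    Rule("nbns-member-20", "10.1.5.20/32", "10.0.0.10/32", "udp", 137, 138),
    Rule("nbss-member-20", "10.1.5.20/32", "10.0.0.10/32", "tcp", 139, 139),
    Rule("nb-whole-subnet", "10.1.5.0/24", "10.0.0.0/24", "udp", 137, 138),
    Rule("udp-wide", "10.1.5.21/32", "10.0.0.10/32", "udp", 1024, 5000),
]

if __name__ == "__main__":
    print(audit(RULES, PDC, MEMBERS))
```

If the ephemeral UDP range mentioned in the last reply is also required in a given environment, add it to `required` so that such rules are treated as expected rather than listed for review.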



All Times Are GMT