NET USE Attempt Across Domains Fails Without Name Resolution

When you attempt to use either Net.exe USE or Net.exe VIEW from a client in a trusted domain to a domain controller in a trusting domain, you receive the following error:

This error may occur in environments where Windows Internet Name Service (WINS) is being used or where one or more LMHOSTS files are maintained on the clients and servers. Communications utilities such as Ping.exe and Tracert.exe will show that the interdomain communications are working properly and that name resolution activity from the client is performing as expected.

When a NET command to a remote system on another domain is initiated, the current credentials (user name, password, domain) are passed as part of the request. If the client is logged on to the trusted domain, those credentials are used in the pass-through authentication process from the domain controller in the trusting domain.

The domain controller in the trusting domain should be able to locate a domain controller in the trusted domain through some type of name resolution, normally from WINS or an LMHOSTS file. The failure in this instance is that the domain controller receiving the NET command cannot use pass-through authentication with the credentials provided to locate and authenticate the client back to the trusted domain. The above error will occur when one or more of the following conditions have been met:

• 00 (domain name), 1C, and 1B entries for the trusted domain are not properly replicated from a WINS server in the trusted domain to a WINS server used by the domain controller performing the pass-through authentication.
• 00 (domain name), 1C, and 1B entries for the trusted domain have been removed from, or are corrupted, in the WINS server database in the trusting domain.
• If WINS is not used and an LMHOSTS file is present on the domain controller performing the pass-through authentication, the necessary 00, 1C, and 1B entries are missing or are incorrectly entered in the file.
• If WINS is not used and an LMHOSTS file is NOT present on the domain controller performing the pass-through authentication, the authentication process will fail.

To allow cross-domain authentication, one or more domain controllers in the trusting domain must be able to locate a domain controller in the trusted domain. This capability can be provided by ensuring that the trusting domain controllers have access to some type of NetBIOS name resolution process that maintains the proper records (00 for domain name, 1B for domain master browser, and 1C for multiple domain controllers).

When using WINS in this instance, it will be necessary to verify that the domain controller or controllers in the trusting domain point to a WINS server that maintains the correct entries for the trusted domain that the client is logged on to. WINS replication between the two domains will be required to populate the requisite WINS database on the trusting domain from a WINS server in the trusted domain. If this replication cannot occur, or the entries in the trusting domain's WINS server are corrupted and name resolution is failing, the above-mentioned error will occur.

If WINS in not in use in the environment, an LMHOSTS file will be required and should be located in %Winnt_Root%\System32\Drivers\Etc.

For additional information, please see the following articles in the Microsoft Knowledge Base: