The RestrictAnonymous value breaks the trust in a mixed-domain environment

Article translations Article translations
Article ID: 296403 - View products that this article applies to.
This article was previously published under Q296403
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
Expand all | Collapse all

Symptoms

When you try to add users or global groups from a trusted Windows NT 4.0 domain with Active Directory Users and Computers on a Windows 2000 domain controller, the following error occurs when you click the trusted domain name in the Look In box of the object picker:
Cannot display objects from this location because of the following error:

The trust relationship between the primary domain and the trusted domain failed.
If you are doing a NLtest SC_QUERY, you may receive either or all of the following error messages:
Error_No_logon_server
The domain name domain cannot be contacted.

Cause

This problem occurs because the RestrictAnonymous value is set to level 2 on the Windows 2000 domain controller.

Resolution

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem, set the RestrictAnonymous value to 0 or 1 on the Windows 2000 domain controller:
  1. Open Registry Editor, and then navigate to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
  2. Set the following values:
    Value: RestrictAnonymous
    Value Type: REG_DWORD
    Value Data: 0x1 or 0x0(Hex)
  3. Restart the domain controller.
  4. Break, and then re-establish the trust.

Status

Microsoft has confirmed that this is a problem in Windows 2000.

More information

This problem only occurs in an environment where there is a two-way trust between a Windows NT 4.0 and Windows 2000 domain. You should only use the level 2 setting for RestrictAnonymous in a pure Windows 2000 environment.

For more information about RestrictAnonymous in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000

Properties

Article ID: 296403 - Last Review: October 26, 2013 - Revision: 2.0
Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Standard Edition
Keywords: 
kbnosurvey kbarchive kbenv kbprb KB296403

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com