Author: NetworkAdminKB.com
Created: 2011-06-02
Modified: 2011-07-11
Information:
For purely academic reasons I decided to test what everyone takes for granted, that two domains with the same NetBIOS names cannot establish a trust. For this test, I created two domains with the same Domain NetBIOS names and different Domain DNS names and placed them on separate subnets so NetBIOS Broadcasts would be eliminated as a form of communication, and I did not configure any WINS addresses on these servers. Here is the basic information about my test configuration.
| DC Name | Domain NetBIOS Name | Domain DNS name | IP Address | WINS | NetBIOS Enabled |
|---|---|---|---|---|---|
| Testdc1 | ABC1 | testdomain1.net | 192.168.101.130 | None | See tests |
| Testdc2 | ABC1 | testdomain2.net | 192.168.1.150 | None | See tests |

The following are screenshots from the initial domain installation for each domain.

After the domains were installed I raised the Domain and Forest Functional Levels to Windows 2003.

Notes: A new DNS server was installed on each of the TESTDCs.
Then I configured DNS forwarding.

Test #1
Attempted to set up trusts with NetBIOS enabled in the TCP/IP settings of TESTDC1 and TESTDC2.

From testdc2.testdomain2.net I attempted to create a two-way trust, as shown in the following screenshots.

Result:
Cannot Continue
The operation failed. The error is: This operation cannot be performed on the current domain.

Test #2
Attempted to set up a trust with NetBIOS disabled in the TCP/IP settings of TESTDC1 and TESTDC2.

Attempted to create a two-way trust by creating each side separately.

The following error was returned:
Cannot Continue
The operation failed. The error is: This operation can not be performed on the current domain.

Obviously, the duplicated NetBIOS name is causing each DC to try to establish a trust with itself.

Test #3-9
In the end I attempted all of the following:
- Forest Trusts with Domain wide and Selective Authentication
  - Both two-way and one-way trusts
- External Trusts with Domain wide and Selective Authentication
  - Both two-way and one-way trusts
None of these worked; they all failed with the same error message.

Test #10
I disabled the NetBIOS over Tcpip driver (nbt.sys).

The computer needs to be rebooted for this change to take effect.
After the reboot, the following message appeared on each DC respectively.
Event ID: 40960
Source: LSASRV
Description:
The security system detected an authentication error for the server ldap/testdc2.testdomain2.net. The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request. (0xc000005e).”

The attempt to create the trust failed after only the second screen with the following error.
Cannot Continue:
The Local Security Authority is unable to obtain an RPC connection to the domain controller testdc1.testdomain1.net. Please check that the name can be resolved and that the server is available.

Summary:
Obviously Microsoft is correct: you cannot create a trust between two domains with the same NetBIOS name, because NetBIOS is still being used. Simply disabling NetBIOS on the TCP/IP properties page does not remove the NetBIOS dependencies, and my attempt to remove NetBIOS totally by disabling the NetBIOS over Tcpip driver causes immediate issues for Active Directory.
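
A pre-flight check for the condition these tests confirm, as an added example that is not part of the original article: it reads each domain's NetBIOS name and reports duplicates before a trust is attempted. It assumes the ActiveDirectory PowerShell module on the admin workstation and Active Directory Web Services on the queried domain controllers; the function name Test-TrustNetBIOSCollision is hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Added example (hypothetical helper, not from the article).
# Reports domains that share a NetBIOS name, the condition that made
# every trust type in the tests above fail.
function Test-TrustNetBIOSCollision {
    [CmdletBinding()]
    param(
        # DNS names of the domains that will sit on either side of a trust.
        [Parameter(Mandatory)][string[]]$DomainDnsName,
        # Optional map of DNS name -> PSCredential for domains that need
        # alternate credentials (no trust exists yet, so this is common).
        [hashtable]$Credential = @{}
    )

    $domains = foreach ($name in $DomainDnsName) {
        $params = @{ Identity = $name; Server = $name; ErrorAction = 'Stop' }
        if ($Credential.ContainsKey($name)) { $params.Credential = $Credential[$name] }
        try {
            $d = Get-ADDomain @params
            [pscustomobject]@{
                DnsName     = $d.DNSRoot
                # NetBIOS names are case-insensitive, so normalize before grouping.
                NetBIOSName = $d.NetBIOSName.ToUpperInvariant()
            }
        } catch {
            # An unreachable domain is reported rather than silently skipped.
            Write-Warning "Could not query ${name}: $($_.Exception.Message)"
        }
    }

    # Any NetBIOS name claimed by more than one domain is a collision.
    $domains | Group-Object NetBIOSName | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            NetBIOSName = $_.Name
            Domains     = $_.Group.DnsName -join ', '
        }
    }
}

# Domain DNS names taken from the test configuration table above.
$collisions = Test-TrustNetBIOSCollision -DomainDnsName 'testdomain1.net', 'testdomain2.net'
if ($collisions) {
    $collisions | Format-Table -AutoSize
    Write-Warning 'Duplicate NetBIOS domain names found: trust creation will fail.'
}
```
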
More Information:
Direct hosting of SMB over TCP/IP
How to: Disable NetBIOS over TCP/IP
Article ID: 430, Created On: 10/6/2011, Modified: 10/6/2011