Regardless of the protocols being used, when you try to
establish a trust, you may receive the following error message:
Could not find domain controller for this domain.
may receive this error message even though LMHOSTS files and the WINS database
are correct and there are nNo connectivity problems on the
network. Also, you may see the following information in a network trace:
SMB R session setup & X - NT error, System, Error, Code = (109) STATUS_LOGON_FAILURE
Windows NT 4.0 Service Pack 3 and in a hotfix for Windows
NT 3.51 have a registry setting that permits administrators to restrict the
ability for anonymous logon users (also known as NULL session connections) to
list account names and enumerate share names. This registry setting also
restricts a trusting domain from establishing a connection to the trusted
primary domain controller to establish a trust relationship.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Set the RestrictAnonymous
value to 0 in
the registry, or remove the value to establish the trust.
- Open Registry Editor.
- Locate the following key in the registry:
- Click to select the following value:
- On the Edit menu, click
DWORD, and then change the data (value) to 0, as indicated in
the following information:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
- Exit Registry Editor, and then restart the computer for the
change to take effect.
has confirmed that this is a problem in the Microsoft products that are listed
at the beginning of this article.
Microsoft is researching this problem and will post more information in this
article when the information becomes available.
The registry value configures the local system policy to
determine whether users must authenticate to perform common enumeration
functions. Requiring authentication to obtain the account name list is an
optional feature. When the RestrictAnonymous
value is set to 1, users who make anonymous connections from the
Graphical User Interface tools for security management receive an "access
denied" error message when they try to obtain the list of account names. When
value is set to 0, or the value is not defined, anonymous
connections can list account names and enumerate share names. However, although
you set the value of RestrictAnonymous
to 1, the user interface tools with the computer does not list
the account names. However, there are Win32 programming interfaces that support
individual name lookup and do not restrict anonymous connections.
Windows NT networks using a multiple domain model can restrict anonymous
connections without loss of functionality. To disable anonymous connections,
administrators in resource domains must add members of trusted account domains
to specific local groups before they change the value for the
registry entry. Users who log on by using accounts from trusted account domains
continue to use authenticated connections to obtain the list of account names.
This helps to manage security access control.