Creating External Trusts May Succeed with Cached Password

ID: Q242770

The information in this article applies to:

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Server
Microsoft Windows NT Server versions 4.0 SP4, 4.0 SP5, 4.0 SP6

SYMPTOMS

When you create a trust relationship successfully, delete it, and re-create it with incorrect passwords, the trust may be (mistakenly) successfully re-created. This behavior can occur with down-level and external trusts, and can occur if you:

Create one direction of trust successfully.

Create a second direction of trust successfully.

Delete the second direction of trust.

Re-create the second direction of trust with an incorrect password. The trust is created successfully with the incorrect password.

NOTE: This is not a problem when you are resetting trust relationships. The correct password must be entered for the old password to be changed.

CAUSE

The Netlogon service caches old passwords for trusts. Until a trust is completely destroyed, old passwords are available to validate a trust created with an incorrect password.

RESOLUTION

To correct this, delete the trust from both sides of the trust relationship.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

Additional query words:

Keywords : kbenv kbtool
Version : WINDOWS:2000; winnt:4.0 SP4,4.0 SP5,4.0 SP6
Platform : WINDOWS winnt
Issue type : kbprb