When patch MS04-011 (KB835732) was applied on the Active Directory DCs, all communications with NT trust relationships (NT servers) went down. The problem was verified when some users tried to access the DEVSAP server machine (NT 4 Server running SP5 with a lot of patches still to be applied, running the Development SAP environment). The AD administrators were receiving a lot of messages from those NT servers over branch offices. We made the roll-out, but without success. The problem still remains. After a lot of unsuccessful tries, we found information on the Internet about lost trust between domains.
What was done to correct the problem? The "Restricted Anonymous" settings were flagged on all Domain Controllers. After we set it, we just restarted all Domain Controllers, and the communication and trust were up once again.
The following error message appeared when we tried to log on to the NT server:
"The system cannot log you on this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect."
Would you have some hints about what we can do in this case to resolve this problem? We still need to apply the patches on the DCs, but we need to make it secure (it must not stop the logon on NT servers).
This was first published in August 2004