When you upgrade your Windows NT 4.0 PDC, trusts to other domains in the forest do not become available to your downlevel BDCs.
When you add users and groups from other domains, you receive 'Access Denied' when they attempt to use resources on the BDCs. If you view permissions, these users and groups are displayed as 'account unknown'.
This problem occurs because Windows 2000 fails to log the added trusts in the downlevel replication log, Netlogon.chg. Because the newly created trusts are not logged, they are not replicated.
You can work around this problem with either of the following:
Delete the Netlogon.chg file. This causes a new log to be created and forces a full synchronization of all downlevel domain controllers.
On each BDC, open a CMD prompt, or schedule a batch, that contains:
net accounts /sync