Microsoft KB Archive/140329

= Trust Relationships Fail with Large Number of Trusted Domains =

Article ID: 140329

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows NT Server 3.51

-



This article was previously published under Q140329





SYMPTOMS
Windows NT Backup Domain Controllers do not list all trusted domains during logon when there are more than twenty trust relationships.

Trusted domain users from domains that do not show up in the Backup Domain Controller's list of domains during logon receive access denied errors when attempting to use resources on the Backup Domain Controller.



CAUSE
This occurs because the full list of trusted domains is not replicated to Backup Domain Controllers. Since the Backup Domain Controllers do not have a complete list of trusted domains, they do not setup a secure channel with Domain Controllers that exist in Domain accounts that did not replicate. This results in access denied errors on clients from trusted domains because there is no way for pass-through validation to occur.

The complete list of trusted domains does not replicate to Backup Domain Controllers because Netlogon does not indicate all the trusted domain accounts to replicate. Replication fails when Netlogon calls the LSA to get the complete list of domain accounts to replicate during a synchronization. Netlogon fails because it replicates domain names when it receives STATUS_SUCCESS back from the LSA, however with a large number of trusted domain names the LSA may return STATUS_MORE_ENTRIES instead of STATUS_SUCCESS. The LSA returns STATUS_MORE_ENTRIES if the default buffer supplied by Netlogon (1k in size) is too small to hold the complete list of domain names. As a result, if there are too many domains to fit in the 1k buffer, Netlogon ignores all but the last group of domain names returned by the LSA when STATUS_SUCCESS is received.



RESOLUTION
This problem has been corrected in the latest Service Pack for Windows NT version 3.51.



STATUS
Microsoft has confirmed this to be a problem in Windows NT version 3.51. This problem was corrected in the latest Windows NT 3.51 U.S. Service Pack. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

S E R V P A C K

Additional query words: incomplete

Keywords: kbnetwork KB140329

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.