
= Windows 2000 Member Computers Always Authenticate with PDC in NT 4.0 Domain =

PSS ID Number: 272348

Article Last Modified on 11/20/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional




This article was previously published under Q272348



SYMPTOMS
Windows 2000-based host computers that are joined to a Microsoft Windows NT 4.0-based domain may always establish a secure channel with the primary domain controller (PDC).



CAUSE
This problem can occur because when a Windows 2000-based computer is joined to a domain, the join process caches the domain controller (DC) that was used to join the domain. When the computer restarts for the first time after it joins the domain, the computer reads the cached information from the registry, and then uses that DC to set up a secure channel. This is done to make sure that the computer is communicating with the DC that has the correct account information. However, this cached information is not removed unless Kerberos authentication is used, and a Windows NT 4.0-based domain does not provide Kerberos authentication. Because of this, a Windows 2000-based host always uses the cached information to establish a secure channel with the PDC.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

  File Name      Size     Time   Date       Version         Platform
  -------------------------------------------------------------------
  Netlogon.dll   366,352  09:12  2/8/2001   5.0.2195.2865   i386
  Ntdsa.dll      910,608  09:12  2/8/2001   5.0.2195.2864   i386
  Samsrv.dll     362,256  09:12  2/8/2001   5.0.2195.2864   i386
  Instlsa5.dll   521,488  09:11  2/8/2001   5.0.2195.2867   i386
  Kdcsvc.dll     140,560  09:12  2/8/2001   5.0.2195.2862   i386
  Kerberos.dll   198,928  18:19  1/29/2001  5.0.2195.2862   i386
  Ksecdd.sys      69,456  19:15  1/26/2001  5.0.2195.2862   i386
  lsasvr.dll     503,568  09:12  2/8/2001   5.0.2195.2867   i386
  Lsass.exe       33,552  18:04  1/30/2001  5.0.2195.2867   i386
  Msv1_0.dll     108,816  18:19  1/29/2001  5.0.2195.2862   i386
  Netapi32.dll   311,056  09:12  2/8/2001   5.0.2195.2808   i386
  Adsldpc.dll    130,320  09:12  2/8/2001   5.0.2195.2842   i386
  Dnsapi.dll     133,904  09:12  2/8/2001   5.0.2195.2785   i386
  Dnsrslvr.dll    90,896  09:12  2/8/2001   5.0.2195.2778   i386
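The "or later" comparison against the file table, as an added example that is not part of the original article: a Python check of a collected file-version inventory against a subset of the table's minimum versions. The inventory is constructed sample data, and the names `FIX_MINIMUMS`, `parse_version` and `below_fix_level` are hypothetical.

```python
# Added example: audit a file-version inventory against the fix table.
# Minimum versions copied from a subset of the article's table (i386);
# extend the dictionary with the remaining rows as needed.
FIX_MINIMUMS = {
    "netlogon.dll": "5.0.2195.2865",
    "kerberos.dll": "5.0.2195.2862",
    "msv1_0.dll": "5.0.2195.2862",
    "netapi32.dll": "5.0.2195.2808",
    "lsass.exe": "5.0.2195.2867",
}


def parse_version(text):
    """Turn '5.0.2195.2865' into (5, 0, 2195, 2865) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def below_fix_level(inventory):
    """Return sorted [(file, found, required)] for listed files older than the fix.

    Files that are not in FIX_MINIMUMS are ignored; files missing from the
    inventory are not reported, because the inventory may be partial.
    """
    findings = []
    for name, found in inventory.items():
        required = FIX_MINIMUMS.get(name.lower())
        if required and parse_version(found) < parse_version(required):
            findings.append((name.lower(), found, required))
    return sorted(findings)


# Constructed sample inventory for one member computer (not real data).
SAMPLE_INVENTORY = {
    "Netlogon.dll": "5.0.2195.2103",  # older than the fix
    "Kerberos.dll": "5.0.2195.2862",  # exactly the fix version
    "Msv1_0.dll": "5.0.2195.10000",   # later build; a string compare misorders it
    "Netapi32.dll": "5.0.2195.2780",  # older than the fix
    "Notepad.exe": "5.0.2140.1",      # not part of the fix, ignored
}

if __name__ == "__main__":
    for name, found, required in below_fix_level(SAMPLE_INVENTORY):
        print(f"{name}: {found} is older than {required}")
```

Comparing the versions as integer tuples matters because a plain string comparison would rank the constructed build `5.0.2195.10000` below `5.0.2195.2862`.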



WORKAROUND
To work around this problem, stop the Netlogon service on the PDC before the Windows 2000-based host starts. The host attempts to authenticate with the PDC, and then attempts authentication with a backup domain controller (BDC). After this occurs, the computer uses the expected behavior to find a DC for authentication rather than using the cached information.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.



MORE INFORMATION
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords: kbbug kbenv kbfix kbnetwork kbWin2000PreSP2Fix KB272348

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch



© 2004 Microsoft Corporation. All rights reserved.