Microsoft KB Archive/302597

= Netlogon 5730 Events on a Windows NT 4.0 Backup Domain Controller in a Windows 2000 Domain =

Article ID: 302597

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q302597



SYMPTOMS
In a Windows 2000 mixed-mode domain, NT 4.0 backup domain controllers (BDCs) do not replicate, and the following event is recorded in the System log:

Event Type: Error

Event Source: NETLOGON

Event ID: 5730

Description:

Replication of the SAM global group 0x201 from primary DC

failed with the following error:

Either the specified user account is already a member of the specified group, or the specified group cannot be deleted because it already contains a member.



CAUSE
This event is generated on a Windows NT 4.0 BDC if a Windows 2000 user object is explicitly a member of its Primary Group. In Windows 2000, the user is not explicitly listed as a member of the Primary Group, but the user is implicitly a member of the group instead. This behavior is necessary because Windows 2000 has a limit of 5000 users per group, and Domain Users is the default group for every user that is created in the domain, which can contain far more than 5000 users.

For additional information about the 5000 users per group limitation, click the article number below to view the article in the Microsoft Knowledge Base:

275523 Setting Primary Group Excludes User from Group Membership in Active Directory

If Active Directory includes the user in their Primary Group, the Windows NT 4.0 BDC interprets this to mean that the user account is a member of the group twice, which the Windows NT 4.0 BDC interprets as an error. To protect the integrity of its SAM database, the Windows NT 4.0 BDC stops replicating any changes from the Windows 2000 primary domain controller (PDC) operations master.

Note: The operations master is also known as flexible single-master operations, or FSMO.



RESOLUTION
To resolve this problem, you need to remove the user object from its Primary Group. To do so:  The event lists the Resource ID (RID) of the group that is holding up the replication. In most cases, the event text is identical to the event that is listed in the &quot;Symptoms&quot; section of the article, indicating that the problem group is Domain Users (0x201). To find a list of RIDs for other built-in objects, refer to the following article in the Microsoft Knowledge Base:

163846 SID Values For Default Windows NT Installations

For groups created by the administrator, you can use the Resource Kit utility Getsid.exe to match an RID with the group name. Check the Resource Kit Tools Help file for more information about the Getsid.exe utility. On the Windows 2000 PDC operations master, open Adisedit.msc, which is installed with the Windows 2000 Support Tool. Open the domain naming context, and find the group that is referenced in the Netlogon event. Right-click it, and then click Properties. View the optional properties of this group. Click the member property from the list of properties. In the Attribute Properties window, the Value(s) box lists all the user objects that are explicitly members of the group. Write these names down. Check the Primary Group of each user that is using Active Directory Users and Computers.</li> If one of the users that is listed as a member of the group that is indicated in the Netlogon event has that group set as its Primary Group, Windows NT 4.0 interprets that as an error and you need to remove this user from the group. To remove this user: <ol style="list-style-type: lower-alpha;"> Using Adisedit.msc, view the properties of the problem group again.</li> Display the values of the member attribute again.</li> Click the problem user, and then click Remove.</li> Click OK.</li></ol> </li> Be sure to check all of the users that are listed in the group.</li></ol>

The change, after it replicates to all domain controllers, should alleviate the symptoms of this problems.

<div class="status_section">

STATUS
This behavior is by design.

Keywords: kbnetwork kbprb KB302597

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.