Microsoft KB Archive/156359

= How to Fix Corrupted Built-In Accounts =

Article ID: 156359

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q156359



SYMPTOMS
The domain may get out of sync, causing logon and other account difficulties. When you examine the Event Logs on the backup domain controllers (BDCs), you may see something similar to the following:

Event 5730 Source Netlogon

Replication of the SAM Global Group rid: 0x200: from Primary
Domain Controller failed with the following error:
Cannot perform this operation on built-in accounts.

This may be accompanied by the following event:

Event 5716 Source Netlogon

The partial synchronization replication of SAM
database from the Primary Domain Controller
failed with the following error:
Cannot perform this operation on built-in accounts.

These messages may also specify replication problems with the LSA and BUILTIN databases.
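The two Netlogon events above are the evidence this article relies on, so before rebuilding domain controllers it is worth confirming that every BDC shows the same pattern against the PDC. The following Python script is an added example and is not part of this KB article or of any Microsoft tool. It assumes each BDC's System log has been dumped to plain text in which every record starts with a line of the form "Event <id> Source <name>" followed by the description lines (the layout used in this article; adapt HEADER_RE to whatever your export tool writes). The sample log embedded in it is constructed; the RID-to-name table covers only the fixed well-known RIDs 0x200-0x202 of the domain's built-in global groups (Domain Admins, Domain Users, Domain Guests).

```python
import re

# Netlogon event IDs that the article associates with SAM replication failures.
SAM_REPLICATION_EVENTS = {
    5730: "replication of a SAM object from the PDC failed",
    5716: "partial synchronization of the SAM database from the PDC failed",
}
# The error text that points at the PDC's built-in accounts (compared case-insensitively).
BUILTIN_ERROR = "cannot perform this operation on built-in accounts"

# Well-known RIDs of the built-in global groups; these values are fixed in every NT domain.
WELL_KNOWN_GROUP_RIDS = {
    0x200: "Domain Admins",
    0x201: "Domain Users",
    0x202: "Domain Guests",
}

# Record header in the assumed dump format: "Event <id> Source <name>".
HEADER_RE = re.compile(r"^Event\s+(\d+)\s+Source\s+(\S+)\s*$", re.IGNORECASE)
# "rid: 0x200:" as printed by event 5730 (hex with 0x prefix, or plain decimal).
RID_RE = re.compile(r"\brid:\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def parse_events(text):
    """Parse a text dump into records: a header line starts a record, and every
    following non-blank line up to the next header is part of its description."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"event_id": int(m.group(1)), "source": m.group(2), "lines": []}
            records.append(current)
        elif current is not None:
            current["lines"].append(line)
    for rec in records:
        rec["description"] = " ".join(rec.pop("lines"))
    return records


def find_builtin_replication_failures(text):
    """Return the Netlogon 5730/5716 events whose error is the built-in-account error,
    with the RID named in the event (if any) resolved to a well-known group name."""
    findings = []
    for rec in parse_events(text):
        if rec["source"].lower() != "netlogon":
            continue
        if rec["event_id"] not in SAM_REPLICATION_EVENTS:
            continue
        if BUILTIN_ERROR not in rec["description"].lower():
            continue
        rid = None
        m = RID_RE.search(rec["description"])
        if m:
            token = m.group(1)
            rid = int(token, 16) if token.lower().startswith("0x") else int(token)
        findings.append({
            "event_id": rec["event_id"],
            "what": SAM_REPLICATION_EVENTS[rec["event_id"]],
            "rid": rid,
            "group": WELL_KNOWN_GROUP_RIDS.get(rid) if rid is not None else None,
        })
    return findings


def pdc_builtin_accounts_suspect(text):
    """True when the dump shows the symptom pattern this article describes."""
    return bool(find_builtin_replication_failures(text))


# Constructed sample: one BDC's System log in the assumed format. The first two records
# mirror the events quoted in the article; the last two are noise the filter must skip
# (a 5730 with a different error, and an unrelated EventLog service message).
SAMPLE_LOG = """\
Event 5730 Source Netlogon
Replication of the SAM Global Group rid: 0x200: from Primary
Domain Controller failed with the following error:
Cannot perform this operation on built-in accounts.

Event 5716 Source Netlogon
The partial synchronization replication of SAM
database from the Primary Domain Controller
failed with the following error:
Cannot perform this operation on built-in accounts.

Event 5730 Source Netlogon
Replication of the SAM Global Group rid: 0x3ff: from Primary
Domain Controller failed with the following error:
The network path was not found.

Event 6005 Source EventLog
The Event log service was started.
"""

if __name__ == "__main__":
    for f in find_builtin_replication_failures(SAMPLE_LOG):
        rid = "n/a" if f["rid"] is None else hex(f["rid"])
        print(f"Netlogon {f['event_id']}: {f['what']} (rid {rid}, group {f['group']})")
    print("PDC built-in accounts suspect:", pdc_builtin_accounts_suspect(SAMPLE_LOG))
```

Run it against a dump from each BDC. If several BDCs report 5730/5716 with this error and all of them replicate from the same PDC, the CAUSE below (corrupt built-in accounts on the PDC) is the consistent explanation; a single BDC reporting a different error, such as a network path failure, is a different problem and should not be treated as SAM corruption.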



CAUSE
The built-in accounts in the SAM on the PDC are probably corrupted. Every BDC that replicates from that PDC then fails with the errors shown above.



RESOLUTION
The procedure below often resolves this problem. If it does not, the only recourse is to restore from a tape backup or an Emergency Repair Disk created before the accounts became corrupted. Before you start, take a current backup of the original PDC so that the change can be reversed if the procedure fails.
 * 1) Install a new BDC into the domain.

This must be a new installation on a computer that has never been a BDC.
 * 2) As soon as the installation is complete, immediately promote this new BDC to PDC.

The promotion must be done immediately. A BDC requests security accounts manager (SAM) information from the PDC as soon as its installation is complete; by promoting the new BDC at once, you do not give it time to replicate the corrupt SAM from the PDC.

NOTE: YOU WILL HAVE THE OPTION TO SYNCHRONIZE THE SAM DATABASE DURING PROMOTION. _DO NOT_ SYNCHRONIZE AT THIS TIME! If you synchronize at this prompt, the corrupt SAM will be replicated to the new BDC.
 * 3) As soon as the new BDC is promoted to PDC, synchronize the entire domain.

This does not harm the SAM database on the original PDC (now a BDC). The information replicated is appended to the SAM on the original PDC and overwrites only the built-in accounts.

At this point the corrupted built-in accounts should be repaired. Check the Event Logs on the BDCs to confirm that Netlogon events 5730 and 5716 no longer appear after the synchronization, then restore the original PDC to its primary role by promoting it.

Additional query words: corrupt builtin built in

Keywords: kbprb KB156359

-

© Microsoft Corporation. All rights reserved.