Microsoft KB Archive/293127

= The Net Logon Service of a Windows NT 4.0 BDC Does Not Function in a Windows 2000 Domain =

Article ID: 293127

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q293127



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
In a Windows 2000 domain with an NT 4.0 backup domain controller (BDC), the Windows NT 4.0 BDC cannot perform the following functions:
 * Find the Windows 2000 domain controller.
 * Synchronize the Security Accounts Manager (SAM) database.
 * Start the Net Logon service.
 * Obtain a list of backup browsers.

When you restart the BDC, the following events are logged:

Event Type: Error

Event Source: NETLOGON

Event Category: None

Event ID: 3210

Description:

Failed to authenticate with \\Wn2kDC, a Windows NT or Windows 2000

domain controller for domain.

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Description:

The Net Logon service terminated with the following error: Access

is denied

Event Type: Error

Event Source: BROWSER

Event Category: None

Event ID: 8032

Description:

The browser service has failed to retrieve the backup list too many

times on transport \Device\.

The backup browser is stopping.

If you attempt to reset the secure channel of the BDC by using the netdom command, you receive the following error message:

The interface is unknown.

If you attempt to reset the secure channel of the BDC by using the nltest command, you receive the following error message:

RPC_S_Unknown_IF

Also, Windows NT 4.0-based clients may not be able to log on to the Windows 2000 domain. They may receive the following error message:

System can not log you on to the domain because the systems computer account in its primary domain is missing or the password on that account is incorrect,



CAUSE
This behavior can occur if you set the RestrictAnonymous registry value to 2, which can occur by editing the registry directly or by applying the Hisecdc.inf security template.



RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this behavior, change the setting for the RestrictAnonymous value from 2 to a 0 on the Windows 2000 domain controller that hosts the primary domain controller (PDC) emulator operations master role.

To determine who hosts the PDC emulator operations master role:
 * 1) Click Start, click Run, type dsa.msc, and then click OK.
 * 2) Right-click the domain name, and then click Operations Masters.
 * 3) Click the PDC tab to view the server that holds the PDC master role.

To change the value of RestrictAnonymous:  Start Registry Editor (Regedt32.exe). Locate the RestrictAnonymous value under the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\restrictanonymous

 On the Edit menu, click DWORD, type 0 in the data field, and then click OK. Quit Registry Editor.

Restart the Windows 2000 domain controller.



MORE INFORMATION
RestrictAnonymous is used to prevent anonymous logon access to resources, excluding resources to which the anonymous user has explicitly been given access. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

246261 How to Use the RestrictAnonymous Registry Value in Windows 2000

Keywords: kbenv kberrmsg kbnetwork kbprb KB293127

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.