Microsoft KB Archive/154398

= BDC Secure Channel May Fail If More Than 250 Computer Accounts =

Article ID: 154398

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q154398





SYMPTOMS
The NetLogon service fails to start on a backup domain controller (BDC) with NetLogon error 3210 or 5721, while on the primary domain controller (PDC) the NetLogon service logs error 5722 or 5723 in the system event log.

This problem appears to be random and may occur on several BDCs. If you remove the BDC computer account and synchronize the BDC with the PDC, the problem goes away, but it returns the next time the NetLogon service is restarted on the PDC.



CAUSE
When NetLogon starts on the PDC, it enumerates all computer accounts and, for each BDC account, builds the structure that is used to establish that BDC's secure channel. NetLogon requests a maximum of 250 accounts on each call to the SAM, but because of a defect in the way NetLogon continues the enumeration, it skips one account at each 250-account boundary. If the skipped account is a workstation account, nothing is affected. If it is a BDC account, the PDC never builds a secure-channel structure for that BDC, and you experience the problem described above.
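The following simulation, added here for illustration and not taken from Microsoft's NetLogon or SAM code, shows why a paging defect of this kind hits only the BDCs that happen to sit at an enumeration boundary. The account list, the page size handling and the function names (build_sam, sam_enumerate, enumerate_accounts, bdcs_refused) are assumptions made for the example; the "buggy" path advances the resume handle one account too far after every full page of 250, which is the skipped account the CAUSE section describes.

```python
# Constructed simulation of the paged SAM enumeration described under CAUSE.
# Not Microsoft's NetLogon or SAM code; names and the account list are assumptions.

PAGE_SIZE = 250  # NetLogon asks the SAM for at most 250 accounts per call


def build_sam(total, bdc_indexes):
    """Constructed SAM: `total` computer accounts, those at `bdc_indexes`
    flagged as BDC (server trust) accounts, the rest as workstations."""
    return [
        (f"BDC{i}$" if i in bdc_indexes else f"WS{i}$",
         "bdc" if i in bdc_indexes else "workstation")
        for i in range(total)
    ]


def sam_enumerate(accounts, resume_handle, page_size=PAGE_SIZE):
    """One paged SAM call: up to page_size accounts starting at the resume
    handle, plus the handle the caller must pass on the next call."""
    page = accounts[resume_handle:resume_handle + page_size]
    return page, resume_handle + len(page)


def enumerate_accounts(accounts, buggy):
    """Walk the SAM the way the PDC's NetLogon does at startup.
    With buggy=True the caller advances the resume handle one account too far
    after every full page, so the first account of each following set of 250
    is never returned (the defect the article describes)."""
    resume_handle = 0
    seen = []
    while True:
        page, resume_handle = sam_enumerate(accounts, resume_handle)
        if not page:
            return seen
        seen.extend(page)
        if buggy and len(page) == PAGE_SIZE:
            resume_handle += 1  # off-by-one: the next account is skipped


def secure_channel_table(accounts, buggy):
    """Names of the BDCs for which the PDC built a secure-channel entry."""
    return [name for name, kind in enumerate_accounts(accounts, buggy)
            if kind == "bdc"]


def bdcs_refused(accounts):
    """BDC accounts the buggy PDC never saw: these BDCs log NetLogon 3210/5721
    and the PDC logs 5722/5723, even though the channel password is correct."""
    all_bdcs = [name for name, kind in accounts if kind == "bdc"]
    present = set(secure_channel_table(accounts, buggy=True))
    return [name for name in all_bdcs if name not in present]


if __name__ == "__main__":
    # Positions 250 and 501 are exactly the accounts skipped after the first
    # and second full pages; 100 and 700 are not at a boundary.
    sam = build_sam(1000, bdc_indexes={100, 250, 501, 700})
    print("accounts seen (fixed):", len(enumerate_accounts(sam, buggy=False)))
    print("accounts seen (buggy):", len(enumerate_accounts(sam, buggy=True)))
    print("BDCs refused by the PDC:", bdcs_refused(sam))
```

With 1000 accounts the buggy walk returns 997, dropping the accounts at positions 250, 501 and 752; only the BDCs among those are affected, which is why the symptom looks random and a domain with fewer than 250 computer accounts never sees it.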



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack



MORE INFORMATION
For each BDC, there is a discrete communication channel (the secure channel) to the PDC. The NetLogon services on the BDC and on the PDC use the secure channel to communicate with each other.

When a BDC joins a domain, a computer account is created for it (the computer account can be seen in Server Manager). The computer account is given a default password, and the BDC stores that password in the LSA secret $machine.acc.

Each BDC maintains such an LSA secret, which is used by the NetLogon service in order to establish a secure channel.

The problem described above is not related to the secure channel's password. The NetLogon service fails to start on the BDC even though the BDC's computer account password and the BDC's $machine.acc secret are synchronized. You can check this with the NETDOM utility provided with Windows NT 4.0 Resource Kit Supplement 2 by running the following command on the BDC:

  netdom bdc \\bdcname /query

The output looks similar to the following:

  NetDom 1.2 @1997.
  Querying domain information on computer \\BDCNAME ...
  The computer \\BDCNAME is a domain controller of DOMAIN.
  Searching PDC for domain DOMAIN ...
  Found PDC \\PDCNAME
  Verifying secure channel on \\BDCNAME ...
  Verifying the computer account on the PDC \\PDCNAME ...
  Secure channel checked successfully.

NOTE: If you instead receive the error message below, the secure channel password is the problem rather than the enumeration defect; see the following article in the Microsoft Knowledge Base:

The computer account for \\BDCNAME doesn't exist or has an invalid password.

150518 NetLogon Service Fails when Secure Channel Not Functioning



STATUS
Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

Additional query words: 4.00 prodnt

Keywords: kbhotfixserver kbqfe kbbug kbfix KB154398

-


© Microsoft Corporation. All rights reserved.