Microsoft KB Archive/275221

= Trusts Are Unavailable on Backup Domain Controllers After Upgrading the Windows NT 4.0 Primary Domain Controller =

Article ID: 275221

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q275221



SYMPTOMS
After you join a forest during an upgrade of a primary domain controller (PDC), the trusts to other domains in the forest are not available on the backup domain controllers (BDC). After you add users and groups from the other domains, they are displayed as "account unknown" when you view the permissions. In addition, you may receive an "access denied" message when you attempt to access resources on the BDCs or any domain members that use the BDC for authentication.



CAUSE
When the PDC joins the forest, two-way transitive trusts are created. When you add trusts, they are not logged in the downlevel replication change log file (Netlogon.chg). This log is the mechanism that downlevel domain controllers use to determine what changes are required during a replication cycle. The newly created trust does not replicate to the downlevel domain controllers until a full synchronization is initiated.



RESOLUTION
To resolve this issue, use one of the following methods: Run the following command to initiate a full synchronization on each downlevel domain controller (Windows NT 4.0 BDC):

net accounts /sync

-or-

Delete the change log. A new change log is then created and this causes a full synchronization of all downlevel domain controllers. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

271998 Event 5718, Error Message Reports 'Full Synchronization of Database for the Domain Controller Failed'

-or-

Use nltest locally or remotely to initiate a full sync on the BDC.

locally: nltest /sync

remotely: nltest /server:bdcname /sync



When you perform a synchronization with Server Manager, only a partial synchronization occurs, and the issue is not resolved. To confirm that the BDC has performed a full synchronization, check the event log for the following events:

Event ID: 5717

Source: NETLOGON

Description: The full synchronization replication of the SAM database from the primary domain controller completed successfully.

Event ID: 5717

Source: NETLOGON

Description: The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.

Event ID: 5717

Source: NETLOGON

Description: The full synchronization replication of the LSA database from the primary domain controller completed successfully.
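As an added check that is not part of the original article, the following Python script scans an event log export for the three NETLOGON 5717 events above and reports, per BDC, whether a full synchronization completed for all three databases or whether a 5718 failure was logged instead. The export format (one comma-separated record per line) and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

DATABASES = ("SAM", "BUILTIN", "LSA")
FULL_SYNC_OK = re.compile(
    r"full synchronization replication of the (SAM|BUILTIN|LSA) database .*completed successfully",
    re.IGNORECASE)
FULL_SYNC_FAILED = re.compile(
    r"full synchronization replication of the (SAM|BUILTIN|LSA) database .*failed", re.IGNORECASE)

# Constructed sample export (server, event id, source, description); not real log data.
SAMPLE_EVENTS = """\
BDC1,5717,NETLOGON,The full synchronization replication of the SAM database from the primary domain controller completed successfully.
BDC1,5717,NETLOGON,The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.
BDC1,5717,NETLOGON,The full synchronization replication of the LSA database from the primary domain controller completed successfully.
BDC2,5717,NETLOGON,The full synchronization replication of the SAM database from the primary domain controller completed successfully.
BDC2,5718,NETLOGON,The full synchronization replication of the BUILTIN database from the primary domain controller failed with the following error: The network name cannot be found.
"""

def check_full_sync(export_text):
    """Return {server: {"completed": set, "failed": set, "full_sync": bool}}.

    A BDC counts as fully synchronized only when event 5717 was logged for
    all three databases (SAM, BUILTIN, LSA) and no 5718 failure for any of
    them is still outstanding."""
    status = defaultdict(lambda: {"completed": set(), "failed": set()})
    for line in export_text.splitlines():
        if not line.strip():
            continue
        server, event_id, source, description = line.split(",", 3)
        if source.upper() != "NETLOGON":
            continue
        if event_id == "5717" and (m := FULL_SYNC_OK.search(description)):
            status[server]["completed"].add(m.group(1).upper())
            status[server]["failed"].discard(m.group(1).upper())   # a later success clears a failure
        elif event_id == "5718" and (m := FULL_SYNC_FAILED.search(description)):
            status[server]["failed"].add(m.group(1).upper())
    for s in status.values():
        s["full_sync"] = set(DATABASES) <= s["completed"] and not s["failed"]
    return dict(status)
```

A BDC that shows only one or two of the three 5717 events has not completed the full synchronization the resolution requires.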



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
The Net Logon service on the PDC records each change to the Netlogon.chg file. The Netlogon.chg file has three sections: SAM, Built-in, and LSA, and each section has its own serial number. Each time a change is recorded in the change log, serial numbers in the appropriate section are updated. Each BDC maintains a list of the three serial numbers from the last synchronization.

The Net Logon service manages this process. By default, if there are changes, the PDC sends a "pulse" message every 5 minutes to all BDCs. When a BDC receives a pulse message, it contacts the PDC, and then compares each of the serial numbers. If the serial numbers do not match, the BDC requests the changes that were made since the synchronization. This process is known as partial synchronization.

When synchronization is complete, the BDC sets its serial numbers to the same serial numbers as the PDC. If no changes are made, there are no pulses, and the BDC performs periodic checks to verify that the PDC is still available. Synchronization does not occur if the BDC determines that the serial numbers match.

If a change is made to any of the three databases, but it is not recorded in the change log, the change is not replicated to the BDCs. When a full synchronization is performed, the change log is not consulted and all three databases are replicated in their entirety.
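The following Python simulation is an added illustration of the serial-number mechanism described above, not Microsoft code; the PDC and BDC classes and their method names are invented for the example. It shows why a trust written to the LSA database without a Netlogon.chg entry survives a partial synchronization unnoticed and only reaches the BDC after a full synchronization.

```python
# Added simulation of the Netlogon.chg serial-number mechanism (not Microsoft
# code; class and method names are invented for illustration).
SECTIONS = ("SAM", "BUILTIN", "LSA")

class PDC:
    def __init__(self):
        self.db = {s: set() for s in SECTIONS}        # SAM, Built-in and LSA databases
        self.serial = {s: 0 for s in SECTIONS}        # one serial number per section
        self.changelog = {s: [] for s in SECTIONS}    # Netlogon.chg: (serial, object)

    def add(self, section, obj, logged=True):
        # logged=False mimics a trust created by the forest join: it lands in the
        # LSA database, but no delta is written to Netlogon.chg.
        self.db[section].add(obj)
        if logged:
            self.serial[section] += 1
            self.changelog[section].append((self.serial[section], obj))

    def deltas_since(self, section, serial):
        return [o for s, o in self.changelog[section] if s > serial]

class BDC:
    def __init__(self):
        self.db = {s: set() for s in SECTIONS}
        self.serial = {s: 0 for s in SECTIONS}        # serials from the last sync

    def pulse(self, pdc):
        """Partial sync: compare serials, request only deltas newer than ours."""
        for s in SECTIONS:
            if self.serial[s] != pdc.serial[s]:
                self.db[s].update(pdc.deltas_since(s, self.serial[s]))
                self.serial[s] = pdc.serial[s]

    def full_sync(self, pdc):
        """net accounts /sync or nltest /sync: the change log is not consulted,
        all three databases are copied whole."""
        for s in SECTIONS:
            self.db[s] = set(pdc.db[s])
            self.serial[s] = pdc.serial[s]

def reproduce():
    pdc, bdc = PDC(), BDC()
    pdc.add("SAM", "user:alice")                      # an ordinary, logged change
    bdc.pulse(pdc)                                    # partial sync picks it up
    pdc.add("LSA", "trust:ROOTDOMAIN", logged=False)  # upgrade-created trust
    bdc.pulse(pdc)                                    # serials still match: nothing requested
    missing = "trust:ROOTDOMAIN" not in bdc.db["LSA"]
    bdc.full_sync(pdc)
    return missing, "trust:ROOTDOMAIN" in bdc.db["LSA"]
```

reproduce() returns (True, True): the trust is missing on the BDC after the partial sync and present after the full sync.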

You can view the changes in the Netlogon.chg file by using the nltest /list_deltas command. When a trust is created, the domain name should be added to the change log. The following example shows a trust that was successfully added to the change log. For this example, the log was cleared out before the trust was created to clearly display the deltas associated with trust creation. Normally, there would be more information in the change log.

In the LSA DATABASE section, the domain name "Rootdomain" is added to the log. When the BDCs perform a partial synchronization, they request this change. In an upgraded PDC scenario, no domain names are added to the change log.

FILE SIGNATURE : Windows NT Changelog 4
Deltas of SAM DATABASE
---
Deltas of BUILTIN DATABASE
---
Deltas of LSA DATABASE
Order: 1 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 100 77bb
Immediately Name: 'G$$ROOTDOMAIN'
Order: 2 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 100 77bc
Immediately Name: 'G$$ROOTDOMAIN'
Order: 3 DeltaType AddOrChangeLsaTDomain (14) SerialNumber: 100 77bd Rid: 0x6d2637de Sid: S-1-5-21-239443569-258070511-1831221214
---
VOID Deltas
--- The command completed successfully

Keywords: kbbug kbenv kbnofix kbsetup kbtrusts KB275221
