From BetaArchive Wiki


Trusts Are Unavailable on Backup Domain Controllers After Upgrading the Windows NT 4.0 Primary Domain Controller

Article ID: 275221

Article Last Modified on 2/28/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0 Standard Edition



This article was previously published under Q275221

SYMPTOMS

After you join a forest during an upgrade of a primary domain controller (PDC), the trusts to other domains in the forest are not available on the backup domain controllers (BDC). After you add users and groups from the other domains, they are displayed as "account unknown" when you view the permissions. In addition, you may receive an "access denied" message when you attempt to access resources on the BDCs or any domain members that use the BDC for authentication.

CAUSE

When the PDC joins the forest, two-way transitive trusts are created. When you add trusts, they are not logged in the downlevel replication change log file (Netlogon.chg). This log is the mechanism that downlevel domain controllers use to determine what changes are required during a replication cycle. The newly created trust does not replicate to the downlevel domain controllers until a full synchronization is initiated.

RESOLUTION

To resolve this issue, use either of the following methods:

  1. Run the following command to initiate a full synchronization on each downlevel domain controller (Windows NT 4.0 BDC):

    net accounts /sync

    -or-

  2. Delete the change log. A new change log is then created, and this causes a full synchronization of all downlevel domain controllers. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    271998 Event 5718, Error Message Reports 'Full Synchronization of Database for the Domain Controller Failed'

    -or-

  3. Use nltest locally or remotely to initiate a full sync on the BDC.

    locally: nltest /sync
    remotely: nltest /server:bdcname /sync

When you perform a synchronization with Server Manager, only a partial synchronization occurs, and the issue is not resolved. To confirm that the BDC has performed a full synchronization, check the event log for the following events:

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the SAM database from the primary domain controller PDCname completed successfully.

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the BUILTIN database from the primary domain controller PDCname completed successfully.

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the LSA database from the primary domain controller PDCname completed successfully.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The Net Logon service on the PDC records each change to the Netlogon.chg file. The Netlogon.chg file has three sections: SAM, Built-in, and LSA, and each section has its own serial number. Each time a change is recorded in the change log, serial numbers in the appropriate section are updated. Each BDC maintains a list of the three serial numbers from the last synchronization.

The Net Logon service manages this process. By default, if there are changes, the PDC sends a "pulse" message every 5 minutes to all BDCs. When a BDC receives a pulse message, it contacts the PDC, and then compares each of the serial numbers. If the serial numbers do not match, the BDC requests the changes that were made since the synchronization. This process is known as partial synchronization.

When synchronization is complete, the BDC sets its serial numbers to the same serial numbers as the PDC. If no changes are made, there are no pulses, and the BDC performs periodic checks to verify that the PDC is still available. Synchronization does not occur if the BDC determines that the serial numbers match.

If a change is made to any of the three databases, but it is not recorded in the change log, the change is not replicated to the BDCs. When a full synchronization is performed, the change log is not consulted and all three databases are replicated in their entirety.
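An added model of the serial-number comparison described above (a constructed illustration, not Microsoft code): the PDC records logged changes per section, a partial synchronization requests only the deltas past the serials the BDC stored at its last sync, and a change that bypasses the log, like the trust created during the upgrade, reaches the BDC only through a full synchronization. The class and function names (PDC, BDC, trust_visible_after_sync) are assumptions made for the example.

```python
from dataclasses import dataclass, field

SECTIONS = ("SAM", "BUILTIN", "LSA")  # the three sections of Netlogon.chg

@dataclass
class PDC:
    """PDC side (constructed model): databases, one serial per section, and the change log."""
    db: dict = field(default_factory=lambda: {s: set() for s in SECTIONS})
    serial: dict = field(default_factory=lambda: {s: 0 for s in SECTIONS})
    changelog: dict = field(default_factory=lambda: {s: [] for s in SECTIONS})

    def change(self, section, item, logged=True):
        """Apply a change; Net Logon normally also records it and bumps the serial."""
        self.db[section].add(item)
        if logged:
            self.serial[section] += 1
            self.changelog[section].append((self.serial[section], item))

@dataclass
class BDC:
    """BDC side: its copy of the databases and the serials from its last sync."""
    db: dict = field(default_factory=lambda: {s: set() for s in SECTIONS})
    serial: dict = field(default_factory=lambda: {s: 0 for s in SECTIONS})

    def partial_sync(self, pdc):
        """Pulse handling: request only the deltas logged after the BDC's serial."""
        for s in SECTIONS:
            if self.serial[s] == pdc.serial[s]:
                continue  # serials match, so nothing is requested for this section
            for serial, item in pdc.changelog[s]:
                if serial > self.serial[s]:
                    self.db[s].add(item)
            self.serial[s] = pdc.serial[s]

    def full_sync(self, pdc):
        """net accounts /sync or nltest /sync: the log is ignored, all three databases copied."""
        for s in SECTIONS:
            self.db[s] = set(pdc.db[s])
            self.serial[s] = pdc.serial[s]

def trust_visible_after_sync():
    """(alice after partial sync, trust after partial sync, trust after full sync)."""
    pdc, bdc = PDC(), BDC()
    pdc.change("SAM", "user:alice")                      # ordinary, logged change
    pdc.change("LSA", "trust:ROOTDOMAIN", logged=False)  # trust created during the upgrade
    bdc.partial_sync(pdc)
    after_partial = ("user:alice" in bdc.db["SAM"], "trust:ROOTDOMAIN" in bdc.db["LSA"])
    bdc.full_sync(pdc)
    return (*after_partial, "trust:ROOTDOMAIN" in bdc.db["LSA"])
```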

You can view the changes in the Netlogon.chg file by using the nltest /list_deltas command. When a trust is created, the domain name should be added to the change log. The following example shows a trust that was successfully added to the change log. For this example, the log was cleared out before the trust was created to clearly display the deltas associated with trust creation. Normally, there would be more information in the change log.

In the LSA DATABASE section, the domain name "Rootdomain" is added to the log. When the BDCs perform a partial synchronization, they request this change. In an upgraded PDC scenario, no domain names are added to the change log.

FILE SIGNATURE : Windows NT Changelog 4

Deltas of SAM DATABASE

Deltas of BUILTIN DATABASE

Deltas of LSA DATABASE

Order: 1 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 100 77bb
Immediately Name: 'G$$ROOTDOMAIN'
Order: 2 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 100 77bc
Immediately Name: 'G$$ROOTDOMAIN'
Order: 3 DeltaType AddOrChangeLsaTDomain (14) SerialNumber: 100 77bd Rid:
0x6d2637de Sid: S-1-5-21-239443569-258070511-1831221214

VOID Deltas

The command completed successfully
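An added parser for this nltest /list_deltas listing (example code, not part of the article or of nltest): it embeds the listing above as a constructed sample, re-joins the console-wrapped Rid/Sid line to its delta, and reports whether an AddOrChangeLsaTDomain entry is present, which is the check an administrator would run to tell a logged trust from the unlogged upgraded-PDC case. The function names and the field layout of the returned dicts are assumptions.

```python
import re

# Constructed sample: the nltest /list_deltas output quoted in this article.
SAMPLE = """\
FILE SIGNATURE : Windows NT Changelog 4
Deltas of SAM DATABASE
Deltas of BUILTIN DATABASE
Deltas of LSA DATABASE
Order: 1 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 100 77bb
Immediately Name: 'G$$ROOTDOMAIN'
Order: 2 DeltaType AddOrChangeLsaSecret (18) SerialNumber: 100 77bc
Immediately Name: 'G$$ROOTDOMAIN'
Order: 3 DeltaType AddOrChangeLsaTDomain (14) SerialNumber: 100 77bd Rid:
0x6d2637de Sid: S-1-5-21-239443569-258070511-1831221214
VOID Deltas
"""
SECTION_RE = re.compile(r"^Deltas of (\w+) DATABASE$")
DELTA_RE = re.compile(r"^Order:\s*(\d+)\s+DeltaType\s+(\w+)\s+\((\d+)\)\s+"
                      r"SerialNumber:\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)")
FIELD_RES = {"name": re.compile(r"Name:\s*'([^']*)'"),
             "rid": re.compile(r"Rid:\s*(0x[0-9a-fA-F]+)"),
             "sid": re.compile(r"Sid:\s*(S-[0-9-]+)")}

def _fields(raw):
    """Name / Rid / Sid found so far in a delta's (re-joined) text, else None."""
    found = {k: rx.search(raw) for k, rx in FIELD_RES.items()}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def parse_list_deltas(text):
    """Return {section: [delta dicts]}; console-wrapped lines are re-joined to their delta."""
    deltas, section, current = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        head, entry = SECTION_RE.match(line), DELTA_RE.match(line)
        if head:
            section, current = head.group(1), None
            deltas[section] = []
        elif entry and section:
            current = {"order": int(entry.group(1)), "type": entry.group(2), "raw": line,
                       "code": int(entry.group(3)), "serial": (entry.group(4), entry.group(5))}
            current.update(_fields(line))
            deltas[section].append(current)
        elif current is not None and line:
            current["raw"] += " " + line  # continuation of the previous delta
            current.update(_fields(current["raw"]))
    return deltas

def trust_deltas(deltas):
    """LSA entries that record a new trusted domain; empty in the upgraded-PDC case."""
    return [d for d in deltas.get("LSA", []) if d["type"] == "AddOrChangeLsaTDomain"]
```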


Keywords: kbbug kbenv kbnofix kbsetup kbtrusts KB275221