PSS ID Number: 272348
Article Last Modified on 11/20/2003
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q272348
SYMPTOMS
Windows 2000-based host computers that are joined to a Microsoft Windows NT 4.0-based domain may always establish a secure channel with the primary domain controller (PDC).
CAUSE
This problem can occur because when a Windows 2000-based computer is joined to a domain, the join process caches the domain controller (DC) that was used to join the domain. When the computer restarts for the first time after it joins the domain, the computer reads the cached information from the registry, and then uses that DC to set up a secure channel. This is done to make sure that the computer is communicating with the DC that has the correct account information. However, this cached information is not removed unless Kerberos authentication is used. Because of this, a Windows 2000-based host always uses the cached information to establish a secure channel with the PDC.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
File Name Size Time Date Version Platform ------------------------------------------------------------------ Netlogon.dll 366,352 09:12 2/8/2001 5.0.2195.2865 i386 Ntdsa.dll 910,608 09:12 2/8/2001 5.0.2195.2864 i386 Samsrv.dll 362,256 09:12 2/8/2001 5.0.2195.2864 i386 Instlsa5.dll 521,488 09:11 2/8/2001 5.0.2195.2867 i386 Kdcsvc.dll 140,560 09:12 2/8/2001 5.0.2195.2862 i386 Kerberos.dll 198,928 18:19 1/29/2001 5.0.2195.2862 i386 Ksecdd.sys 69,456 19:15 1/26/2001 5.0.2195.2862 i386 lsasvr.dll 503,568 09:12 2/8/2001 5.0.2195.2867 i386 Lsass.exe 33,552 18:04 1/30/2001 5.0.2195.2867 i386 Msv1_0.dll 108,816 18:19 1/29/2001 5.0.2195.2862 i386 Netapi32.dll 311,056 09:12 2/8/2001 5.0.2195.2808 i386 Adsldpc.dll 130,320 09:12 2/8/2001 5.0.2195.2842 i386 Dnsapi.dll 133,904 09:12 2/8/2001 5.0.2195.2785 i386 Dnsrslvr.dll 90,896 09:12 2/8/2001 5.0.2195.2778 i386
WORKAROUND
To work around this problem, note that if the Netlogon service is stopped on the PDC before the Windows 2000 host starts, the host attempts to authenticate with the PDC, and then attempts authentication with a backup domain controller (BDC). After this occurs, the computer uses expected behavior to find a DC for authentication rather than using the cached information.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
MORE INFORMATION
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Keywords: kbbug kbenv kbfix kbnetwork kbWin2000PreSP2Fix KB272348
Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch