Article ID: 293127
Article Last Modified on 2/28/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows NT Workstation 4.0 Developer Edition
This article was previously published under Q293127
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
In a Windows 2000 domain with an NT 4.0 backup domain controller (BDC), the Windows NT 4.0 BDC cannot perform the following functions:
- Find the Windows 2000 domain controller.
- Synchronize the Security Accounts Manager (SAM) database.
- Start the Net Logon service.
- Obtain a list of backup browsers.
When you restart the BDC, the following events are logged:
If you attempt to reset the secure channel of the BDC by using the netdom command, you receive the following error message:
If you attempt to reset the secure channel of the BDC by using the nltest command, you receive the following error message:
Also, Windows NT 4.0-based clients may not be able to log on to the Windows 2000 domain. They may receive the following error message:
CAUSE
This behavior can occur if you set the RestrictAnonymous registry value to 2, which can occur by editing the registry directly or by applying the Hisecdc.inf security template.
RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To resolve this behavior, change the setting for the RestrictAnonymous value from 2 to a 0 on the Windows 2000 domain controller that hosts the primary domain controller (PDC) emulator operations master role.
To determine who hosts the PDC emulator operations master role:
- Click Start, click Run, type dsa.msc, and then click OK.
- Right-click the domain name, and then click Operations Masters.
- Click the PDC tab to view the server that holds the PDC master role.
To change the value of RestrictAnonymous:
- Start Registry Editor (Regedt32.exe).
- Locate the RestrictAnonymous value under the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\restrictanonymous
- On the Edit menu, click DWORD, type 0 in the data field, and then click OK.
- Quit Registry Editor.
Restart the Windows 2000 domain controller.
MORE INFORMATION
RestrictAnonymous is used to prevent anonymous logon access to resources, excluding resources to which the anonymous user has explicitly been given access. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000
Keywords: kbenv kberrmsg kbnetwork kbprb KB293127