Article ID: 296732
Article Last Modified on 10/27/2006
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q296732
SYMPTOMS
If you give a built-in administrator account any rights such as "Deny logon as a batch job," "Deny logon as a service," "Deny Interactive logon," or "Deny Network logon," Windows 2000 replication with Microsoft Windows NT 4.0-based backup domain controllers does not work and the following error message appears in Event Viewer on the Windows NT 4.0-based backup domain controller:
Also, Windows 2000-based domain controllers try to replicate changes to the Windows NT 4.0-based backup domain controller forever, but cannot.
CAUSE
Windows 2000 has new rights such as "Deny logon as a batch job," "Deny logon as a service," "Deny Interactive logon," and "Deny Network logon" that are not available in Windows NT 4.0. S-1-5-32-544 is a well-known security identifier (SID) for the built-in administrator account. If you give an administrator account any of these rights, replication with Windows NT 4.0 does not work because these new rights set some attributes that Windows NT 4.0 does not recognize.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Keywords: kbbug kbenv kberrmsg kbfix KB296732
