Microsoft KB Archive/830077



Replication errors occur when you use Active Directory Replication Monitor in Microsoft Windows 2000

PSS ID Number: 830077

Article Last Modified on 3/11/2004



The information in this article applies to:

  • Microsoft Windows 2000 Server




Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


SYMPTOMS

When you use Active Directory Replication Monitor in Microsoft Windows 2000 to manually replicate the domain, you receive the following error message:

Could not find the domain controller for this domain.

Additionally, the following actions may produce the corresponding error messages:

  • If you try to replicate domain controllers from different domains, you receive the following error message:

    The Active Directory Object could not be displayed. A referral was returned from the server.

  • When you use the Net Use command at a command prompt, you receive the following error message:

    There are currently no logon servers available to service the logon request.

  • When you use the Net Time or the Net View command at a command prompt, you receive the following error message:

    System error 5 has occurred. Access is denied.

  • When you run the nltest /sc_query:child.root.com command at a command prompt, you receive the following error message:

    Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS


CAUSE

This problem may occur when an incorrect configuration of your firewall truncates User Datagram Protocol (UDP) packets as they pass through the firewall.

RESOLUTION

To resolve this problem, modify the registry so that Kerberos uses Transmission Control Protocol (TCP) instead of UDP.

Important: If you use UDP for Kerberos, your client computer may stop responding when you receive the following message:

Loading your personal settings.

By default, Windows 2000 and Microsoft Windows XP use UDP to carry data that fits into packets of less than 2,000 bytes. To carry packets that are greater than 2,000 bytes, Windows 2000 and Windows XP use TCP. You can configure this 2,000-byte value by modifying a registry value. To do this, follow these steps.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Start Registry Editor.
  2. Locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

    If the Parameters key does not exist, you can create it now.
  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: MaxPacketSize
    Data Type: REG_DWORD
    Value: any integer value in the range 1 to 2000 (in bytes)

  4. Quit Registry Editor.
  5. Restart your computer.
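
To confirm the setting after the restart, the following added example (not part of the original article and not Microsoft code) checks a text export of the key made with Registry Editor against the value name, type and range given in step 3. The function names, the sample exports and the udp_safe_bytes parameter (the largest UDP message the firewall is assumed to pass intact) are assumptions for illustration; the export is assumed to be already decoded to text.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
DEFAULT_THRESHOLD = 2000  # default UDP/TCP switch-over stated in the article, in bytes

# Constructed sample exports: one with the fix applied, one without the Parameters key.
FIXED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
'''
UNSET = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
'''

def read_max_packet_size(reg_text):
    """Return (status, value) for MaxPacketSize in a Registry Editor text export."""
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # entering a new key section
            continue
        if section is None or section.lower() != KEY.lower():
            continue                      # registry paths are case-insensitive
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not m or m.group(1).lower() != "maxpacketsize":
            continue
        d = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", m.group(2).strip())
        if not d:
            return ("wrong-type", None)   # the article requires REG_DWORD
        value = int(d.group(1), 16)       # .reg files store DWORD data in hex
        if 1 <= value <= 2000:
            return ("set", value)
        return ("out-of-range", value)    # outside the article's 1 to 2000 range
    return ("absent", DEFAULT_THRESHOLD)  # key or value missing: default applies

def udp_sizes_at_risk(reg_text, udp_safe_bytes):
    """Message sizes still sent over UDP that exceed what the firewall passes intact."""
    status, value = read_max_packet_size(reg_text)
    if status not in ("set", "absent"):
        raise ValueError("MaxPacketSize is " + status)
    # Per the article, data smaller than the threshold is carried over UDP.
    return range(udp_safe_bytes + 1, value)

if __name__ == "__main__":
    for name, text in (("fixed", FIXED), ("unset", UNSET)):
        print(name, read_max_packet_size(text), len(udp_sizes_at_risk(text, 1400)))
```

An empty range means no Kerberos message size is left on the UDP path that the firewall would truncate.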

For additional information about how to force Kerberos to use TCP, click the following article number to view the article in the Microsoft Knowledge Base:

244474 How to force Kerberos to use TCP instead of UDP


Keywords: kbSecurityServices kbwinservnetwork kbnetwork kbprb KB830077
Technology: kbwin2000Search kbwin2000Serv kbwin2000ServSearch