BDC Secure Channel May Fail if More Than 250 Computer Accounts
Last reviewed: October 10, 1997
Article ID: Q154398
The information in this article applies to:
SYMPTOMS

The NetLogon service fails to start on a backup domain controller (BDC) with NetLogon error 3210 or 5721, while in the system event log of the primary domain controller (PDC) the NetLogon service logs error 5722 or 5723. This problem appears to be random and may occur on several BDCs. If you remove the BDC computer account and synchronize the BDC with the PDC, the problem is solved until the NetLogon service is restarted on the PDC.
CAUSE

When NetLogon starts on the PDC, it enumerates all computer accounts and, for each BDC, builds a structure that is used to establish the secure channel. NetLogon enumerates a maximum of 250 accounts on each call to the SAM, but because of a defect in NetLogon, one account is skipped between each set of 250. If the skipped account is a workstation account, you do not experience any problems. However, if it is a BDC account, that BDC experiences the problem described above.
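The following is an added illustration, not Microsoft's code, of why the symptom looks random: it models paged enumeration of a constructed SAM account list with a 250-entry page and an off-by-one in the resume position (an assumed mechanism; the article only states that one account is lost between each set of 250). Whether a given BDC is affected depends solely on its position in the enumeration order, which is why removing and re-creating the account (and so moving it) makes the problem disappear until the next NetLogon restart.

```python
# Added illustration (not Microsoft's code): a model of paged account enumeration
# that reproduces the symptom in this article. ASSUMPTION: the NetLogon defect is
# modelled as advancing the resume index one entry too far after every full page
# of 250; the article only states that one account is lost between each set of 250.

PAGE_SIZE = 250  # maximum accounts returned per SAM enumeration call (from the article)


def sam_enumerate(accounts, resume_index, page_size=PAGE_SIZE):
    """Model of one SAM enumeration call: return up to page_size entries
    starting at resume_index, plus the index the caller should resume from."""
    page = accounts[resume_index:resume_index + page_size]
    return page, resume_index + len(page)


def enumerate_all(accounts, buggy=False, page_size=PAGE_SIZE):
    """Walk the whole account list page by page.

    buggy=True models the defect: after a full page, the resume index is
    advanced one entry past the last returned account, so that account is
    never seen by the caller."""
    seen = []
    resume = 0
    while resume < len(accounts):
        page, next_resume = sam_enumerate(accounts, resume, page_size)
        if not page:
            break
        seen.extend(page)
        if buggy and len(page) == page_size:
            next_resume += 1  # off-by-one: one account between pages is skipped
        resume = next_resume
    return seen


def missed_bdcs(accounts, page_size=PAGE_SIZE):
    """Return the BDC account names the buggy enumeration never returns.

    These are the BDCs for which the PDC builds no secure-channel structure,
    so their NetLogon service cannot start."""
    seen = {name for name, _kind in enumerate_all(accounts, buggy=True, page_size=page_size)}
    return [name for name, kind in accounts if kind == "BDC" and name not in seen]


def constructed_accounts(total, bdc_positions):
    """Constructed sample SAM: `total` computer accounts, with BDC accounts at
    the given 0-based positions and workstation accounts everywhere else."""
    return [
        (f"BDC{i}$" if i in bdc_positions else f"WS{i}$",
         "BDC" if i in bdc_positions else "WKSTA")
        for i in range(total)
    ]


if __name__ == "__main__":
    # 600 accounts with BDCs at positions 10, 250 and 501. Positions 250 and 501
    # are the first entry of the second and third pages, exactly where the model
    # drops one account; BDC10$ sits inside a page and is unaffected.
    sam = constructed_accounts(600, {10, 250, 501})
    print("correct enumeration count:", len(enumerate_all(sam)))
    print("buggy enumeration count:  ", len(enumerate_all(sam, buggy=True)))
    print("BDCs never enumerated:    ", missed_bdcs(sam))
```

With fewer than 250 computer accounts the single page is never "full", so the model skips nothing, which matches the article's title: only domains with more than 250 computer accounts are exposed.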
RESOLUTION

To resolve this problem, obtain the hotfix below, or wait for the next service pack.
MORE INFORMATION

For each BDC, there is a discrete communication channel (the secure channel) with the PDC. The secure channel is used by the NetLogon service on the BDC and on the PDC to communicate. When a BDC is part of a domain, a computer account is created (the computer account can be seen in Server Manager). A default password is given to the computer account, and the BDC stores the password in the LSA secret $machine.acc. Each BDC maintains such an LSA secret, which the NetLogon service uses to establish the secure channel. The problem described above is not related to the secure channel's password: the NetLogon service fails to start on the BDC even though the BDC computer account's password and the BDC's $machine.acc secret are synchronized. This can be checked with the NETDOM utility provided with the Windows NT 4.0 Resource Kit Supplement 2 by running the following command on the BDC:
   netdom bdc \\bdcname /query

The output looks similar to the following:
   NetDom 1.2 @1997.
   Querying domain information on computer \\BDCNAME ...
   The computer \\BDCNAME is a domain controller of DOMAIN.
   Searching PDC for domain DOMAIN ...
   Found PDC \\PDCNAME
   Verifying secure channel on \\BDCNAME ...
   Verifying the computer account on the PDC \\PDCNAME ...
   Secure channel checked successfully.

NOTE: If you receive the error message below, please see the following article in the Microsoft Knowledge Base:
   The computer account for \\BDCNAME doesn't exist or has an invalid password.

   ARTICLE-ID: Q150518
   TITLE     : NetLogon Service Fails when Secure Channel Not Functioning

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but it has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.
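The distinguishing check in this article is that NetLogon fails on the BDC even though NETDOM reports the secure channel and account password as synchronized; if NETDOM instead reports a missing account or invalid password, the cause is the one in Q150518. The following added example (not part of the article or the NETDOM tool) encodes that triage: it takes the NetLogon event IDs seen on the BDC and the text of a `netdom bdc \\bdcname /query` run and says which article applies. The sample outputs are copied from the article; the event list and the fact that you capture NETDOM's output to a string are assumptions.

```python
# Added triage helper (not Microsoft's or NETDOM's code). Inputs are assumed to be
# collected by the administrator: the NetLogon event IDs from the BDC's system
# event log and the captured text of "netdom bdc \\bdcname /query".

BDC_FAILURE_EVENTS = {3210, 5721}   # NetLogon events on the BDC named in SYMPTOMS

# Constructed samples, taken verbatim from the article's MORE INFORMATION section.
NETDOM_CHANNEL_OK = """NetDom 1.2 @1997.
Querying domain information on computer \\\\BDCNAME ...
The computer \\\\BDCNAME is a domain controller of DOMAIN.
Searching PDC for domain DOMAIN ...
Found PDC \\\\PDCNAME
Verifying secure channel on \\\\BDCNAME ...
Verifying the computer account on the PDC \\\\PDCNAME ...
Secure channel checked successfully.
"""

NETDOM_BAD_ACCOUNT = """NetDom 1.2 @1997.
Querying domain information on computer \\\\BDCNAME ...
The computer account for \\\\BDCNAME doesn't exist or has an invalid password.
"""


def classify_netdom_output(text):
    """Map NETDOM's /query output onto the two outcomes the article describes."""
    if "Secure channel checked successfully." in text:
        return "channel-ok"
    if "doesn't exist or has an invalid password" in text:
        return "bad-account-or-password"
    return "unrecognised"


def triage(bdc_event_ids, netdom_output):
    """Return the Knowledge Base article that matches the observed state.

    "no-signature": the BDC did not log 3210/5721, so this is not a secure-channel
                    start failure at all.
    "Q150518":      NETDOM reports the account/password problem, see that article.
    "Q154398":      NETDOM says the channel and password are fine, yet NetLogon
                    still failed: the enumeration defect described in CAUSE.
    "unknown":      NETDOM output could not be classified; inspect it by hand.
    """
    if not (set(bdc_event_ids) & BDC_FAILURE_EVENTS):
        return "no-signature"
    state = classify_netdom_output(netdom_output)
    if state == "bad-account-or-password":
        return "Q150518"
    if state == "channel-ok":
        return "Q154398"
    return "unknown"


if __name__ == "__main__":
    print(triage([5721], NETDOM_CHANNEL_OK))    # Q154398
    print(triage([3210], NETDOM_BAD_ACCOUNT))   # Q150518
    print(triage([7000], NETDOM_CHANNEL_OK))    # no-signature
```

Run NETDOM from the affected BDC itself, as the article specifies; the `no-signature` branch exists so that unrelated NetLogon failures are not mis-filed under either article.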
Additional query words: 4.00 prodnt
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.