Domain Synchronization Fails With 5730 or 5731 and 5716

• Microsoft Windows NT Server versions 3.51 and 4.0

SYMPTOMS

When domain synchronization occurs at the automatic interval or when issued manually, you may encounter the following events:

5730 - Replication of the SAM Global group (RID:0x200) from primary domain controller <Domain name> failed with the following error: cannot perform this operation on built-in accounts.

5731 - Replication of the built-in local group (rid:0x220) from the primary domain controller failed with the following error: A new member could not be added to a local group because the member has the wrong account type.

5716 - The partial synchronization replication of the SAM database from the primary domain controller <name> failed with the following error: Cannot perform this operation on built-in accounts.

CAUSE

In order to ensure an administrator's ability to manage servers in a domain, Windows NT Server maintains a value called AdminCount. AdminCount is a one-byte field that is incremented for each instance that the administrator user account is directly added to the Administrators local group, or indirectly made a member of the Administrators local group via a global group.

Prior to Windows NT Server 3.51 Service Pack 4, the backup domain controller's (BDC) AdminCount field could sometimes get out of sync with the primary domain controller's (PDC) AdminCount field. Although this problem was fixed in Windows NT 3.51 Service Pack 4, the value was never recalculated for the BDCs in the domain.

BDCs analyze the AdminCount field prior to removing any instances of the Administrator from the Administrators group. If the BDC calculates that this field will be less then 1 after it commits changes from the PDC synchronization, then you will see 5730 or 5731 events in the Event Viewer.

RESOLUTION

If the administrator is already a member of both the Domain Administrators and the Administrators group, the following steps will increment the administrator count on each BDC.

1. Click the Start button, point to Programs, point to Administrative Tools, and click User Manager for Domains.

2. In User Manager for Domains, create a new global group by clicking New Global Group from the User menu. Type MakeAdmin for the Group Name and AdminCount Workaround for the Description.

3. Double-click the MakeAdmin global group icon located in the Groups/Description view pane.

4. Select the Administrator user, and then click Add in the global Group Properties dialog box.

5. Double-click the Administrators local group icon located in the Groups/Descriptions view pane.

6. Click Add in the Local Group Properties dialog box.

7. Select the MakeAdmin global group in the Add Users and Groups dialog box, click Add, and then click OK.

8. Click OK on the Local Group Properties dialog box.

9. Wait for domain synchronization to complete or force a full synchronization by running: NLTEST/SYNC.

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 3.51 and 4.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.