Recovering from Minor LSA Corruption

ID: Q199071


The information in this article applies to:
  • Microsoft Windows NT Server version 4.0


IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS

You might see event ID 5714 on the primary domain controller (PDC):

   The full synchronization request from the server "bdc" failed with the following error: error text

or event ID 5716 on one or more backup domain controllers (BDCs):

   The partial synchronization replication of the SAM database from the primary domain controller name failed with the following error: Cannot perform this operation on built-in accounts

Either event indicates that replication of the LSA database failed.


CAUSE

This problem occurs because one of the secrets in the LSA database is corrupted. This can happen when the registry is physically corrupted (as in a disk system hardware failure) or when a transaction to the LSA database does not complete and is left in a partially completed state (as in a power failure during a transaction).

If you examine the LSA secrets in the registry, you will see at least one secret that has only one subkey, PolMod. Normal secrets have five subkeys.


RESOLUTION

To resolve this problem, locate and delete the corrupted secret in the registry on the PDC.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

If you examine each secret in the registry, you can locate the corrupted secret manually; no reboot is required.

You can also find the corrupted secret by installing a checked build of Netlogon.dll and examining the logs that are generated. A Netlogon.log file of this problem will have lines (wrapped for readability) that look like:

12/08 18:11:41 [SYNC] Packing Secret Object: G$$TRUSTEDDOMAIN
12/08 18:11:41 [CRITICAL] NlSyncLsaDatabase: returning unsuccessful (c0000034).
12/08 18:11:41 [MISC] Eventlog: 5714 (2) "PDC" "%%2" c0000034
12/08 18:11:41 [SYNC] NetrDatabaseSync: LSA returning (0xc0000034) to PDC Context: 0x0.

From this log, you can see that the LSA secret named G$$TRUSTEDDOMAIN is corrupted.
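As an added example (not part of the Microsoft article), the following Python pairs each "Packing Secret Object" line with the NlSyncLsaDatabase failure that follows it, so the corrupted secret can be pulled out of a long Netlogon.log instead of being read by eye. The log text is a constructed sample modelled on the excerpt above, not a real capture.

```python
import re

# Constructed sample based on the Netlogon.log excerpt in the article (not a real capture);
# a healthy secret is packed first so the pairing logic has something to skip over.
SAMPLE_LOG = """\
12/08 18:11:40 [SYNC] Packing Secret Object: G$$OTHERDOMAIN
12/08 18:11:41 [SYNC] Packing Secret Object: G$$TRUSTEDDOMAIN
12/08 18:11:41 [CRITICAL] NlSyncLsaDatabase: returning unsuccessful (c0000034).
12/08 18:11:41 [MISC] Eventlog: 5714 (2) "PDC" "%%2" c0000034
12/08 18:11:41 [SYNC] NetrDatabaseSync: LSA returning (0xc0000034) to PDC Context: 0x0.
"""

PACKING_RE = re.compile(r"\[SYNC\] Packing Secret Object: (\S+)")
FAILURE_RE = re.compile(
    r"\[CRITICAL\] NlSyncLsaDatabase: returning unsuccessful \(([0-9a-fA-F]+)\)")


def find_failed_secrets(log_text, global_only=True):
    """Return [(secret_name, ntstatus_hex), ...] for each failed LSA sync.

    Netlogon logs the secret it is packing, then a CRITICAL line if the LSA
    call failed, so the most recent 'Packing Secret Object' line before each
    failure names the secret that would not replicate.  With global_only=True
    only G$-prefixed (global) secrets are reported, since only those are
    replicated to BDCs.
    """
    last_secret = None
    failures = []
    for line in log_text.splitlines():
        m = PACKING_RE.search(line)
        if m:
            last_secret = m.group(1)
            continue
        m = FAILURE_RE.search(line)
        if m and last_secret is not None:
            if not global_only or last_secret.startswith("G$"):
                failures.append((last_secret, m.group(1).lower()))
            last_secret = None  # each failure is attributed to one secret only
    return failures


if __name__ == "__main__":
    for name, status in find_failed_secrets(SAMPLE_LOG):
        print("corrupted LSA secret %s (LSA status 0x%s)" % (name, status))
```

Run it against a real Netlogon.log by reading the file into `find_failed_secrets`; every secret it reports is a candidate to inspect under HKEY_LOCAL_MACHINE\Security\Policy\Secrets.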

For more information on obtaining, installing and configuring the checked build of Netlogon.dll, contact Microsoft Product Support Services.

After the corrupted secret is located, delete it.

NOTE: Performing the following procedure across a slow WAN link could be extremely time-consuming (hours). Microsoft recommends that you perform this procedure locally on the PDC.

  1. Start Registry Editor (Regedt32.exe).

  2. Locate the following key in the registry:
     HKEY_LOCAL_MACHINE\Security

  3. On the Security menu, click Permissions.

  4. Change the permissions on this key and all subkeys to:

     Administrators: Full Control
     System: Full Control

     NOTE: You can safely ignore any errors while applying permissions.

  5. Locate the following key in the registry, where secretname is the corrupted secret identified above:
     HKEY_LOCAL_MACHINE\Security\Policy\Secrets\secretname

  6. On the Edit menu, click Delete.

  7. Locate the following key in the registry:
     HKEY_LOCAL_MACHINE\Security

  8. On the Security menu, click Permissions.

  9. Change the permissions on this key and all subkeys back to:

     Administrators: Special... (only Read Control and Write DAC)
     System: Full Control

     NOTE: You can safely ignore any errors while applying permissions.

  10. Quit Registry Editor.


In this example, the corrupted key corresponds to an outgoing trust. You would need to re-establish the trust to TRUSTEDDOMAIN by using User Manager for Domains to delete and re-create each end of the trust.

Here is a short list of secrets you might see:

   Secret Name      Type of Information
   ---------------  -------------------------------------------
   G$$DOMAINNAME    Trust to domain DOMAINNAME
   G$<other name>   Other global secret
   $MACHINE.ACC     Machine account password for this computer
   NL$xx            Cached logon credentials
   *ServiceName*    Information stored by that service

Problems of this sort occur only in global secrets because other secrets are not replicated to BDCs by Netlogon. Thus, it is only necessary to inspect secrets beginning with G$.


MORE INFORMATION

LSA secrets are stored in the registry under the following registry key:

HKEY_LOCAL_MACHINE\Security\Policy\Secrets

Each LSA secret key will normally have five subkeys:

   CupdTime
   CurrVal
   OldVal
   OupdTime
   SecDesc

When a secret changes, the values of each of these keys must be looked up and replicated by Netlogon as part of the normal domain accounts database replication process.

The 5714/5716 event pair is generated when one or more of these values is missing.

During a change to an LSA secret, there is an intermediate state where these five subkeys have been deleted and a temporary key, PolMod, is present. If the transaction is not completed atomically, this key could persist, resulting in a corrupted and non-replicatable LSA secret.
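As an added example that is not from the article, the following Python audits the Secrets key for the condition described here and under CAUSE and RESOLUTION: a global secret that shows the temporary PolMod subkey or is missing any of the five normal subkeys. The registry contents are a constructed in-memory model (G$$PARTIAL is a hypothetical name); the winreg reader assumes a Windows host with Python available and the permission change from the RESOLUTION steps.

```python
# Subkeys every healthy LSA secret carries, per the MORE INFORMATION section.
EXPECTED_SUBKEYS = frozenset({"CupdTime", "CurrVal", "OldVal", "OupdTime", "SecDesc"})

# Constructed model of HKEY_LOCAL_MACHINE\Security\Policy\Secrets (secret -> subkeys):
# G$$TRUSTEDDOMAIN is stuck in the PolMod state the article describes and the
# hypothetical G$$PARTIAL lost two subkeys to a half-written transaction.
SAMPLE_SECRETS = {
    "G$$TRUSTEDDOMAIN": {"PolMod"},
    "G$$PARTIAL": {"CurrVal", "OldVal", "SecDesc"},
    "G$$OTHERDOMAIN": set(EXPECTED_SUBKEYS),
    "$MACHINE.ACC": set(EXPECTED_SUBKEYS),
    "NL$1": set(EXPECTED_SUBKEYS),
}

def audit_secret(subkeys):
    """Return the problems found in one secret's subkey list (empty if healthy)."""
    subkeys = set(subkeys)
    problems = []
    if "PolMod" in subkeys:
        problems.append("PolMod present (incomplete transaction)")
    missing = EXPECTED_SUBKEYS - subkeys
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    return problems

def find_corrupt_secrets(secrets, global_only=True):
    """Map secret name -> problems for each failing secret; with global_only only
    G$ secrets are inspected, since only those replicate to BDCs via Netlogon."""
    corrupt = {}
    for name, subkeys in secrets.items():
        if global_only and not name.startswith("G$"):
            continue
        problems = audit_secret(subkeys)
        if problems:
            corrupt[name] = problems
    return corrupt

def read_secrets_from_registry():
    """Build the same mapping live on Windows with the standard winreg module.
    Needs the Administrators: Full Control grant from the RESOLUTION steps on
    HKLM\\Security; restore the original permissions afterwards."""
    import winreg
    secrets = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Security\Policy\Secrets") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as key:
                secrets[name] = {winreg.EnumKey(key, j)
                                 for j in range(winreg.QueryInfoKey(key)[0])}
    return secrets
```

Calling `find_corrupt_secrets(read_secrets_from_registry())` on the PDC lists exactly the secrets the RESOLUTION steps tell you to delete, together with why each one failed the check.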

Additional query words:

Keywords : kberrmsg kbnetwork ntdomain
Version : winnt:4.0
Platform : winnt
Issue type : kbprb


Last Reviewed: March 12, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.