BDC Secure Channel May Fail If More Than 250 Computer Accounts

ID: Q154398


The information in this article applies to:


SYMPTOMS

The NetLogon service fails to start on a backup domain controller (BDC) with NetLogon error 3210 or 5721, while in the system event log of the primary domain controller (PDC) the NetLogon service logs error 5722 or 5723.

This problem appears to be random and may occur on several BDCs. If you remove the BDC computer account and synchronize the BDC with the PDC, the problem is solved until the NetLogon service is restarted on the PDC.


CAUSE

When NetLogon starts on the PDC, it enumerates all computer accounts and, for each BDC, builds a structure that is used to establish the secure channel. NetLogon enumerates a maximum of 250 accounts on each call to the SAM, but because of a problem in NetLogon, one account is skipped between each set of 250. If the skipped account is a workstation account, you do not experience any problems. However, if the skipped account is a BDC account, you experience the problem described above.
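The following Python model illustrates the paged-enumeration defect described above. It is an added example, not Microsoft's NetLogon or SAM code; the article does not describe the exact mechanics, so the "resume one past the last returned index" behaviour is an assumed model that reproduces the stated effect (one account lost per 250), and the account list is constructed.

```python
"""Model of paged SAM enumeration with a per-page skip (constructed example)."""
from dataclasses import dataclass

PAGE_SIZE = 250  # maximum accounts returned per SAM call, per the article


@dataclass(frozen=True)
class Account:
    name: str
    is_bdc: bool


def sam_enumerate(accounts, resume_index, max_count=PAGE_SIZE):
    """Stand-in for a paged SAM call: up to max_count accounts from
    resume_index, plus the index to resume at (None when exhausted)."""
    page = accounts[resume_index:resume_index + max_count]
    next_index = resume_index + len(page)
    return page, (next_index if next_index < len(accounts) else None)


def _enumerate(accounts, advance):
    """Drive sam_enumerate to completion; 'advance' maps the returned
    resume index to the index actually used for the next call."""
    seen, resume = [], 0
    while True:
        page, nxt = sam_enumerate(accounts, resume)
        seen.extend(page)
        if nxt is None:
            return seen
        resume = advance(nxt)


def enumerate_buggy(accounts):
    # Assumed defect model: resuming one past the returned index drops
    # the first account of every page after the first.
    return _enumerate(accounts, lambda nxt: nxt + 1)


def enumerate_fixed(accounts):
    # Corrected behaviour: resume exactly where the SAM said to.
    return _enumerate(accounts, lambda nxt: nxt)


def missing_bdcs(accounts, enumerate_fn):
    """BDC accounts the PDC would never build a secure-channel entry for."""
    found = {a.name for a in enumerate_fn(accounts)}
    return [a.name for a in accounts if a.is_bdc and a.name not in found]


def build_sample(total=600, bdc_indices=(10, 250, 501)):
    """Constructed SAM contents: mostly workstations, three BDCs, two of
    which happen to sit exactly at a 250-account page boundary."""
    return [Account(f"BDC-{i}$" if i in bdc_indices else f"WS{i:04d}$",
                    i in bdc_indices) for i in range(total)]


SAMPLE_ACCOUNTS = build_sample()
```

Running `missing_bdcs(SAMPLE_ACCOUNTS, enumerate_buggy)` names the two BDCs at the page boundaries, which is why the symptom looks random and moves to a different BDC after accounts are added or removed.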


RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, please see the following article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack


MORE INFORMATION

For each BDC, there is a discrete communication channel (the secure channel) with the PDC. The secure channel is used by the NetLogon service on the BDC and on the PDC in order to communicate.

When a BDC joins a domain, a computer account is created (the computer account can be seen with Server Manager). A default password is assigned to the computer account, and the BDC stores this password in the LSA secret $machine.acc.

Each BDC maintains such an LSA secret, which is used by the NetLogon service in order to establish a secure channel.

The problem described above is not related to the secure channel's password. The NetLogon service fails to start on the BDC even though the BDC computer account's password and the BDC's $machine.acc secret are synchronized. You can verify this with the NETDOM utility provided with Windows NT 4.0 Resource Kit Supplement 2 by running the following command on the BDC:


   netdom bdc \\bdcname /query 


The output looks similar to the following:


   NetDom 1.2 @1997.
   Querying domain information on computer \\BDCNAME ...
   The computer \\BDCNAME is a domain controller of DOMAIN.
   Searching PDC for domain DOMAIN ...
   Found PDC \\PDCNAME
   Verifying secure channel on \\BDCNAME ...
   Verifying the computer account on the PDC \\PDCNAME ...
   Secure channel checked successfully. 


NOTE: If you receive the following error message, please see the article listed below in the Microsoft Knowledge Base:

   The computer account for \\BDCNAME doesn't exist or has an invalid password.

Q150518 NetLogon Service Fails when Secure Channel Not Functioning


STATUS

Microsoft has confirmed this to be a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.

Additional query words: 4.00 prodnt


Keywords          : kbtool NT4SP4Fix kbbug4.00 kbfix4.00.sp4 NTSrv ntutil 
Version           : WinNT:4.0
Platform          : winnt 
Issue type        : kbbug 

Last Reviewed: April 10, 1999