DOCUMENT:Q197160 10-AUG-2001 [winnt] TITLE :NETDOM 1.7 Reports Access Denied with Windows NT 4.0 SP4 PRODUCT :Microsoft Windows NT PROD/VER:winnt:4.0 SP4 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 SP4 ------------------------------------------------------------------------------- SYMPTOMS ======== When you use NETDOM version 1.7 (which is included in the Windows NT 4.0 Resource Kit Supplement 3) on a computer with Windows NT 4.0 Service Pack 4, you receive the following error message: Access Denied RESOLUTION ========== NETDOM 1.8 corrects this problem and is available on the following Microsoft FTP site: For Intel processors: ftp://ftp.microsoft.com/reskit/nt4/x86/ For Alpha-based processors: ftp://ftp.microsoft.com/reskit/nt4/alpha/ The new version of NETDOM has been modified so that it works with all computers running Windows NT 4.0 Service Pack 4. NETDOM 1.8 also provides the following new feature set: - Option to trigger partial synchronization from a backup domain controller (BDC) to a primary domain controller (PDC): NETDOM BDC \\BDCNAME /PARTIALSYNC - Option to trigger full synchronization from a BDC to a PDC NETDOM BDC \\BDCNAME /FULLSYNC Secure channels are no longer checked by comparing passwords on both sides of the secure channel. The new release of NETDOM relies on the NETLOGON service to query secure channels status (as NLTEST utility). If a secure channel is incorrect, NETDOM can reset it automatically. For more information, please see the following articles in the Microsoft Knowledge Base: Q150493 How to Join a Domain From the Command Line Q175024 Resetting Domain Member Secure Channel Q150518 NetLogon Service Fails when Secure Channel Not Functioning Q175025 How to Build and Reset a Trust Relationship from a Command Line Some changes have been made on Windows NT 4.0 Service Pack 4 so that computer account password changes are no longer replicated urgently (flag ANNOUNCE_IMMEDIATE). NETDOM 1.8 displays new warning messages stating that a possible cause of an incorrect member's secure channel is synchronization between the BDC, with which the member has established a secure channel, and the PDC. STATUS ====== Microsoft has confirmed this to be a problem in NETDOM version 1.7. MORE INFORMATION ================ For each member, there is a discrete communication channel (that is, the secure channel) with a domain controller. The secure channel is used by the Netlogon service on the member and on the domain controller to communicate. The password of the secure channel is stored on one hand on the member itself under an LSA secret entry and on the other hand on the PDC in the SAM (password of the computer account), which is then replicated to all BDCs. To check a secure channel remotely, NETDOM used to establish a connection with the PDC using the computer account and the password found in the LSA secret $MACHINE.ACC. With Service Pack 4, LSA secret values are no longer returned to clients over the network and it prevented NETDOM from working fine. For more information, please see the following article in the Microsoft Knowledge Base: Q184017 Administrators Can Display Contents of Service Account Passwords Additional query words: 4.00 rkit resource kit sp4 ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400sp4 kbWinNTS400search Version : winnt:4.0 SP4 Issue type : kbprb Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.