BDC Secure Channel May Fail if More Than 250 Computer Accounts

Last reviewed: October 10, 1997
Article ID: Q154398
The information in this article applies to:
  • Microsoft Windows NT Server version 4.0

SYMPTOMS

The NetLogon service fails to start on a backup domain controller (BDC), logging NetLogon error 3210 or 5721, while the NetLogon service on the primary domain controller (PDC) logs error 5722 or 5723 in the PDC's system event log.

This problem appears to be random and may occur on several BDCs at once. If you remove the BDC computer account and resynchronize the BDC with the PDC, the problem goes away, but only until the NetLogon service is next restarted on the PDC.

CAUSE

When NetLogon starts on the PDC, it enumerates all computer accounts in the domain and, for each BDC account, builds the structure used to establish that BDC's secure channel. NetLogon requests at most 250 accounts per call to the SAM, but because of a defect in NetLogon, one account between each batch of 250 is skipped. If the skipped account is a workstation account, nothing is affected. If it is a BDC account, the PDC builds no secure-channel structure for that BDC, and you experience the problem described above.
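
The following is an added example, not code from this article or from NetLogon itself. It models the batched SAM walk described above as a simple resume-index loop, with the defect modelled as the resume index advancing one entry too far after every full batch. The account names, the RID ordering of the SAM, the BDCnn$ naming convention and the 600-account sample domain are all constructed for illustration. The example also shows why the failure looks random: adding a single workstation account ahead of the BDCs shifts every position by one, so a different account lands on each batch boundary.

```python
"""Model of the batched SAM enumeration described in the CAUSE section.
This is illustrative code written for this article, not NetLogon's own
code; the account names, ordering and sample domain are constructed."""

PAGE_SIZE = 250  # maximum accounts NetLogon requests from the SAM per call


def enumerate_accounts(accounts, page_size=PAGE_SIZE, buggy=False):
    """Return the accounts an enumerator sees when walking `accounts`
    in batches of `page_size` using a resume index.

    With buggy=True the resume index is advanced one entry too far after
    every full batch, so the first account of each following batch is
    skipped (the behaviour the article attributes to NetLogon)."""
    seen = []
    resume = 0
    while resume < len(accounts):
        batch = accounts[resume:resume + page_size]
        seen.extend(batch)
        resume += len(batch)
        if buggy and len(batch) == page_size:
            resume += 1  # modelled defect: one account lost between batches
    return seen


def missed_accounts(accounts, page_size=PAGE_SIZE):
    """Accounts the buggy walk never returns."""
    seen = set(enumerate_accounts(accounts, page_size, buggy=True))
    return [name for name in accounts if name not in seen]


def is_bdc(name):
    """Constructed convention for the sample: BDC accounts are named BDCnn$."""
    return name.startswith("BDC")


def bdcs_without_secure_channel(accounts, page_size=PAGE_SIZE):
    """BDC accounts the PDC builds no secure-channel structure for, i.e.
    the BDCs whose NetLogon service will fail to start. Only BDC accounts
    matter here: a skipped workstation account causes no symptom."""
    return [name for name in missed_accounts(accounts, page_size) if is_bdc(name)]


def sample_domain(n_accounts=600, bdc_at=(10, 250, 501)):
    """Constructed SAM: workstation accounts WSnnnn$ in RID order, with a
    BDC account placed at each index listed in `bdc_at`."""
    accounts = [f"WS{i:04d}$" for i in range(n_accounts)]
    for n, idx in enumerate(bdc_at, start=1):
        accounts[idx] = f"BDC{n:02d}$"
    return accounts


if __name__ == "__main__":
    domain = sample_domain()
    print("accounts skipped by buggy enumeration:", missed_accounts(domain))
    print("BDCs with no secure channel on the PDC:", bdcs_without_secure_channel(domain))
    # Adding one workstation account ahead of the BDCs shifts every position
    # by one, so the skipped accounts are now workstations and no BDC fails.
    shifted = ["WSNEW$"] + domain
    print("after adding one workstation account:", bdcs_without_secure_channel(shifted))
```

With the sample domain, the buggy walk returns 598 of 600 accounts and silently drops the accounts at positions 250 and 501, which in the sample are BDC02$ and BDC03$; the correct walk returns all 600. Because which account sits on a boundary depends on the position of every other computer account, the set of affected BDCs changes whenever accounts are added or removed, matching the "random" behaviour in SYMPTOMS.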

RESOLUTION

To resolve this problem, obtain the hotfix below, or wait for the next service pack.

MORE INFORMATION

For each BDC, there is a discrete communication channel (the secure channel) with the PDC. The secure channel is used by the NetLogon service on the BDC and on the PDC in order to communicate.

When a BDC joins a domain, a computer account is created for it (the computer account can be seen in Server Manager). The computer account is given a default password, and the BDC stores that password in the LSA secret $machine.acc.

Each BDC maintains such an LSA secret, which its NetLogon service uses to establish the secure channel.

The problem described above does not involve the secure channel password. The NetLogon service fails to start on the BDC even though the BDC computer account password on the PDC and the BDC's $machine.acc secret are synchronized. You can confirm this with the NETDOM utility provided with the Windows NT 4.0 Resource Kit Supplement 2 by running the following command on the BDC:

   netdom bdc \\bdcname /query

The output looks similar to the following:

   NetDom 1.2 @1997.
   Querying domain information on computer \\BDCNAME ...
   The computer \\BDCNAME is a domain controller of DOMAIN.
   Searching PDC for domain DOMAIN ...
   Found PDC \\PDCNAME
   Verifying secure channel on \\BDCNAME ...
   Verifying the computer account on the PDC \\PDCNAME ...
   Secure channel checked successfully.

NOTE: If you instead receive the error message below, the password is the problem rather than the enumeration defect described here; see the following article in the Microsoft Knowledge Base:

   The computer account for \\BDCNAME doesn't exist or has an invalid
   password.

   ARTICLE-ID: Q150518
   TITLE     : NetLogon Service Fails when Secure Channel Not Functioning

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.


Additional query words: 4.00 prodnt
Keywords : kbbug4.00 kbfix4.00 NTSrv ntutil kbtool
Version : WinNT:4.0
Platform : winnt


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.