DOCUMENT:Q271288 06-AUG-2002 [winnt] TITLE :Domain Trusts May Not Work with Password Sync Service PRODUCT :Microsoft Windows NT PROD/VER::4.0,4.0 SP4,4.0 SP5,4.0 SP6 OPER/SYS: KEYWORDS:kb3rdparty kbenv kbnetwork ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server versions 4.0, 4.0 SP4, 4.0 SP5, 4.0 SP6 ------------------------------------------------------------------------------- SYMPTOMS ======== Domain trust relationships may be periodically unsuccessful, often at one week intervals, and must be continually re-established. The System event log may also record the following error message: Event ID: 3210 Source: Netlogon Type: Error Description: Failed to authenticate with , a Windows NT domain controller for domain . Data word: c0000022 CAUSE ===== This behavior may occur if third-party programs are used for password synchronization. MORE INFORMATION ================ Third-party products can be used to synchronize passwords for accounts that use different platforms. Some of these products run as a service on the domain's primary domain controller (PDC). When a trust is established between two domains, an interdomain trust account is created. This account is configured with an initial password when the trust is created. This password is changed at certain intervals during the life of the trust. The default interval is seven days. When you make a password change to an interdomain trust account, the password synchronization service may mistakenly detect the change and replicate it to other domain controllers that run the service and with whom there is a trust relationship with the same domain. Here is an example to illustrate the preceding information: DOMA (Domain A) ----TRUSTS---> DOMB (Domain B) The interdomain trust account DOMA$ resides in DOMB. NOTE: The type of account is interdomain trust account, not a normal user account. By default, every seven days, the PDC in DOMA generates a new password for the DOMA$ interdomain trust account which resides in DOMB and attempts to set a new secure channel password for that account. If successful, the PDC in DOMA stores the new password and uses it the next time it wants to set up a secure channel. If, for any reason, the password change is unsuccessful, the PDC in DOMA retains the password it has been using, and discards the new password. If the password for the DOMA$ account residing in DOMB is changed by a third-party process, then the password stored by the PDC in DOMA that uses this account goes out of synchronization. The next time the PDC in DOMA attempts to set up a secure channel with DOMB using the password it has stored, it is unsuccessful in establishing a secure channel. At this point the trust relationship is broken. If NetLogon debugging is enabled, the NetLogon.log file can record the following message: 07/12 20:30:03 [CRITICAL] NlSessionSetup: DOMA Session setup: cannot I_NetServerAuthenticate 0xc0000022 07/12 20:30:03 [CRITICAL] NlSessionSetup: DOMA new password is bad. Old password is same as new password. Additional query words: Blockade Trust ====================================================================== Keywords : kb3rdparty kbenv kbnetwork Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400sp6 kbWinNTS400sp5 kbWinNTS400sp4 kbWinNTS400search kbWinNTS400 Version : :4.0,4.0 SP4,4.0 SP5,4.0 SP6 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.