Solved

NT4 Backup Domain Controller Trust Failure

Posted on 1999-01-01
Last Modified: 2013-12-28
We built 40 NT4 (SP4) backup domain controllers and then downed them for 30 plus days, when we tried to bring them back up into the domain they were built in they would not come back up as working backup domain controllers, complaining that the trust was broken.

Is there a period after which they will be unable to join the domain and, more importantly, is there a way to bypass this problem and get them back up and running correctly in the domain?
Question by:eetris
3 Comments
 
LVL 2

Accepted Solution

by:
livni earned 150 total points
ID: 1796712
SYMPTOMS

After a Windows NT backup domain controller (BDC) has been offline for some time, it may fall out of synchronization with the primary domain controller (PDC). When you attempt to bring the BDC back online, you may get the following errors in the BDC's Event Viewer:

   Event ID: 3210
   Source: Netlogon
   Type: Error
   Description: Failed to authenticate with <computer name>, a Windows NT
   domain controller for domain <domain name>.
   Data word: c0000022

   Event ID: 7023
   Source: Service Control Manager
   Type: Error
   Description: Netlogon service terminated with the following error
   message: Access Denied.

This is very likely to occur if a BDC is restored from a backup that is more than a few days old or if the BDC is offline for more than a few days.

CAUSE

Domain controllers maintain a password-protected channel between each other. When a BDC is brought into a domain, the PDC gives the BDC the current password to use when connecting to the PDC for authentication, account database replication, and other system activities. This password changes automatically on a regular basis. If the BDC is offline when the password changes, or if a BDC is restored from a backup that has an old password, the BDC will not be able to authenticate with the PDC, and Netlogon will fail.

RESOLUTION

In the simplest case, all that has happened is that the domain password has changed. To resolve the problem, do the following:

1. Start the BDC, and open Server Manager.

2. Select the BDC's name, and select Synchronize with Primary Domain Controller.

If this procedure is successful, you will get a message that the LSA Database has been updated and Netlogon will start automatically. No other action is necessary.

However, if synchronizing with the PDC does not work on the first attempt, try carrying out the same command again. Often, a second attempt will succeed. However, if the BDC will not synchronize and Netlogon fails to start after three attempts, you should create a new machine account for the BDC. These instructions are taken from a related article, Q137987:

1. Using Server Manager, create a new computer name.

2. Synchronize the entire domain (check another BDC's Event Viewer to see if it synchronized).

3. At the problem BDC, use the Network tool in Control Panel to change the name to the new name created in Step 1.

4. Shut down the BDC, restart, and log on to Windows NT. Note any error messages. You must log on to the domain the BDC belongs to, not a trusted domain.

5. Using Server Manager, synchronize the entire domain.

6. From the PDC, delete the old computer name (use Server Manager).

7. Synchronize the entire domain, using Server Manager.

8. Make sure the old BDC name has been deleted in Server Manager before proceeding.

9. After the old BDC name is gone from Server Manager, re-create it.

10. Synchronize the entire domain, using Server Manager.

11. At the problem BDC, change the computer name to the old name created in Step 9, using the Network tool in Control Panel.

12. Shut down the BDC, restart, and log on to the domain. Note any error messages.

13. Synchronize the entire domain.

At this point the BDC should be synchronized with the PDC, Netlogon should be running, and the accounts database should be up to date.

Related Articles:

For additional information on authentication issues specific to NWLink, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q126752
   TITLE     : DCs Fail to Synchronize or Validate Users Over NWLINK

For additional information on authentication issues when trying to net view, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q137987
   TITLE     : NET VIEW May Cause Semaphore Time Out and Event ID 3210

For additional information on authentication from the PDC's point of view, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q142869
   TITLE     : Event ID 3210 & 3722 Appear When Synchronizing Entire Domain
 
LVL 5

Expert Comment

by:carmine
ID: 1796713
The default is for the PDC to change the trust password every seven days.
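An added toy model (not code from this thread, from Microsoft, or from any real Netlogon implementation) of the mechanism livni's answer describes, using the 7-day rotation default carmine gives: it shows why an outage shorter than the rotation period comes back cleanly while a 30-day outage fails with the c0000022 status until the channel is resynchronized. The BDC name, the hash-based password generator and the simplified synchronize step are assumptions.

```python
# Toy model of the PDC/BDC secure-channel password from the thread (constructed
# illustration, not Microsoft's Netlogon code). The PDC rotates each BDC's
# channel password every ROTATION_DAYS (carmine's 7-day default); a BDC keeps
# the copy from its last sync. A rotation during the outage leaves the BDC stale,
# and its first authentication returns the NTSTATUS in the Event ID 3210 data word.
import hashlib

ROTATION_DAYS = 7
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022     # data word c0000022 in Event ID 3210


def _new_password(bdc: str, day: int) -> str:
    # Deterministic stand-in for the random password a real PDC would generate.
    return hashlib.sha256(f"{bdc}:{day}".encode()).hexdigest()[:16]


class PDC:
    def __init__(self) -> None:
        self.day = 0
        self.channel: dict[str, str] = {}  # BDC name -> current channel password

    def join(self, bdc: str) -> str:
        self.channel[bdc] = _new_password(bdc, self.day)
        return self.channel[bdc]

    def advance(self, days: int) -> None:
        # Time passes; on every ROTATION_DAYS boundary the PDC picks a new password.
        for d in range(self.day + 1, self.day + days + 1):
            if d % ROTATION_DAYS == 0:
                for bdc in self.channel:
                    self.channel[bdc] = _new_password(bdc, d)
        self.day += days

    def authenticate(self, bdc: str, password: str) -> int:
        return STATUS_SUCCESS if self.channel.get(bdc) == password else STATUS_ACCESS_DENIED

    def synchronize(self, bdc: str) -> str:
        # Admin-driven "Synchronize with Primary Domain Controller", simplified
        # here to handing the BDC the current password again.
        return self.channel[bdc]


def reconnect_status(offline_days: int) -> tuple[int, int]:
    """NTSTATUS of a BDC's first auth after `offline_days` down, then after a resync."""
    pdc = PDC()
    bdc_password = pdc.join("BDC01")      # constructed BDC name
    pdc.advance(offline_days)             # BDC is down for the whole period
    first = pdc.authenticate("BDC01", bdc_password)
    bdc_password = pdc.synchronize("BDC01")
    return first, pdc.authenticate("BDC01", bdc_password)
```

`reconnect_status(3)` returns success twice; `reconnect_status(30)` returns `0xC0000022` first and success only after the resync, mirroring the recovery path in the accepted answer.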
 

Author Comment

by:eetris
ID: 1796714
Thanks lots for your very timely reply!!

Apparently we also found out today (this was my first day back to try your proposed solution, which in retrospect seems so obvious =) there is also a DOS-based Resource Kit utility for resetting the password called netdom.exe; whether this is effective or not remains to be seen.

Finally (Carmine - thanks for replying also) we were aware of the 7 day reset, just not the disabling feature, which in itself is pretty awful, and somewhat worrying when first encountered, especially with 40 boxes all showing the same symptom <shudder>.

Tris Long
