Windows NT Domain Problems
Kenn's
19990101: Windows NT Domain Problems
January/1999
The tip of the month is from Patrick L.

Anyone who has managed an NT domain with more than one server is likely to have encountered at least some problems relating to domain synchronization. In some cases, these problems result from the fact that an essential step for installing Windows NT Server has been omitted from our division standards, and in fact from most Microsoft documents. That step is this:

Create a computer account for the new server in the domain before installing Windows NT on the new server.

There are a variety of error messages that occur when a server is not properly synchronized with the primary domain controller. These messages, which may pop up in the user interface, the logon window, or the event log, include:

- "Failed to authenticate with <computer name>, a Windows NT domain controller for domain <domain name>."
- "Netlogon service terminated with the following error message: Access Denied."
- "Failed to authenticate with \\DOMAINPDC, a Windows NT domain controller for domain DOMAIN."
- "The session setup to the Windows NT Domain Controller \\DOMAINPDC for the domain DOMAIN failed because the Windows NT Domain Controller does not have an account for the computer DOMAINBDC."
- "The session setup from the computer DOMAINBDC failed because there is no trust account in the security database for this computer. The name of the account referenced in the security database is DOMAINBDC$."
- "The session setup from the computer DOMAINBDC failed to authenticate. The name of the account referenced in the security database is DOMAINBDC$. The following error occurred: Access is denied."

In the simplest case, all that has happened is that the domain password has changed. To resolve the problem, do the following:

1. Start the BDC, and open Server Manager.
2. Select the BDC's name, and select Synchronize with Primary Domain Controller.

If this procedure is successful, you will get a message that the LSA Database has been updated, and Netlogon will start automatically. No other action is necessary.

If synchronizing with the PDC does not work on the first attempt, try carrying out the same command again. Often, a second attempt will succeed. However, if the BDC will not synchronize and Netlogon fails to start after three attempts, you should create a new machine account for the BDC. Here is Microsoft's recommended procedure:

1. Using Server Manager, create a new computer name.
2. Synchronize the entire domain (check another BDC's event viewer to see if it synchronized).
3. At the problem BDC, use the Network tool in Control Panel to change the name to the new name created in Step 1.
4. Shut down the BDC, restart, and log on to Windows NT. Note any error messages. You must log on to the domain the BDC belongs to, not a trusted domain.
5. Using Server Manager, synchronize the entire domain.
6. From the PDC, delete the old computer name (use Server Manager).
7. Synchronize the entire domain, using Server Manager.
8. Make sure the old BDC name has been deleted in Server Manager before proceeding.
9. After the old BDC name is gone from Server Manager, re-create it.
10. Synchronize the entire domain, using Server Manager.
11. At the problem BDC, change the computer name to the old name created in Step 9, using the Network tool in Control Panel.
12. Shut down the BDC, restart, and log on to the domain. Note any error messages.
13. Synchronize the entire domain.

At this point the BDC should be synchronized with the PDC, Netlogon should be running, and the accounts database should be up to date.

This information is based on Microsoft Technical Articles Q137987, Q153719, Q150298, and Q131770. Please consult these articles if you require further details on this issue.
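The Netlogon messages quoted above name the domain controller, the domain, the affected computer and its machine account (such as DOMAINBDC$). The Python below is an added example, not part of the original tip: it sorts exported event text into categories and extracts those names so you can see which BDC is reporting a missing machine account and which is failing authentication. The category labels, function names, the LABBDC2 host and the sample lines are assumptions made for illustration.

```python
import re

# Patterns built from the messages quoted on this page; category names are this example's own.
PATTERNS = [
    ("no_machine_account", re.compile(
        r"session setup to the Windows NT Domain Controller (?P<dc>\\\\\S+) for the domain "
        r"(?P<domain>\S+) failed .* does not have an account for the computer (?P<computer>\S+?)\.")),
    ("no_machine_account", re.compile(
        r"session setup from the computer (?P<computer>\S+) failed because there is no "
        r"trust account .* security database is (?P<account>\S+\$)")),
    ("auth_failed", re.compile(
        r"session setup from the computer (?P<computer>\S+) failed to authenticate\. "
        r".* security database is (?P<account>\S+\$)")),
    ("auth_failed", re.compile(r"Failed to authenticate with (?P<dc>\\\\\S+?), a Windows NT "
                               r"domain controller for domain (?P<domain>\S+?)\.")),
    ("netlogon_stopped", re.compile(r"Netlogon service terminated .*Access Denied")),
]

# Constructed sample lines (not real logs); LABBDC2 is a made-up second BDC.
SAMPLE = [
    r"Failed to authenticate with \\DOMAINPDC, a Windows NT domain controller for domain DOMAIN.",
    "The session setup from the computer DOMAINBDC failed to authenticate. The name of the account "
    "referenced in the security database is DOMAINBDC$. The following error occurred: Access is denied.",
    "The session setup from the computer LABBDC2 failed because there is no trust account in the security "
    "database for this computer. The name of the account referenced in the security database is LABBDC2$.",
    "The browser has forced an election on network.",  # unrelated line, ignored
]

def triage(lines):
    """Return one dict per recognised line: category plus the names it carries."""
    findings = []
    for line in lines:
        for category, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"category": category, **match.groupdict()})
                break
    return findings

def by_computer(findings):
    """Map each named computer to the sorted categories reported for it."""
    result = {}
    for f in findings:
        if f.get("computer"):
            result.setdefault(f["computer"], set()).add(f["category"])
    return {name: sorted(cats) for name, cats in result.items()}

if __name__ == "__main__":
    print(by_computer(triage(SAMPLE)))
```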
DISCLAIMER: This document is intended for the reference of computer support personnel within Winnipeg School Division No. 1. There is no warranty or liability if procedures recommended here have an adverse effect on any systems. Use them at your own risk. Any trademarks mentioned are the property of their owners, none of whom have certified any information provided here. Opinions expressed here are personal only and do not represent the policy of Winnipeg School Division No. 1 or any other organization anywhere.