Article ID: 293127 - Last Review: February 28, 2007 - Revision: 2.2

The Net Logon Service of a Windows NT 4.0 BDC Does Not Function in a Windows 2000 Domain

View products that this article applies to.
This article was previously published under Q293127
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986  (http://support.microsoft.com/kb/256986/EN-US/ ) Description of the Microsoft Windows Registry
Expand all | Collapse all

SYMPTOMS

In a Windows 2000 domain with an NT 4.0 backup domain controller (BDC), the Windows NT 4.0 BDC cannot perform the following functions:
  • Find the Windows 2000 domain controller.
  • Synchronize the Security Accounts Manager (SAM) database.
  • Start the Net Logon service.
  • Obtain a list of backup browsers.
When you restart the BDC, the following events are logged:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3210
Description:
Failed to authenticate with \\Wn2kDC, a Windows NT or Windows 2000
domain controller for domain <domain name>.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Net Logon service terminated with the following error: Access
is denied

Event Type: Error
Event Source: BROWSER
Event Category: None
Event ID: 8032
Description:
The browser service has failed to retrieve the backup list too many
times on transport \Device\<devicename>.
The backup browser is stopping.
If you attempt to reset the secure channel of the BDC by using the netdom command, you receive the following error message:
The interface is unknown.
If you attempt to reset the secure channel of the BDC by using the nltest command, you receive the following error message:
RPC_S_Unknown_IF
Also, Windows NT 4.0-based clients may not be able to log on to the Windows 2000 domain. They may receive the following error message:
System can not log you on to the domain because the systems computer account in its primary domain is missing or the password on that account is incorrect,
Back to the top

CAUSE

This behavior can occur if you set the RestrictAnonymous registry value to 2, which can occur by editing the registry directly or by applying the Hisecdc.inf security template.
Back to the top

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this behavior, change the setting for the RestrictAnonymous value from 2 to a 0 on the Windows 2000 domain controller that hosts the primary domain controller (PDC) emulator operations master role.

To determine who hosts the PDC emulator operations master role:
  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. Right-click the domain name, and then click Operations Masters.
  3. Click the PDC tab to view the server that holds the PDC master role.
To change the value of RestrictAnonymous:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the RestrictAnonymous value under the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\restrictanonymous
  3. On the Edit menu, click DWORD, type 0 in the data field, and then click OK.
  4. Quit Registry Editor.
Restart the Windows 2000 domain controller.
Back to the top

MORE INFORMATION

RestrictAnonymous is used to prevent anonymous logon access to resources, excluding resources to which the anonymous user has explicitly been given access. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
246261  (http://support.microsoft.com/kb/246261/EN-US/ ) How to Use the RestrictAnonymous Registry Value in Windows 2000
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
Back to the top
Keywords: 
kbenv kberrmsg kbnetwork kbprb KB293127
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers