Article ID: 197160 - Last Review: November 1, 2006 - Revision: 1.2
NETDOM 1.7 reports access denied with Windows NT 4.0 SP4
This article was previously published under Q197160
SYMPTOMS
When you use NETDOM version 1.7 (which is included in the Windows NT 4.0
Resource Kit Supplement 3) on a computer with Windows NT 4.0 Service Pack
4, you receive the following error message:
Access Denied
RESOLUTION
NETDOM 1.8 corrects this problem and is available on the
following Microsoft FTP site:
For Intel processors:
ftp://ftp.microsoft.com/reskit/nt4/x86/
For Alpha-based processors:
ftp://ftp.microsoft.com/reskit/nt4/alpha/
The new version of NETDOM has been modified so that it works with all computers running Windows NT 4.0 Service Pack 4. NETDOM 1.8 also provides the following new feature set:
150493 (http://support.microsoft.com/kb/150493/EN-US/) How to join a domain from the command line
Windows NT 4.0 Service Pack 4 changes replication so that computer account
password changes are no longer replicated urgently (flag
ANNOUNCE_IMMEDIATE). NETDOM 1.8 displays new warning messages stating that
a possible cause of a member's incorrect secure channel is synchronization
between the BDC with which the member has established a secure channel
and the PDC.
175024 (http://support.microsoft.com/kb/175024/EN-US/) Resetting domain member secure channel
150518 (http://support.microsoft.com/kb/150518/EN-US/) NetLogon service fails when secure channel not functioning
175025 (http://support.microsoft.com/kb/175025/EN-US/) How to build and reset a trust relationship from a command line
STATUS
Microsoft has confirmed this to be a problem in NETDOM version 1.7.
MORE INFORMATION
For each member, there is a discrete communication channel (that is, the
secure channel) with a domain controller. The secure channel is used by the
Netlogon service on the member and on the domain controller to communicate.
The secure channel password is stored in two places: on the member itself,
under an LSA secret entry, and on the PDC, in the SAM (as the password of
the computer account), from which it is replicated to all BDCs.
To check a secure channel remotely, NETDOM used to establish a connection with the PDC using the computer account and the password found in the LSA secret $MACHINE.ACC. With Service Pack 4, LSA secret values are no longer returned to clients over the network, which prevented NETDOM from working. For more information, please see the following article in the Microsoft Knowledge Base:
184017 (http://support.microsoft.com/kb/184017/EN-US/) Administrators Can Display Contents of Service Account Passwords
