
How to Re-Sync PDC/BDC Trust After Event IDs 3210 and 7023

This article was previously published under Q153719
SYMPTOMS
After a Windows NT backup domain controller (BDC) has been offline for some time, it may fall out of synchronization with the primary domain controller (PDC). When you attempt to bring the BDC back online, you may get the following errors in the BDC's Event Viewer:

   Event ID: 3210
   Source: Netlogon
   Type: Error
   Description: Failed to authenticate with <computer name>, a Windows NT
   domain controller for domain <domain name>.
   Data word: c0000022

   Event ID: 7023
   Source: Service Control Manager
   Type: Error
   Description: Netlogon service terminated with the following error
   message: Access Denied.


This is very likely to occur if a BDC is restored from a backup that is more than a few days old or if the BDC is offline for more than a few days.
CAUSE
Domain controllers maintain a password-protected channel between each other. When a BDC is brought into a domain, the PDC gives the BDC the current password to use when connecting to the PDC for authentication, account database replication, and other system activities. This password changes automatically on a regular basis. If the BDC is offline when the password changes, or if a BDC is restored from a backup that has an old password, the BDC will not be able to authenticate with the PDC, and Netlogon will fail.
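
The pattern from SYMPTOMS can be checked mechanically. The following is an added example, not part of the original article: it parses event text laid out like the records above and reports whether a Netlogon 3210 carrying data word c0000022 (the NTSTATUS code STATUS_ACCESS_DENIED) is followed by the 7023 Netlogon termination. The sample log and the names PDC01 and EXAMPLE are constructed, and the function names are hypothetical.

```python
import re

STATUS_ACCESS_DENIED = 0xC0000022  # NTSTATUS value seen in the 3210 data word
# Constructed sample; PDC01 and EXAMPLE are placeholder names.
SAMPLE_LOG = """\
Event ID: 3210
Source: Netlogon
Type: Error
Description: Failed to authenticate with PDC01, a Windows NT
domain controller for domain EXAMPLE.
Data word: c0000022

Event ID: 7023
Source: Service Control Manager
Type: Error
Description: Netlogon service terminated with the following error
message: Access Denied.
"""
FIELD = re.compile(r"^(Event ID|Source|Type|Description|Data word):\s*(.*)$")

def parse_events(text):
    """Split blank-line-separated records into dicts, joining wrapped lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                last = m.group(1)
                record[last] = m.group(2).strip()
            elif last and line.strip():  # continuation of a wrapped field
                record[last] += " " + line.strip()
        if record:
            events.append(record)
    return events

def stale_channel_password(events):
    """True when a Netlogon 3210 (access denied) is followed by a 7023 for Netlogon."""
    denied = False
    for ev in events:
        eid = ev.get("Event ID")
        if eid == "3210" and ev.get("Source", "").lower() == "netlogon":
            word = ev.get("Data word", "")
            denied = bool(re.fullmatch(r"(?i)[0-9a-f]{8}", word)) and int(word, 16) == STATUS_ACCESS_DENIED
        elif eid == "7023" and denied and "netlogon" in ev.get("Description", "").lower():
            return True
    return False

if __name__ == "__main__":
    print("stale secure channel password suspected:", stale_channel_password(parse_events(SAMPLE_LOG)))
```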
RESOLUTION
In the simplest case, all that has happened is that the domain password has changed. To resolve the behavior, do the following:
  1. Start the BDC, and open Server Manager.
  2. Select the BDC's name, and select Synchronize with Primary Domain Controller.
If this procedure is successful, you will get a message that the LSA Database has been updated and Netlogon will start automatically. No other action is necessary.

However, if synchronizing with the PDC does not work on the first attempt, try carrying out the same command again. Often, a second attempt will succeed. However, if the BDC will not synchronize and Netlogon fails to start after three attempts, you should create a new machine account for the BDC. These instructions are taken from a related article, 137987:
  1. Using Server Manager, create a new computer name.
  2. Synchronize entire domain (check another BDC's event viewer to see if it synchronized).
  3. At the problem BDC, use the Network tool in Control Panel to change the name to the new name created in Step 1.
  4. Shut down the BDC, restart, and log on to Windows NT. Note any error messages. You must log on to the domain the BDC belongs to, not a trusted domain.
  5. Using Server Manager, synchronize the entire domain.
  6. From the PDC, delete the old computer name (use Server Manager).
  7. Synchronize the entire domain, using Server Manager.
  8. Make sure the old BDC name has been deleted in Server Manager before proceeding.
  9. After the old BDC name is gone from Server Manager, re-create it.
  10. Synchronize the entire domain, using Server Manager.
  11. At the problem BDC, change computer name to the old name created in step 9, using the Network tool in Control Panel.
  12. Shut down the BDC, restart, and log on to the domain. Note any error messages.
  13. Synchronize entire domain.
At this point the BDC should be synchronized with the PDC, Netlogon should be running, and the accounts database should be up to date.

Related Articles:

For additional information on authentication issues specific to NWLink, please see the following article in the Microsoft Knowledge Base:

126752 DCs Fail to Synchronize or Validate Users Over NWLINK

For additional information on authentication issues when trying to net view, please see the following article in the Microsoft Knowledge Base:

137987 NET VIEW May Cause Semaphore Time Out and Event ID 3210

For additional information on authentication from the PDC's point of view, please see the following article in the Microsoft Knowledge Base:

142869 Event ID 3210 & 3722 Appear When Synchronizing Entire Domain

Properties

Article ID: 153719 - Last Review: 11/01/2006 07:29:16 - Revision: 3.1

  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
  • KB153719