This article was previously published under Q260930
This article has been archived. It is offered "as is" and will no longer be updated.
Machine account logon attempts may not work between Windows 2000-based domain controllers. This behavior can occur if the machine account password is changed by the domain controller and enough unsuccessful attempts are made to log on to that account with the wrong password.
The machine account is much like a regular user account, but it is used by domain controllers to facilitate communication between other domain controllers and computers on the network. This account is usually in the form of computername$ and is not editable by the administrator.
If enough unsuccessful logon attempts are made by the server with the machine account, the account becomes disabled. Even after the correct password is finally used to log on to that account, the attempt does not succeed.
After this account has been disabled, there is no way in the Windows 2000 user interface to enable the account. It may also be difficult to tell if the account is actually disabled.
In the worst-case scenario, domain controllers could be prevented from replicating.
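Because the user interface does not show the state of a machine account, one way to check it is to read the account attributes from an LDIF export of the directory (for example, one produced with ldifde). The following is an added example, not part of the original article or Microsoft code; the sample entries are constructed, and it assumes that the state described above appears as the ACCOUNTDISABLE bit of userAccountControl or as a nonzero lockoutTime.

```python
# userAccountControl bit flags (documented Active Directory values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST = 0x1000   # member computer account
UAC_SERVER_TRUST = 0x2000        # domain controller account

# Constructed sample export; names and values are illustrative only.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC01$
userAccountControl: 532480
lockoutTime: 0

dn: CN=DC02,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC02$
userAccountControl: 532482
lockoutTime: 0

dn: CN=WKS07,CN=Computers,DC=example,DC=com
sAMAccountName: WKS07$
userAccountControl: 4096
lockoutTime: 126000000000000000
"""


def machine_account_problems(ldif):
    """Return {sAMAccountName: [problems]} for machine accounts only."""
    report = {}
    for block in ldif.strip().split("\n\n"):
        e = {}
        for line in block.splitlines():      # simple, unfolded LDIF only
            key, sep, value = line.partition(": ")
            if sep:
                e[key.lower()] = value.strip()
        uac = int(e.get("useraccountcontrol", "0"))
        if not uac & (UAC_WORKSTATION_TRUST | UAC_SERVER_TRUST):
            continue                         # not a machine account
        problems = []
        if uac & UAC_ACCOUNTDISABLE:
            problems.append("disabled")
        # Nonzero lockoutTime records a lockout; it can stay set until
        # the next successful logon, so treat it as a lead to confirm.
        if int(e.get("lockouttime", "0")) != 0:
            problems.append("lockout recorded")
        if problems:
            report[e.get("samaccountname", "?")] = problems
    return report


if __name__ == "__main__":
    for name, problems in machine_account_problems(SAMPLE_LDIF).items():
        print(name, ", ".join(problems))
```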
In Microsoft Windows NT 4.0, machine accounts are used only for secure channel setups, which ignore the lockout advisory. In Windows 2000, computers use Kerberos logons for the machine accounts, which do use the lockout settings.
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1.