This article was previously published under Q293127
This article has been archived. It is offered "as is" and will no longer be updated.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
In a Windows 2000 domain with an NT 4.0 backup domain controller (BDC), the Windows NT 4.0 BDC cannot perform the following functions:
Find the Windows 2000 domain controller.
Synchronize the Security Accounts Manager (SAM) database.
Start the Net Logon service.
Obtain a list of backup browsers.
When you restart the BDC, the following events are logged:
Event Type: Error Event Source: NETLOGON Event Category: None Event ID: 3210 Description: Failed to authenticate with \\Wn2kDC, a Windows NT or Windows 2000 domain controller for domain <domain name>.
Event Type: Error Event Source: Service Control Manager Event Category: None Event ID: 7023 Description: The Net Logon service terminated with the following error: Access is denied
Event Type: Error Event Source: BROWSER Event Category: None Event ID: 8032 Description: The browser service has failed to retrieve the backup list too many times on transport \Device\<devicename>. The backup browser is stopping.
If you attempt to reset the secure channel of the BDC by using the netdom command, you receive the following error message:
The interface is unknown.
If you attempt to reset the secure channel of the BDC by using the nltest command, you receive the following error message:
Also, Windows NT 4.0-based clients may not be able to log on to the Windows 2000 domain. They may receive the following error message:
System can not log you on to the domain because the systems computer account in its primary domain is missing or the password on that account is incorrect,
This behavior can occur if you set the RestrictAnonymous registry value to 2, which can occur by editing the registry directly or by applying the Hisecdc.inf security template.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To resolve this behavior, change the setting for the RestrictAnonymous value from 2 to a 0 on the Windows 2000 domain controller that hosts the primary domain controller (PDC) emulator operations master role.
To determine who hosts the PDC emulator operations master role:
Click Start, click Run, type dsa.msc, and then click OK.
Right-click the domain name, and then click Operations Masters.
Click the PDC tab to view the server that holds the PDC master role.
To change the value of RestrictAnonymous:
Start Registry Editor (Regedt32.exe).
Locate the RestrictAnonymous value under the following key in the registry:
On the Edit menu, click DWORD, type 0 in the data field, and then click OK.
Quit Registry Editor.
Restart the Windows 2000 domain controller.
RestrictAnonymous is used to prevent anonymous logon access to resources, excluding resources to which the anonymous user has explicitly been given access. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
246261 How to Use the RestrictAnonymous Registry Value in Windows 2000