Why don't trusts created on my Windows 2000 PDC replicate to the BDCs?

A. You've encountered a known bug. The trust relationships created during a Win2K upgrade from a Windows NT 4.0 PDC domain don't replicate to existing NT 4.0 BDCs. When a machine joins a Win2K forest, the system automatically creates transitive trust relationships between this new domain and the other domains in the forest. Because of the bug, the system doesn't record these new trusts in the change log (netlogon.chg), so they never replicate to the BDCs. You can work around this bug in two ways.

Workaround 1
On each BDC, initiate a full synchronization with the following command:

C:\> net accounts /sync

To ensure that the full synchronization occurred, check the event log for the following three events:
Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the SAM database from the primary domain controller completed successfully.

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the LSA database from the primary domain controller completed successfully.

When a full synchronization occurs, the system doesn't use the change log, so all trusts replicate.
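As an added example that is not part of the original answer, the following Python check reads a text export of a BDC's System log (the sample below is constructed, and the one-line-per-event export format is an assumption) and reports which of the SAM, BUILTIN and LSA databases still lack a NETLOGON 5717 full-synchronization event, so a partially completed sync is not mistaken for a successful one.

```python
"""Verify that all three Event ID 5717 full-sync events from the page appear
in a BDC's exported System log."""
import re

# The three databases the page says must each report a full synchronization.
EXPECTED_DATABASES = {"SAM", "BUILTIN", "LSA"}

# Constructed sample export (not real log data); one event per line:
# "<date> <time> <source> <event id> <type> <description>".
SAMPLE_LOG = """\
5/12/2000 10:02:11 eventlog 6005 Information The Event log service was started.
5/12/2000 10:05:40 NETLOGON 5717 Information The full synchronization replication of the SAM database from the primary domain controller completed successfully.
5/12/2000 10:05:41 NETLOGON 5717 Information The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.
5/12/2000 10:05:42 NETLOGON 5717 Information The full synchronization replication of the LSA database from the primary domain controller completed successfully.
"""

# Assumed export layout (see above); adjust if your export tool differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<source>\S+) (?P<id>\d+) \S+ (?P<desc>.*)$"
)
DB_RE = re.compile(r"full synchronization replication of the (\w+) database")


def synced_databases(log_text):
    """Return the set of databases with a NETLOGON 5717 full-sync event."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("source") != "NETLOGON" or m.group("id") != "5717":
            continue  # not a full-synchronization event
        db = DB_RE.search(m.group("desc"))
        if db:
            found.add(db.group(1))
    return found


def missing_databases(log_text):
    """Databases the page expects to see synced but which the log lacks."""
    return EXPECTED_DATABASES - synced_databases(log_text)


if __name__ == "__main__":
    missing = missing_databases(SAMPLE_LOG)
    if missing:
        print("full synchronization incomplete; missing:", sorted(missing))
    else:
        print("full synchronization of SAM, BUILTIN and LSA confirmed")
```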

Workaround 2
On the Win2K PDC (the domain controller holding the PDC Flexible Single-Master Operation, or FSMO, role), delete the change log (%systemroot%\netlogon.chg). The system then creates a new file and initiates a full synchronization to all down-level BDCs.
