A. You've encountered a known bug. The trust relationships created during a Win2K upgrade from a Windows NT 4.0 PDC domain don't replicate to existing NT 4.0 BDCs. When a machine joins a Win2K forest, the system automatically creates transitive trust relationships between this new domain and the other domains in the forest. These new trust relationships fail to replicate to the BDCs because the system doesn't update the change log (netlogon.chg) with the change. You can work around this bug in two ways.
Workaround 1
On each BDC, initiate a full synchronization with the following command:
C:\> net accounts /sync

To ensure that the full synchronization occurred, check the event log for the following events:

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the SAM database from the primary domain controller completed successfully.

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.

Event ID: 5717
Source: NETLOGON
Description: The full synchronization replication of the LSA database from the primary domain controller completed successfully.

When a full synchronization occurs, the system doesn't use the change log, so all trusts replicate.
Workaround 2
On the Win2K domain controller that holds the PDC Flexible Single-Master Operation (FSMO) role, delete the change log (%systemroot%\netlogon.chg). The system then creates a new file and initiates a full synchronization to all down-level BDCs.
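Whichever workaround you use, every BDC should end up with all three 5717 events (SAM, BUILTIN and LSA). The following is an added example, not part of the original answer: it reads an event log export and reports, per BDC, which databases have not yet logged a successful full synchronization. The CSV layout (Computer, EventID, Source, Description), the BDC names and the sample rows are constructed assumptions; adapt the column names to whatever your export tool produces.

```python
import csv
import io
import re

# Databases that must each log event 5717 after a full synchronization.
REQUIRED_DATABASES = ("SAM", "BUILTIN", "LSA")

# Matches the description text of NETLOGON event 5717 quoted above.
FULL_SYNC_RE = re.compile(
    r"full synchronization replication of the (\w+) database "
    r"from the primary domain controller\s+completed successfully",
    re.IGNORECASE,
)


def missing_full_syncs(export_text, bdcs):
    """Return {BDC name: [databases with no 5717 success event]}."""
    seen = {name.upper(): set() for name in bdcs}
    for row in csv.DictReader(io.StringIO(export_text)):
        computer = row["Computer"].strip().upper()
        if computer not in seen:
            continue
        if row["EventID"].strip() != "5717" or row["Source"].strip().upper() != "NETLOGON":
            continue
        match = FULL_SYNC_RE.search(row["Description"])
        if match and match.group(1).upper() in REQUIRED_DATABASES:
            seen[computer].add(match.group(1).upper())
    return {
        bdc: [db for db in REQUIRED_DATABASES if db not in dbs]
        for bdc, dbs in seen.items()
    }


# Constructed sample export: BDC1 logged all three events, BDC2 has not
# logged the LSA event, and BDC3 has logged nothing yet.
SAMPLE_EXPORT = """Computer,EventID,Source,Description
BDC1,5717,NETLOGON,The full synchronization replication of the SAM database from the primary domain controller completed successfully.
BDC1,5717,NETLOGON,The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.
BDC1,5717,NETLOGON,The full synchronization replication of the LSA database from the primary domain controller completed successfully.
BDC2,5717,NETLOGON,The full synchronization replication of the SAM database from the primary domain controller completed successfully.
bdc2,5717,NETLOGON,The full synchronization replication of the BUILTIN database from the primary domain controller completed successfully.
BDC2,9999,EXAMPLE,Constructed unrelated event used only to exercise the filter.
"""

if __name__ == "__main__":
    result = missing_full_syncs(SAMPLE_EXPORT, ["BDC1", "BDC2", "BDC3"])
    for bdc, missing in result.items():
        print(bdc, "OK" if not missing else "missing: " + ", ".join(missing))
```

A BDC that still lists a missing database has not completed the full synchronization, so repeat the workaround for that BDC before relying on the new trusts.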