Q172302: Domain Synchronization Fails With 5730 or 5731 and 5716
Article: Q172302
Product(s): Microsoft Windows NT
Version(s): WinNT:3.51,4.0
Operating System(s):
Keyword(s):
Last Modified: 09-AUG-2001
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows NT Server versions 3.51, 4.0
-------------------------------------------------------------------------------
SYMPTOMS
========
When domain synchronization occurs at the automatic interval or when issued
manually, you may encounter the following events:
5730 - Replication of the SAM Global group (RID:0x200) from primary domain
controller <Domain name> failed with the following error: cannot perform
this operation on built-in accounts.
5731 - Replication of the built-in local group (rid:0x220) from the primary
domain controller failed with the following error: A new member could not be
added to a local group because the member has the wrong account type.
5716 - The partial synchronization replication of the SAM database from the
primary domain controller <name> failed with the following error: Cannot
perform this operation on built-in accounts.
CAUSE
=====
In order to ensure an administrator's ability to manage servers in a domain,
Windows NT Server maintains a value called AdminCount. AdminCount is a one-byte
field that is incremented for each instance that the administrator user account
is directly added to the Administrators local group, or indirectly made a member
of the Administrators local group via a global group.
Prior to Windows NT Server 3.51 Service Pack 4, the backup domain controller's
(BDC) AdminCount field could sometimes get out of sync with the primary domain
controller's (PDC) AdminCount field. Although this problem was fixed in Windows
NT 3.51 Service Pack 4, the value was never recalculated for the BDCs in the
domain.
BDCs analyze the AdminCount field prior to removing any instances of the
Administrator from the Administrators group. If the BDC calculates that this
field will be less then 1 after it commits changes from the PDC synchronization,
then you will see 5730 or 5731 events in the Event Viewer.
RESOLUTION
==========
If the administrator is already a member of both the Domain Administrators and
the Administrators group, the following steps will increment the administrator
count on each BDC.
1. Click the Start button, point to Programs, point to Administrative Tools, and
click User Manager for Domains.
2. In User Manager for Domains, create a new global group by clicking New Global
Group from the User menu. Type MakeAdmin for the Group Name and AdminCount
Workaround for the Description.
3. Double-click the MakeAdmin global group icon located in the
Groups/Description view pane.
4. Select the Administrator user, and then click Add in the global Group
Properties dialog box.
5. Double-click the Administrators local group icon located in the
Groups/Descriptions view pane.
6. Click Add in the Local Group Properties dialog box.
7. Select the MakeAdmin global group in the Add Users and Groups dialog box,
click Add, and then click OK.
8. Click OK on the Local Group Properties dialog box.
9. Wait for domain synchronization to complete or force a full synchronization
by running: NLTEST/SYNC.
NOTE: The MakeAdmin Global Group must be left added to the local Administrators
group indefinitely. If the MakeAdmin group is removed from the local
Administrator's group, the original symptoms will resume.
NOTE: If you run NLTEST /SYNC, the full synchronization can take several minutes.
Run NLTEST /BDC_QUERY:<Domain Name> to check the status of the
synchronization. NLTEST can be found on the Windows NT 4.0 Resource Kit CD.
STATUS
======
Microsoft has confirmed this to be a problem in Windows NT version 3.51 and 4.0.
We are researching this problem and will post new information here in the
Microsoft Knowledge Base as it becomes available.
Additional query words: prodnt usrmgr
======================================================================
Keywords :
Technology : kbWinNTsearch kbWinNT351search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS351search
Version : WinNT:3.51,4.0
Hardware : x86
Issue type : kbbug
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.