8003 Browsing Errors with UDP Forwarding
Microsoft Knowledge Base Article: 135464 - Event ID: 8003 error messages are added to your domain controller's system log (as seen with the Event Viewer) approximately every 12 minutes:
"Access Denied" During Domain Controller Promotion
Microsoft Knowledge Base Article: 232070 - When you are attempting to create a Replica domain controller, you may receive an "Access denied" error message in
Administrator Cannot Recover the Domain Controller if a User Is Added to a Large Number of Groups
Microsoft Knowledge Base Article: 306259 - When a Windows 2000 account belongs to a large number (over 1,000) of groups, the Security Account Manager (SAM) requires a large amount of time to do the group evaluation during account logon. During this time, the administrator cannot recover the domain controller because the administrator will have a token that has more than 1,024 security identifiers (SIDs), and Local Security Authority (LSA) will ultimately fail the logon because of too many SIDs. Also, the failure will take a long time to appear because of the increased SAM activity.
Administrative Limit Exceeded When You Are Adding Users or Groups
Microsoft Knowledge Base Article: 255013 - When you attempt to add users or groups on a domain controller, you may receive the following error message:
Auditing Does Not Report Security Event for Resetting Password on Domain Controller
Microsoft Knowledge Base Article: 267556 - If you choose to audit success and failure with the "Audit account management" policy, the auditing does not report the expected success event in the Security log when an administrator resets the user password on a domain
Assigning Specific Network Address on the NWCompatible Tab Causes Snap-in to Quit
Microsoft Knowledge Base Article: 258762 - On a domain controller that is running File and Print Services for NetWare (FPNW), the Active Directory Users and Computers snap-in may quit prematurely when you are attempting to assign a specific network address in the advanced settings on the NWCompatible tab.
Backup Domain Controller Upgrade Is Unsuccessful During Demotion to Member Server
Microsoft Knowledge Base Article: 259544 - During an upgrade of a Microsoft Windows NT 4.0 backup domain controller (BDC), you may receive the following error message after you first restart in Windows 2000 and begin the Dcpromo process
Bad Password Attempts Are Repeatedly Forwarded from Domain Controllers to the PDC Operations Master
Microsoft Knowledge Base Article: 272065 - When Netlogon processes an authentication request on a domain controller and the request does not work because there is a "bad" password, the request is repeated on the primary domain controller (PDC) operations
Cannot Add Windows NT 4.0 BDC to a Windows 2000 Domain
Microsoft Knowledge Base Article: 242432 - When you attempt to install a Windows NT 4.0-based backup domain controller (BDC) in a domain with a Windows 2000-based primary domain controller (PDC), you may receive an error message:
Cannot Alter Down-Level Domain Name During Upgrade from Windows NT 4.0 to Windows 2000
Microsoft Knowledge Base Article: 240156 - You cannot change the NetBIOS domain name when you are upgrading a Microsoft Windows NT 4.0-based primary domain controller to Windows 2000. You can specify the Domain Name System (DNS) domain name, but you cannot alter the automatically created down-level NetBIOS domain name. You can change this name only after the upgrade and Dcpromo.exe processes have finished, by demoting and repromoting the server
Cannot Cancel Dcpromo.exe While Demoting a Domain Controller
Microsoft Knowledge Base Article: 238117 - You should not cancel the Dcpromo.exe task when you are demoting a domain controller to a member server. Although there is no way to cancel the task in Dcpromo.exe, you could end the Dcpromo.exe task by using Task Manager.
Cannot Change Computer Name of a Domain Controller
Microsoft Knowledge Base Article: 195242 - The computer name of a Windows 2000 domain controller cannot be changed for this release of Windows
Cannot Find Active Directory Domain Controller When Upgrading Windows NT 4.0 PDC
Microsoft Knowledge Base Article: 244030 - After you upgrade a Windows NT 4.0-based primary domain controller (PDC) to Windows 2000, Dcpromo.exe runs but configures the server as a member server. Dcpromo.exe does not default to a domain controller
Clients Unable to Log On to Domain in the Absence of Domain Controllers
Microsoft Knowledge Base Article: 263108 - Using a Microsoft Windows 2000 client, you may be unable to log on to a domain with Microsoft Windows NT 4.0 domain controllers after the demotion of the last remaining Windows 2000 Active Directory domain controller. When you attempt to log on, you may receive the following error message: "The system cannot log you on to this domain because the system's machine account in its primary domain is missing or the password on that account is incorrect."
Computer Name Does Not Match the Windows 2000 Domain Name After Upgrade
Microsoft Knowledge Base Article: 262376 - The fully qualified domain name computer name does not match the Windows 2000 domain name because a Microsoft Windows NT 4.0 upgrade automatically clears the Change primary DNS suffix when domain membership changes check box. After the domain controller promotion process (Dcpromo.exe) is run on a domain controller, you are unable to change the computer name.
Dcpromo Does Not Allow All-Numeric Label in a Domain Name
Microsoft Knowledge Base Article: 258101 - The Active Directory Installation Wizard (Dcpromo) may display the following error message: The syntax of the domain name 111.edu is incorrect. In general, acceptable naming conventions for domain names include the use of alphanumeric characters (the letters A through Z and numerals 0 through 9) and the hyphen (-). A period (.) in a domain name is always used to separate the discrete parts of a domain name commonly known as labels. Each domain label can be no longer than 63 bytes. The first label may not be a number.
Dcpromo.exe Does Not Provide a Warning About Configuring a DNS Server Without a Static IP Address
Microsoft Knowledge Base Article: 242189 - When you run Dcpromo.exe on a server, you may receive the option of installing a DNS server or using an existing DNS server. This problem does not occur if you manually install the DNS service. If the Windows 2000-based server does not have a static IP address, Dcpromo.exe does not warn you that using a static IP address is recommended. However, if you choose to install the DNS server from Control Panel, you are warned that the DNS server should be configured with a static IP
Dcpromo Does Not Work If Administrator Account Is Deleted or the Domain Guests Account Is Manually Created
Microsoft Knowledge Base Article: 260941 - If NetWare Directory Services (NDS) for Windows NT is installed and the Administrator account is deleted before you upgrade to Windows 2000 Server, Windows 2000 may not deploy typically.
Domain Controller Reboots When Large Number of Duplicate Connection Objects Exist
Microsoft Knowledge Base Article: 284003 - One or more domain controllers in a Windows 2000 domain or forest may reboot in a cyclic manner. When this occurs, you may receive the following error message: The system process LSASS.EXE terminated unexpectedly with status code -1073741571. The system will now shut down and restart
The DC Promo Program Does Not Work When Using Network Address Translation
Microsoft Knowledge Base Article: 270152 - When you attempt to promote or to demote Microsoft Windows 2000 Server with the DC Promo program, you may receive the following error message: Active Directory Installation Failed. The operation failed because: Failed to modify the necessary properties for the machine account Servername$ The specified server cannot perform the requested operation
Default Tree and Context Settings Missing After Upgrading to Windows 2000
Microsoft Knowledge Base Article: 222024 - After you upgrade a Microsoft Windows NT 4.0 primary domain controller (PDC) running Gateway Services for NetWare (GSNW) to Windows 2000 Server, the default tree and context settings may
Dial-on-Demand Connection Is Dialed When the Domain Controller Is Shut Down
Microsoft Knowledge Base Article: 272990 - When you shut down a Windows 2000 domain controller that is also a global catalog server, wide area network (WAN) traffic may occur. If the WAN is across a dial-on-demand connection, the shutdown process may force the dial-on-demand connection to dial.
DNS Site Records Are Not Properly Removed After Dcpromo
Microsoft Knowledge Base Article: 259435 - When you create a new site, you may have a situation where at the time you created the site it did not contain domain controllers. The following event is displayed in Event Viewer:
DNS Domain Setting Unchanged After Promotion to Domain Controller
Microsoft Knowledge Base Article: 223347 - After upgrading a member server to a domain controller (DC) in a new domain, the original DNS zone set on the computer is unchanged and must be reset manually in the DNS properties for the adapter.
Domain Controller's Domain Name System Suffix Does Not Match Domain Name
Microsoft Knowledge Base Article: 257623 - After you promote a domain controller (DC), the Domain Name System (DNS) suffix of your computer name may not match the domain name that the DC belongs to. After a server has been promoted to a DC, it is not possible to rename the computer.
Error Message: The Specified Domain Either Does Not Exist or Could Not Be Contacted
Microsoft Knowledge Base Article: 283133 - When you attempt to run the Active Directory Installation wizard (Dcpromo.exe) for a new domain controller or you attempt to join a computer that is running Windows 2000 Server or Windows 2000 Professional to a domain, you may receive the following error message: The specified domain either does not exist or could not be
Event 5781 Occurs After DC Changes Domain
Microsoft Knowledge Base Article: 311354 - After you have changed the domain that a Windows 2000 domain controller (DC) belongs to, you may frequently receive the following event 5781 in the System Event log:
Event ID 13507, 13552, and 13555 Messages Occur in the Domain Controller
Microsoft Knowledge Base Article: 264607 - In a Microsoft Windows 2000 domain controller with Microsoft Terminal Services installed in application server mode, errors may be displayed in the System event log. Cause: When you install Citrix MetaFrame Server version 1.8 on a Windows 2000 domain controller, you are prompted to re-map the server's drive letters (C-M), so that clients do not confuse their drive C with the server's drive C. When the drive is remapped, File Replication service (FRS) does not work correctly; FRS looks for drive letters that no longer
Information About Event 617 in the Security Event Log
Microsoft Knowledge Base Article: 272460 - When the "Audit policy change" policy is enabled for either success or failure in the Default Domain Policy or Default Domain Controllers Policy Group Policy objects (GPO), a success event, event 617, is logged in the Windows 2000 Security
Internal Error Running Dcpromo.exe
Microsoft Knowledge Base Article: 267887 - When you run Dcpromo.exe, it may not run successfully, and the following error message may be recorded in the Dcpromo log file:
The replication system encountered an internal error (updated 9/27/2000)
Large Number of Alias Domains Causes 550 Error for Valid Domains
Microsoft Knowledge Base Article: 253284 - When the Simple Mail Transport Protocol (SMTP) service is configured with a very large number of alias domains, the following error message may be returned for some of the domains:
May Quit on Windows 2000 Domain Controller with Reverse Order
Microsoft Knowledge Base Article: 255897 - When you perform a Lightweight Directory Access Protocol (LDAP) search and you expect a large amount of data to be returned or the data is being sorted in reverse order using a binary sort key, the Lsass.exe process may quit abnormally on the Windows 2000-based server that responds to the query.
Multihomed Primary Domain Controller Causes Browsing Problems
Microsoft Knowledge Base Article: 244983 - When you use a multihomed primary domain controller (PDC), you may experience browsing problems and NetBIOS name resolution errors.
NetBIOS Scope ID Causes Windows 2000 Domain Controller to Stop Responding on Boot
Microsoft Knowledge Base Article: 255195 - When a Windows 2000 domain controller has a NetBIOS scope ID defined, it may appear to stop responding (hang) during boot with a "Preparing Network Connections" message. If the computer is allowed to sit for two hours or longer, the boot process may finish.
Non-Paged Pool Memory Leak on Master Browser
Microsoft Knowledge Base Article: 262386 - A server that is acting as a master browser (commonly a primary domain controller in Windows NT 4.0) may leak non-paged pool memory.
Performance Problems on Domain Controller If Clients Use Integrated Logon
Microsoft Knowledge Base Article: 296970 - You may experience unusually long logon times and difficulty accessing directory services to locate users and resources.
Permissions Are Affected After You Demote a Domain Controller
Microsoft Knowledge Base Article: 320230 - After you demote a domain controller, domain local groups are not used to provide access to local resources. Note that this behavior only applies to domains that are in Mixed mode. The local group may still be displayed in the access control list.
Promoting a Windows NT-Based Server By Using the Dcpromo.exe Tool Generates an Error Message
Microsoft Knowledge Base Article: 254211 - When you run the Dcpromo.exe tool to promote a backup domain controller (BDC) or a member server running Windows NT 4.0 to a Windows 2000 domain controller (DC), it may not work, and may generate an error message:
"Replication Access Was Denied" Error Message When Attempting to Synchronize Domain Controllers
Microsoft Knowledge Base Article: 262795 - When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message:
Replication Not Working Properly Between Domain Controllers After Deleting One from Sites and Services
Microsoft Knowledge Base Article: 262561 - A second domain controller may not appear in the first server's Active Directory Sites and Services tool. The second server may also not replicate some of the Sysvol shares properly, and may not add itself again to the first domain
Replicated Object May Not Be Recognized by Domain Controller
Microsoft Knowledge Base Article: 258057 - If you create a trusted domain object (TDO) while a domain controller is not available and a replication attempt is made to that domain controller during startup, the replicated TDO cannot be seen by the Local Security Authority (LSA)
Resetting Password on Domain Controller May Cause Incorrect Audit in Security Event Log
Microsoft Knowledge Base Article: 263190 - When you reset a password on domain controllers with certain password policy restrictions, an erroneous audit is logged in the Security event log.
SRV Resource Records May Not Be Created on Domain Controller
Microsoft Knowledge Base Article: 239897 - When you attempt to upgrade a Windows NT-based primary domain controller (PDC) or backup domain controller (BDC) or you promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message:
Startup Script Does Not Run on a Domain Controller
Microsoft Knowledge Base Article: 232300 - A startup script that you created with group policy to be run on a domain controller may not be run when you restart the domain controller. When this occurs, a message may appear in the system event log
SYSVOL Directory Is Slow to Synchronize, Delays Creation of SYSVOL Share and Domain Controller Registration
Microsoft Knowledge Base Article: 250545 - Replica or backup Windows 2000 domain controllers may be slow to synchronize the contents of the system volume, which may delay the registration of a promoted computer as a domain controller.
The Windows NT 4.0 Domain Controllers That Are Upgraded to Windows 2000 May Hang During the Final Phase of Setup
Microsoft Knowledge Base Article: 273823 - When you upgrade your computer from Windows NT 4.0 to Windows 2000 and the Winnt32.exe program is being run, the Windows NT 4.0 domain controllers that have large-sized Security Accounts Manager (SAM) account databases may seem to hang for excessive periods of time during the "Performing final tasks" phase of the upgrade. Under extreme circumstances, the computer may hang for up to 2.5 hours.
Troubleshooting Missing SYSVOL and NETLOGON Shares on Windows 2000 Domain Controllers
Microsoft Knowledge Base Article: 257338 - The File Replication Service (FRS) is a multi-threaded, multi-master replication engine that replaces the LMREPL service in Microsoft Windows NT 3.x and 4.0. Microsoft Windows 2000 domain controllers and servers use FRS to replicate system policy and login scripts for Windows 2000 and down-level clients. FRS can also replicate content between Windows 2000 servers hosting the same fault-tolerant DFS roots or child node replicas. This article describes troubleshooting steps to use on Windows 2000 domain controllers that are missing netlogon and
Unable to Obtain Home Directory Drive Connection in a Mixed Environment
Microsoft Knowledge Base Article: 262890 - When a user's environment is mixed with Microsoft Windows NT 4.0 BDCs and Windows 2000 DCs while the LmCompatibilityLevel registry entry is in use for higher security, the home directory drive connection may not appear on the Windows 2000 Professional client computer.
Unable to Recover Encrypted Files After the Domain Controller Is
Microsoft Knowledge Base Article: 276239 - When a Windows-based computer that is a domain controller is demoted to a member server by using the Active Directory Installation wizard (Dcpromo.exe), you are unable to recover Encrypting File System (EFS)-encrypted
Unbinding File and Printer Sharing from Primary Network Adapter in Multihomed Domain Controller Causes Policy Problems on the Domain Controller
Microsoft Knowledge Base Article: 258296 - If the primary network adapter in a multihomed domain controller does not have File and Printer Sharing bound to it, multiple problems are logged or displayed when you attempt to work with Group Policy objects on the domain controller.
Unnecessary LSA Replication Traffic Is Sent to Windows NT 4.0 and 3.5x Domain Controllers in a Mixed Domain
Microsoft Knowledge Base Article: 255295 - When you operate a Windows 2000-based mixed domain that contains backup domain controllers (BDCs) that are running Microsoft Windows NT version 3.51 or 4.0, unnecessary replication traffic may be directed at the down-level domain
Users and Group Replication Is Not in Synchronization with LSA Changes
Microsoft Knowledge Base Article: 272476 - When you revise users and group rights and set user rights assignments, and then replicate these changes, if you look at a different domain controller, the group policy updates are not registered at the target server even though the users and group rights changes have arrived at the target server.
Windows 2000-Based Clients Connect Only to First-Upgraded Domain Controller in Mixed-Mode Domain
Microsoft Knowledge Base Article: 284937 - After you upgrade the first of multiple Windows NT Server 4.0-based domain controllers to Windows 2000 Server, all of the domain's Windows 2000 Professional-based clients connect to that domain controller and to no other for authentication.
Windows 2000-Based Domain Controller Generates a Netlogon Error Event ID 5774
Microsoft Knowledge Base Article: 284963 - On a Windows 2000-based domain controller that has Domain Name System (DNS) installed and integrated with Active Directory to allow secure dynamic updates, you may find that Event Viewer records the Netlogon error Event ID 5774 approximately every 70 seconds.
Windows 2000 Directory Service Agent Fails to Maintain Exclusive Control of Port 389
Microsoft Knowledge Base Article: 266657 - If you install an application on a Domain Controller (DC) that binds to port 389 with a listener, multiple failures are seen on the DCs. These include failures running dcpromo, startup failures with Inter-Site Messaging service, as well as NTFRS preventing a machine from becoming a DC. This can usually be detected by using Ldp.exe from the Support Tools to confirm that you are succeeding in connecting to the Active Directory on each DC.
Windows 2000 Domain Controller Logs Event 1153 and Stops Replicating
Microsoft Knowledge Base Article: 268995 - A Windows 2000 domain controller may stop responding (hang) while replicating schema updates to other domain controllers in the domain and log event ID 1153.
Windows 2000 Domain Controllers Restored with System State Backups Made Prior to SP2 May Not Boot
Microsoft Knowledge Base Article: 295932 - This article discusses the following
Windows 2000 Selects Down-level Domain PDC to Enumerate User and Group Accounts
Microsoft Knowledge Base Article: 285074 - When Object Picker (Objsel.dll) enumerates users, groups, or machine accounts from a down-level domain, the PDC is contacted to provide the list of objects. This may result in poor performance as the list may be obtained over a WAN link and may put unnecessary load on the PDC computer.
Windows 2000 May Send Unexpected DNS Request
Microsoft Knowledge Base Article: 263091 - A Microsoft Windows 2000-based domain controller may unexpectedly send Domain Name System (DNS) registration requests or queries for SRV records to an external DNS server. Other symptoms may
Windows 2000 PDC Emulator's CPU Spikes When Large Number of KRB_AS_REQs Are Sent from the BDC
Microsoft Knowledge Base Article: 258068 - The primary domain controller (PDC) emulator's CPU(s) may show a sustained high usage. This may be caused by a large number of Kerberos Authentication Server requests (KRB_AS_REQs) that contain a bad password being sent from domain
Windows NT-Based BDCs No Longer Synchronize After a Windows 2000 Domain Is Switched to Native Mode
Microsoft Knowledge Base Article: 240305 - A Windows NT-based backup domain controller (BDC) may display the following error messages in Event Viewer:
You Cannot Start a Newly Promoted Domain Controller After You Remove Windows 2000 SP2 SRP1
Microsoft Knowledge Base Article: 319783 - If you install Windows 2000 Service Pack 2 (SP2) Security Rollup Package (SRP1) on a computer that is not a domain controller, and then you promote that computer to a domain controller, you cannot start the newly promoted domain