DOCUMENT:Q140329 08-AUG-2001 [winnt] TITLE :Trust Relationships Fail with Large Number of Trusted Domains PRODUCT :Microsoft Windows NT PROD/VER:winnt:3.51 OPER/SYS: KEYWORDS:kbnetwork ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 3.51 ------------------------------------------------------------------------------- SYMPTOMS ======== Windows NT Backup Domain Controllers do not list all trusted domains during logon when there are more than twenty trust relationships. Trusted domain users from domains that do not show up in the Backup Domain Controller's list of domains during logon receive access denied errors when attempting to use resources on the Backup Domain Controller. CAUSE ===== This occurs because the full list of trusted domains is not replicated to Backup Domain Controllers. Since the Backup Domain Controllers do not have a complete list of trusted domains, they do not setup a secure channel with Domain Controllers that exist in Domain accounts that did not replicate. This results in access denied errors on clients from trusted domains because there is no way for pass-through validation to occur. The complete list of trusted domains does not replicate to Backup Domain Controllers because Netlogon does not indicate all the trusted domain accounts to replicate. Replication fails when Netlogon calls the LSA to get the complete list of domain accounts to replicate during a synchronization. Netlogon fails because it replicates domain names when it receives STATUS_SUCCESS back from the LSA, however with a large number of trusted domain names the LSA may return STATUS_MORE_ENTRIES instead of STATUS_SUCCESS. The LSA returns STATUS_MORE_ENTRIES if the default buffer supplied by Netlogon (1k in size) is too small to hold the complete list of domain names. As a result, if there are too many domains to fit in the 1k buffer, Netlogon ignores all but the last group of domain names returned by the LSA when STATUS_SUCCESS is received. RESOLUTION ========== This problem has been corrected in the latest Service Pack for Windows NT version 3.51. STATUS ====== Microsoft has confirmed this to be a problem in Windows NT version 3.51. This problem was corrected in the latest Windows NT 3.51 U.S. Service Pack. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces): S E R V P A C K Additional query words: incomplete ====================================================================== Keywords : kbnetwork Technology : kbWinNTsearch kbWinNT351search kbWinNTSsearch kbWinNTS351 kbWinNTS351search Version : winnt:3.51 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.