How to Fix Corrupted Built-In Accounts (156359)



The information in this article applies to:

  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0

This article was previously published under Q156359

SYMPTOMS

The domain may get out of sync, causing logon and other account difficulties. When you examine the Event Logs on the backup domain controllers (BDCs), you may see something similar to the following:

    Event 5730 Source Netlogon
    Replication of the SAM Global Group rid: 0x200: from Primary
    Domain Controller <name> failed with the following error:
    Cannot perform this operation on built-in accounts.

This may be accompanied by the following event:

    Event 5716 Source Netlogon
    The partial synchronization replication of SAM
    database from the Primary Domain Controller <name>
    failed with the following error:
    Cannot perform this operation on built-in accounts.

These messages may also specify replication problems with the LSA and BUILTIN databases.

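The events above are what you look for on every BDC before deciding the PDC is at fault. The following is an added example, not part of the original article, that scans a plain-text export of a BDC's System log and reports the Netlogon 5730/5716 events that carry the built-in-accounts error, the PDC they name, and the RIDs involved. The tab-separated column layout, the server names NTPDC1, NTBDC1 and NTBDC2, and the sample events are constructed for the example (an export made with a tool such as the Resource Kit's dumpel utility would need its own column order mapped onto parse_export). Events with the same IDs but a different error text (here an RPC failure on NTBDC2) are deliberately left out, since they point at connectivity rather than corrupted built-in accounts.

```python
import re
from collections import namedtuple

# Constructed sample of a BDC event-log text export, one event per line,
# tab-separated as: date, time, type, event id, source, computer, message.
# The events, server names (NTPDC1, NTBDC1, NTBDC2) and timestamps are
# made up for this example; the IDs, source and error text are the ones
# the article describes.
SAMPLE_EXPORT = """\
10/13/2004\t08:01:12\tERROR\t5730\tNETLOGON\tNTBDC1\tReplication of the SAM Global Group rid: 0x200: from Primary Domain Controller \\\\NTPDC1 failed with the following error: Cannot perform this operation on built-in accounts.
10/13/2004\t08:01:13\tERROR\t5716\tNETLOGON\tNTBDC1\tThe partial synchronization replication of SAM database from the Primary Domain Controller \\\\NTPDC1 failed with the following error: Cannot perform this operation on built-in accounts.
10/13/2004\t08:03:40\tERROR\t5730\tNETLOGON\tNTBDC2\tReplication of the SAM Global Group rid: 0x200: from Primary Domain Controller \\\\NTPDC1 failed with the following error: The RPC server is unavailable.
10/13/2004\t08:05:00\tINFO\t5711\tNETLOGON\tNTBDC2\tThe partial synchronization replication of the SAM database from the Primary Domain Controller \\\\NTPDC1 completed successfully.
10/13/2004\t08:06:22\tERROR\t5719\tNETLOGON\tNTBDC2\tNo Windows NT Domain Controller is available for domain CORP.
"""

Event = namedtuple("Event", "date time kind event_id source computer message")

# Netlogon events the article lists for a failed SAM replication.
SYNC_FAILURE_IDS = {5730, 5716}
BUILTIN_ERROR = "cannot perform this operation on built-in accounts"
# Pull the PDC name (leading backslashes dropped) and the RID out of the
# message text.
PDC_RE = re.compile(r"Primary Domain Controller\s+\\*(\S+?)\s+failed")
RID_RE = re.compile(r"\brid:\s*(0x[0-9A-Fa-f]+)")


def parse_export(text):
    """Parse the tab-separated export into Event records."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t", 6)
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 tab-separated fields" % lineno)
        date, time, kind, event_id, source, computer, message = fields
        events.append(Event(date, time, kind, int(event_id),
                            source.upper(), computer.upper(), message))
    return events


def builtin_sync_failures(events):
    """Keep only Netlogon 5730/5716 events carrying the built-in-accounts error."""
    return [e for e in events
            if e.source == "NETLOGON"
            and e.event_id in SYNC_FAILURE_IDS
            and BUILTIN_ERROR in e.message.lower()]


def diagnose(text):
    """Summarise which BDCs reported the error and which PDC they name."""
    hits = builtin_sync_failures(parse_export(text))
    pdcs, bdcs, rids = set(), set(), set()
    for e in hits:
        m = PDC_RE.search(e.message)
        if m:
            pdcs.add(m.group(1).upper())
        rids.update(RID_RE.findall(e.message))
        bdcs.add(e.computer)
    return {
        "matches": len(hits),
        "pdcs": sorted(pdcs),
        "bdcs": sorted(bdcs),
        "rids": sorted(rids),
        # The article's diagnosis: the named PDC's built-in accounts are suspect.
        "suspect_pdc_builtin_accounts": bool(hits),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_EXPORT)
    for key in ("matches", "pdcs", "bdcs", "rids", "suspect_pdc_builtin_accounts"):
        print("%s: %s" % (key, result[key]))
```

Run it against an export from each BDC; if more than one BDC names the same PDC in these events, that agrees with the article's cause and the resolution below applies to that PDC. A single BDC reporting the error while others synchronize cleanly is worth a second look before rebuilding the PDC's built-in accounts.
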
CAUSE

The built-in accounts on the PDC are probably corrupted.

RESOLUTION

The procedure below often resolves this problem. If this fails to work, however, the only recourse is to restore from a tape backup or an Emergency Repair Disk created before the accounts became corrupted.
  1. Install a new BDC into the domain.

    This must be a new installation on a computer that has never been a BDC.
  2. As soon as the installation is complete, immediately promote this BDC to PDC.

    NOTE: YOU WILL HAVE THE OPTION TO SYNCHRONIZE THE SAM DATABASE DURING PROMOTION. _DO NOT_ SYNCHRONIZE AT THIS TIME! If you do synchronize at this prompt, the corrupt SAM will be replicated to the new BDC.

    (The promotion must be done immediately. The BDC requests security accounts manager (SAM) information from the PDC as soon as the installation is completed; if you wait too long, the corrupted accounts will already have been replicated from the PDC to the BDC. By promoting the new BDC immediately, you do not give it time to replicate SAM information from the PDC.)
  3. As soon as the BDC is promoted to PDC, synchronize the entire domain (in Server Manager, choose Synchronize Entire Domain from the Computer menu, or run net accounts /sync on the new PDC).

    Promoting the new server demotes the original PDC to a BDC, so it receives this synchronization like any other BDC. This does not harm the rest of its SAM database: the information replicated from the new PDC is merged into the SAM on the original PDC and overwrites only the built-in accounts.
At this point the corrupted built-in accounts should be repaired. Once the synchronization has completed, the original PDC can be restored to its primary role by promoting it.

Modification Type: Minor    Last Reviewed: 10/13/2004
Keywords: kbprb KB156359