Built-in Administrator Account Has Attributes That Do Not Replicate to Windows NT 4.0 Backup Domain Controllers (296732)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Advanced Server SP1
This article was previously published under Q296732 SYMPTOMS
If you give a built-in administrator account any rights such as "Deny logon as a batch job," "Deny logon as a service," "Deny Interactive logon," or "Deny Network logon," Windows 2000 replication with Microsoft Windows NT 4.0-based backup domain controllers does not work and the following error message appears in Event Viewer on the Windows NT 4.0-based backup domain controller:
Replication of the LSA Account Object S-1-5-32-544
from primary domain controller failed with following error:
The parameter is incorrect
Also, Windows 2000-based domain controllers try to replicate changes to the Windows NT 4.0-based backup domain controller forever, but cannot.
CAUSE
Windows 2000 has new rights such as "Deny logon as a batch job," "Deny logon as a service," "Deny Interactive logon," and "Deny Network logon"
that are not available in Windows NT 4.0. S-1-5-32-544 is a well-known security identifier (SID) for the built-in administrator account. If you give an administrator account any of these rights, replication with Windows NT 4.0 does not work because these new rights set some attributes that Windows NT 4.0 does not recognize.
RESOLUTIONTo resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
STATUSMicrosoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
| Modification Type: | Major | Last Reviewed: | 10/31/2003 |
|---|
| Keywords: | kbbug kbenv kberrmsg kbfix KB296732 |
|---|
|