What happens if you receive partial synchronization errors and you see event ID 5716 listed in the event log? This problem has three possible causes: the specified PDC has gone down or is restarting, the system didn't update the \%systemroot%\netlogon.chg file on the PDC, or one of the Local Security Authority (LSA) secrets has become corrupt.
Possibility 1. By checking the PDC's status, you can determine whether the specified PDC has gone down or is restarting. When the PDC is back up and running, the error will clear.
Possibility 2. Netlogon.chg records changes to the security databases. All domain controllers contain the netlogon.chg file, but only the PDC uses it. If the system doesn't update the file, look for three potential causes. First, the file's attribute might be set to Read-Only. Second, the System account might not have sufficient permissions on the netlogon.chg file. In both cases, you can solve the problem by granting the System account at least Read, Write, Execute, and Delete (RWXD) permissions on the file.
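A report-only check for the first two causes above (the Read-Only attribute and the System account's rights on netlogon.chg), as an added example that is not part of the original article. It assumes a modern PowerShell session run as an administrator on the PDC; the file path and the RWXD requirement come from the article, everything else (the function name, the SYSTEM account string, the way rights are compared) is an assumption of this example.

```powershell
# Added example (not from the article): verify that netlogon.chg is writable
# by the System account. Nothing here changes the file; it only reports.
function Test-NetlogonChg {
    param([string]$Path = (Join-Path $env:SystemRoot 'netlogon.chg'))

    $rights = [System.Security.AccessControl.FileSystemRights]
    # "At least RWXD" from the article: Read, Write, Execute, Delete
    $required = [int]($rights::Read -bor $rights::Write -bor
                      $rights::ExecuteFile -bor $rights::Delete)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist; Netlogon has not created it yet"
        return $false
    }

    $ok = $true
    $item = Get-Item -LiteralPath $Path
    if ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) {
        Write-Warning "$Path is marked Read-Only; Netlogon cannot update it"
        $ok = $false
    }

    # Collect Allow and Deny ACEs that apply to the System account (assumed name)
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM') { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }

    $missing = $required -band (-bnot $allow)
    $denied  = $required -band $deny
    if ($missing -ne 0 -or $denied -ne 0) {
        Write-Warning ("System lacks RWXD on {0} (missing: {1}, denied: {2})" -f
            $Path, [System.Security.AccessControl.FileSystemRights]$missing,
            [System.Security.AccessControl.FileSystemRights]$denied)
        $ok = $false
    }
    return $ok
}

if (Test-NetlogonChg) { 'netlogon.chg attribute and System permissions look correct' }
```

The function returns `$true` only when the file exists, is not Read-Only, and every bit of the required RWXD mask is granted to the System account by an Allow ACE and not withheld by a Deny ACE. Run it before and after changing the file's permissions so you can confirm the fix actually took effect.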
The third possible cause is that the netlogon.chg file has become corrupt. In this case, you must either rename or delete the file. Because the system uses netlogon.chg continuously, you need to take the following steps to rename or delete the file from an NTFS partition:
- Set the System account permissions from Full Control on \%systemroot%\netlogon.chg to No Access.
- Restart the computer, and delete the netlogon.chg file.
- Before you reboot a second time, add the System object to the permissions on the \%systemroot% folder and grant the object Full Control. If you don't do so, the system can't create the netlogon.chg file, and partial synchronization errors will continue.
- Reboot once more. The system will create netlogon.chg at startup.
- Verify that the system created netlogon.chg, then delete the System object on the \%systemroot% folder so that the folder reverts to its original permissions.
To rename or delete the netlogon.chg file on a FAT partition, take the following steps:
- Use MS-DOS to start the computer.
- Delete the \%systemroot%\netlogon.chg file.
- Restart, and boot to Windows NT. The system will create netlogon.chg at startup.
Possibility 3. If one of the secrets in the LSA database is corrupt, event ID 5716 will appear on one or more BDCs as "The partial synchronization replication of the SAM database from the primary domain controller <controller name> failed with the following error: Cannot perform this operation on built-in accounts." The system will pair event ID 5716 with event ID 5714: "The full synchronization request from the server <BDC> failed with the following error: <error text>."
An LSA secret can become corrupt when the Registry becomes physically corrupt (e.g., as the result of a disk hardware failure). Another possible cause is that a transaction in the database didn't complete properly. You can resolve the problem by locating and deleting the corrupt secret in the Resource domain PDC's Registry.
Netlogon replicates only global secrets to BDCs, which makes it easier for you to find the LSA secrets. A G$ in the key name differentiates global secrets from other secret types; LSA secret subkeys come under the G$ keys.
By default, NT hides LSA secret objects from view. However, administrators can grant themselves additional access to the LSA subkeys when necessary. To grant this access and locate the corrupt LSA secret, take the following steps. (As always, back up the Registry and update the Emergency Repair Disk--ERD--before you make any changes to the Registry.)
1. Start the Registry Editor (regedt32.exe) on the Resource domain PDC.
2. Locate the HKEY_LOCAL_MACHINE\SECURITY key.
3. Go to the Security menu, and click Permissions.
4. Change the permissions on the SECURITY key and all its subkeys to Administrators: Full Control, and System: Full Control.
5. Exit regedt32.exe, and restart the machine.
6. Restart regedt32.exe, and examine each HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\G$<trusted domain name> key for the Resource domain.
LSA secrets usually have five subkeys: CupdTime, CurrVal, OldVal, OupdTime, and SecDesc. During a change or update to an LSA secret, the system briefly deletes the five subkeys and substitutes a PolMod subkey. If the transaction doesn't complete properly, PolMod can remain, leaving a corrupt LSA secret. Therefore, you need to find all LSA secrets that contain only the PolMod subkey. These are the corrupt secrets that you need to delete from the Registry. Delete corrupt LSA secrets locally at the Resource domain PDC, rather than across a slow link; deleting LSA secrets over a slow link can take hours. To delete corrupt LSA secrets, take the following steps:
1. Follow steps 1 through 6 above to locate the key with the corrupt LSA secret.
2. Use Edit menu commands to delete the key.
3. Locate the HKEY_LOCAL_MACHINE\SECURITY key to reset permissions to LSA secrets.
4. From the Security menu, click Permissions and change the permissions on this and all \SECURITY subkeys to Administrators: Special Access, Write DAC, and Read Control; and System: Full Control.
5. Exit regedt32.exe and reboot.
6. Reestablish the affected trust relationship.
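A report-only scan that applies the corruption signature described above (a G$ secret whose only subkey is PolMod), as an added example that is not part of the original article. It assumes a modern PowerShell session run as an administrator after the SECURITY key's permissions have been opened as in steps 1 through 6; the key path, the G$ prefix, the five expected subkey names and the PolMod marker come from the article, while the function name and output format are assumptions of this example. It lists candidates only; the deletion and the permission reset remain the manual steps above.

```powershell
# Added example (not from the article): list replicated (G$) LSA secrets and
# flag those that contain only a PolMod subkey. Read-only; deletes nothing.
function Find-CorruptLsaSecret {
    param([string]$Path = 'HKLM:\SECURITY\Policy\Secrets')

    # Subkeys a healthy LSA secret normally carries (from the article)
    $expected = 'CupdTime', 'CurrVal', 'OldVal', 'OupdTime', 'SecDesc'

    # Get-ChildItem on the registry provider yields RegistryKey objects;
    # the key name is in PSChildName and GetSubKeyNames() lists its subkeys.
    Get-ChildItem -Path $Path -ErrorAction Stop |
        Where-Object { $_.PSChildName -like 'G$*' } |     # only global secrets replicate to BDCs
        ForEach-Object {
            $sub = @($_.GetSubKeyNames())
            [pscustomobject]@{
                Secret  = $_.PSChildName
                SubKeys = ($sub -join ',')
                Missing = (@($expected | Where-Object { $sub -notcontains $_ }) -join ',')
                # The article's corruption signature: PolMod is the only subkey left
                Corrupt = ($sub.Count -eq 1 -and $sub[0] -eq 'PolMod')
            }
        }
}

$report = Find-CorruptLsaSecret
$report | Format-Table -AutoSize
$report | Where-Object Corrupt | ForEach-Object {
    Write-Warning ("{0} contains only PolMod; candidate for deletion in regedt32" -f $_.Secret)
}
```

Run it on the Resource domain PDC itself, as the article recommends, and compare the Secret names it flags with the G$<trusted domain name> keys you inspect in step 6 before deleting anything. The Missing column also surfaces secrets that are incomplete without matching the exact PolMod-only signature, which is worth a second look but is not what the article says to delete.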