8003 Browsing Errors
with UDP Forwarding
Microsoft Knowledge Base Article: 135464
- Event ID: 8003 error messages are added to
your domain controller's system log (as seen
with the Event Viewer) approximately every 12
minutes:
"Access Denied" During
Domain Controller Promotion
Microsoft Knowledge Base Article: 232070
- When you are attempting to create a Replica
domain controller, you may receive an "Access
denied" error message in Dcpromo.exe.
Administrator Cannot
Recover the Domain Controller if a User Is Added
to a Large Number of Groups
Microsoft Knowledge Base Article: 306259 - When
a Windows 2000 account belongs to a large number
(over 1,000) of groups, the Security Account
Manager (SAM) requires a large amount of time
to do the group evaluation during account logon.
During this time, the administrator cannot recover
the domain controller because the administrator
will have a token that has more than 1,024 security
identifiers (SIDs), and Local Security Authority
(LSA) will ultimately fail the logon because
of too many SIDs. Also, the failure will take
a long time to appear because of the increased
SAM activity.
Administrative Limit
Exceeded When You Are Adding Users or Groups
Microsoft Knowledge Base Article: 255013
- When you attempt to add users or groups on
a domain controller, you may receive the following
error message:
Auditing Does Not
Report Security Event for Resetting Password
on Domain Controller
Microsoft Knowledge Base Article: 267556
- If you choose to audit success and failure
with the "Audit account management" policy,
the auditing does not report the expected success
event in the Security log when an administrator
resets the user password on a domain controller.
Assigning Specific
Network Address on the NWCompatible Tab Causes
Snap-in to Quit
Microsoft Knowledge Base Article: 258762
- On a domain controller that is running File
and Print Services for NetWare (FPNW), the Active
Directory Users and Computers snap-in may quit
prematurely when you are attempting to assign
a specific network address in the advanced settings
on the NWCompatible tab.
Backup Domain Controller
Upgrade Is Unsuccessful During Demotion to Member
Server
Microsoft Knowledge Base Article: 259544
- During an upgrade of a Microsoft Windows NT
4.0 backup domain controller (BDC), you may
receive the following error message after you
first restart in Windows 2000 and begin the
Dcpromo process
Bad Password Attempts
Are Repeatedly Forwarded from Domain Controllers
to the PDC Operations Master
Microsoft Knowledge Base Article: 272065
- When Netlogon processes an authentication
request on a domain controller and the request
does not work because there is a "bad" password,
the request is repeated on the primary domain
controller (PDC) operations master.
Cannot Add Windows
NT 4.0 BDC to a Windows 2000 Domain
Microsoft Knowledge Base Article: 242432
- When you attempt to install a Windows NT 4.0-based
backup domain controller (BDC) in a domain with
a Windows 2000-based primary domain controller
(PDC), you may receive an error message:
Cannot Alter Down-Level
Domain Name During Upgrade from Windows NT 4.0
to Windows 2000
Microsoft Knowledge Base Article: 240156
- You cannot change the NetBIOS domain name
when you are upgrading a Microsoft Windows NT
4.0-based primary domain controller to Windows
2000. You can specify the Domain Name System
(DNS) domain name, but you cannot alter the
automatically created down-level NetBIOS domain
name. You can change this name only after the
upgrade and Dcpromo.exe processes have finished,
by demoting and repromoting the server.
Cannot Cancel Dcpromo.exe
While Demoting a Domain Controller
Microsoft Knowledge Base Article: 238117
- You should not cancel the Dcpromo.exe task
when you are demoting a domain controller to
a member server. Although there is no way to
cancel the task in Dcpromo.exe, you could end
the Dcpromo.exe task by using Task Manager.
Cannot Change Computer
Name of a Domain Controller
Microsoft Knowledge Base Article: 195242
- The computer name of a Windows 2000 domain
controller cannot be changed for this release
of Windows 2000.
Cannot Find Active
Directory Domain Controller When Upgrading Windows
NT 4.0 PDC
Microsoft Knowledge Base Article: 244030
- After you upgrade a Windows NT 4.0-based primary
domain controller (PDC) to Windows 2000, Dcpromo.exe
runs but configures the server as a member server.
Dcpromo.exe does not default to a domain controller
promotion.
Clients Unable to
Log On to Domain in the Absence of Domain Controllers
Microsoft Knowledge Base Article: 263108
- Using a Microsoft Windows 2000 client, you
may be unable to log on to a domain with Microsoft
Windows NT 4.0 domain controllers after the
demotion of the last remaining Windows 2000
Active Directory domain controller. When you
attempt to log on, you may receive the following
error message: "The system cannot log you on
to this domain because the system's machine
account in its primary domain is missing or
the password on that account is incorrect."
Computer Name Does
Not Match the Windows 2000 Domain Name After
Upgrade
Microsoft Knowledge Base Article: 262376 - The
fully qualified domain name computer name does
not match the Windows 2000 domain name because
a Microsoft Windows NT 4.0 upgrade automatically
clears the "Change primary DNS suffix when domain
membership changes" check box. After the domain
controller promotion process (Dcpromo.exe) is
run on a domain controller, you are unable to
change the computer name.
Dcpromo Does Not
Allow All-Numeric Label in a Domain Name
Microsoft Knowledge Base Article: 258101
- The Active Directory Installation Wizard (Dcpromo)
may display the following error message: The
syntax of the domain name 111.edu is incorrect.
In general, acceptable naming conventions for
domain names include the use of alphanumeric
characters (the letters A through Z and numerals
0 through 9) and the hyphen (-). A period (.)
in a domain name is always used to separate
the discrete parts of a domain name commonly
known as labels. Each domain label can be no
longer than 63 bytes. The first label may not
be a number.
Dcpromo.exe Does
Not Provide a Warning About Configuring a DNS
Server Without a Static IP Address
Microsoft Knowledge Base Article: 242189
- When you run Dcpromo.exe on a server, you
may receive the option of installing a DNS server
or using an existing DNS server. This problem
does not occur if you manually install the DNS
service. If the Windows 2000-based server does
not have a static IP address, Dcpromo.exe
does not warn you that using a static IP address
is recommended. However, if you choose to install
the DNS server from Control Panel, you are warned
that the DNS server should be configured with
a static IP address.
Dcpromo Does Not
Work If Administrator Account Is Deleted or
the Domain Guests Account Is Manually Created
Microsoft Knowledge Base Article: 260941
- If NetWare Directory Services (NDS) for Windows
NT is installed and the Administrator account
is deleted before you upgrade to Windows 2000
Server, Windows 2000 may not deploy typically.
Domain Controller
Reboots When Large Number of Duplicate Connection
Objects Exist
Microsoft Knowledge Base Article: 284003 - One
or more domain controllers in a Windows 2000
domain or forest may reboot in a cyclic manner.
When this occurs, you may receive the following
error message: The system
process LSASS.EXE terminated unexpectedly with
status code -1073741571. The system will now
shut down and restart
The DC Promo Program
Does Not Work When Using Network Address Translation
Microsoft Knowledge Base Article: 270152
- When you attempt to promote or to demote Microsoft
Windows 2000 Server with the DC Promo program,
you may receive the following error message:
Active Directory Installation Failed. The operation
failed because: Failed to modify the necessary
properties for the machine account Servername$
The specified server cannot perform the requested
operation
Default Tree and
Context Settings Missing After Upgrading to
Windows 2000
Microsoft Knowledge Base Article: 222024
- After you upgrade a Microsoft Windows NT 4.0
primary domain controller (PDC) running Gateway
Services for NetWare (GSNW) to Windows 2000 Server,
the default tree and context settings may be
missing.
Dial-on-Demand Connection
Is Dialed When the Domain Controller Is Shut
Down
Microsoft Knowledge Base Article: 272990
- When you shut down a Windows 2000 domain controller
that is also a global catalog server, wide area
network (WAN) traffic may occur. If the WAN
is across a dial-on-demand connection, the shutdown
process may force the dial-on-demand connection
to dial.
DNS Site Records
Are Not Properly Removed After Dcpromo
Microsoft Knowledge Base Article: 259435
- When you create a new site, you may have a
situation where at the time you created the
site it did not contain domain controllers.
The following event is displayed in Event Viewer:
DNS Domain Setting
Unchanged After Promotion to Domain Controller
Microsoft Knowledge Base Article: 223347
- After upgrading a member server to a domain
controller (DC) in a new domain, the original
DNS zone set on the computer is unchanged and
must be reset manually in the DNS properties
for the adapter.
Domain Controller's
Domain Name System Suffix Does Not Match Domain
Name
Microsoft Knowledge Base Article: 257623
- After you promote a domain controller (DC),
the Domain Name System (DNS) suffix of your
computer name may not match the domain name
that the DC belongs to. After a server has been
promoted to a DC, it is not possible to rename
the computer.
Error Message: The
Specified Domain Either Does Not Exist or Could
Not Be Contacted
Microsoft Knowledge Base Article: 283133
- When you attempt to run the Active Directory
Installation wizard (Dcpromo.exe) for a new
domain controller or you attempt to join a computer
that is running Windows 2000 Server or Windows
2000 Professional to a domain, you may receive
the following error message: The specified domain
either does not exist or could not be contacted.
Event 5781 Occurs
After DC Changes Domain
Microsoft Knowledge Base Article: 311354 - After
you have changed the domain that a Windows 2000
domain controller (DC) belongs to, you may frequently
receive the following event 5781 in the System
Event log:
Event ID 13507, 13552,
and 13555 Messages Occur in the Domain Controller
Microsoft Knowledge Base Article: 264607
- In a Microsoft Windows 2000 domain controller
with Microsoft Terminal Services installed in
application server mode, errors may be displayed
in the System event log. Cause: When you install
Citrix MetaFrame Server version 1.8 on a Windows
2000 domain controller, you are prompted to
re-map the server's drive letters (C-M), so
that clients do not confuse their drive C with
the server's drive C. When the drive is remapped,
File Replication service (FRS) does not work
correctly; FRS looks for drive letters that
no longer exist.
Information About
Event 617 in the Security Event Log
Microsoft Knowledge Base Article: 272460 - When
the "Audit policy change" policy is enabled
for either success or failure in the Default
Domain Policy or Default Domain Controllers
Policy Group Policy objects (GPO), a success
event, event 617, is logged in the Windows 2000
Security
Internal Error Running
Dcpromo.exe
Microsoft Knowledge Base Article: 267887 - When
you run Dcpromo.exe, it may not run successfully,
and the following error message may be recorded
in the Dcpromo log file: The replication system
encountered an internal error (updated 9/27/2000)
Large Number of Alias
Domains Causes 550 Error for Valid Domains
Microsoft Knowledge Base Article: 253284 - When
the Simple Mail Transport Protocol (SMTP) service
is configured with a very large number of alias
domains, the following error message may be
returned for some of the domains:
Lsass.exe May Quit
on Windows 2000 Domain Controller with Reverse
Order Search
Microsoft Knowledge Base Article: 255897 - When
you perform a Lightweight Directory Access Protocol
(LDAP) search and you expect a large amount
of data to be returned or the data is being
sorted in reverse order using a binary sort
key, the Lsass.exe process may quit abnormally
on the Windows 2000-based server that responds
to the query.
Multihomed Primary
Domain Controller Causes Browsing Problems
Microsoft Knowledge Base Article: 244983
- When you use a multihomed primary domain controller
(PDC), you may experience browsing problems
and NetBIOS name resolution errors.
NetBIOS Scope ID
Causes Windows 2000 Domain Controller to Stop
Responding on Boot
Microsoft Knowledge Base Article: 255195 - When
a Windows 2000 domain controller has a NetBIOS
scope ID defined, it may appear to stop responding
(hang) during boot with a "Preparing Network
Connections" message. If the computer is allowed
to sit for two hours or longer, the boot process
may finish.
Non-Paged Pool Memory
Leak on Master Browser
Microsoft Knowledge Base Article: 262386
- A server that is acting as a master browser
(commonly a primary domain controller in Windows
NT 4.0) may leak non-paged pool memory.
Performance Problems
on Domain Controller If Clients Use Integrated
Logon
Microsoft Knowledge Base Article: 296970 - You
may experience unusually long logon times and
difficulty accessing directory services to locate
users and resources.
Permissions
Are Affected After You Demote a Domain Controller
Microsoft Knowledge Base Article: 320230 - After
you demote a domain controller, domain local
groups are not used to provide access to local
resources. Note that this behavior only applies
to domains that are in Mixed mode. The local
group may still be displayed in the access control
list.
Promoting a Windows
NT-Based Server By Using the Dcpromo.exe Tool
Generates an Error Message
Microsoft Knowledge Base Article: 254211 - When
you run the Dcpromo.exe tool to promote a backup
domain controller (BDC) or a member server running
Windows NT 4.0 to a Windows 2000 domain controller
(DC), it may not work, and may generate an error
message:
"Replication Access
Was Denied" Error Message When Attempting to
Synchronize Domain Controllers
Microsoft Knowledge Base Article: 262795 - When
you use the Active Directory Sites and Services
snap-in from a child domain to force replication
from a parent domain or another child domain
at the same level, you may receive the following
error message:
Replication Not Working
Properly Between Domain Controllers After Deleting
One from Sites and Services
Microsoft Knowledge Base Article: 262561 - A
second domain controller may not appear in the
first server's Active Directory Sites and Services
tool. The second server may also not replicate
some of the Sysvol shares properly, and may
not add itself again to the first domain controller.
Replicated Object
May Not Be Recognized by Domain Controller
Microsoft Knowledge Base Article: 258057 - If
you create a trusted domain object (TDO) while
a domain controller is not available and a replication
attempt is made to that domain controller during
startup, the replicated TDO cannot be seen by
the Local Security Authority (LSA).
Resetting Password
on Domain Controller May Cause Incorrect Audit
in Security Event Log
Microsoft Knowledge Base Article: 263190 - When
you reset a password on domain controllers with
certain password policy restrictions, an erroneous
audit is logged in the Security event log.
SRV Resource Records
May Not Be Created on Domain Controller
Microsoft Knowledge Base Article: 239897 - When
you attempt to upgrade a Windows NT-based primary
domain controller (PDC) or backup domain controller
(BDC) or you promote a Windows 2000 Server-based
computer to a domain controller, you may receive
the following error message:
Startup Script Does
Not Run on a Domain Controller
Microsoft Knowledge Base Article: 232300 - A
startup script that you created with group policy
to be run on a domain controller may not be
run when you restart the domain controller.
When this occurs, a message may appear in the
system event log
SYSVOL Directory
Is Slow to Synchronize, Delays Creation of SYSVOL
Share and Domain Controller Registration
Microsoft Knowledge Base Article: 250545 - Replica
or backup Windows 2000 domain controllers may
be slow to synchronize the contents of the system
volume, which may delay the registration of
a promoted computer as a domain controller.
The Windows NT 4.0
Domain Controllers That Are Upgraded to Windows
2000 May Hang During the Final Phase of Setup
Microsoft Knowledge Base Article: 273823 - When
you upgrade your computer from Windows NT 4.0
to Windows 2000 and the Winnt32.exe program
is being run, the Windows NT 4.0 domain controllers
that have large-sized Security Accounts Manager
(SAM) account databases may seem to hang for
excessive periods of time during the "Performing
final tasks" phase of the upgrade. Under extreme
circumstances, the computer may hang for up
to 2.5 hours.
Troubleshooting Missing
SYSVOL and NETLOGON Shares on Windows 2000 Domain
Controllers
Microsoft Knowledge Base Article: 257338 - The
File Replication Service (FRS) is a multi-threaded,
multi-master replication engine that replaces
the LMREPL service in Microsoft Windows NT 3.x
and 4.0. Microsoft Windows 2000 domain controllers
and servers use FRS to replicate system policy
and login scripts for Windows 2000 and down-level
clients. FRS can also replicate content between
Windows 2000 servers hosting the same fault-tolerant
DFS roots or child node replicas. This article
describes troubleshooting steps to use on Windows
2000 domain controllers that are missing netlogon
and sysvol shares.
Unable to Obtain
Home Directory Drive Connection in a Mixed Environment
Microsoft Knowledge Base Article: 262890 - When
a user's environment is mixed with Microsoft
Windows NT 4.0 BDCs and Windows 2000 DCs while
the LmCompatibilityLevel registry entry is in
use for higher security, the home directory
drive connection may not appear on the Windows
2000 Professional client computer.
Unable
to Recover Encrypted Files After the Domain
Controller Is Demoted
Microsoft Knowledge Base Article: 276239 - When
a Windows-based computer that is a domain controller
is demoted to a member server by using the Active
Directory Installation wizard (Dcpromo.exe),
you are unable to recover Encrypting File System
(EFS)-encrypted documents.
Unbinding File and
Printer Sharing from Primary Network Adapter
in Multihomed Domain Controller Causes Policy
Problems on the Domain Controller
Microsoft Knowledge Base Article: 258296 - If
the primary network adapter in a multihomed
domain controller does not have File and Printer
Sharing bound to it, multiple problems are logged
or displayed when you attempt to work with Group
Policy objects on the domain controller.
Unnecessary LSA Replication
Traffic Is Sent to Windows NT 4.0 and 3.5x Domain
Controllers in a Mixed Domain
Microsoft Knowledge Base Article: 255295 - When
you operate a Windows 2000-based mixed domain
that contains backup domain controllers (BDCs)
that are running Microsoft Windows NT version
3.51 or 4.0, unnecessary replication traffic
may be directed at the down-level domain controller.
Users and Group Replication
Is Not in Synchronization with LSA Changes
Microsoft Knowledge Base Article: 272476 - When
you revise users and group rights and set user
rights assignments, and then replicate these
changes, if you look at a different domain controller,
the group policy updates are not registered
at the target server even though the users and
group rights changes have arrived at the target
server.
Windows 2000-Based
Clients Connect Only to First-Upgraded Domain
Controller in Mixed-Mode Domain
Microsoft Knowledge Base Article: 284937 - After
you upgrade the first of multiple Windows NT
Server 4.0-based domain controllers to Windows
2000 Server, all of the domain's Windows 2000
Professional-based clients connect to that domain
controller and to no other for authentication.
Windows 2000-Based
Domain Controller Generates a Netlogon Error
Event ID 5774
Microsoft Knowledge Base Article: 284963 - On
a Windows 2000-based domain controller that
has Domain Name System (DNS) installed and integrated
with Active Directory to allow secure dynamic
updates, you may find that Event Viewer records
the Netlogon error Event ID 5774 approximately
every 70 seconds.
Windows 2000 Directory
Service Agent Fails to Maintain Exclusive Control
of Port 389
Microsoft Knowledge Base Article: 266657 - If
you install an application on a Domain Controller
(DC) that binds to port 389 with a listener,
multiple failures are seen on the DCs. These
include failures running dcpromo, startup failures
with Inter-Site Messaging service, as well as
NTFRS preventing a machine from becoming a DC.
This can usually be detected by using Ldp.exe
from the Support Tools to confirm that you are
succeeding in connecting to the Active Directory
on each DC.
Windows 2000 Domain
Controller Logs Event 1153 and Stops Replicating
Microsoft Knowledge Base Article: 268995 - A
Windows 2000 domain controller may stop responding
(hang) while replicating schema updates to other
domain controllers in the domain and log event
ID 1153.
Windows 2000 Domain
Controllers Restored with System State Backups
Made Prior to SP2 May Not Boot
Microsoft Knowledge Base Article: 295932 - This
article discusses the following issues:
Windows 2000 Selects
Down-level Domain PDC to Enumerate User and
Group Accounts
Microsoft Knowledge Base Article: 285074 - When
Object Picker (Objsel.dll) enumerates users,
groups, or machine accounts from a down-level
domain, the PDC is contacted to provide the
list of objects. This may result in poor performance
as the list may be obtained over a WAN link
and may put unnecessary load on the PDC computer.
Windows 2000 May
Send Unexpected DNS Request
Microsoft Knowledge Base Article: 263091 - A
Microsoft Windows 2000-based domain controller
may unexpectedly send Domain Name System (DNS)
registration requests or queries for SRV records
to an external DNS server. Other symptoms may
include:
Windows 2000 PDC
Emulator's CPU Spikes When Large Number of KRB_AS_REQs
Are Sent from the BDC
Microsoft Knowledge Base Article: 258068 - The
primary domain controller (PDC) emulator's CPU(s)
may show a sustained high usage. This may be
caused by a large number of Kerberos Authentication
Server requests (KRB_AS_REQs) that contain a
bad password being sent from domain controllers
Windows NT-Based
BDCs No Longer Synchronize After a Windows 2000
Domain Is Switched to Native Mode
Microsoft Knowledge Base Article: 240305 - A
Windows NT-based backup domain controller (BDC)
may display the following error messages in
Event Viewer:
You Cannot Start
a Newly Promoted Domain Controller After You
Remove Windows 2000 SP2 SRP1
Microsoft Knowledge Base Article: 319783 - If
you install Windows 2000 Service Pack 2 (SP2)
Security Rollup Package (SRP1) on a computer
that is not a domain controller, and then you
promote that computer to a domain controller,
you cannot start the newly promoted domain controller.