In the Trenches: Can't Add BDC to Windows 2000 Domain

In the Trenches: Can't Add BDC to Windows 2000 Domain

May 14, 2002

Thomas Shinder

We ran into a sticky situation the other day at a client site. We had installed a Windows 2000 Server and run the dcpromo.exe program to upgrade the machine to a Domain Controller. The Active Directory wizard did its job and everything worked fine. The next step was to create a Windows NT 4.0 BDC in the Active Directory domain.

A Windows NT BDC in a Windows 2000 Domain?

Why a Windows NT 4.0 BDC? Why not just install another Windows 2000 Server machine and promote that one to a Domain Controller? That would certainly be the best option, but the client already had several Windows NT 4.0 Server licenses. He didn't want to purchase any more Windows 2000 licenses until he felt sure Windows 2000 was stable and reliable enough to warrant the cost. I could understand the client's concern, but Windows 2000 has proved so rock-solid that the client made the decision against my recommendations.

Yes, its true. You can add Windows NT 4.0 BDCs to a Windows 2000 domain. This is because Windows 2000 domains are fully backward compatible. The Windows 2000 Domain Controller will expose the "flat" information store that is required for replication to the downlevel NT BDC. The Windows 2000 PDC Emulator looks just like an NT PDC to downlevel clients, and any new user, group or computer account you create in the Windows 2000 domain will be replicated to the BDC. This is a Windows 2000 "mixed mode" domain configuration.

Rollback to Windows NT Domains

If the Windows 2000 Domain Controller should go belly up, or if the customer decides its time to go back to NT, the Windows 2000 machine can be taken offline and the Windows NT 4.0 BDC can be promoted to a PDC in the NT domain. In fact, we were able to make the sale for the Windows 2000 upgrade because the client felt more comfortable knowing he could quickly and easily return to his Windows NT 4.0 domain.

Cryptic Error Message

When we tried to install Windows NT 4.0 and make the server a Backup Domain Controller, we got the following message:

The Machine Account for This Computer either does not exist or is inaccessible.

We thought this was sort of odd, given that we expected the computer account would  be created based on the credentials we provided during installation. However, the same error message kept coming up. We halted the install, and went to the Windows 2000 Domain Controller and manually added the machine account. When we retried the Windows NT 4.0 BDC setup, the same error message appeared.

When a Computer is a User

After some gnashing of teeth, we decided to research the problem and found that indeed we weren't the first in the world to suffer from this problem. Apparently, when an NT computer tries to create an account for itself, its considered a user class object. Windows 2000 doesn't want its computer accounts to be users, and therefore rejects the attempt to register a "user" as a computer.

The fix is almost poetic. In order to add the computer account for the would-be BDC, you must go to the PDC emulator and use the Server Manager application! It works the way it always does. However, you'll need to find it first. Use the Find command and search for srvmgr and then open the program from the Find dialog box.

When you run the Server Manager, you'll add a PDC, like that seen in the pic below.

After adding the machine account using the Server Manager, the BDC installed and joined the domain, and the rest of the roll out went without a hitch.

For More Information:

If you would like more information on this issue, check out Q242432 in the Microsoft Knowledge Base.