JSI Tip 8781. You receive NETLOGON event 5730 on a Windows NT 4.0 BDC in a Windows 2000 domain?

Jerold Schulman

December 12, 2004


In your Windows 2000 mixed-mode domain, Windows NT 4.0 BDCs don't replicate. The BDC's System event log records:

Event Type: Error
Event Source: NETLOGON
Event ID: 5730
Description: Replication of the SAM global group 0x201 from primary DC PDCName failed with the following error:
Either the specified user account is already a member of the specified group, or the specified group cannot be deleted because it already contains a member.

This behavior will occur if a Windows 2000 user account is explicitly a member of its Primary Group, since in Windows 2000, a user is NOT explicitly a member of their Primary Group.

NOTE: See A user's Member attribute is NOT populated with the Primary Group?

If a user is explicitly added to their Primary Group in Active Directory, the Windows NT 4.0 BDC thinks that the user account is a member of the group twice, which generates the error, and stops the BDC from replicating changes.

To work around this behavior, you must remove the user account from its Primary Group:

1. Convert the RID (0x201) in the event message to decimal (513).

2. Find the built-in group. If the group was created, use Getsid.exe to match a RID with the group name.

3. Remove the explicit addition of a user from their Primary Group.

To find users who are explicitly members of their Primary Group, I have scripted XPGM.bat.

NOTE: XPGM.bat uses primaryGroupID.bat, which must be located in a folder that is in your path.

XPGM.bat, which requires no parameters, contains:

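@echo off
setlocal
rem Enumerate every group, then every member of each group.
for /f "Tokens=*" %%a in ('dsquery group') do (
 for /f "Tokens=*" %%b in ('dsget group %%a -members') do (
  call :ispg %%a %%b
 )
)
endlocal
goto :EOF
:ispg
rem %1 is the group's distinguished name, %2 is the member's distinguished name.
set group=%1
set user=%2
rem Strip the quotes so the member DN can be embedded in the LDAP filter.
set usr=%user:"=%
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(distinguishedName=%usr%))" -attr primaryGroupID
rem Keep the last line of output (the primaryGroupID value), then strip the padding spaces.
for /f "Tokens=*" %%c in ('%qry%') do (
 set pgi=%%c
)
set pgi=%pgi:  =%
set pgi=%pgi: =%
rem primaryGroupID.bat sets pgidn for the given primaryGroupID.
call primaryGroupID %pgi% pgidn
rem Report only when the group being listed is also the member's Primary Group.
if /i %group% NEQ %pgidn% goto :EOF
@echo %group% %user% %pgidn%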
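
As an added example (not part of the original tip and not XPGM.bat itself), the following Python code carries steps 1 through 3 over constructed directory records: it extracts the RID from the event text, finds the group whose SID ends in that RID, and lists the users to remove. The record layout, the example.com names, and the domain SID are assumptions made for illustration.

```python
import re

# Well-known domain group RIDs, identical in every Windows domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

# Event text from the tip; the directory records below are constructed sample data.
EVENT = ("Replication of the SAM global group 0x201 from primary DC PDCName "
         "failed with the following error:")
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
BASE = "CN=Users,DC=example,DC=com"                # constructed naming context
GROUPS = [
    {"dn": "CN=Domain Users," + BASE, "objectSid": DOM + "-513",
     "member": ["CN=Alice," + BASE, "cn=carol," + BASE]},
    {"dn": "CN=Helpdesk," + BASE, "objectSid": DOM + "-1105", "member": []},
]
USERS = [
    {"dn": "CN=Alice," + BASE, "primaryGroupID": 513},   # explicit and primary: the fault
    {"dn": "CN=Bob," + BASE, "primaryGroupID": 513},     # implicit only: normal
    {"dn": "CN=Carol," + BASE, "primaryGroupID": 1105},  # explicit, but not her primary
]

def rid_from_event(description):
    """Step 1: pull the hex RID out of the 5730 description, return it as decimal."""
    m = re.search(r"SAM global group (0x[0-9A-Fa-f]+)", description)
    if m is None:
        raise ValueError("no group RID found in event description")
    return int(m.group(1), 16)

def explicit_primary_members(rid, groups, users):
    """Steps 2-3: find the group whose SID ends in rid, then the users to remove."""
    group = next((g for g in groups
                  if int(g["objectSid"].rsplit("-", 1)[1]) == rid), None)
    if group is None:
        raise LookupError("no group with RID %d" % rid)
    listed = {dn.lower() for dn in group["member"]}  # DNs compare case-insensitively
    hits = [u["dn"] for u in users
            if u["primaryGroupID"] == rid and u["dn"].lower() in listed]
    return group["dn"], sorted(hits)

if __name__ == "__main__":
    rid = rid_from_event(EVENT)
    group_dn, offenders = explicit_primary_members(rid, GROUPS, USERS)
    print(rid, WELL_KNOWN_RIDS.get(rid, "custom group"), group_dn, offenders)
```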

NOTE: For a Microsoft Knowledge Base Article solution, see Netlogon 5730 Events on a Windows NT 4.0 Backup Domain Controller in a Windows 2000 Domain.


