Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The Lsass.exe process may stop responding if you have many external trusts on an Active Directory domain controller


View products that this article applies to.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

↑ Back to the top


Symptoms

On a domain controller that is running Microsoft Windows Server 2003, the Local Security Authentication Server (Lsass.exe) process may stop responding if the following conditions are true:
  • You have many external trusts and many simultaneous logon requests.
  • These logon requests do not specify the domain name.
Additional symptoms may be slow or delayed authentication for users requesting legacy authentication (NTLM). In addition, if monitoring the Netlogon performance object, the Average Semaphore Hold Time performance counter may show delays to users from other domains.

↑ Back to the top


Cause

This problem occurs because the Lsass.exe process runs out of resources if the number of simultaneous logons multiplied by the number of trusts is more than 1,000.

↑ Back to the top


Resolution

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, apply the latest service pack for Windows Server 2003 or the following hotfix. Then, enable the NeverPing setting.

Important This setting may cause unwanted side effects if you have clients that do not specify domain names in the logon requests. These clients may include Microsoft Windows 98 clients and Outlook Web Access. These clients work correctly if the user accounts that the logon requests use are in the Windows Server 2003 domain or in the global catalog. Problems occur only if a user account is in an external domain.

To enable the NeverPing setting, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Right-click this subkey, point to New, and then click DWORD Value.
  4. Type NeverPing as the registry entry name, and then press ENTER.
  5. Double-click NeverPing, type 1 in the Value data text box, and then click OK.
  6. Exit Registry Editor.

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003, x86-based versions
File nameFile versionFile sizeDateTimePlatform
Netlogon.dll5.2.3790.573419,32808-Aug-200613:01x86
Windows Server 2003, Itanium-based versions
File nameFile versionFile sizeDateTimePlatformService branch
Netlogon.dll5.2.3790.573959,48807-Aug-200621:58IA-64RTMQFE
Wnetlogon.dll5.2.3790.573419,32807-Aug-200622:01x86WOW

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

↑ Back to the top


More Information

This issue occurs when applications use legacy NTLM authentication and do not submit the domain the user is associated with when submitting an authentication request. When legacy behavior is required by the client the domain controllers must use legacy methods to locate the user's proper domain so that the authoritative domain for that user can provide verification of the user's credentials. The legacy behavior is a sequential network communication with each domain the domain controller trusts. This issue worsens when there are greater numbers of domains and numbers of authentication requests missing the domain portion of the users credentials.


This concern can be identified in Netlogon service debug logs on the domain controllers by looking for SamLogon entries which display "<nulll>\username". Simply searching the logs for "<null>\" will reveal if the issue is occuring at all.

This concern can worsen legacy authentication performance bottlenecks. For more information on that refer to the Knowledge Base article:

975363You are intermittently prompted for credentials or experience time-outs when you connect to Authenticated Services

For more information about a similar problem in Microsoft Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

825107 The Lsass.exe process may stop responding if you have many external trusts on a Windows 2000 Server-based domain controller

In some situations, performance issues may still be seen even after configuring the Neverping setting. In those cases the MaxConcurrentApi setting should be set to a higher value. More information on how to estimate the best MaxConcurrentApi setting can be found in the Knowledge Base article below.

2688798 How to do performance tuning for NTLM authentication by using the MaxConcurrentApi setting

↑ Back to the top


Keywords: kb, kbautohotfix, kbwinserv2003sp2fix, kbwinserv2003sp1fix, kbexpertiseinter, kbbug, kbfix, kbhotfixserver, kbqfe, kbpubtypekc

↑ Back to the top

Article Info
Article ID : 923241
Revision : 1
Created on : 1/7/2017
Published on : 3/30/2012
Exists online : False
Views : 545