dlauten

asked on

Netlogon does not start automatically. Causes chain reaction of services not starting

Hello,

I have Exchange 2003 loaded on Win Server 2003 R2 SP2. This morning, after both pushing End Point client and applying Microsoft's updates and restarting, Exchange would not come back up.

I've uninstalled Symantec Endpoint and Mail Security from the server.

The point I am at now is Netlogon will not start automatically when the server boots, causing every service that depends on it to also not start. I CAN start it manually but I cannot start all my Exchange services from that point. (Exchange System Attendant will not stay started.)

First error code after reboot is event id 40960

Thanks for Reading.
Brian Pierce

dlauten

ASKER

Yes I have. The servers are less than 1 min apart in time.

It is failing to the local DCs not just the blackholes

No administrators have changed their passwords recently. Both DCs have been rebooted.

Like I said, I CAN start the service manually. Once the service is started I can browse the network. If you know what bginfo is, when I first log on the fields for logon domain and logon server are blank. However once I manually start the service and re-execute bginfo the fields are populated normally.

Check in Administrative Tools->Services and make sure the service is set to run Automatically.
dlauten

ASKER

It is. I've also tried setting it to manual, restarting, and setting it back to automatic.
dlauten

ASKER

Looking at the timeline in the event log, it looks like Netlogon is trying to start but is timing out waiting on Workstation. Workstation is also set to automatic and has no trouble kicking on when manually starting Netlogon.

Netlogon is dependent on the WORKSTATION service. In your case it is probably dependent on the Server Service applet.

I am not sitting at my servers right now, but I think the other dependencies of this server applet will include RPC, Browser, Netlogon, Alerter and Messenger. Though it may look like a domino effect, it is actually just one service that isn't started and all of these other services are dependencies of the one not starting. Can you trace back to the root of the service that isn't starting? You can look at who is dependent on what service by looking at the service applet's properties. Once you find the root service, we can try to debug that one.

Also the event logs may give you an idea of what services are not working.

One last thing. I also know that the Browser and Netlogon services require NetBIOS over TCP/IP to work. Maybe check your network bindings and make sure that is selected.
dlauten

ASKER

Yes, like I said, Workstation is not starting up automatically as it is supposed to either. Neither is RPC. I am actually burning a call to Microsoft for this one. I've been on the phone with them for close to 4 hours. At a 3rd tier of tech support, so at least I know I'm not a moron.

I'll keep posting and post resolution if it gets resolved.

One question though that he can't/won't answer. What is the deal with NT Authority\NetworkService? Can someone explain to me what it is?
At one point during the troubleshooting he had me change the RPC service to use system login instead of this. When I restarted, over half of the services came back up. Then he had me change it back and they all failed again.
ASKER CERTIFIED SOLUTION
ChiefIT

This solution is only available to members.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel (REG_DWORD),

What is this registry key set to?
dlauten

ASKER

I don't think I can begin to explain what all MS did to fix this problem. I will post as much of the report as I can when I get it.

It took 6 hours, 3 departments and 5 techs.
dlauten

ASKER

Here is the solution MS provided to me

It was my pleasure to assist you during your Unable to start workstation service automatically issue. I hope that you were delighted with the service provided to you.  I am providing you with a summary of the key points of the case for your records. If you have any questions please feel free to call me. You can reach me using the contact information below and referencing the case ID.

 

PROBLEM: Unable to start workstation service automatically

 

RESOLUTION:

-- Unable to start workstation service automatically

-- Informed that was able to start the service manually

-- Tried restarting the server in safe mode with networking but this did not help

-- Checked for any key DependOnService / DependOnGroup for lanmanworkstation but they were not listed

-- Tried uninstalling client for Microsoft network and restarted the server and reinstalled the service but got the issue back after reboot

-- Checked the permission for registry key lanmanworkstation and it listed a lot of SID's

-- Removed the SID's and added service account with full control permission and rebooted the server but this did not help

-- Tried changing the RPC service logon type to local system from network and restart the server and now everything came up fine

-- Changed the registry for RPC service to Network Service and restarted the server and again got the issue

-- Checked the event viewer

 

Event Type:         Error
Event Source:       EventLog
Event Category:     None
Event ID:           6015
Date:               3/8/2008
Time:               11:51:12 PM
User:               N/A
Computer:           RPC-EXCHANGE
Description:
The custom security descriptor for the event log Application is invalid. Please ask an administrator to correct the CustomSD value in registry for this event log.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:         Warning
Event Source:       LSASRV
Event Category:     SPNEGO (Negotiator)
Event ID:           40960
Date:               3/8/2008
Time:               11:51:22 PM
User:               N/A
Computer:           RPC-EXCHANGE
Description:
The Security System detected an authentication error for the server LDAP/rpc-dc01.norpc.org/norpc.org@NORPC.ORG.  The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.
 (0xc0000192)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 92 01 00 c0               ?..À

Event Type:         Error
Event Source:       Service Control Manager
Event Category:     None
Event ID:           7009
Date:               3/8/2008
Time:               11:51:47 PM
User:               N/A
Computer:           RPC-EXCHANGE
Description:
Timeout (30000 milliseconds) waiting for the Workstation service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:         Error
Event Source:       Service Control Manager
Event Category:     None
Event ID:           7000
Date:               3/8/2008
Time:               11:51:47 PM
User:               N/A
Computer:           RPC-EXCHANGE
Description:
The Workstation service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

-- Tried running SFC /Scannow on the server but this also did not help

-- Tried importing lanmanworkstation from a working machine and rebooted but still the same

-- Checked HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application has the CustomSD value which seemed to be invalid; we found this value:

O:BAG:EAD:(D;;CCDCLCSDRCWDWO;;;AN)(D;;CCDCLCSDRCWDWO;;;BG)(A;;CCDCLCSDRCWDWO;;;SY)(A;;CCDCLC;;;BA)(A;;CCDCLC;;;SO)(A;;CCDC;;;IU)(A;;CCDC;;;SU)(A;;CCDC;;;S-1-5-3)(A;;CC;;;S-1-5-21-690115048-1955020988-654838779-7525)(A;;CC;;;S-1-5-21-690115048-1955020988-654838779-7526)

whereas HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System had the correct value:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)

 

-- Found that all the services that were to load after the event log service were not starting up; the following key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application has the CustomSD value which seemed to be invalid

-- Loaded the system file from repair hives and then exported the HKEY_LOCAL_MACHINE\<test>\Services\Eventlog key to the desktop

-- Edited the saved registry file with notepad and replaced <test>\Services\ by SYSTEM\CurrentControlSet\Services\

-- Merged the registry file and rebooted the machine

 

-- This also did not help and still the registry key showed the same old value

-- found article http://support.microsoft.com/?id=323076 

 

Modify Your Local Policy to Permit Customization of the Security of Your Event Logs

1. Back up the %WinDir%\Inf\Sceregvl.inf file to a known location.

2. Open %WinDir%\Inf\Sceregvl.inf in Notepad.

3. Scroll to the middle of file, and then put the pointer immediately before [Strings].

4. Insert the following lines:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysLogSD%,2

5. Scroll to the end of the file, and then insert the following lines:

AppLogSD="Event log: Specify the security of the application log in Security Descriptor Definition Language (SDDL) syntax"
SysLogSD="Event log: Specify the security of the System log in Security Descriptor Definition Language (SDDL) syntax"

6. Save and then close the file.

7. Click Start, click Run, type regsvr32 scecli.dll in the Open box, and then press ENTER.

8. In the DllRegisterServer in scecli.dll succeeded dialog box, click OK.

Use the Computer's Local Group Policy to Set Your Application and System Log Security

1. Click Start, click Run, type gpedit.msc, and then click OK.

2. In the Group Policy editor, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.

3. Double-click Event log: Application log SDDL, type the SDDL string that you want for the log security, and then click OK.

4. Double-click Event log: System log SDDL, type the SDDL string that you want for the log security, and then click OK.

 

-- Restarted the server and was unable to login to the domain

-- Able to login locally on the server

-- Checked the services and all the services started fine this time

-- Checked the event viewer and this time did not show any error message for service not started

-- Only got

 

Event Type:         Warning
Event Source:       LSASRV
Event Category:     SPNEGO (Negotiator)
Event ID:           40960
Date:               3/9/2008
Time:               12:15:57 AM
User:               N/A
Computer:           RPC-EXCHANGE
Description:
The Security System detected an authentication error for the server LDAP/rpc-dc01.norpc.org/norpc.org@NORPC.ORG.  The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information.
 (0xc000006d)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0               m..À

-- Checked accessing domain controller with \\dcname.domain.com from the server and this worked

-- Also tried accessing with \\domain.com and this also worked

-- Did RDP on Domain controller and then accessed exchange server with \\exchangeserver this failed

-- Rejoined the exchange server with its domain NetBIOS name and it joined successfully

-- Rebooted the server and now able to login to the domain

-- All the exchange services started fine and was able to see emails

-- Rebooted the server once again and everything came up fine

Hope this may help someone in the future.
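
The two CustomSD values quoted in the support summary above can be compared mechanically instead of by eye. This is an added example, not part of the original thread or of Microsoft's summary: it parses both strings, converts token and hex rights to the event-log access mask (0x1 read, 0x2 write, 0x4 clear), and lists which trustees differ. The function names are illustrative.

```python
import re

# SDDL values quoted in the support summary above (spaces from the post removed).
APP_SD = ("O:BAG:EAD:(D;;CCDCLCSDRCWDWO;;;AN)(D;;CCDCLCSDRCWDWO;;;BG)"
          "(A;;CCDCLCSDRCWDWO;;;SY)(A;;CCDCLC;;;BA)(A;;CCDCLC;;;SO)"
          "(A;;CCDC;;;IU)(A;;CCDC;;;SU)(A;;CCDC;;;S-1-5-3)"
          "(A;;CC;;;S-1-5-21-690115048-1955020988-654838779-7525)"
          "(A;;CC;;;S-1-5-21-690115048-1955020988-654838779-7526)")
SYS_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
          "(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)"
          "(A;;0x2;;;LS)(A;;0x2;;;NS)")

# Two-letter SDDL rights tokens that occur in these strings, with their mask bits.
TOKENS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SD": 0x10000,
          "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
READ, WRITE, CLEAR = 0x1, 0x2, 0x4   # event-log meaning of the low three bits

def mask_of(rights):
    """Convert an ACE rights field (hex number or token string) to an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        tok = rights[i:i + 2]
        if tok not in TOKENS:
            raise ValueError(f"unknown rights token {tok!r}")
        mask |= TOKENS[tok]
    return mask

def parse_sd(sddl):
    """Return (owner, group, [(ace_type, mask, trustee), ...]) for an O:G:D: string."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:((?:\([^()]*\))+)", re.sub(r"\s+", "", sddl))
    if not m:
        raise ValueError("not an O:..G:..D:(ace)... descriptor")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(3)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 fields: ({body})")
        aces.append((fields[0], mask_of(fields[2]), fields[5]))
    return m.group(1), m.group(2), aces

def allowed(sddl):
    """Map trustee -> OR of its allow-ACE masks (deny ACEs are ignored here)."""
    out = {}
    for ace_type, mask, trustee in parse_sd(sddl)[2]:
        if ace_type == "A":
            out[trustee] = out.get(trustee, 0) | mask
    return out

def lacking(reference, candidate, bit):
    """Trustees that reference grants `bit` to but candidate does not."""
    ref, cand = allowed(reference), allowed(candidate)
    return sorted(t for t, m in ref.items() if m & bit and not cand.get(t, 0) & bit)

if __name__ == "__main__":
    print("owner/group:", parse_sd(APP_SD)[:2], "vs", parse_sd(SYS_SD)[:2])
    print("write in System, not Application:", lacking(SYS_SD, APP_SD, WRITE))
    print("only in Application:", sorted(set(allowed(APP_SD)) - set(allowed(SYS_SD))))
```

On these two strings the comparison shows a different group (EA against SY), extra allow ACEs for SU, S-1-5-3 and two domain SIDs, and no write ACE for LS or NS in the Application value. The thread does not say which of these the Event Log service rejected.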
dlauten

ASKER

Even though what you said was not the complete answer to the issue, and I swear it was Endpoint that originally caused this problem, you were on the right track so points are yours.