You cannot log on or you experience a long delay on a domain controller or on a member computer that is running Windows 2000, Windows XP, or Windows Server 2003 (883268)



The information in this article applies to:

  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional

SYMPTOMS

You may experience one or more of the following symptoms on a domain controller or on a member computer that is running Microsoft Windows 2000, Microsoft Windows XP, or Microsoft Windows Server 2003:
  • The following error message is logged in the system event log: Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7000
    User: N/A
    Description: The Service Name service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion. Note In this error message, Service Name is one of the services that are listed in the "More Information" section.
  • The following error message is logged in the system event log:Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 7
    User: N/A
    Description: The Kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client <computer name> in realm <AD DNS domain name> had a PAC which failed to verify or was modified. Contact your system administrator.
    Data: 0000: c0000192
  • After the Log on dialog box appears, you receive the following error message:
    lsass.exe - System Error
    Object Name not found.
    After you click OK on the Log on dialog box, the computer may restart.
  • The computer automatically restarts before the Log on dialog box appears.
  • When the computer restarts, you experience a long delay before the Log on dialog box appears. When you try to log on by using a domain account, you cannot log on or you experience a long delay. Also, you may experience a long delay when you try to browse through the domain list on the Log on dialog box.
  • On a computer that is running Windows XP or Windows Server 2003, you receive notification that the computer hardware significantly changed after the last activation. This notification may also indicate that reactivation is required.
  • When you start Device Manager, no devices appear in the hardware list. You do not receive an error message. If you click Device Manager in the Computer Management snap-in, the results window remains empty.
  • The computer starts and then displays the Log on dialog box. However, the wait pointer does not change. The computer does not respond to the CTRL+ALT+DEL keyboard shortcut.
  • After the computer starts and the Applying Computer Settings part of the startup process occurs, you receive the following error message:
    lsass.exe - System Error

    Object Name already exists.
    When you click OK, the computer starts. Next, the computer reports that a service could not be started. If the computer is a domain controller, some functionality may not work as before. Additional error messages may appear in tools such as Dcdiag.exe.
  • If you try to manually start a service, you receive the following error message and then the computer restarts:
    lsass.exe - System Error

    Object Name already exists.

CAUSE

This problem may occur if one or more services that run in the Lsass.exe process or in the Services.exe process are no longer configured to run as shared service processes. By default, services that run in these processes are configured to run as shared service processes.

RESOLUTION

If you have not successfully logged on after the problem first occurred, press the F8 key when the operating system selection page is displayed or before the computer starts Windows. Select the Last Known Good Configuration option.

If you still experience the problem, follow these steps to log on to the computer and to run Sc.exe.

Windows 2000 and Windows XP
  1. Restart the computer.
  2. Press the F8 key before the Windows logo page is displayed.
  3. Press the F8 key to select Advanced Startup Options when the operating system selection page is displayed.
  4. Use the arrow keys to select Safe Mode with Command Prompt, and then press ENTER.
Windows Server 2003
  1. Restart the computer.
  2. Press the F8 key before the Windows logo page is displayed.
  3. Use the arrow keys to select Safe Mode with Command Prompt, and then press ENTER.
You can use the Sc.exe tool to determine what service is incorrectly configured. To do this, follow these steps.

Note Sc.exe is included with Windows XP and with Windows Server 2003. Sc.exe is also available in the Windows 2000 Server resource kit.
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following commands. Press ENTER after you type each command:
    • Sc query HTTPFilter
    • Sc query KDC
    • Sc query Netlogon
    • Sc query NTLMssp
    • Sc query PolicyAgent
    • Sc query ProtectedStorage
    • Sc query SamSs
    • Sc query Eventlog
    • Sc query PlugPlay
The TYPE value must be 20 WIN32_SHARE_PROCESS for the services that are listed in the "More Information" section to be correctly configured. This value configures the services to run in shared service processes.

For example, if you type SC query Netlogon, you receive output that is similar to the following:
C:\>sc query Netlogon

SERVICE_NAME: Netlogon
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Note Services that are configured to run in separate memory processes have a TYPE value of 10 WIN32_OWN_PROCESS.

After you determine what services are incorrectly configured, follow these steps to change the TYPE value:
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type sc config Service Name type= share, and then press ENTER.

    Note In this step, Service Name is one of the services that are listed in the "More Information" section.
  3. Repeat step 1 for each service that is incorrectly configured.

    Note Even if you received activation notification before you followed these steps, you must reactivate your copy of Windows.

MORE INFORMATION

The following services run as part of the Lsass.exe process, unless otherwise specified:
  • HTTPFilter (HTTP SSL)
  • KDCSVC (Kerberos Key Distribution Center)
  • Netlogon (Net Logon)
  • NTLMssp (NTLM Security Support Provider)
  • PolicyAgent (IPSEC Services)
  • ProtectedStorage (Protected Storage)
  • SamSs (Security Accounts Manager)
  • Eventlog (Event Log)
  • PlugPlay (Plug and Play)

Modification Type:MajorLast Reviewed:8/3/2005
Keywords:kbService kbServer kbClient kberrmsg kblogin kbEvent kbSysSettings kbPerformance kbtshoot KB883268 kbAudITPRO kbAudEndUser