|
| 1 | +--- |
| 2 | +title: Troubleshoot Netlogon service startup failures |
| 3 | +description: Describes the symptoms, causes, and solutions for the scenarios that lead to Netlogon service startup failures. |
| 4 | +ms.date: 04/30/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: davfish, wincicadsec |
| 9 | +ms.custom: |
| 10 | +- sap:windows security\netlogon,secure channel,dc locator |
| 11 | +- pcy:WinComm Directory Services |
| 12 | +--- |
| 13 | +# Troubleshoot Netlogon service startup failures |
| 14 | + |
| 15 | +This article describes the symptoms, causes, and solutions for the scenarios that lead to Netlogon service startup failures. |
| 16 | + |
| 17 | +## Service dependencies |
| 18 | + |
| 19 | +The Netlogon service provides support for New Technology LAN Manager (NTLM) logon requests, Kerberos Privilege Attribute Certificate (PAC) verifications, domain controller discovery, DNS registration of SRV records, managing the system's computer account password, and maintaining trust passwords on domain controllers. To accomplish these operations, Netlogon requires facilities of other components and services within the operating system. Generally known as Service Dependencies, Netlogon depends on the services noted in the picture below: |
| 20 | + |
| 21 | +:::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/diagram-of-the-netlogon-service-dependencies.png" alt-text="A diagram of the Netlogon service dependencies."::: |
| 22 | + |
| 23 | +Notice that Netlogon depends on the Workstation service, the Workstation service depends on the Browser, MrxSMB20, and NSI services, and so on. On servers operating as domain controllers, Netlogon has additional dependencies on the Server service, the Server service depends on SAMSS and SRV2, SRV2 depends on SRVNET, and so on. These dependency relationships are detailed by the Services MMC snap-in within the properties of the service's "Dependencies" tab. This dependency configuration is stored within the registry for each services' key under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`. Contained within each service key is a value "DependsOnService" that defines the specific, direct dependencies of that service. For example, the Netlogon service registry key of a domain controller defines the DependOnService value containing the data "LanmanWorkstation LanmanServer". |
| 24 | + |
| 25 | +To view the dependencies of the Netlogon service, leverage the Services MMC and inspect the service properties: |
| 26 | + |
| 27 | +:::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/screenshot-of-the-netlogon-service-properties.png" alt-text="A screenshot of the Netlogon service properties."::: |
| 28 | + |
| 29 | +Another method of querying dependencies is via the Service Control Manager Configuration Tool (sc.exe) command line utility. Below is the output of the `QC` command to query the configuration for Netlogon service dependencies of a domain controller: |
| 30 | + |
| 31 | +```console |
| 32 | +C:\Windows\System32>sc qc netlogon |
| 33 | + |
| 34 | +[SC] QueryServiceConfig SUCCESS |
| 35 | + |
| 36 | +SERVICE_NAME: netlogon |
| 37 | + TYPE : 20 WIN32_SHARE_PROCESS |
| 38 | + START_TYPE : 2 AUTO_START |
| 39 | + ERROR_CONTROL : 1 NORMAL |
| 40 | + BINARY_PATH_NAME : C:\Windows\system32\lsass.exe |
| 41 | + LOAD_ORDER_GROUP : MS_WindowsRemoteValidation |
| 42 | + TAG : 0 |
| 43 | + DISPLAY_NAME : Netlogon |
| 44 | + DEPENDENCIES : LanmanWorkstation |
| 45 | + : LanmanServer |
| 46 | + SERVICE_START_NAME : LocalSystem |
| 47 | +``` |
| 48 | + |
| 49 | +Or, you may navigate to the Netlogon service registry key to inspect the service configuration: |
| 50 | + |
| 51 | +1. Open the registry editor. |
| 52 | +2. Browse to the desired service key (in this example, the path is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon`): |
| 53 | + |
| 54 | + :::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/screenshot-of-the-registry-editor.png" alt-text="A screenshot of the Registry Editor."::: |
| 55 | + |
| 56 | +3. Confirm the proper settings. For example, dependencies are configured (**DependOnService** value), start type is defined (**Start** value), and the service binary (**ImagePath** value). |
| 57 | + |
| 58 | +### Troubleshoot |
| 59 | + |
| 60 | +If a dependent service fails to start, both that service and any services with dependencies on it will likewise not start. When investigating a Netlogon service startup failure, it is important to identify which service was responsible for the failures in all other dependent services. For example, below are the System event log errors reported when the Netlogon service failed to start because the Workstation (LanmanWorkstation) service depends on another service (bowser) that failed to start: |
| 61 | + |
| 62 | +> Log Name: System |
| 63 | +> Source: Service Control Manager |
| 64 | +> Event ID: 7001 |
| 65 | +> Level: Error |
| 66 | +> Description: The Netlogon service depends on the LanmanWorkstation service which failed to start because of the following error: |
| 67 | +> The dependency service or group failed to start. |
| 68 | +
|
| 69 | +> Log Name: System |
| 70 | +> Source: Service Control Manager |
| 71 | +> Event ID: 7001 |
| 72 | +> Level: Error |
| 73 | +> Description: The LanmanWorkstation service depends on the bowser service which failed to start because of the following error: |
| 74 | +> The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. |
| 75 | +
|
| 76 | +## Netlogon startup failures issues |
| 77 | + |
| 78 | +Netlogon startup failures (or any dependent service start failures) may require one or more actions to correct the problem. This can include (but is not limited to): |
| 79 | + |
| 80 | +- Correcting disabled dependent services |
| 81 | +- Correcting invalid or missing service configuration registry values |
| 82 | +- Restoring missing or corrupted executable or DLL files |
| 83 | +- Correcting restrictive registry permissions |
| 84 | + |
| 85 | +Below are some of the event log errors that indicate that Netlogon has failed to start. |
| 86 | + |
| 87 | +### Symptom 1 |
| 88 | + |
| 89 | +A dependent service did not start: |
| 90 | + |
| 91 | +> Log Name: System |
| 92 | +> Source: Service Control Manager |
| 93 | +> Event ID: 7001 |
| 94 | +> Level: Error |
| 95 | +> Description: The Netlogon service depends on the \<SERVICE NAME\> service which failed to start because of the following error: |
| 96 | +> The dependency service or group failed to start. |
| 97 | +
|
| 98 | +#### Resolution |
| 99 | + |
| 100 | +Inspect the dependent services to determine which service(s) failed to start. Verify the services have a proper service start configuration using the Services MMC snap-in (Services.msc) to view and modify the service configuration. |
| 101 | + |
| 102 | +In the example below, the Workstation service has been configured with a 'disabled' startup type and therefore is in a 'stopped' state: |
| 103 | + |
| 104 | +:::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/screenshot-of-the-servicesmsc.png" alt-text="A screenshot of the services.msc."::: |
| 105 | + |
| 106 | +:::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/screenshot-of-the-workstation-service-properties.png" alt-text="A screenshot of the Workstation service properties."::: |
| 107 | + |
| 108 | +Setting the **Startup type** to **Automatic** and starting the service will restore Workstation service operation. |
| 109 | + |
| 110 | +### Symptom 2 |
| 111 | + |
| 112 | +A nonexistent or invalid service defined for the Netlogon service or a dependent service: |
| 113 | + |
| 114 | +> Log Name: System |
| 115 | +> Source: Service Control Manager |
| 116 | +> Event ID: 7003 |
| 117 | +> Level: Error |
| 118 | +> Description: The Netlogon service depends on the following service: \<MISSING OR INVALID SERVICE\>. This service might not be installed. |
| 119 | +
|
| 120 | +#### Resolution |
| 121 | + |
| 122 | +An invalid service may be configured in the 'DependOnService' registry value of the Netlogon service or the service referenced in this value is missing as an installed service. In the example below, the Netlogon service on a member server failed to start because it was unable to validate a dependent service. |
| 123 | + |
| 124 | +> Log Name: System |
| 125 | +> Source: Service Control Manager |
| 126 | +> Event ID: 7003 |
| 127 | +> Level: Error |
| 128 | +> Description: The Netlogon service depends on the following service: Contoso\_Service. This service might not be installed. |
| 129 | +
|
| 130 | +Remove the offending entry found within the DependOnService registry value: |
| 131 | + |
| 132 | +:::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/edit-the-depend-on-service-registry-value.png" alt-text="Edit the DependOnService registry value."::: |
| 133 | + |
| 134 | +:::image type="content" source="media/troubleshoot-netlogon-service-startup-failures/remove-an-entry-from-the-depend-on-service-registry-value.png" alt-text="Remove an entry from the DependOnService registry value."::: |
| 135 | + |
| 136 | +### Symptom 3 |
| 137 | + |
| 138 | +An invalid or missing service Dynamic Linked Library (DLL) specified causes a dependent service to not start: |
| 139 | + |
| 140 | +> Log Name: System |
| 141 | +> Source: Service Control Manager |
| 142 | +> Event ID: 7001 |
| 143 | +> Level: Error |
| 144 | +> Description: The Netlogon service depends on the \<SERVICE NAME\> service which failed to start because of the following error: |
| 145 | +> The specified module could not be found. |
| 146 | +
|
| 147 | +Attempting to start Netlogon via Services MMC returns the error "Windows could not start the Netlogon service on Local Computer. Error 126: The specified module could not be found." |
| 148 | + |
| 149 | +#### Resolution |
| 150 | + |
| 151 | +Each service application must initialize dynamic linked libraries (DLLs) successfully in order to function. Perform a system file scan via the System File Checker (SFC.exe) tool (see <https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e>), restore missing DLLs from backup, or perform a repair or reinstallation of the operating system. |
| 152 | + |
| 153 | +### Symptom 4 |
| 154 | + |
| 155 | +An invalid or missing service executable specified causes a dependent service to not start: |
| 156 | + |
| 157 | +> Log Name: System |
| 158 | +> Source: Service Control Manager |
| 159 | +> Event ID: 7000 |
| 160 | +> Level: Error |
| 161 | +> Description: The Netlogon service failed to start due to the following error: |
| 162 | +> The system cannot find the file specified. |
| 163 | +
|
| 164 | +Attempting to start Netlogon via Services MMC returns the error "Windows could not start the Netlogon service on Local Computer. Error 2: The system cannot find the file specified." |
| 165 | + |
| 166 | +#### Resolution |
| 167 | + |
| 168 | +Validate that the service(s) failing to start have a valid value configured in the "Path to executable" field when viewing service properties via the Services MMC, or validate the proper 'ImagePath' value in the registry for the affected service(s). |
| 169 | + |
| 170 | +### Symptom 5 |
| 171 | + |
| 172 | +Netlogon reports that the service entered the stopped state during system boot. Attempting to manually start the service results in the following error: |
| 173 | +The Netlogon service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs. |
| 174 | + |
| 175 | +#### Resolution |
| 176 | + |
| 177 | +Validate the service permissions within the registry are set to appropriate values. Permissions will vary based on the role of the system (for example domain controllers as compared to workstations or member servers). Ensure that no entries are specifying a 'deny' permission for 'SYSTEM' or 'Administrators'. By default, the registry permissions are inherited from the parent registry key and the owner is configured as 'SYSTEM'. |
| 178 | + |
| 179 | +## Additional symptoms |
| 180 | + |
| 181 | +Other services, such as the Windows Time Service or the Group Policy Service may report failed operations due to Netlogon not being started: |
| 182 | + |
| 183 | +> Log Name: System |
| 184 | +> Source: Microsoft-Windows-Time-Service |
| 185 | +> Event ID: 159 |
| 186 | +> Level: Warning |
| 187 | +> Description: W32time is unable to communicate with Netlogon Service. This failure prevents NTPClient from discovering and using domain peers, besides causing problems with correct W32time service state being advertised by Netlogon. This could be a temporary condition that resolves itself shortly. If this warning repeats over a considerable period of time, ensure the Netlogon service is running and is responsive and restart W32time service to reintiaize the overall state. The error was 0x80070700: An attempt was made to logon, but the network logon service was not started. |
| 188 | +
|
| 189 | +> Log Name: System |
| 190 | +> Source: Microsoft-Windows-Time-Service |
| 191 | +> Event ID: 130 |
| 192 | +> Level: Warning |
| 193 | +> Description: NtpClient was unable to set a domain peer to use as a time source because of failure in establishing a trust relationship between this computer and the 'litware.com' domain in order to securely synchronize time. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The RPC server is unavailable. (0x800706BA) |
| 194 | +
|
| 195 | +> Log Name: System |
| 196 | +> Source: Microsoft-Windows-GroupPolicy |
| 197 | +> Event ID: 1110 |
| 198 | +> Level: Error |
| 199 | +> Description: The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account. |
| 200 | +
|
| 201 | +Management or other operations relying on the Netlogon service will also fail: |
| 202 | + |
| 203 | +```console |
| 204 | +nltest /sc_query:litware.com |
| 205 | + |
| 206 | +I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE |
| 207 | +``` |
| 208 | + |
| 209 | +```console |
| 210 | +net use \\192.168.1.11 /user:litware\administrator |
| 211 | + |
| 212 | +System error 1792 has occurred. |
| 213 | + |
| 214 | +An attempt was made to logon, but the network logon service was not started. |
| 215 | +``` |
| 216 | + |
| 217 | +Domain controller locator will fail to locate a domain controller with error 1355 or "The specified domain either does not exist or could not be contacted". |
| 218 | + |
| 219 | +Domain trust relationships may fail if all reachable domain controllers have their Netlogon service stopped: |
| 220 | + |
| 221 | +> Log Name: System |
| 222 | +> Source: NETLOGON |
| 223 | +> Event ID: 5719 |
| 224 | +> Level: Error |
| 225 | +> Description: This computer was not able to set up a secure session with a domain controller in domain <DOMAIN> due to the following: |
| 226 | +> We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential. |
| 227 | +> This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. |
| 228 | +
|
| 229 | +## More information |
| 230 | + |
| 231 | +If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. |
0 commit comments