Topic Last Modified: 2009-03-12
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the number of trusts established for each domain. If at least one domain controller in each domain has the NeverPing value set, the tool displays a best practice message.
The Exchange Server Analyzer displays a warning when the following conditions are true for each domain in the Exchange Server 2003 environment:
- The domain has more than 50 established trusts
- The domain controllers in the domain have the NeverPing
registry subkey value set to null (0)
This warning indicates that the LSASS.exe process or the process for authenticating users to the domain could stop responding. The Local Security Authority Subsystem Service (LSASS) is a process in Windows operating systems that verifies the user who is logging on to a Windows-based computer or server. If the following conditions are both true, the LSASS.exe process may be unable to allocate sufficient resources to authenticate client logon requests:
- Users do not specify a domain when they log on.
- The domain has many trusts configured.
If a user does not specify a domain, the LSASS.exe process communicates with all the domains to try to authenticate the user. If the number of simultaneous logons multiplied by the number of trusts is greater than 1,000, LSASS.exe may run out of resources to authenticate users. For example, in a domain that has 50 trusts configured, the LSASS.exe process may be unable to authenticate logon requests if more than 20 users try to log on at the same time. When this condition occurs, you may have to restart the domain controller that is running the particular LSASS.exe process to retry authentication.
To work around this issue, set the NeverPing registry subkey value for the domain controllers to 1. This workaround does not resolve the problem. Instead, it configures the particular domain controllers to no longer communicate with trusted domains to authenticate users who do not specify a domain in an authentication request. Therefore, after you set the NeverPing registry value, a non-domain user account will not be authenticated if the LSASS.exe process cannot locate the account in the local domain.
|This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.|
Click Start, click Run, type regedit, and then click OK.
Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
Right-click this subkey, point to New, click DWORD Value, type NeverPing, and then press ENTER.
Right-click NeverPing, click Modify, type 1 in the Value data box, and then click OK.
Exit Registry Editor.
For More Information
Before you edit the registry and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, "Windows registry information for advanced users" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).
For more information about this issue and about how to set the NeverPing parameter value for your domain controller, see the following Microsoft Knowledge Base articles:
- 923241, "The Lsass.exe process may stop responding if you have
many external trusts on a Windows Server 2003-based domain
- 825107, "The Lsass.exe process may stop responding if you have
many external trusts on a Windows 2000 Server-based domain