Article ID: 242361 - Last Review: November 1, 2006 - Revision: 1.1

RPC "Server is Unavailable" Message When Audit Log is Full

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q242361
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986  (http://support.microsoft.com/kb/256986/EN-US/ ) Description of the Microsoft Windows Registry

On This Page

Expand all | Collapse all

SYMPTOMS

You may receive one of the following error messages:
RPC Server Is Unavailable
RPC Too Busy
When this occurs, connectivity to the server stops. Rebooting the server clears the message and restores connectivity temporarily.
Back to the top

CAUSE

This behavior can occur if you have run the C2 Configuration Manager utility from the Microsoft Windows NT 4.0 Resource Kit. The C2 Configuration Manager utility makes changes to the server that disable network functionality if an auditable event cannot be logged.

The C2 Configuration Manager utility makes two changes to the server that stop networking functionality if auditable events cannot be logged. The first change is the addition of the following registry key:
Key: \CurrentControlSet\Control\Lsa
Value: CrashOnAuditFail
Type: REG_DWORD
Data Value: 1
This key prevents auditable activities when the Security log becomes full.

The second change is the setting for the log files in Event Viewer. The Log File Wrapping setting is changed to Do Not Overwrite Events (Clear Log Manually).

With these two settings in place, the server shuts down all auditable processes (causing Remote Procedure Call, or RPC, to stop working) when the Security event log becomes full.
Back to the top

RESOLUTION

Use either of the following methods to work around this problem:
Back to the top

Method 1: Remove the CrashOnAuditFail Value

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Use Registry Editor (Regedt32.exe) to delete the CrashOnAuditFail value from the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
After you make this change, quit Registry Editor and restart the computer to cause the change to take effect.
Back to the top

Method 2: Change the Event Log Settings

  1. Start Event Viewer.
  2. On the Log menu, click Log Settings.
  3. In the Settings dialog box, you can either increase the size of the Security log, or change the Log File Wrapping setting to Overwrite events as needed.
Back to the top

MORE INFORMATION

For additional information about the CrashOnAuditFail value, click the article numbers below to view the articles in the Microsoft Knowledge Base:
140058  (http://support.microsoft.com/kb/140058/EN-US/ ) How to Prevent Auditable Activities When Security Log Is Full
178208  (http://support.microsoft.com/kb/178208/EN-US/ ) CrashOnAuditFail with Logon/Logoff Auditing Causes Blue Screen
Back to the top
APPLIES TO
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT 4.0 Service Pack 1
  • Microsoft Windows NT 4.0 Service Pack 2
  • Microsoft Windows NT 4.0 Service Pack 3
  • Microsoft Windows NT 4.0 Service Pack 4
  • Microsoft Windows NT 4.0 Service Pack 5
Back to the top
Keywords: 
kbenv kberrmsg kbprb KB242361
Back to the top