Every time that you restart your Microsoft Windows Server 2003-based domain controller, you may receive the following two error events in the application log in Event Viewer.
Event message 1
Event Source: Userenv Event Category: None Event ID: 1030 Date: date Time: time Type: Error User: NT AUTHORITY\SYSTEM Computer: servername Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Event message 2
Event Source: Userenv Event Category: None Event ID: 1097 Date: date Time: time Type: Error User: NT AUTHORITY\SYSTEM Computer: servername Description: Windows cannot find the machine account. The Local Security Authority cannot be contacted.
Additionally, the following information appears in the Userenv.log file:
USERENV(198.4fc) 14:47:41:140 GetMachineToken: AcceptSecurityContext failed with 0x80090304USERENV(198.4fc) 14:47:41:140 GetGPOInfo: Failed to get the machine token with -2146893052USERENV(198.4fc) 14:47:41:140 GetGPOInfo: Leaving with 0USERENV(198.4fc) 14:47:41:140 GetGPOInfo: ********************************USERENV(198.4fc) 14:47:41:140 ProcessGPOs: GetGPOInfo failed.USERENV(198.4fc) 14:47:41:140 ProcessGPOs: No WMI logging done in this policy cycle.USERENV(198.4fc) 14:47:41:140 ProcessGPOs: Processing failed with error -2146893052.
Additionally, the following information appears in the Netlogon.log file:
07/09 13:37:04 [CRITICAL] NetpDcHandlePingResponse: corp.example.com.: Netlogon is paused on the server. 0x1407/09 13:37:04 [MISC] NetpDcGetName: corp.example.com. using cached information07/09 13:37:04 [MISC] DsGetDcName function returns 0: Dom:RTMS_PDC Acct:(null) Flags: DS NETBIOS RET_DNS 07/09 13:37:05 [SITE] DsrGetSiteName: Returning site name 'Default-First-Site-Name' from local cache.07/09 13:37:05 [LOGON] SamLogon: Generic logon of CORP.EXAMPLE.COM\(null) from (null) Package:Kerberos Entered07/09 13:37:05 [LOGON] SamLogon: Generic logon of CORP.EXAMPLE.COM\(null) from (null) Package:Kerberos Returns 0xC00002F5
This issue may occur if one or more of the following conditions are true:
Only one other domain controller is available in the domain, and that domain controller is starting up, but is not completely started.
This is the only domain controller in the domain. The error events that are described in the "Symptoms" section of this article are logged while the domain controller is starting up.
A program sends a request that requires a domain controller role, and the domain controller is still starting up.
The Net Logon service on a domain controller is set to Manual and is not started.
The "Turn off background refresh of Group Policy" Group Policy setting is being applied.
This behavior occurs because, during startup, the Net Logon service enters a paused state together with Directory Services startup. During this time, the domain controller responds to netlogon ping requests with a "netlogon paused" response.
Note These netlogon ping requests may also originate from the local computer.
In this scenario, domain controller locator requests are unsuccessful. Therefore, the program or service that sends the request cannot locate a domain controller. Typically, this error only occurs while the domain controller starts. The error stops when the services are available. When the Net Logon service resumes from the paused state, other programs and services can again contact the domain controller.
To work around this issue, if you only have one domain controller, add one or more additional domain controllers to your domain. Make sure that the Net Logon service on the domain controllers is configured as Automatic and is started. To do this, follow these steps:
Click Start, point to Administrative Tools, and then click Services.
Double-click the Net Logon service.
Click Automatic in the Startup type list.
If the Net Logon service is not running, right-click the Net Logon service and then click Start.
Additionally, check whether
has a dependency on LanmanServer in the following registry subkey:
If the "Turn off background refresh of Group Policy" setting is enabled, the following registry value will exist on the local computer:
This policy prevents Group Policy from being applied while users are logged on. If this policy is enabled, policy refresh occurs only when no users are logged on to the computer.
You can enable NETLOGON and USERENV logging to further troubleshoot this issue. Use the nltest /dbflag command for best results. For more information about how to enable USERENV logging, click the following article number to view the article in the Microsoft Knowledge Base:
221833 How to enable user environment debug logging in retail builds of Windows