Windows Event Log Service is Not Starting… and my domain is down!
Hi everybody, Scott Goad here to discuss an issue that I worked recently where the customer was unable to log on to the domain. The root cause turned out to be a Group Policy preference setting, so enjoy the read.
The issue occurred after a Group Policy preference item was set to change the clock display setting, which at first glance seemed unrelated. The scenario:
- Change made to group policy preferences.
- No one could log on to the domain, regardless of operating system.
- Windows Event Log service would not start on Windows Server 2008 servers.
Knowing this information, it was time to start investigating why no one could log on. The usual items were checked by running DCDIAG /v /e and checking the servers for errors. There were only 2 domain controllers, so we started with the first. We gathered the DCDIAG output and tried to open Event Viewer to see if there were any outstanding errors reported, but we could not launch the MMC. This was interesting, but still not the focus of the investigation.
The next step was network connectivity – could we ping the DCs in question? Checking this allowed us to learn that the DNS Server Service was stopped, and trying to start the service resulted in:
Error 1722: The RPC server is unavailable.
Since the Event Log service would not start, this was the only error information reported from the OS. The Services snap-in showed the Windows Event Log service as “Starting…”, and the Task Scheduler service and DNS Server Service were set to Automatic but were not able to start.
In discussing with the customer, it became apparent that they had set locale-specific information via Group Policy preferences, and now had this issue. It turns out that there’s a known issue in Group Policy preferences, as outlined in KB:
951430 A non-administrator user cannot log on to a domain from a computer that is running Windows Server 2008 if you set the locale information for the user by using a Group Policy preference setting
As the article describes, the issue is within Group Policy preferences, but what is missing is the workaround information. To resolve the issue, you have to set the following registry value:
Set Locale to: 0000409 (Default for English – United States)
Additional Locale IDs can be found here:
The hotfix from the KB article will prevent this issue from happening in the future; however, to resolve the situation, the customer had to set the registry value and reboot. Once this had been set, the servers came back and were functional again.
KB 951430 has been rewritten to better identify this scenario, and will be published with the new content, similar to this article.
If any of these symptoms sound familiar, check the versions of gpprefcl.dll and gppref.dll and be sure they are at least as new as the versions mentioned in the KB.
Scott “Red Herring” Goad
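A local triage pass for the symptoms and version check described above, as an added example that is not part of the original post or the KB. It assumes PowerShell 2.0 or later, that both DLLs live under System32, and that `$MinimumVersion` (a hypothetical variable) is filled in by hand from KB 951430; the function names are illustrative.

```powershell
# Added example: run locally on each affected server (Event Viewer is not needed).
# ASSUMPTION: left unset on purpose. Set it to the file version listed in KB 951430,
# e.g. $MinimumVersion = [version]'<version from KB 951430>'
$MinimumVersion = $null

# Service names for Windows Event Log, DNS Server and Task Scheduler.
$services = 'EventLog', 'DNS', 'Schedule'
# ASSUMPTION: both files are looked for under %SystemRoot%\System32.
$dlls = 'gpprefcl.dll', 'gppref.dll'

function Get-ServiceState {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        # StartPending is what the Services snap-in displays as "Starting".
        if ($svc) { $status = $svc.Status } else { $status = 'NotInstalled' }
        New-Object PSObject -Property @{ Service = $n; Status = $status }
    }
}

function Get-DllVersionState {
    param([string[]]$Name, $Minimum)
    foreach ($n in $Name) {
        $path = Join-Path $env:SystemRoot "System32\$n"
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ File = $n; Version = 'not found'; MeetsMinimum = 'n/a' }
            continue
        }
        $vi = (Get-Item $path).VersionInfo
        # Build the version from its numeric parts; the FileVersion string can carry
        # trailing build text that does not parse as a version.
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($Minimum) { $ok = ($ver -ge $Minimum) } else { $ok = 'minimum not set' }
        New-Object PSObject -Property @{ File = $n; Version = $ver; MeetsMinimum = $ok }
    }
}

Get-ServiceState -Name $services | Format-Table Service, Status -AutoSize
Get-DllVersionState -Name $dlls -Minimum $MinimumVersion |
    Format-Table File, Version, MeetsMinimum -AutoSize
```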