Microsoft KB Archive/888179

= Issues that occur when the crashonauditfail registry value is set to 1 on an Exchange computer or that occur when the Security event log reaches the maximum size in Windows 2000 Server =

Article ID: 888179

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange 2000 Enterprise Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry





SYMPTOMS
You may experience one or more of the following symptoms:  The logon process may be very slow when you log on to a Microsoft Windows 2000-based domain controller that is integrated with the Active Directory directory service. After you start the DNS snap-in, the domain name may not be displayed under Forward Lookup Zone. After you restart a Windows 2000-based computer, only users who are members of the Domain Admins local group can log on to the computer. When a Microsoft Outlook Web Access (OWA) user tries to access a Microsoft Exchange 2000 Server mailbox, the user receives the following error message:

HTTP 503

Note Administrators can still access their Exchange mailboxes. When Microsoft Office Outlook users try to access an Exchange 2000 Server mailbox by using Microsoft Outlook, they receive the following error message:

The set of folders could be opened. The attempt to log on to the Microsoft Exchange Server has failed.



Event messages on the Windows 2000-based computer
Additionally, the following event is logged in the Application log on the Windows 2000-based computer: Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1000

Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Event messages on the Exchange 2000 computer
Event 1000 may also be logged on the Exchange 2000 computer. Additionally, the following events may be logged in the Application log on the Exchange 2000 computer.

Event 9175
Event Type: Error

Event Source: MSExchangeSA

Event Category: MAPI Session

Event ID: 9175

Description: The MAPI call 'OpenMsgStore' failed with the following error: The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000

Event 9542
Event Type: Error

Event Source: MSExchangeIS

Event Category: General

Event ID: 9542

Description: Initialization of external interface OLEDB failed; Error ecAccessDenied-MAPI_E_NO_ACCESS.

Event 326
Event Type: Error

Event Source: MSExchangeTransport

Event Category: Exchange Store Driver

Event ID: 326

Description: Service Account failed to logon to the store as /o= /ou= /cn=Configuration/cn=Connections/cn=SMTP /cn={412C0189-E08F-46B9-86BB-E2C71D78DC36}. Error code : 0x80004005.

Event 324
Event Type: Error

Event Source: MSExchangeTransport

Event Category: Exchange Store Driver

Event ID: 324

Description: Instance 1 failed to initialize. Error code : 0x80004005.

Event 1005
Event Type: Error

Event Source: MSExchangeSA

Event Category: Monitoring

Event ID: 1005

Description: Unexpected error <<0xc1050000 - The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000>> occurred.



CAUSE
These issues may occur if one of the following conditions is true:
 * The crashonauditfail registry value is set to 1 on the Exchange computer.
 * The Security event log in Windows 2000 Server reaches the maximum size that is specified in the Shut down system immediately if unable to log security audits Group Policy policy setting, and new event messages are no longer logged.

<div class="resolution_section">

RESOLUTION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To resolve these issues, change the value for the crashonauditfail registry value. To do this, follow these steps: <ol> Click Start, click Run, type regedit, and then click OK.</li> Locate and then click the following registry subkey:

 

</li> In the right-pane, double-click crashonauditfail, type 0 in the Value Data box, and then click OK.

Note If the registry data type for the crashonauditfail registry value is set to REG_NONE, and the data value is set to 2, change the data type to REG_DWORD, and then set the data value to 0. This step provides a temporary solution until you disable the Group Policy setting.

The following are the data options for the crashonauditfail registy value:  0 = Any user can log on. This is the default value.</li> 1 = Any user can log on if the computer can audit the events and write the events to the Security event log. If the Security event log is full, the value for the crashonauditfail key is changed to 2, and the computer crashes.</li> 2 = Only administrators can log on.</li></ul> </li> Quit Registry Editor.</li> Disable the Shut down system immediately if unable to log security audits Group Policy policy setting on the default domain or on the domain controller organizational unit.

This policy setting exists on the default domain policy, on the default domain controller policy, and on the local security policy. Even if you disable this policy setting, you must make the registry change that is described in step 3. Before you follow this step, we recommend that you install the latest updates for Exchange 2000 Server.

To disable the policy setting, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, click Run, type gpedit.msc, and then click OK.</li> Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.</li> In the right-pane, double-click Shut down system immediately if unable to log security audits, click Disabled, and then click OK.</li></ol> </li> Disable security auditing. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, click Run, type gpedit.msc, and then click OK.</li> Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.</li> In the right-pane, double-click Audit logon events, click to clear the Success check box, click to clear the Failure check box, and then click OK.</li></ol> </li> <li>If you successfully disabled security auditing, go to step 8. If you could not disable security auditing in step 6, archive and clear the Security log. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.</li> <li>Right-click Security Log, and then click Clear all Events.</li> <li>Click Yes when you are prompted to save the Security log before you clear it.</li> <li>Click to select the location where you want to save the Security log file, type a name for the Security log in the File name box, and then click Save.</li> <li>Close Event Viewer.</li></ol> </li> <li>Restart the Exchange computer.</li></ol>

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 How to obtain the latest Exchange 2000 Server service pack

870540 Availability of the August 2004 Exchange 2000 Server post-Service Pack 3 Update Rollup

<div class="moreinformation_section">

MORE INFORMATION
If you enable the Shut down system immediately if unable to log security audits Group Policy policy setting, the crashonauditfail registry value is automatically set to 1. However, if you shut down the computer and then restart it, the crashonauditfail registry data type is set to REG_NONE. The data value is set to 2. If you change the crashonauditfail data type to REG_DWORD, and you set the data value to 0, the DNS snap-in can access the Windows 2000-based domain controller that is integrated with Active Directory. If you disable the crashonauditfail data value by setting this value to 0, the data value is set to 1 again after you reapply the Group Policy policy setting.

Even if you set the Security log size to 4 gigabytes (GB), the symptoms that are described in this article may occur if the Security log reaches 200 to 300 megabytes (MB). For additional information about the problem that is described in this article, click the following article numbers to view the articles in the Microsoft Knowledge Base:

316685 Active Directory-integrated domain name is not displayed in DNS snap-in with Event ID 4000 and 4013 messages

312571 The Event log stops logging events before reaching the maximum log size

232564 STOP 0xC0000244 when Security log full

178208 CrashOnAuditFail with logon/logoff auditing causes blue screen

160783 Error message: Users cannot log on to a workstation

149393 CrashOnAuditFail activates on shutdown with ProcessTracking

140058 How to prevent auditable activities when Security log is full

Additional query words: xadm

Keywords: kbgrppolicyprob kbgrppolicyinfo kbregistry kbtshoot kbprb KB888179

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.