You have one or more forests that have multiple domains.
There are combinations of users and resources (such as applications or proxy servers) in different domains.
There are lots of NTLM logon requests from remote domain users to a resource server that is running Windows Server 2008 R2.
In this scenario, the NTLM requests time out. For example, Exchange clients do not authenticate to the Exchange server when this issue occurs. Therefore, users cannot access their mailboxes, and Microsoft Outlook seems to stop responding.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2
To apply this hotfix, you do not have to make any changes to the registry.
You must restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Collapse this tableExpand this table
Windows Server 2008 R2
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
Collapse this tableExpand this table
For all supported IA-64–based versions of Windows Server 2008 R2
The hotfix should be installed on all resource servers that accept a significant number of NTLM authentication requests. Because the API slots are also used for Kerberos PAC verification, servers on which non-service applications (such as IIS worker processes) accept many user sessions are also targets for this update.
This update should also be installed on all domain controllers. The primary targets are domain controllers in the high-volume resource domains and all domain controllers on the trust path of the domains where you have user accounts. If you have a clear separation between domains that host server resources vs. domains that host users, the domain controllers of the user domains don’t require the update.
If you don’t have a clear separation between user and resource domains, you should install this update on all domain controllers.
New functionality in this update
After you install the hotfix, the following new events and warnings are logged to track NTLM authentication delays and failures:
Log Name: System Source: NETLOGON Event ID: 5816 Level: Error Description: Netlogon has failed an authentication request of account username in domain user domain FQDN. The request timed out before it could be sent to domain controller directly trusted domain controller FQDN in domain directly trusted domain name. This is the first failure. If the problem continues, consolidated events will be logged about every <event log frequency value> minutes. Please see http://support.microsoft.com/kb/2654097
for more information.
Log Name: System Source: NETLOGON Event ID: 5817 Level: Error Description: Netlogon has failed an additional count authentication requests in the last event log frequency in <value> minutes. The requests timed out before they could be sent to domain controller directly trusted domain controller FQDN in domain directly trusted domain name. Please see http://support.microsoft.com/kb/2654097
for more information.
Log Name: System Source: NETLOGON Event ID: 5818 Level: Warning Description: Netlogon took more than warning event threshold seconds for an authentication request of account username in domain user domain FQDN, through domain controller directly trusted domain controller FQDN in domain directly trusted domain name. This is the first warning. If the problem persists, a recurring event will be logged every event log frequency in <value> minutes. Please see http://support.microsoft.com/kb/2654097
for more information on this error.
Log Name: System Source: NETLOGON Event ID: 5819 Level: Warning Description: Netlogon took more than warning event threshold seconds for count authentication requests through domain controller directly trusted domain controller FQDN in domain directly trusted domain name in the last event log frequency in <value> minutes. Please see http://support.microsoft.com/kb/2654097
for more information.
After you install the hotfix, the EventLogPeriodicity and WarningEventThreshold registry entries can be set in the following registry key:
Note By default, after you install the hotfix, event 5816 is logged when an initial failure occurs, and event 5817 is logged every 30 minutes when later failures occur.
Name: WarningEventThreshold Type: REG_DWORD Data: 0 to 45
Default: 0 (no warnings) Minimum: 1 Maximum: 45
Note When a request waits for a Netlogon API call slot for more than this number of seconds, event 5818 or event 5819 is logged. The maximum value of the registry subkey is 45. After 45 seconds, the request times out and is tracked by event 5816 and event 5817.
When you set the WarningEventThreshold registry subkey, use a value that suits the importance of NTLM authentication performance in your environment. We recommend that you start with a value of five seconds.
The following details describe how each of these events is logged:
Each outgoing Netlogon security channel is tracked independently.
A monitoring thread checks whether any secure channels require an event to be logged.
When the first error or warning condition is met, event 5816 or event 5818 is logged. Additionally, the affected security channel is flagged for monitoring by the thread that was mentioned earlier.
If an initial event is logged, on additional failures or warnings, only the instance counter is incremented.
The next time that the thread starts, event 5817 or event 5819 is logged if there are instances in the last monitoring interval.
If no problem or delay occurred during the last monitoring interval, event 5817 or event 5819 is not logged and the security channel is no longer monitored.
When the security channel detects this issue again, a new event 5816 or new event 5818 is logged, and the security channel enters the monitoring status again.
When the domain controller for a trusted domain changes and there are errors or delays, event 5816 or event 5818 is logged. Therefore, the new trusted domain controller name is tracked, and a new monitoring cycle begins. The change of domain controller may be related to previous events that were logged.
Additional file information
Additional file information for Windows Server 2008 R2
Additional files for all supported x64-based versions of Windows Server 2008 R2