NeverPing parameter recommended

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2009-03-12

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the number of trusts established for each domain. If at least one domain controller in each domain has the NeverPing value set, the tool displays a best practice message.

The Exchange Server Analyzer displays a warning when the following conditions are true for each domain in the Exchange Server 2003 environment:

• The domain has more than 50 established trusts

• The domain controllers in the domain have the NeverPing registry subkey value set to null (0)

This warning indicates that the LSASS.exe process or the process for authenticating users to the domain could stop responding. The Local Security Authority Subsystem Service (LSASS) is a process in Windows operating systems that verifies the user who is logging on to a Windows-based computer or server. If the following conditions are both true, the LSASS.exe process may be unable to allocate sufficient resources to authenticate client logon requests:

• Users do not specify a domain when they log on.

• The domain has many trusts configured.

If a user does not specify a domain, the LSASS.exe process communicates with all the domains to try to authenticate the user. If the number of simultaneous logons multiplied by the number of trusts is greater than 1,000, LSASS.exe may run out of resources to authenticate users. For example, in a domain that has 50 trusts configured, the LSASS.exe process may be unable to authenticate logon requests if more than 20 users try to log on at the same time. When this condition occurs, you may have to restart the domain controller that is running the particular LSASS.exe process to retry authentication.

To work around this issue, set the NeverPing registry subkey value for the domain controllers to 1. This workaround does not resolve the problem. Instead, it configures the particular domain controllers to no longer communicate with trusted domains to authenticate users who do not specify a domain in an authentication request. Therefore, after you set the NeverPing registry value, a non-domain user account will not be authenticated if the LSASS.exe process cannot locate the account in the local domain.

To set the NeverPing parameter for the domain controllers in your Exchange 2003 environment

1. Click Start, click Run, type regedit, and then click OK.

2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Right-click this subkey, point to New, click DWORD Value, type NeverPing, and then press ENTER.

4. Right-click NeverPing, click Modify, type 1 in the Value data box, and then click OK.

5. Exit Registry Editor.