Net Logon service not started error 0X00000997 fix
Domain join fails with 0X00000997 when Net Logon service is stopped. Here's the quick fix and why it happens.
Quick answer: Start the Net Logon service on the target machine, then restart the client. If it's a DC, check LSASS and the service dependencies.
I know this error is infuriating — you're trying to join a machine to the domain, and boom, 0X00000997 with "The Net Logon service has not been started." I tripped on this one my first year running a help desk. The real trigger? The Net Logon service is stopped or hung. On a domain controller (DC), this kills all authentication and domain join requests. On a client, it means no secure channel to the DC.
Most common scenario: You're deploying a new Windows 10/11 machine or a Windows Server 2022 member server, and the join fails. Or you're on a DC that's been rebooted and LSASS isn't talking to Net Logon yet. Let's fix it.
Fix Steps
1. Check if Net Logon is running
Open Services.msc (Win + R, type services.msc). Find Net Logon. If it's stopped, right-click and Start. Then set startup type to Automatic if it isn't already.
2. Verify dependencies
Net Logon depends on Remote Procedure Call (RPC) and Security Accounts Manager (SAM). Both should be running. Check these two services too — if SAM is stopped, Net Logon won't start. Start SAM first, then Net Logon.
3. If it won't start manually — check LSASS
This is the weird one. On a DC, the Local Security Authority Subsystem Service (LSASS) is critical. If LSASS is in a bad state or hung, Net Logon refuses to start. Open Task Manager, go to Details, look for lsass.exe. If it's using 0% CPU or memory is maxed, restart the server (yes, that's the nuclear option, but it works).
4. Restart the client
After starting the service on the DC or client, reboot the client machine trying to join the domain. This clears the cached secure channel state. Retry the domain join from System Properties.
5. Use the command line (for remote or scripted fixes)
You can do this without the GUI:
net start netlogon
sc config netlogon start= auto
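The first line starts it now. The second sets it to auto-start on boot. Run both as Administrator from a Command Prompt; in Windows PowerShell, type sc.exe instead of sc, because sc there is an alias for Set-Content.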
Alternative Fixes if the Main One Fails
Alternative 1: Re-register Net Logon DLLs
Sometimes the service binary is corrupted. Run this from an elevated command prompt:
regsvr32 /u netlogon.dll
regsvr32 netlogon.dll
Then restart the service. This is a quick hail mary — works about 20% of the time when the DLL is simply unregistered.
Alternative 2: Check Group Policy
On a DC, if Net Logon is set to Disabled via Group Policy, no local change will stick. Check Computer Configuration\Windows Settings\Security Settings\System Services for Net Logon. Set to Automatic and force GP update: gpupdate /force.
Alternative 3: Reinstall the domain controller role (extreme)
If this is a DC and Net Logon repeatedly fails, you might have a corrupt Active Directory database. Run dcdiag to check. If errors persist, demote the DC, clean up metadata, then promote again. I've only had to do this twice in 6 years, but it's the final step when nothing else works.
Prevention Tip
Set up a scheduled task or monitoring alert (I use a simple PowerShell script with Get-Service Netlogon | Where-Object {$_.Status -eq 'Stopped'}) that emails you if the service stops. Also, never disable the Net Logon service via GPO — I've seen admins do this accidentally to "secure" things, and it breaks everything.
One more thing: After fixing this error, the domain join might succeed, but you could still get a trust relationship failure later if the secure channel was broken. Run Test-ComputerSecureChannel -Repair on the client to be safe. That command is gold.
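A fuller version of the monitoring check from the Prevention Tip, which also covers the dependency check from step 2 and the secure channel test mentioned above. This is an added example, not part of the original article. It assumes Windows PowerShell 5.1, an elevated session and a domain-joined machine; alert delivery is left to whatever runs the script and reacts to the exit code.

```powershell
# Added example: Net Logon health check for a scheduled task or monitoring agent.
# Assumptions: Windows PowerShell 5.1, elevated, domain-joined machine.
$problems = @()

# Service state and startup type (Win32_Service exposes both in one query).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'"
if (-not $svc) {
    $problems += 'Netlogon service not found'
} else {
    if ($svc.State -ne 'Running')  { $problems += "Netlogon state is $($svc.State)" }
    if ($svc.StartMode -ne 'Auto') { $problems += "Netlogon start mode is $($svc.StartMode)" }
}

# Dependencies are read from the service definition rather than a fixed list,
# so the check reports whatever this machine's Netlogon actually requires.
$controller = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
foreach ($dep in $controller.ServicesDependedOn) {
    if ($dep.Status -ne 'Running') {
        $problems += "Dependency $($dep.Name) is $($dep.Status)"
    }
}

# The secure channel can only be tested while Netlogon is running.
# Test-ComputerSecureChannel returns $true or $false; no -Repair here,
# because a monitor should report, not change state.
if ($svc -and $svc.State -eq 'Running') {
    try {
        if (-not (Test-ComputerSecureChannel)) {
            $problems += 'Secure channel to the domain is broken'
        }
    } catch {
        $problems += "Secure channel test failed: $($_.Exception.Message)"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets the scheduler or agent raise the alert
}
Write-Output 'Net Logon OK'
exit 0
```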
If you're still stuck, check the event logs: Applications and Services Logs\Microsoft\Windows\Netlogon. Look for event IDs 5719 or 5807 — they'll point you to the exact DC that's failing. Good luck.