xxgenius

Windows 2003 lsass.exe error logging in w/ Terminal Services

I set up a Windows Server 2003 Enterprise Edition.  I set up Terminal Services so I can use this server remotely.  I can log on to the server at the console with the server Admin ID and a domain ID and pass.  When I launch Terminal Services I can log on OK with the server Admin ID; however, when I try to use a domain ID and pass I receive an error and the server reboots.  I am able to log on at the console with this ID and have set up this ID in Terminal Services Manager.  When I attempt to log on with the domain ID it looks as though it will connect, but then I get the two pop-up errors below.  I included the Event errors too.

===Popup 1===
***Logon Message***

The system cannot log you on due to the following error:

An internal error occurred.


Please try again or consult your system administrator.

               -OK-
====Popup 2====

***System Shutdown***

The system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.  Shutdown will begin in 59 seconds.

Shutdown message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

               -ok-

====Event Logs====

Source: Winlogon
Category: None
Event ID: 1015
Type: Error

A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

Source: Application Error
Category: (100)
Event ID: 1000
Type: Error

Faulting application lsass.exe, version 5.2.3790.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
CrazyOne

Could be

It is a worm that causes this problem

first do this

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability.

...


technical details

When W32.Blaster.Worm is executed, it does the following:

Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.

Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D

sets D equal to 0.

if C > 20, will subtract a random value less than 20.

Once calculated it will start attempting to exploit the computer based on A.B.C.0 and count up.

NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.

Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D

set D equal to 0.

sets A, B, and C to random values between 0 and 255.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the randomness with how it constructs the exploit data, it may cause computers to crash if it sends incorrect data.

Listens on UDP port 69. When it receives a request, it will send back the Msblast.exe binary.

Sends the commands to the remote computer to connect back to the infected host and download and run the Msblast.exe.

If the current month is after August, or if the current date is after the 15th it will perform a denial of service on "windowsupdate.com"

With the current logic, the worm will activate the Denial of Service attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

...

Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch

The Patch
Microsoft Windows XP 64-bit Edition :
Microsoft Windows XP Home SP1:
Microsoft Patch WindowsXP-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en 

Microsoft Windows XP Home :
Microsoft Windows XP Professional SP1:
Microsoft Patch WindowsXP-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en 

Microsoft Windows 2000 Advanced Server SP4:

Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en 

Microsoft Windows 2000 Advanced Server SP3:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en 

Microsoft Windows 2000 Advanced Server SP2:
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Professional SP4:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en 

Microsoft Windows 2000 Professional SP3:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en 

Microsoft Windows 2000 Professional SP2:
Microsoft Windows 2000 Server SP4:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en 

Microsoft Windows 2000 Server SP3:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en 

Microsoft Windows 2000 Server SP2:
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Patch Q823980i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en 
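The event entries quoted in the question and the Run-key persistence value from the Symantec write-up above can both be checked mechanically. This is an added Python example, not code from the thread, from Microsoft or from Symantec: it parses Event Viewer text in the layout pasted above, flags lsass.exe failures (Winlogon 1015 and Application Error 1000, with c0000005 marked as an access violation), and matches exported Run-key values against the documented Blaster value. The sample event text and Run-key contents are constructed.

```python
import re
# Constructed sample in the layout the question quotes from Event Viewer.
SAMPLE_EVENTS = """Source: Winlogon
Category: None
Event ID: 1015
Type: Error

A critical system process, C:\\WINDOWS\\system32\\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

Source: Application Error
Category: (100)
Event ID: 1000
Type: Error

Faulting application lsass.exe, version 5.2.3790.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
"""
# Constructed contents of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name -> data).
SAMPLE_RUN_KEY = {"windows auto update": "msblast.exe", "VendorTray": "C:\\Vendor\\tray.exe"}
# Persistence value documented for W32.Blaster in the Symantec text above.
BLASTER_RUN_VALUES = {"windows auto update": "msblast.exe"}
# (source, event id) pairs the thread shows for an lsass.exe failure.
LSASS_FAILURE_EVENTS = {("Winlogon", 1015), ("Application Error", 1000)}

def parse_events(text):
    """Split pasted Event Viewer text into dicts: source, event_id, type, message."""
    events = []
    for block in re.split(r"\n(?=Source: )", text.strip()):
        header, _, message = block.partition("\n\n")
        fields = dict(line.split(": ", 1) for line in header.splitlines() if ": " in line)
        events.append({"source": fields.get("Source", ""), "type": fields.get("Type", ""),
                       "event_id": int(fields.get("Event ID", "0")),
                       "message": " ".join(message.split())})
    return events

def lsass_crash_events(events):
    """Keep events recording an lsass.exe failure and mark access violations:
    c0000005 is STATUS_ACCESS_VIOLATION, the value the popup shows as -1073741819."""
    hits = []
    for ev in events:
        msg = ev["message"].lower()
        if "lsass.exe" in msg and (ev["source"], ev["event_id"]) in LSASS_FAILURE_EVENTS:
            ev["access_violation"] = "c0000005" in msg or "-1073741819" in msg
            hits.append(ev)
    return hits

def blaster_run_indicators(run_values):
    """Return Run-key entries whose name and data match the Blaster persistence value."""
    return {name: data for name, data in run_values.items()
            if BLASTER_RUN_VALUES.get(name.lower()) == data.lower()}
```

An lsass crash with no Run-key hit is what the asker actually saw, which is why the later replies look at authentication and Terminal Services licensing rather than at a worm.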
Gnart

Try MS support to see if it's related to a known LDAP error with W2003 authentication.  There is a hotfix for this known error. (paste both parts of the following line)

http://support.microsoft.com/default.aspx?scid=kb;en-us;826819&Product=winsvr2003

cheers
xxgenius

ASKER

CrazyOne: i don't have the blaster worm.  i installed Net Associates 7.1 and updated and ran the scan.  that was the first thing i did to make sure it wasn't a virus.  unless the NetAssociates didn't catch anything, i don't know.  i didn't see msblaster in the task manager.

Gnart: i saw this and another article on the MS site, however the patch needed is from microsoft directly and i don't want to use up a support call for this if this patch may not help since the article doesn't directly state my issue.
bbao
CrazyOne, are you using a special scan&answer tool to grab questions? why can you always answer questions with a long post within ONE minute after the question was posted? 8-) or, are you an answer machine at all?! ;)) just kidding...

xxgenius, did your TS work well before? that means, did all valid users (either admin or common user) log in successfully before? did you recently change some NTFS permissions of any folder on the server? is this w2k3 installation a fresh new one or upgraded from 2k/nt? thanks.
this is a fresh install.  after the first install when i got this error, i reinstalled since it would be easier to reinstall than to troubleshoot.  since it happened the second time then there must be a Windows issue.  The TS only works with the local system ID, therefore since it is LSASS.exe that is causing the issue, something during the domain authentication stops the lsass.exe process.

This is very similar to an NT and 2000 issue I found in the KB (220946):
http://support.microsoft.com/default.aspx?scid=kb;en-us;220946&Product=termsvr

Right now I'm installing it on another hardware server and see what I get.  I'll post the results when I'm finished.
I still get this error on another server.  This is my third installation with this error.
ASKER CERTIFIED SOLUTION
Gnart

my fix (which may be a bug on MS's end). the account i was using to login was a member of both the Enterprise Admins and Domain Admins.  The primary group was set to Enterprise Admins, once I set the ID to Domain Admin as primary, it worked.
Sure is a bug... Enterprise Admins is over Domain Admins by all accounts.  As it exists Enterprise Admins cannot use Term to remote admin.  Thanks for the points.

cheers
I am having the same issues here. It is definitely NOT a virus. I have even installed the lsass hotfix from Microsoft. Still the same issue. Not with TS, but just logging in. After a certain amount of time, it will give the lsass error, and NT/Authority will reboot the server. Also getting some errors with FRS starting up, seems like it sometimes takes four or five times to get it started. No errors in AD, SFC finds nothing, AV is always running... I'm at the end of my rope.

Later,
RushB
Has this been resolved by MS?  I'm also having the same problem.  my config is server 2003 enterprise w/ exchange 2003 installed.  All the service packs etc.  

Thanks for the info about the Enterprise Admin.  I can log in with an account that's only Domain Admin.  I have not seen MS post a fix for this as of today.  

Thanks for the posts!

l8r..
no, i never logged a call about the issue. as of now i'm using that trick as a work around. i did obtain an lsass hotfix, but it did not help.
Same issue still happening here, I am demoting all my DCs and as I do the problem follows me to the DCs that remain. How am I going to get rid of the problem if it is somehow tied to Active Directory, and yet there are no errors in Active Directory? It has degraded to the point that my other DCs can't see the domain. Now my Exchange 2000 box cannot see a DC, and System Attendant hangs up and will not start. Well, then Unity can't start up and do voicemail... I bought Exchange 2003, but have held off on upgrading that server until I get this issue resolved. I'm at my wit's end, and waiting on Service Pack 1. I may just go back to Win2K unless I can get one DC to act right for more than a few hours, but I'm a little afraid of making the change back and losing anything.

Later,
RushB
I'm going to add in some search terms here for others to find this thread.

lsass errors out NT Authority shutdown. File Replication stops. Exchange System Attendant hangs while starting. nltest /sc_query shows no domain. Domain controllers cannot see domain.

Shoot me now.

Later,
RushB
ok, i still haven't resolved the problem either. but when i do i'll post.
Like you RushB I'm at my wit's end!  I have the same problem here ... a 2003 DC running Exchange 2003 Enterprise.
I can log in OK under Safe Mode but Ctrl-Alt-Del doesn't work (i.e. does nothing) in any other mode before the system shuts down in 60 seconds.  As such, not sure how I can select a Domain Account rather than an Enterprise Account?

Whilst in Safe Mode are there any services I can disable so that I can at least login under normal mode?

neither hotfix, from KB articles 826819 and 821265, helped.
One of our customers had the same problem.
It seems that you have installed Terminal Services without licenses.

On windows 2000 you install Term. Services for remote administration.
On windows 2003 you have to enable Remote Desktop on the System Properties. (Just like XP)

So if you uninstall Terminal Services and enable Remote Desktop it will work.

Regards
Similar to xxgenius, encounter the same problem as well. Did you manage to resolve the problem already?
as a note. i followed bvanbeusichem's advice.  it works great. apparently if you need to do remote administration you shouldn't use terminal services.  i have enabled the Remote Desktop above.

as for bvanbeusichem, you deserve some points for this.  i will open another question titled "points for bvanbeusichem" in this same category.
Opening another thread for points is against the membership agreement...   Just thought I would throw that out before a mod steps in...   They are starting to get rather strict on this lately..

FE
this is also posted in the wrong area, should be posted in w2k3 forum as this is where the issue was at...
sure, but back when it was first opened there was no Win2k3 forum.
Did MS solve this problem for you? How? I experience the same behaviour.
I found at least one cause.....

This is what happened to me.

I got the Lsass shutdown errors after I installed service pack 1.  I am getting it with Nod32 -> IMON (Internet Monitor) enabled.  I've used the latest version of Nod32 as well as 2.50.9 beta.  In one machine I had to disable IMON in Nod32, and so far no LSASS errors.  On the other, I had to uninstall Nod32 completely.

So for me, the factors were,
Windows Server 2003
SP1 (final, no lsass prob w/ beta)
Nod32 (w/ w/o IMON enabled YMMV)

I've also found reports of this occurring w/ SP1 and certain versions of Acronis True Image Server

Here's one link to SP1 <-> Nod32 <-> LSASS errors...
http://www.neowin.net/comments.php?id=27755&category=main

Hope it helps.

NV
Greetings all,

I have found that this issue is also related to a problem with a user changing their password from within terminal services, i have received this error about 2 times a week, and it was maddening, until i read an article published by microsoft

http://support.microsoft.com/default.aspx?scid=kb;en-us;818080

It seems whenever a user changes their password from within terminal services, there is a Kerberos error and lsass fails causing a reboot of the system.

Now i just need to find the resolution to the problem, oh look at that i just got an email from M$ with a custom hotfix.

Wish me luck !!!!!

have a great day!
Good Luck!  come back in and let us know how it went!