djerryanderson
asked on
LSASS error and server restart
I have a Windows 2003 Small Business Server that has just started to spontaneously restart. The event log shows application events similar to those described in MS artices 886174 and 818080.
__________________________ _______
Article 886174:
Type: Error
Event ID: 1015
Source: Winlogon
Description: A critical system process, C:\WINDOWS\system32\lsass. exe, failed with status code c0000354. The machine must now be restarted.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module authz.dll, version 5.2.3718.0, fault address 0x000023cc. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________ ______
Article 818080:
Type: Error
Event ID: 1015
Source: Winlogon
Description: A critical system process, C:\WINDOWS\system32\lsass. exe, failed with status code c0000354. The machine must now be restarted.
Type: Error
Event ID: 1000
Source: Application Error
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module ntdsa.dll, version 5.2.3790.0, fault address 0x0008590f.
__________________________ ______
With my server, EVENT ID 1015 is exactly as described. The key difference is that the 2nd Event ID 1000 error does not indicate the faulting module is either authz.dll or ntdsa.dll as each of these 2 articles would imply. The faulting module in EVENT ID 1000 in the 5 or so instances of my event log have been any of the following:
lsarv.dll
ntdll.dll
esent.dll
I have applied both hotfixes as well as a hotfix for article 875534 and it is still rebooting. Any suggestions would be appreciated.
Thanks,
Jerry
__________________________
Article 886174:
Type: Error
Event ID: 1015
Source: Winlogon
Description: A critical system process, C:\WINDOWS\system32\lsass.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module authz.dll, version 5.2.3718.0, fault address 0x000023cc. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
__________________________
Article 818080:
Type: Error
Event ID: 1015
Source: Winlogon
Description: A critical system process, C:\WINDOWS\system32\lsass.
Type: Error
Event ID: 1000
Source: Application Error
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module ntdsa.dll, version 5.2.3790.0, fault address 0x0008590f.
__________________________
With my server, EVENT ID 1015 is exactly as described. The key difference is that the 2nd Event ID 1000 error does not indicate the faulting module is either authz.dll or ntdsa.dll as each of these 2 articles would imply. The faulting module in EVENT ID 1000 in the 5 or so instances of my event log have been any of the following:
lsarv.dll
ntdll.dll
esent.dll
I have applied both hotfixes as well as a hotfix for article 875534 and it is still rebooting. Any suggestions would be appreciated.
Thanks,
Jerry
ASKER
Yea, I read that in one of the articles. I understand permissions and I understand Active Directory to some degree, but I would have no idea where to look for this.
ASKER
Never Mind. I applied another hotfix that seems to have fixed the problem. Thanks anyway though.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
WHat was your final solution?? Please help, I have the same issue :(
ASKER
Wow...this was fom a long time ago. I'm sorry, but I don;t remeber what fixed it and I guess I should have been a little more clear here too. Have you downloaded all of the latest Windows updates and/or service packs. I looked in the ADD/REMOVE PROGRAMS to check my history of patches and it appears as though any hotfixes have been superceeded by the lates support packs.
I would almost have to belive I found tha answer throug a Google search though - Google and EE...those are my 2 primary sources for help.
I would almost have to belive I found tha answer throug a Google search though - Google and EE...those are my 2 primary sources for help.
Yeah I searched around, and found these, none are superseded, looks like they were not integrated on purpose;
AD reboots
KB 927342 bad LDAP request causes reboot
http://support.microsoft.com/default.aspx?scid=kb;en-us;927342
KB 875534 lsass crash using ssl
http://support.microsoft.com/default.aspx?scid=kb;en-us;875534
KB 886174 bad LDAP request crashes
http://support.microsoft.com/default.aspx?scid=kb;en-us;886174
KB 923977 MSDTC Warnings promote demote event
http://support.microsoft.com/kb/923977
KB 818080 LSASS event 1000 1015 rebotos form bad OU privs
http://support.microsoft.com/default.aspx?scid=kb;en-us;818080
KB 955410 memory leak form smart card use.
http://support.microsoft.com/kb/955410
KB 911185 lsass crash when logging onto MIT realm
http://support.microsoft.com/kb/911185
KB 897648 lsass crashes
http://support.microsoft.com/kb/897648
AD reboots
KB 927342 bad LDAP request causes reboot
http://support.microsoft.com/default.aspx?scid=kb;en-us;927342
KB 875534 lsass crash using ssl
http://support.microsoft.com/default.aspx?scid=kb;en-us;875534
KB 886174 bad LDAP request crashes
http://support.microsoft.com/default.aspx?scid=kb;en-us;886174
KB 923977 MSDTC Warnings promote demote event
http://support.microsoft.com/kb/923977
KB 818080 LSASS event 1000 1015 rebotos form bad OU privs
http://support.microsoft.com/default.aspx?scid=kb;en-us;818080
KB 955410 memory leak form smart card use.
http://support.microsoft.com/kb/955410
KB 911185 lsass crash when logging onto MIT realm
http://support.microsoft.com/kb/911185
KB 897648 lsass crashes
http://support.microsoft.com/kb/897648
ASKER
I don;t know if this is all inclusive or not, but I could send you some screen shots of everything installed on my SBS - this by looking under C:\WINDOWS\$NTUninstallKBX XXXXX$. I looked at the list of patches you had listed above and nothing matched what I have. Again, I don;t know how that history of hotfix installs is kept but I assume this is a comprehensive list... I did a sort on date and then googled each of the KB articles from that time frame - nothing stood out there. I looked back on all my old documentation to see if I noted what I had done - old timesheets, emails - nothing. I am sorry but I just don;t remeber. If you want to send me your email, I can send you those screenshots though - mine is janderson@dbc-llp.com. Post here again if you do - even if you email me. I want to make sure you don't get hung up in my spam filter.
let me first run these patches and see if one works, if one does I will post. thanks fo ryou effort on this, I will see what I can find...
ASKER
Good luck
This problem may occur when an inheritable Deny access control entry (ACE) is applied to an organizational unit (OU) that inherits only to user objects but applies to all properties. The access violation occurs when a principal that this Deny ACE applies to queries users in the OU.