Link to home
Start Free TrialLog in
Avatar of djerryanderson
djerryandersonFlag for United States of America

asked on

LSASS error and server restart

I have a Windows 2003 Small Business Server that has just started to spontaneously restart. The event log shows application events similar to those described in MS artices 886174 and 818080.

_________________________________
Article 886174:

Type: Error
Event ID: 1015
Source: Winlogon
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000354. The machine must now be restarted.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module authz.dll, version 5.2.3718.0, fault address 0x000023cc. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

________________________________
Article 818080:

Type: Error
Event ID: 1015
Source: Winlogon
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000354. The machine must now be restarted.

Type: Error
Event ID: 1000
Source: Application Error
Description: Faulting application lsass.exe, version 5.2.3790.0, faulting module ntdsa.dll, version 5.2.3790.0, fault address 0x0008590f.
________________________________



With my server, EVENT ID 1015 is exactly as described. The key difference is that the 2nd Event ID 1000 error does not indicate the faulting module is either authz.dll or ntdsa.dll as each of these 2 articles would imply. The faulting module in EVENT ID 1000 in the 5 or so instances of my event log have been any of the following:

lsarv.dll
ntdll.dll
esent.dll


I have applied both hotfixes as well as a hotfix for article 875534 and it is still rebooting. Any suggestions would be appreciated.

Thanks,

Jerry
Avatar of Housenet
Housenet
Flag of Canada image
What about the known root cause?

This problem may occur when an inheritable Deny access control entry (ACE) is applied to an organizational unit (OU) that inherits only to user objects but applies to all properties. The access violation occurs when a principal that this Deny ACE applies to queries users in the OU.
Avatar of djerryanderson
djerryanderson
Flag of United States of America image

ASKER

Yea, I read that in one of the articles. I understand permissions and I understand Active Directory to some degree, but I would have no idea where to look for this.
Avatar of djerryanderson
djerryanderson
Flag of United States of America image

ASKER

Never Mind. I applied another hotfix that seems to have fixed the problem. Thanks anyway though.
ASKER CERTIFIED SOLUTION
Avatar of Housenet
Housenet
Flag of Canada image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Lofty Worm
Lofty Worm
Flag of United States of America image
WHat was your final solution??  Please help, I have the same issue :(
Avatar of djerryanderson
djerryanderson
Flag of United States of America image

ASKER

Wow...this was fom a long time ago. I'm sorry, but I don;t remeber what fixed it and I guess I should have been a little more clear here too. Have you downloaded all of the latest Windows updates and/or service packs. I looked in the ADD/REMOVE PROGRAMS to check my history of patches and it appears as though any hotfixes have been superceeded by the lates support packs.

I would almost have to belive I found tha answer throug a Google search though - Google and EE...those are my 2 primary sources for help.
Avatar of Lofty Worm
Lofty Worm
Flag of United States of America image
Yeah I searched around, and found these, none are superseded, looks like they were not integrated on purpose;
 
AD reboots  
KB 927342 bad LDAP request causes reboot  
http://support.microsoft.com/default.aspx?scid=kb;en-us;927342 
KB 875534 lsass crash using ssl  
http://support.microsoft.com/default.aspx?scid=kb;en-us;875534 
KB 886174 bad LDAP request crashes  
http://support.microsoft.com/default.aspx?scid=kb;en-us;886174 
KB 923977 MSDTC Warnings promote demote event  
http://support.microsoft.com/kb/923977 
KB 818080 LSASS event 1000 1015 rebotos form bad OU privs  
http://support.microsoft.com/default.aspx?scid=kb;en-us;818080 
KB 955410 memory leak form smart card use.  
http://support.microsoft.com/kb/955410 
KB 911185 lsass crash when logging onto MIT realm  
http://support.microsoft.com/kb/911185 
KB 897648 lsass crashes  
http://support.microsoft.com/kb/897648 
Avatar of djerryanderson
djerryanderson
Flag of United States of America image

ASKER

I don;t know if this is all inclusive or not, but I could send you some screen shots of everything installed on my SBS - this by looking under C:\WINDOWS\$NTUninstallKBXXXXXX$. I looked at the list of patches you had listed above and nothing matched what I have. Again, I don;t know how that history of hotfix installs is kept but I assume this is a comprehensive list... I did a sort on date and then googled each of the KB articles from that time frame - nothing stood out there. I looked back on all my old documentation to see if I noted what I had done - old timesheets, emails - nothing. I am sorry but I just don;t remeber. If you want to send me your email, I can send you those screenshots though - mine is janderson@dbc-llp.com. Post here again if you do - even if you email me. I want to make sure you don't get hung up in my spam filter.
Avatar of Lofty Worm
Lofty Worm
Flag of United States of America image
let me first run these patches and see if one works, if one does I will post.  thanks fo ryou effort on this, I will see what I can find...
Avatar of djerryanderson
djerryanderson
Flag of United States of America image

ASKER

Good luck