Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 712
  • Last Modified:

LSASS.EXE 0xc00000f Windows 2000 server. Critical server!!!!

Hi,

Our dc decided to crash and upon boot we get the following error:

lsass.exe system error.  Directory services could not start due to the following error:  system cannot find file specified.  error status 0xc00000f.....

When we reboot to directory services mode we can see the lsass.exe file in the system folder and also the ntds.dit file in d:\ad\dbase\

I have read that this issue is due to a corrupt ad so I booted our other dc into ds mode and copied the ntds.dit file to the corrupt server.  However upon reboot I get the same error.  (I renamed the existing ntds.dit file ntds.old).

Has anyone any suggestion as to what I can try next??  The server is our exchange server so its pretty critical.

Many thnaks

G
0
GlenmoranUK
Asked:
GlenmoranUK
  • 6
  • 3
1 Solution
 
mattisflonesCommented:
Might be that a sasser worm infected your system.. Get the cure here: http://search.symantec.com/custom/us/query.html
0
 
GlenmoranUKAuthor Commented:
I am quite certain it was not a virus as it happened whilst we were stopping the internet information store.

The server is also protected with sophos which updates every 2 hours.

But I will check...

G
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
mattisflonesCommented:
Not a virus.. A worm! And any AV can experience a glitch..

If the LSASS.EXE itself is corrupted i guess you could fix it with a "SFC /SCANNOW" But thats quite a big job on a DC with Exchange..
0
 
mattisflonesCommented:
Ps, MS released a secpatch for LSASS problems too.. might be worth a try..
0
 
GlenmoranUKAuthor Commented:
I tried copying lsass.exe from our other domain controller but got the same result.

Our server is behind a managed firewall with all patches installed.  It may just be a coincidence that it happened when it did.

I will check for the worm..

G
0
 
mattisflonesCommented:
If you get the system to boot you should check taskmanager for LSASS, if its there you got worms..
0
 
GlenmoranUKAuthor Commented:
Got server to boot again..

Was not a virus but a corrupt AD as initially thought..

Firstly booted into D/S mode and tried to run ntdsutil but crashed out.  Then tried esentutl with the following structure:

esentutl /g "path\ntds.dit"/!10240 /8 /v /x /o

This showed a corrupt database so ran:

esentutl /p "path\ntds.dit" /!10240 /8 /v /x /o

This repaired the AD and then I had to delete the AD log files before booting back.

Server came back (5 mins ago) so will check whats happening.  As I type my outlook tells me the connection with the exchange server has been restored.

G
0
 
mattisflonesCommented:
Seems like glenmoranUK had the answer to the problem in his last comment.
I reccomend, PAQ and refund points..
0
 
ee_ai_constructCommented:
Question answered by asker or dialog valuable.
Closed, 500 points refunded.
ee_ai_construct (replacement part #xm34)
Community Support Admin
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now