LSASS.EXE Shutdown after Server 2003 Upgrade

Hi,

I just upgraded my domain controller to server 2k3.  I ran through all the steps listed to do so.  The server starts up and the login window appears, I immediately get a pop up that says:

****************
This system is shutting down.  The shutdown was initiated by NT AUTHORITY\SYSTEM

Message:

Process C:\WINNT\SYSTEM32\LSASS.EXE terminted with status code 1073741819.  The system will now shutdown and restart.
****************

I have recovery console installed.  I copied a new version of lsass.exe from the cd to the \SYSTEM32 folder, but still get same error.

HELP!!!!!!
darrennelsonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rob WilliamsCommented:
Run a virus check specifically looking for the Sasser virus, it can cause the symptoms you are experiencing.
0
darrennelsonAuthor Commented:
any tips on how to do this when I can even get in to the server in safe mode?
0
Rob WilliamsCommented:
The following articles explain the Sasser virus in more detail and how to deal with it. You may have to interrupt the shutdown process with  shutdown -a  as described in the first article, to deal with it.
http://ask-leo.com/what_are_lsass_lsassexe_and_sasser_and_how_do_i_know_if_im_infected_what_do_i_do_if_i_am.html

http://vil.nai.com/vil/content/v_125007.htm

Free removal tools:
http://vil.nai.com/vil/stinger/
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html





0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Rob WilliamsCommented:
ps - there can be other causes for the LSASS shut down, but Sasser is a well known common cause.
0
darrennelsonAuthor Commented:
im following the ask-leo steps right now, about to scan for sasser.  Here is more info that might help.  i can get in in safemode, but not safemode with networking.  is this characteristic of sasser?
0
darrennelsonAuthor Commented:
and what would be the other causes?
0
Rant32Commented:
What service pack was Windows 2000 on, and what's the SP level of Windows 2003?

This error can also be caused by an invalid value for ReplicateEvery in a site link. See http://support.microsoft.com/kb/300038

Also, try enabling the Internet connection firewall on the network adapters, if possible. See if the error re-occurs. If it doesn't, then visit the WindowsUpdate website and install all available security updates.
0
Rob WilliamsCommented:
>>"i can get in in safe mode, but not safe mode with networking.  is this characteristic of sasser?"
I don't know but it does spread to network shares so it may be the case. I have noticed numerous site recommend starting in safe mode without networking to deal with it. I don't know if that is a recommended procedure r necessary, as per:
http://hsc.usf.edu/is/download/update/index.html

Blaster worm is another that can causes similar problems.
Then there is a list of other possible causes such as installing multiple updates without re-starting between the updates, but all of the others seem to have somewhat different symptoms, like random restarts over a period of time. One you might want to have a look at where your were installing updates:
http://www.jsifaq.com/subM/tip6100/rh6116.htm 
0
theruckCommented:
i got this problem when there was NOD32 antivirus installed on the server. if you have it just uninstall it
0
darrennelsonAuthor Commented:
server 2000 was on service pack 4, i upgraded to server 2003 standard edition R2 sp1.

I went into device manager and noticed that all drivers has loaded except the NIC drivers.  After installing NIC drivers, on the first subsequent logon, rather than the original error, I got this:

LSASS.EXE - System Error

Object Name Not Found

then it rebooted and i got the same error that i got the first time around.  I am currently going to check the "Replicate Every" settings
0
Rob WilliamsCommented:
Based on the sequence of events you have just listed above, it would be unlikely you got hit with a virus in the middle of your upgrade. What if you try uninstalling the NIC drivers or disable the adapter and reboot. If it boots OK, then search for different drivers.
0
Rant32Commented:
You're not the only one having problems upgrading a 2000 DC to 2003. The error codes are sometimes different. Maybe this link will help you:

When you upgrade a Windows 2000 domain controller to Windows Server 2003, you receive 'LSASS.EXE terminated unexpectedly with status code -1073741571' when you restart your server?
http://www.jsifaq.com/SUBQ/tip8100/rh8199.htm
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
darrennelsonAuthor Commented:
Here is the solution to our specific scenario:

1.  The reason for the upgrade was to be able to use RPC over HTTP.  This allows your Exchange server to be accessed by the Outlook client outside of your LAN (ref article KB833401).  This requires your global catalog to be a Server 2003 box.

2.  Attempts were made to setup RPC over HTTP using KB833401 on GC before it was upgraded to Windows 2003 Server.  In doing so, the key "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\NSPI interface protocol sequences" was set to a data type of REG_SZ.  The key should actually be REG_MULTI_SZ.  This was causing the lsass.exe error.

Rant32, I just read your post (after typing the above two paragraphs).....ACK!, you would have saved me alot of time had that post been 24hours earlier, but either way, I was a good learning experience.

MODERATORS and POSTERS:  I need some input on points division.  RobWill was extremely helpful and responsive, but was looking in the wrong direction.  Rant32 posted the correct solution, but I actually found in through MS the day before.  Any input will be appreciated.
0
Rob WilliamsCommented:
No points necessary on my part. Glad to hear you were able to resolve. Sorry not of more help.
--Rob
0
darrennelsonAuthor Commented:
Rob, just knowing there was someone out there willing was enough.
Thanks Again

-Darren
0
Rob WilliamsCommented:
Thanks Darren,
--Rob
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.