Solved

Server restart : lsass.exe terminated unexpectedly with status code 1073741819

Posted on 2009-06-26
Last Modified: 2012-05-07
Windows 2003 Server R2 x64 restarts every 15 sec with the message
"'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819"
It's a domain controller. I already ran the Sasser removal tool and also did a full scan with Symantec Endpoint Protection, but I didn't find any worm or virus.
It happens when the server is restarted with the LAN connection; without the LAN connection the above message does not come up to restart the server.
0
Question by:Arabsoft-ACS
22 Comments
 
LVL 10

Expert Comment

by:dnilson
ID: 24726530
If lsass.exe terminates, Windows WILL reboot.  That's the intended operation.

Question is, what's crashing the process.

Since you are on a 64 bit box, a 32 bit driver, or application is immediately suspect.  

I) Set up a clean boot by Microsoft definitions to eliminate 32 bit applications
Step 2: Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

II) If that fails you need to make sure you are using a 64 bit version of EVERY driver.

Start with the NIC driver(s) per your above description.

III) Look in the system and application logs for clues.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726559
Run sfc /scannow
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24726598
Sfc /scannow will fix any bad Windows system files, but it's not going to fix a bad 32 bit app or driver, so don't forget to check those.

What's the history of the machine: old/new, recently failed/always bad, upgraded, clean install etc.?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726618
Are you able to abort the shutdown?
Shutdown -a

I had this problem about 5 years ago and it was bad Active Directory data failing to replicate. Are there other Domain Controllers?

Are you able to dcpromo to remove it as a DC and then dcpromo it back?

Obviously after transferring any FSMO roles to another DC
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726641
I installed some Microsoft hotfixes and the problem was solved temporarily; the server ran without restarting, but when I checked my Active Directory and DNS, both were not working. I checked the services: the IPsec service and the Kerberos Key Distribution Center service are not running. When I try to start them they fail to start, and then I again face the problem with the LAN. I am not able to ping the other servers and the gateway; the result is "destination host unreachable".
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726671
After re-reading your original post I would say you either have a failing/failed NIC or bad drivers for said NIC.

Try another NIC if you have one available or try re-installing the original drivers for the one you have
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726687
All of those services you have mentioned will fail if the NIC is not working so this is definitely a good place to start!

Was it working and something has changed or did it never work?

Roll back the NIC driver in Device Manager using the roll back button on the properties of the NIC
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726699
I have already reinstalled the NIC drivers; there are two NIC cards and both have the same problem
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726715
Have you got a NIC card you can install to test and disable the other 2?
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24726720
If you change the NIC it should be a different model brand, and have a 64 bit driver and / a Windows native driver
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726760
Both NICs are built in, with the same configuration, and the drivers support 64 bit.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726774
If there is a problem with the NIC interface it will affect both as the onboard cards are normally dual port.

Can you try another NIC card that you plug on to the server's motherboard?
0
 

Author Comment

by:Arabsoft-ACS
ID: 24727084
Same problem after using another NIC card. The IPsec service and Kerberos service still do not start.
Getting the same result "Destination Host Unreachable" when pinging the gateway and another IP in the same subnet.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24727092
If you do an ipconfig /all what do you get?
Can you post the results
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24727118
Can you also run DCDIAG and NETDIAG and post the results
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24727505
Just curious, when you say "without LAN connection" do you mean unplugged or...?   If just unplugging it solves the problem try giving it a static ip on another subnet, could conceivably be getting attacked.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24728249
LSASS stands for Local Security Server. It goes to the Kerberos ticket granting agent and verifies security identification for network logons.

Though it will fail without NIC support, the computer will not reboot on its own. The lack of time synchronization will also fail LSASS if it is out of the 5 minute phase offset. However, the lack of time synchronization will also not cause a computer reboot or slowness on the server.

The restart of the computer indicates a memory leak, or application failure. You can tell it NOT to reboot upon failure. And then I would check out this article on memory leaks caused from LSASS.exe.

http://support.microsoft.com/kb/893246

If this doesn't work, you might look for memory articles like this that have to do with LSASS causing a memory leak.

 
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24728595
ChiefIT

The reported problem is unexpected termination of LSASS, not its failure due to lack of NIC support.

Termination of the LSASS process will in itself reboot the machine, that's how the shutdown command works.

Kill the process on a running machine and you will see the familiar shutdown dialog.

========================
author

Have you checked the system log to determine the sequence of events post bootup?

Can you list the error / status messages IN the chronological order they appear in the log starting with the Microsoft HAL loading so we can glean some idea of what failed first, etc.  Perhaps there is a why hidden in those messages

 
0
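The chronological reading of the system log requested in the comment above, as an added example that is not part of the original thread: it sorts exported log lines, finds the lsass.exe termination message, decodes the signed decimal status code into its NTSTATUS hex form, and lists what was logged shortly before. The tab-separated export format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# A few NTSTATUS values; extend as needed.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
CRASH_RE = re.compile(
    r"'(?P<image>[^']+)' terminated unexpectedly with status code (?P<code>-?\d+)")

def decode_status(code):
    """Turn the decimal code from the message into (hex, name).
    The 32-bit value is printed as a signed integer, so the sign matters."""
    value = int(code) & 0xFFFFFFFF
    return f"0x{value:08X}", NTSTATUS_NAMES.get(value, "unknown")

def parse_line(line):
    """Assumed export format: timestamp<TAB>source<TAB>message."""
    stamp, source, message = line.split("\t", 2)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), source, message

def timeline_before_crash(lines, window=timedelta(minutes=2)):
    """Sort events; return the first crash and what preceded it in the window."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    for when, _source, message in events:
        hit = CRASH_RE.search(message)
        if hit:
            lead_up = [e for e in events if when - window <= e[0] < when]
            return {"image": hit["image"], "time": when,
                    "status": decode_status(hit["code"]), "lead_up": lead_up}
    return None

# Constructed sample, deliberately out of order; not taken from the poster's server.
SAMPLE = [
    "2009-06-26 09:14:31\tSystem\t'C:\\WINDOWS\\system32\\lsass.exe' "
    "terminated unexpectedly with status code -1073741819",
    "2009-06-26 09:14:12\tNIC\tNetwork link is up",
    "2009-06-26 09:10:02\tSystem\tThe Event log service was started",
    "2009-06-26 09:14:20\tService Control Manager\tThe IPSEC Services service failed to start",
]

if __name__ == "__main__":
    result = timeline_before_crash(SAMPLE)
    print(result["image"], *result["status"])
    for when, source, message in result["lead_up"]:
        print(when, source, message, sep=" | ")
```
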
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24729373
I'd be inclined to compare the service pack levels on all the DCs to ensure they match - are they all running R2?

You can check this using the Windows 2003 version of repadmin:

repadmin /showattr <name of the domain controller that is in the target domain> ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

It won't show you individual hotfixes, but worth thinking of those too
0
 

Accepted Solution

by:
Arabsoft-ACS earned 0 total points
ID: 24778980
After a long discussion, no proper solution was found... at last formatted the server and restored the last full + differential backup.

Thanks, everyone
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24778996
It's a shame none of the last questions were answered as with the information requested we may well have found you a solution.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24780181
So, did restoring a backup solve the problem?  LOL...if it is an attack, it will still be one.
0
