  • Status: Solved
  • Priority: Medium
  • Security: Public

Server restart : lsass.exe terminated unexpectedly with status code 1073741819

Windows 2003 Server R2 x64 restarts every 15 seconds with the message
"'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819"
It's a domain controller. I already ran the Sasser removal tool and also did a full scan with Symantec Endpoint Protection, but I didn't find any worm or virus.
It happens when the server is restarted with the LAN connection; without the LAN connection, the above message does not come up to restart the server.
0
Arabsoft-ACS
Asked:
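Added example, not part of the original thread: the status code in the question is a signed decimal NTSTATUS value. This Python sketch converts it to the usual hex form and splits out the severity, facility and code fields; the function names and the short table of known codes are this example's own, and the message string is copied from the question.

```python
import re

# Layout of a 32-bit NTSTATUS: Sev(2) | Customer(1) | Reserved(1) | Facility(12) | Code(16)
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

# A few well-known values from ntstatus.h; anything else is reported as unknown.
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000017: "STATUS_NO_MEMORY",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Message text as quoted in the question above.
QUESTION_MESSAGE = (r"'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly "
                    "with status code -1073741819")


def to_ntstatus(value):
    """Fold a signed or unsigned decimal status into an unsigned 32-bit value."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError("not a 32-bit status code: %d" % value)
    return value & 0xFFFFFFFF


def decode(value):
    """Split a status code into its NTSTATUS fields."""
    status = to_ntstatus(value)
    return {
        "hex": "0x%08X" % status,
        "severity": SEVERITY[status >> 30],
        "customer": bool(status & (1 << 29)),
        "facility": (status >> 16) & 0x0FFF,
        "code": status & 0xFFFF,
        "name": KNOWN.get(status, "unknown"),
    }


def decode_message(text):
    """Find 'status code <decimal>' in a shutdown message and decode it."""
    match = re.search(r"status code\s+(-?\d+)", text)
    if match is None:
        raise ValueError("no status code in message")
    return decode(int(match.group(1)))


if __name__ == "__main__":
    print(decode_message(QUESTION_MESSAGE))  # value as shown in the question body
    print(decode(1073741819))                # value as shown in the title, minus sign dropped
```

The value -1073741819 decodes to 0xC0000005 (STATUS_ACCESS_VIOLATION), meaning lsass.exe crashed on an invalid memory access; that identifies the kind of crash, not its cause. The title's 1073741819, with the minus sign lost, decodes to an unrelated non-error value, so the sign matters when searching for the code.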
1 Solution
 
dnilson Commented:
If lsass.exe terminates, Windows WILL reboot. That's the intended operation.

Question is, what's crashing the process.

Since you are on a 64 bit box, a 32 bit driver, or application is immediately suspect.  

I) Set up a clean boot by Microsoft definitions to eliminate 32 bit applications
Step 2: Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

II) If that fails you need to make sure you are using a 64 bit version of EVERY driver.

Start with the NIC driver(s) per your above description.

III) Look in the system and application logs for clues.
0
 
Glen Knight Commented:
Run sfc /scannow
0
 
dnilson Commented:
Sfc /scannow will fix any bad Windows system files, but it's not going to fix a bad 32 bit app or driver, so don't forget to check those.

What's the history of the machine: old/new, recently failed/always bad, upgraded, clean install, etc.?
0
 
Glen Knight Commented:
Are you able to abort the shutdown?
Shutdown -a

I had this problem about 5 years ago and it was bad Active Directory data failing to replicate. Are there other Domain Controllers?

Are you able to dcpromo to remove it as a DC and then dcpromo it back?

Obviously after transferring any FSMO roles to another DC.
0
 
Arabsoft-ACS (Author) Commented:
I installed some Microsoft hotfixes and the problem was solved temporarily; the server was running without restarting, but when I checked my Active Directory and DNS, both were not working. I checked the services: the IPsec service and the Kerberos Key Distribution Center service are not running. When I try to start them, they fail to start, and then I am again facing the problem with the LAN. I am not able to ping the other servers and the gateway; the result is "Destination host unreachable".
0
 
Glen Knight Commented:
After re-reading your original post I would say you either have a failing/failed NIC or bad drivers for said NIC.

Try another NIC if you have one available, or try re-installing the original drivers for the one you have.
0
 
Glen Knight Commented:
All of those services you have mentioned will fail if the NIC is not working, so this is definitely a good place to start!

Was it working and something has changed or did it never work?

Roll back the NIC driver in Device Manager using the roll back button on the properties of the NIC
0
 
Arabsoft-ACS (Author) Commented:
I have already reinstalled the NIC drivers; there are two NIC cards and both have the same problem.
0
 
Glen Knight Commented:
Have you got a NIC card you can install to test and disable the other 2?
0
 
dnilson Commented:
If you change the NIC it should be a different model brand, and have a 64 bit driver and / a Windows native driver
0
 
Arabsoft-ACS (Author) Commented:
Both NICs are built in, with the same configuration, and the drivers support 64 bit.
0
 
Glen Knight Commented:
If there is a problem with the NIC interface it will affect both, as the onboard cards are normally dual port.

Can you try another NIC card that you plug on to the server's motherboard?
0
 
Arabsoft-ACS (Author) Commented:
Same problem after using another NIC card. The IPsec service and Kerberos service still do not start.
Getting the same result, "Destination Host Unreachable", when pinging the gateway and another IP in the same subnet.
0
 
Glen Knight Commented:
If you do an ipconfig /all what do you get?
Can you post the results?
0
 
Glen Knight Commented:
Can you also run DCDIAG and NETDIAG and post the results?
0
 
Datedman Commented:
Just curious, when you say "without LAN connection" do you mean unplugged or...?   If just unplugging it solves the problem try giving it a static ip on another subnet, could conceivably be getting attacked.
0
 
ChiefIT Commented:
LSASS stands for Local Security Server. It goes to the Kerberos ticket granting agent and verifies security identification for network logons.

Though it will fail without NIC support, the computer will not reboot on its own. The lack of time synchronization will also fail LSASS if it is out of the 5 minute phase offset. However, the lack of time synchronization will also not cause a computer reboot or slowness on the server.

The restart of the computer indicates a memory leak, or application failure. You can tell it NOT to reboot upon failure. And then I would check out this article on memory leaks caused from LSASS.exe.

http://support.microsoft.com/kb/893246

If this doesn't work, you might look for memory articles like this that have to do with LSASS causing a memory leak.

 
0
 
dnilson Commented:
ChiefIT

The reported problem is unexpected termination of LSASS, not its failure due to lack of NIC support.

Termination of the LSASS process will in itself reboot the machine; that's how the shutdown command works.

Kill the process on a running machine and you will see the familiar shutdown dialog.

========================
author

Have you checked the system log to determine the sequence of events post bootup?

Can you list the error / status messages IN the chronological order they appear in the log starting with the Microsoft HAL loading so we can glean some idea of what failed first, etc.  Perhaps there is a why hidden in those messages

 
0
 
Mike_Courtney Commented:
I'd be inclined to compare the service pack levels on all the DCs to ensure they match - are they all running R2?

You can check this using the Windows 2003 version of repadmin:

repadmin /showattr <name of the domain controller that is in the target domain> ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

It won't show you individual hotfixes, but worth thinking of those too
0
 
Arabsoft-ACS (Author) Commented:
After a long discussion, there was no proper solution found... at last I formatted the server and restored the last full + differential backup.

Thanks everyone
0
 
Glen Knight Commented:
It's a shame none of the last questions were answered as with the information requested we may well have found you a solution.
0
 
Datedman Commented:
So, did restoring a backup solve the problem?  LOL...if it is an attack, it will still be one.
0
