?
Solved

Server restart : lsass.exe terminated unexpectedly with status code 1073741819

Posted on 2009-06-26
22
Medium Priority
?
4,695 Views
Last Modified: 2012-05-07
Windows 2003 Server R2 x64  restart after every 15 sec with the massage
'C:\WINDOWS\system32\lsass.exe' terminated > unexpectedly with status code -1073741819"
It's a domain controller, i already run sasser removing tool and also full scanned with symantec end point protection.But i did'nt find any worm or virus.
it can happend when restart the server using LAN connection and without LAN connection the above massage not came to restart the server.
0
Comment
Question by:Arabsoft-ACS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
  • 4
  • +3
22 Comments
 
LVL 10

Expert Comment

by:dnilson
ID: 24726530
if lsass.exe terminates, Windows WILL reboot.  Thats the intended operation.

Question is, whats crashing the process.

Since you are on a 64 bit box, a 32 bit driver, or application is immediately suspect.  

I) Setup a clean boot by Microsoft definitions to eliminate 32 bit applications
Step 2: Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

II) Ifthat fails you need to make sure you are using a 64 bit version of EVERY driver.

Start with the NIC driver(s) per your abovedescription.

III) Look in the system and application logs for clues.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726559
Run sfc /scannow
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24726598
Sfc /scanniw will fix any bad windows system files, but it's not going to fix a bad 32 bit app or driver so don't forget to check those

What's the history of the machine old/new, recently failed/ always bad, upgraded, clean install etc
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726618
Are you able to abort the shutdown?
Shutdown -a

I gad this problem about 5 years ago and it was bad active directory data failing to replicate, are there other Domain Controlers?

Are you able to dcpromo to remove it as a DC and then DC promo it back?

Obviously after yransfering any FSMO roles to another DC
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726641
I installed some microsoft hotfixes and the problem was solved temporary, the server running witout restarting but when i check my Active Directory and DNS both are not working, i checked the services there is IPsec service and Kerberos key Distribution center service is not running. When i try to start its faild to start then again facing the problem with LAN. can't able to ping the other servers and gateway found result " distination host unreachable"
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726671
After re-Reading your original post I would say you either have a failing/failed NIC or bad drivers for said NIC.

Try another NIC if you have one available or try re-installing  original drivers for the one you have
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726687
All of those services you have mentioned will fail if the NIC is not working so this is definately a good place to start!

Was it working and something has changed or did it never work?

Roll back the NIC driver in Device Manager using the roll back button on the properties of the NIC
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726699
I already done to reinstall NIC drivers and there is two NIC card and both ha same problem
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726715
Have you got a NIC card you can install to test and disable the other 2?
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24726720
If you change the Nic it should be a different model brand, and have a 64 bit driver and / a windows native driver
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726760
Both NIC's are built in, with the same configuration and driver are support to 64 bit.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726774
If there is a problem with the NIC interface it will effect both as the onboard cards are normally dual port.

Can you try another NIC card that you plug on to the servers motherboard?
0
 

Author Comment

by:Arabsoft-ACS
ID: 24727084
Same problem after use the another NIc card. Still IPsec service and Kerberos service not start.
getting same result "distination Host Unreachable" When ping the gateway and another IP in the same subnet.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24727092
If you do an ipconfig /all what do you get?
Can you post the results
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24727118
Can you also run DCDIAG an NETDIAG and post the results
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24727505
Just curious, when you say "without LAN connection" do you mean unplugged or...?   If just unplugging it solves the problem try giving it a static ip on another subnet, could conceivably be getting attacked.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24728249
LSASS stands for Local Security Server. It goes to the kerberos ticket granting agent and verifies security identification for network logons.

Though it will fail without NIC support, the computer will not reboot on its own. The lack of time synchronization will also fail LSASS if it is out of the 5 minute phase offset. However, the lack of time synchronization will also not cause a computer reboot or slowness on the server.

The restart of the computer indicates a memory leak, or application failure. You can tell it to NOT to reboot upon failure. And then I would check out this article on memory leaks caused from LSASS.exe.

http://support.microsoft.com/kb/893246

If this doesn't work, you might look for a memory articles like this that have to do with LSASS causing a memory leak.

 
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24728595
ChiefIT

The reported problem is unexpected termination of LSASS, not it's failure due to lack of NIC support

Termination of LSASS process will in itself reboot the machine, that's how the shutdown command works

Kill the process on a running machine and you will see the familar shutdown dialog.

========================
author

Have you checked the system log to determine the sequence of events post bootup?

Can you list the error / status messages IN the chronological order they appear in the log starting with the Microsoft HAL loading so we can glean some idea of what failed first, etc.  Perhaps there is a why hidden in those messages

 
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24729373
I'd be inclined to compare the service pack levels on all the DC's to ensure they match - are they all running R2?

You can check this using Windows 2003 version of repadmin

repadmin /showattr name of the domain controller that is in the target domain ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

It won't show you individual hotfixes, but worth thinking of those too
0
 

Accepted Solution

by:
Arabsoft-ACS earned 0 total points
ID: 24778980
After a long Discussion, there is no proper solution found&..atlast format the Server and restore the Last full + Differential Backup.

Thanks every one
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24778996
It's a shame none of the last questions were answered as with the information requested we may well have found you a solution.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24780181
So, did restoring a backup solve the problem?  LOL...if it is an attack, it will still be one.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question