Solved

Server restart : lsass.exe terminated unexpectedly with status code 1073741819

Posted on 2009-06-26
22
4,474 Views
Last Modified: 2012-05-07
Windows 2003 Server R2 x64  restart after every 15 sec with the massage
'C:\WINDOWS\system32\lsass.exe' terminated > unexpectedly with status code -1073741819"
It's a domain controller, i already run sasser removing tool and also full scanned with symantec end point protection.But i did'nt find any worm or virus.
it can happend when restart the server using LAN connection and without LAN connection the above massage not came to restart the server.
0
Comment
Question by:Arabsoft-ACS
  • 9
  • 5
  • 4
  • +3
22 Comments
 
LVL 10

Expert Comment

by:dnilson
ID: 24726530
if lsass.exe terminates, Windows WILL reboot.  Thats the intended operation.

Question is, whats crashing the process.

Since you are on a 64 bit box, a 32 bit driver, or application is immediately suspect.  

I) Setup a clean boot by Microsoft definitions to eliminate 32 bit applications
Step 2: Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

II) Ifthat fails you need to make sure you are using a 64 bit version of EVERY driver.

Start with the NIC driver(s) per your abovedescription.

III) Look in the system and application logs for clues.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726559
Run sfc /scannow
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24726598
Sfc /scanniw will fix any bad windows system files, but it's not going to fix a bad 32 bit app or driver so don't forget to check those

What's the history of the machine old/new, recently failed/ always bad, upgraded, clean install etc
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726618
Are you able to abort the shutdown?
Shutdown -a

I gad this problem about 5 years ago and it was bad active directory data failing to replicate, are there other Domain Controlers?

Are you able to dcpromo to remove it as a DC and then DC promo it back?

Obviously after yransfering any FSMO roles to another DC
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726641
I installed some microsoft hotfixes and the problem was solved temporary, the server running witout restarting but when i check my Active Directory and DNS both are not working, i checked the services there is IPsec service and Kerberos key Distribution center service is not running. When i try to start its faild to start then again facing the problem with LAN. can't able to ping the other servers and gateway found result " distination host unreachable"
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726671
After re-Reading your original post I would say you either have a failing/failed NIC or bad drivers for said NIC.

Try another NIC if you have one available or try re-installing  original drivers for the one you have
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726687
All of those services you have mentioned will fail if the NIC is not working so this is definately a good place to start!

Was it working and something has changed or did it never work?

Roll back the NIC driver in Device Manager using the roll back button on the properties of the NIC
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726699
I already done to reinstall NIC drivers and there is two NIC card and both ha same problem
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726715
Have you got a NIC card you can install to test and disable the other 2?
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24726720
If you change the Nic it should be a different model brand, and have a 64 bit driver and / a windows native driver
0
 

Author Comment

by:Arabsoft-ACS
ID: 24726760
Both NIC's are built in, with the same configuration and driver are support to 64 bit.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24726774
If there is a problem with the NIC interface it will effect both as the onboard cards are normally dual port.

Can you try another NIC card that you plug on to the servers motherboard?
0
 

Author Comment

by:Arabsoft-ACS
ID: 24727084
Same problem after use the another NIc card. Still IPsec service and Kerberos service not start.
getting same result "distination Host Unreachable" When ping the gateway and another IP in the same subnet.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24727092
If you do an ipconfig /all what do you get?
Can you post the results
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24727118
Can you also run DCDIAG an NETDIAG and post the results
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24727505
Just curious, when you say "without LAN connection" do you mean unplugged or...?   If just unplugging it solves the problem try giving it a static ip on another subnet, could conceivably be getting attacked.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24728249
LSASS stands for Local Security Server. It goes to the kerberos ticket granting agent and verifies security identification for network logons.

Though it will fail without NIC support, the computer will not reboot on its own. The lack of time synchronization will also fail LSASS if it is out of the 5 minute phase offset. However, the lack of time synchronization will also not cause a computer reboot or slowness on the server.

The restart of the computer indicates a memory leak, or application failure. You can tell it to NOT to reboot upon failure. And then I would check out this article on memory leaks caused from LSASS.exe.

http://support.microsoft.com/kb/893246

If this doesn't work, you might look for a memory articles like this that have to do with LSASS causing a memory leak.

 
0
 
LVL 10

Expert Comment

by:dnilson
ID: 24728595
ChiefIT

The reported problem is unexpected termination of LSASS, not it's failure due to lack of NIC support

Termination of LSASS process will in itself reboot the machine, that's how the shutdown command works

Kill the process on a running machine and you will see the familar shutdown dialog.

========================
author

Have you checked the system log to determine the sequence of events post bootup?

Can you list the error / status messages IN the chronological order they appear in the log starting with the Microsoft HAL loading so we can glean some idea of what failed first, etc.  Perhaps there is a why hidden in those messages

 
0
 
LVL 4

Expert Comment

by:Mike_Courtney
ID: 24729373
I'd be inclined to compare the service pack levels on all the DC's to ensure they match - are they all running R2?

You can check this using Windows 2003 version of repadmin

repadmin /showattr name of the domain controller that is in the target domain ncobj:domain: /filter:"(&(objectCategory=computer)(primaryGroupID=516))" /subtree /atts:operatingSystem,operatingSystemVersion,operatingSystemServicePack

It won't show you individual hotfixes, but worth thinking of those too
0
 

Accepted Solution

by:
Arabsoft-ACS earned 0 total points
ID: 24778980
After a long Discussion, there is no proper solution found&..atlast format the Server and restore the Last full + Differential Backup.

Thanks every one
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 24778996
It's a shame none of the last questions were answered as with the information requested we may well have found you a solution.
0
 
LVL 10

Expert Comment

by:Datedman
ID: 24780181
So, did restoring a backup solve the problem?  LOL...if it is an attack, it will still be one.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question