question

0 Votes
AndyHunt-3387 asked MelissaMcClish-1506 commented

2012 R2 constant rebooting on DC

I am at a loss on this one - Server 2012 R2 with DC role - we have at least 2 DCs which on reboot constantly reboot with the warning message that the server will restart in one minute - the issue says it is lsass.exe crashing with faulting module lsadb.dll.

Can only get in to the server via safe mode.

We dare not reboot any more DCs as they may have the same fault! Any ideas very much appreciated.

Crash report below:

Version=1
EventType=APPCRASH
EventTime=132451462808065074
ReportType=2
Consent=1
ReportIdentifier=94224e51-fbda-11ea-81c5-0050569d64c3
IntegratorReportIdentifier=94224e50-fbda-11ea-81c5-0050569d64c3
NsAppName=lsass.exe
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=lsass.exe
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.17415
Sig[2].Name=Application Timestamp
Sig[2].Value=545042fe
Sig[3].Name=Fault Module Name
Sig[3].Value=lsadb.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.18759
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=59612c1e
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000000a657
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.400.8
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=2057
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=a8c1
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=a8c194a6f09e73c34c87e5e76aaa6cfa
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=ae9a
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=ae9a7a1de7edbcd1ca1027d29040ccdb
UI[2]=C:\Windows\system32\lsass.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Local Security Authority Process stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Local Security Authority Process
AppPath=C:\Windows\system32\lsass.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=8102D8877E41CC9ABDB06D18FC7E6609

windows-server-2012
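
Reading the fault signature out of a WER report like the one in the question, as an added example that is not part of the original post: the `Sig[n]` pairs are joined by index, `EventTime` is decoded as a FILETIME, and the two hex timestamps are decoded as PE link times so the build date of the faulting `lsadb.dll` can be compared with patch dates. The function name `ConvertFrom-WerReport` and the two-entry NTSTATUS table are assumptions of this example; the sample lines are copied from the report above.

```powershell
# Constructed sample: selected lines copied from the crash report in the question.
$sample = @'
EventType=APPCRASH
EventTime=132451462808065074
Sig[0].Name=Application Name
Sig[0].Value=lsass.exe
Sig[2].Name=Application Timestamp
Sig[2].Value=545042fe
Sig[3].Name=Fault Module Name
Sig[3].Value=lsadb.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.18759
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=59612c1e
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000000a657
'@

function ConvertFrom-WerReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $name = @{}; $value = @{}; $top = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Sig\[(\d+)\]\.(Name|Value)=(.*)$') {
            # Sig[n].Name and Sig[n].Value arrive on separate lines; pair them by index.
            if ($Matches[2] -eq 'Name') { $name[[int]$Matches[1]] = $Matches[3] }
            else                        { $value[[int]$Matches[1]] = $Matches[3] }
        } elseif ($line -match '^(\w+)=(.*)$') { $top[$Matches[1]] = $Matches[2] }
    }
    $sig = @{}
    foreach ($i in $name.Keys) { $sig[$name[$i]] = $value[$i] }

    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $fromHex = { param($h) $epoch.AddSeconds([Convert]::ToInt64($h, 16)) }
    # NTSTATUS names for two codes often seen in APPCRASH reports; extend as needed.
    $ntstatus = @{ 'c0000005' = 'STATUS_ACCESS_VIOLATION'; 'c0000409' = 'STATUS_STACK_BUFFER_OVERRUN' }

    [pscustomobject]@{
        CrashTimeUtc   = [DateTime]::FromFileTimeUtc([long]$top['EventTime'])  # EventTime is a FILETIME
        Application    = $sig['Application Name']
        AppBuiltUtc    = & $fromHex $sig['Application Timestamp']   # PE link time, Unix seconds in hex
        FaultModule    = $sig['Fault Module Name']
        ModuleVersion  = $sig['Fault Module Version']
        ModuleBuiltUtc = & $fromHex $sig['Fault Module Timestamp']
        Exception      = '0x{0} ({1})' -f $sig['Exception Code'], $ntstatus[$sig['Exception Code']]
        Offset         = '0x{0:x}' -f [Convert]::ToInt64($sig['Exception Offset'], 16)
    }
}

ConvertFrom-WerReport -Text $sample | Format-List
```

On a live server the same function can be fed a saved report with `Get-Content -Raw`.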

Very similar event here after applying 2022-01 updates to Server 2019.

Small business, two (2) DCs, one (1) subnet. Multiple roles crammed on the servers as the user has just a Standard license.

After the current MS Updates, servers started to reboot after being up anywhere from two (2) to five (5) minutes.

The culprit: apparent Network Connection switch from "Domain network" to "Private network".

Symptoms:

  • Event 1074, User32. The process wininit.exe has initiated the restart

  • Event 1000, Application Error. Faulting application lsass.exe, faulting module lsadb.dll

In order to stop a machine from rebooting, another one should be down. Turning off the Netlogon service just on one of them was not sufficient.

LSADB.DLL was replaced in the 2022-01 cumulative, but it appeared not to be a problem.

Switching from Private to Domain was as easy as disabling and reenabling the respective adapter. Sometimes this step is not that easy, but it is outside of the scope of this note.

-Vladimir

1 Vote 1 ·
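
A check for the two symptoms and the network-profile switch described in the comment above, as an added example that is not part of the original comment. The function names, the 24-hour look-back and the 5-minute pairing window are assumptions of this example.

```powershell
# Hypothetical helper names; run in an elevated session on the affected DC.
function Get-LsassCrashRestart {
    param([int]$Hours = 24, [int]$WindowMinutes = 5)
    $since = (Get-Date).AddHours(-$Hours)

    # Event 1000 properties follow the WER signature order:
    # [0] application name, [3] faulting module name, [6] exception code.
    $crashes = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
        } | Where-Object { $_.Properties[0].Value -eq 'lsass.exe' } | Sort-Object TimeCreated)

    $restarts = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $since
        } | Where-Object { $_.Message -match 'wininit\.exe' } | Sort-Object TimeCreated)

    foreach ($c in $crashes) {
        # Pair each crash with the first wininit-initiated restart logged shortly after it.
        $r = $restarts | Where-Object {
            $_.TimeCreated -ge $c.TimeCreated -and
            $_.TimeCreated -le $c.TimeCreated.AddMinutes($WindowMinutes)
        } | Select-Object -First 1
        [pscustomobject]@{
            CrashTime     = $c.TimeCreated
            FaultModule   = $c.Properties[3].Value
            ExceptionCode = $c.Properties[6].Value
            RestartLogged = if ($r) { $r.TimeCreated } else { $null }
        }
    }
}

function Get-NonDomainProfile {
    # The adapter facing the domain should report DomainAuthenticated, not Private or Public.
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
        Select-Object InterfaceAlias, Name, NetworkCategory
}

Get-LsassCrashRestart | Format-Table -AutoSize
foreach ($p in Get-NonDomainProfile) {
    # Same effect as disabling and re-enabling the adapter; -Confirm asks before each one.
    Restart-NetAdapter -Name $p.InterfaceAlias -Confirm
}
```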
1 Vote
DSPatrick answered JoshuaGatewood-4709 commented

This one might help.
https://support.microsoft.com/en-ca/help/3038261/lsass-exe-crashes-and-system-shuts-down-automatically-on-a-windows-ser


Not a lot to go on but the simplest / safer solution may be to stand up a new one for replacement.

I'd use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2012, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer FSMO roles over (optional), transfer the PDC emulator role (optional), and use dcdiag / repadmin tools to verify health again. When all is good you can decommission / demote the old one.

--please don't forget to Accept as answer if the reply is helpful--




Thanks - we did come across that one too and are also looking into replacement but may be a schema issue it seems

0 Votes 0 ·

That link has a faulting module of: kerberos.DLL

This error has a faulting module of : lsadb.dll

0 Votes 0 ·
0 Votes
CarlFan-MSFT answered AndyHunt-3387 commented

Hi,
Have you met some other event error such as 1000/1001/1015?
It looks like some of the settings in the AD schema are missing.
For example, the NTDS Settings represents the domain controller in the replication system. The NTDS Settings object stores connection objects, which make replication possible between two or more domain controllers.
To troubleshoot the lsass.exe crash, I consider that you may need to use process monitor to capture the dump. If you can see event 1000/1001, you could configure a WER dump.
Best Regards,
Carl


Many thanks Carl - we have seen 1015 certainly and we have also noticed that if you disconnect the NIC then the server does not crash so this feels like heading in the right direction.

0 Votes 0 ·
0 Votes
JoshuaGatewood-4709 answered PaulWhitfield-5584 commented

We have the same issue - it occurred after attempting to install the latest patches. We removed the patch but cannot get the DC to stay on unless we turn off the NIC. Booting into Safe Mode with Networking works, but no AD services run in that mode.


Just to add - we found that changing NIC to DHCP and the server picking up our DHCP allocation which is a different subnet - and it did not reboot.

Makes no sense!!!

0 Votes 0 ·

I'm having the same issue here as well. It's believed that it may be due to patching but removing recent patches in safe mode doesn't help.

I tried turning off the NIC and also moving to a different host but neither made any difference. I can only boot in safe mode with networking.

0 Votes 0 ·

I got it working somehow.

We found it worked on a different IP range, turned off WSUS updates, used a manual tool called ABC-update to directly get updates from MS - this worked and server is now back on original IP and working fine.

But we did lots of other things along the way so who knows... added second NIC, changed NIC driver - the current setup is on a new NIC and old one now deleted.

Good luck with yours!

0 Votes 0 ·

I had the same issue on 3 DCs, all Win2012R2. In my situation no updates had been installed since July, the last Monthly Rollup installed was the July bundle KB4565541. KB4569739 (.NET) and KB4577071 (security-only for September 2020) were installed, and immediately after that the repeated reboots started. Uninstalling KB4577071 was tricky as the servers would only stay up for a few minutes before rebooting. Since it is lsass.exe (Active Directory) that is crashing and causing the reboot, booting into Directory Services Repair Mode means AD is not running and the server will stay up as long as you need. Uninstalling KB4577071 while in Directory Services Repair Mode resolved the issue.

For one of these servers, the installation of KB4577071 had failed, but was still causing the reboots. I rebooted into Directory Services Repair Mode, installed KB4577071, rebooted into Directory Services Repair Mode again, uninstalled KB4577071, and rebooted into normal mode.

1 Vote 1 ·
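
The Directory Services Repair Mode removal described in the comment above, written out as an added example that is not part of the original comment. The function name is hypothetical, and removing the update with `wusa.exe` is an assumption of this example, since the comment does not say which tool was used.

```powershell
# Hypothetical helper; run elevated on the affected DC. Each call performs the next step.
function Invoke-DsrmUpdateRemoval {
    param([Parameter(Mandatory)][int]$Kb)

    # Safe-mode boots set SAFEBOOT_OPTION; DSRM shows up as DSREPAIR.
    $inDsrm = $env:SAFEBOOT_OPTION -eq 'DSREPAIR'

    if (-not $inDsrm) {
        # Step 1: make the next boot DSRM, where AD DS is not running and the server stays up.
        bcdedit /set safeboot dsrepair | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        return 'DSRM boot flag set. Restart, log on with the DSRM administrator account, run this again.'
    }

    # Step 2 (in DSRM): remove the update without letting wusa restart the server itself.
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
        -ArgumentList '/uninstall', "/kb:$Kb", '/quiet', '/norestart'

    # 0 = removed, 3010 = removed and a restart is pending; anything else is left to the operator.
    if ($p.ExitCode -notin 0, 3010) {
        return "wusa exit code $($p.ExitCode); DSRM flag left in place so the reboot loop does not resume."
    }

    # Step 3: clear the flag so the next restart is a normal boot.
    bcdedit /deletevalue safeboot | Out-Null
    return "KB$Kb removed, DSRM flag cleared. Restart into normal mode."
}

# KB number taken from the comment above.
Invoke-DsrmUpdateRemoval -Kb 4577071
```

Logging on in DSRM requires the local DSRM administrator password set when the DC was promoted, so confirm it is known before setting the boot flag.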
0 Votes
DSPatrick answered

Still remains the quickest / simplest / safer solution may be to stand up a new one for replacement.

I'd use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2012, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it, also making it a GC (recommended), transfer FSMO roles over (optional), transfer the PDC emulator role (optional), and use dcdiag / repadmin tools to verify health again. When all is good you can decommission / demote the old one.

--please don't forget to Accept as answer if the reply is helpful--

1 Vote
SimonKrner-2914 answered WadeHarris-6749 published

Hi,
same issue since today here (see also comment of VladimirMikhelson-0287).
Main DC is Server 2012 R2 and secondary DC 2019. All updates are installed. Maybe the latest update causes this problem?
Also hotfix 2998097 (https://support.microsoft.com/en-us/topic/lsass-exe-crashes-and-system-shuts-down-automatically-on-a-windows-server-2012-r2-based-server-5abde4d6-917e-7825-867e-4c9f4ff616b9) was already installed with previous updates.

Any ideas to solve this?

Best regards,
Simon


Looks like the last update KB5009624 from January 22 caused this. After uninstalling, it worked again.
https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/

0 Votes 0 ·

Thanks - uninstalling the KB5009624 worked for me also. Same symptoms, same result.

0 Votes 0 ·
0 Votes
ServiceIT-1090 answered

We are seeing the same thing after installing the 2022-01 CU on our 3 domain controllers. All are 2016 servers.

I actually know what's causing it: we have a VDI master image for view that we update every now and then. It is in audit mode and not joined to the domain.
The applications like Chrome etc. that we update are located on a Synology share. As soon as I try to access the share using a domain account, the domain controllers reboot. I even made a video to prove it is what is causing it.

So I don't know if this CU enforced something on the authentication or if this is a nasty little bug.

Our solution for now is to remove the CU, no crash since then.


1 Vote
KevinLee-0458 answered DavidMartinIT-9413 published

Same issue/resolution here.
I uninstalled all of the January 2022 updates and the reboots have stopped.
The errors were lsass.exe and lsadb.dll from the Event Viewer.
In my case, the reboots were happening when my Synology NAS tried to connect to the Windows 2019 AD.
I have the Windows Server 2019 Domain connected to the Synology (through Synology's Domain/LDAP services)
Something must have changed with the January 2022 update.
I have disabled all updates to Server 2019 until Synology or MS issues a fix.


I can confirm this. After shutting down the connected Synology, the server has stopped rebooting. Also with a Server 2019 AD.

0 Votes 0 ·
0 Votes
LECORREEric-6077 answered MelissaMcClish-1506 commented

Hello,

Same for me, today all my DCs on Windows 2019 rebooted at the same time. All DCs are updated with the January updates installed.
Same errors with lsass.exe, and I also have a Synology NAS.


Just uninstall the January updates and the reboots will stop.

0 Votes 0 ·

Yes, but I need to keep Windows Server up to date.

No other solution for the moment?

thanks

0 Votes 0 ·