question

TrungNguyenVan-8319 avatar image
0 Votes"
TrungNguyenVan-8319 asked Wilw-2115 edited

Server 2019 Event ID 1074, Reason Code: 0x50006 Lsass.exe terminated unexpectedly

The process wininit.exe has initiated the restart of computer Domain Controller 2019 on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740767. The system will now shut down and restart.

I detected that when I stop NETLOGON Services, server 2019 doesn't restart unexpectedly. But when start NETLOGON Services, it still restart every 5 ~ 10 minutes.

windows-server-2019
· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @TrungNguyenVan-8319, have you got any response from MS support about this?

I have the same issue with a couple of our client servers that are crashing every 6 hours and there are no Minidump files created after the crash to investigate further. And its keep on crashing after we patched the servers with the below security patches this month (Jan 2022)

Security Update MS21-OCT: Cumulative Security Update for Internet Explorer 11 - Windows Server 2012 R2 - IE 11 - KB5006671 (x64)
Security Update MS22-JAN: Security Monthly Quality Rollup - Monthly Rollup - Windows Server 2012 R2 - KB5009624 (x64)

Logs:

The process wininit.exe has initiated the restart of computer AHLPRNETAD02 on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.


Thanks in advance.

Sri

0 Votes 0 ·

After uninstalling the security patch KB5009624, the issue got resolved and the server is not rebooting/restarting anymore.


Problem Description
KB5009624 Causes a Loop “Continuous Restart/Reboot” on all Windows Servers with any Role. As per Microsoft Support, the exact reason has not been figured out.
Root Cause Analysis
Microsoft Support is still working on this issue to figure out the exact reason why KB5009624 causes a continuous restart/reboot on all Windows Servers with any Role.
Solution
In “SAFE MODE” basically uninstall KB5009624 over “Programs and Features” and restart the Windows Servers again.





0 Votes 0 ·

I am having a very similar issue on a windows 2012 domain controller.
Il processo wininit.exe ha iniziato il restart del computer domaincontrollername per conto dell'utente a causa del motivo seguente: No title for this reason could be found
Codice motivo: 0x50006
Tipo di arresto : restart
Commento: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. The system will now shut down and restart.

origin User32
Id 1074
it reboots every 10 minutes.
In that environment I see two synology nas using AD auth from the server having the issue, and it seems that If block the nas from querying the server, it is not rebooting.
Also the issue seems quite recent to me.

0 Votes 0 ·
ElevenYu-MSFT avatar image
0 Votes"
ElevenYu-MSFT answered TrungNguyenVan-8319 commented

Hi,

After researching, I found two threads mentioned the similar issue and contained possible solutions. But both of them were for Windows Server 2012 or 2012 R2.

You can have a try on your windows server 2019.

Solution 1: Increasing the MaxTempTableSize parameter value of LDAP

Steps:
1. Increase MaxTempTableSize up to a maximum of 100000 on the LDAP settings as per: https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil
2. Viewing current policy settings:
a. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
b. At the LDAP policy command prompt, type connections, and then press ENTER.
c. At the server connection command prompt, type connect to server DNS name of server, and then press ENTER. You want to connect to the server that you are currently working with.
d. At the server connection command prompt, type q, and then press ENTER to return to the previous menu.
e. At the LDAP policy command prompt, type Show Values, and then press ENTER.
3. Modifying policy settings
a. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
b. At the LDAP policy command prompt, type Set setting to variable (For example: Set MaxTempTableSize to 100000), and then press ENTER.

Solution 2: Renaming the lplogin.dll to lplogin.dll.bak in safe mode and uninstalling the LastPass application in normal boot.

For your reference:
https://social.technet.microsoft.com/Forums/en-US/1b2a7958-4ecc-4ea0-a107-f53d1bd9fd18/the-process-wininitexe-has-initiated-the-restart-of-computer-on-behalf-of-user-for-the-following?forum=winserver8gen
https://serverfault.com/questions/788240/server-2012-stuck-in-a-reboot-loop-lsass-exe-failed

Thanks,


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@ElevenYu-MSFT
I tried your solutions, but not resolved. However event id application of my system report that:
Faulting application name: lsass.exe, version: 10.0.17763.1, time stamp: 0xf1beaffa
Faulting module name: verifier.dll, version: 10.0.17763.1, time stamp: 0x197d3cfd
Exception code: 0xc0000421
Fault offset: 0x0000000000006646
Faulting process id: 0x2a4
Faulting application start time: 0x01d77174ea850ebe
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\System32\verifier.dll
Report Id: 62e62818-ccba-40c1-a815-e036fe1c42c9
Faulting package full name:
Faulting package-relative application ID:

Maybe my crash file is verifier.dll? I changed verifier.dll to verifier.dll.bak then my domain controller 2019 could not start. Haha

0 Votes 0 ·
ElevenYu-MSFT avatar image
0 Votes"
ElevenYu-MSFT answered TrungNguyenVan-8319 commented

Hi,

Please kindly run below commands to see if there is any file system error and fix it:

sfc /scannow
Dism /Online /Cleanup-Image /CheckHealth
Dism /Online /Cleanup-Image /ScanHealth
Dism /Online /Cleanup-Image /RestoreHealth

Also, please ensure that the latest Windows Update has been installed on your server.

Thanks,


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

111856-checkhealth.png111749-restorehealth.png111847-scanhealth.png111848-sfc-scannow.png



After I had executed command, I started NETLOGON services and DC2019 still reboot unexpectedly.

0 Votes 0 ·
checkhealth.png (15.4 KiB)
restorehealth.png (16.7 KiB)
scanhealth.png (16.6 KiB)
sfc-scannow.png (14.2 KiB)
ElevenYu-MSFT avatar image
0 Votes"
ElevenYu-MSFT answered TrungNguyenVan-8319 commented

Hi,

Another thing we can try is to replace your verifier.dll file under C:\Windows\System32 on the problematic server with a .dll file copied from another good machine with same version.

If it still does not help, you might need to collect procmon logs using Process Monitor for further troubleshooting.
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Thanks,


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I doubt that some suspicious client are attacking NETLOGON Service. Maybe you guide me using procmon application with my issues?
@ElevenYu-MSFT

0 Votes 0 ·
ElevenYu-MSFT avatar image
0 Votes"
ElevenYu-MSFT answered ElevenYu-MSFT commented

Hi,

Please kindly read below articles about how to use procmon.
https://support.sophos.com/support/s/article/KB-000034769?language=en_US
https://kb.acronis.com/procmon

As forum service does not support procmon logs analysis, we suggest thay you could contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.


You may find phone number for your region accordingly from the link below:
Global Customer Service phone numbers
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

Thanks,


If the Answer is helpful, please click "Accept Answer" and upvote it. Thanks.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@ElevenYu-MSFT

I opened premium case with Microsoft Services 4 day ago but not yet received feedback or solution :(

0 Votes 0 ·

Hi,

Once you created the ticket, the support engineer will contact you within 24 business hours.

Do you mean you haven't received any response from support engineer after you raised the ticket? If so, you could Microsoft Customer Support and Services to explain the situation as well as escalate it.

Thanks,

0 Votes 0 ·
Wilw-2115 avatar image
0 Votes"
Wilw-2115 answered Wilw-2115 edited

Hi TrungNguyenVan-8319,

In order for you to resolve this issues, you need to check the most recent "windows security update" , that was installed and uninstall it. "KB5009595, KB5008897" Please make sure to also uninstall those bolded KB I post in this answer. Once you uninstall them, your issues should be resolved!

Please, mark it as answer if this resolve your issues.

Thanks!

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.