Changing Zone Replication = lsass.exe crashing and DC rebooting

General discussion
-
Ran into a pretty bad bug.
Using a Windows 8.1 Ent workstation, via Server manager I launch DNS Manager via Tools.
I proceed to connect to a Windows Server 2012 R2 Datacenter Edition Domain Controller via the DNS Manager.
In my case, I selected a reverse lookup zone, its properties -> "Change" for replication, selected in my case "All DNS servers in the domain" (currently set to all in the forest), clicked OK and then Apply, and received an error via DNS Manager. The DC now reboots!
I then tried doing the same steps locally on the DC; same thing, server reboots.
OK, so I have to get this done, so I figure PowerShell, right (ran the following locally on the DC):
Set-DnsServerPrimaryZone -Name "10.in-addr.arpa" -ReplicationScope "Domain", again the server reboots!
So now there is NO way to manage DNS Zone replication changes???
DC's event log:
System log: Event ID 1074
The process wininit.exe has initiated the restart of computer %hostname% on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart.
Application log: Event ID 1000
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x1d8
Faulting application start time: 0x01cee0ab5178fb6c
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: 1d4047b0-4ca0-11e3-80ca-005056984a69
Faulting package full name:
Faulting package-relative application ID:
Followed by this event
Application log: Event ID 1015
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
This is extremely similar (if not the same) to http://support.microsoft.com/kb/927342/en-us back in the days.
I don't know how to submit this to MS? Can anyone try (in a lab...) and reproduce. Thanks!
Wednesday, November 13, 2013 8:53 PM
All replies
-
Hi Madburg,
Thanks for your posting.
According to the error message, it seems to be a system crash issue, and we need to use ADPlus to create a dump file and then analyze it to narrow down the root cause of the issue. Unfortunately, it is not effective for us to debug the crash dump file here in the forum. Therefore, I would like to suggest that you contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope the issue will be resolved soon.
In addition, you are warmly welcome to share the resolution when the problem is resolved.
Thanks in advance!
Best regards,
Anna
Thursday, November 14, 2013 9:30 AM -
I understand Anna,
I will give it a shot, is CSS via phone a paid service?
I am going to also try and create a new zone and change its replication, to narrow this down to see if this is caused by any zone originally created by AD 2003 or any existing zone prior to 2012 R2 DCs being introduced.
Friday, November 15, 2013 5:35 AM -
This is a "Feature" on 2012 R2.
Disable audit on AD.
I know this sounds absurd, but disabling auditing on AD objects will help you with this until patches are released.
Basically, with new security features, if you do not want the reboot, you have to make sure that your AD changes related to lsass.exe do not reflect in the event log. I am sure that Microsoft will provide a fix for that issue soon.
Have fun
- Edited by maz-it Friday, November 29, 2013 10:34 AM
Friday, November 29, 2013 10:25 AM -
Thanks for the information. I just ran into this trying to remove an AD-integrated conditional forwarder from a Server 2012 R2 domain controller. It happened on three straight Server 2012 R2 domain controllers. As soon as I removed the auditing setting, it allowed me to remove the forwarder. I wish they would correct this "feature".
Eric J. Inch | Apex Digital Solutions | MCITP EA/EMA/LYNC/VA | CISSP | CEH | GSEC | VCP | CCNA
- Edited by eric-apex Thursday, December 12, 2013 8:02 PM
Thursday, December 12, 2013 8:01 PM -
I am getting the exact same errors but only when I am renaming a user account. As soon as I hit enter I get the Server is rebooting in less than a minute message and then the DC reboots. I have event ids 1000 and 1015 immediately before the reboot. Where am I supposed to be removing auditing from?
Monday, January 13, 2014 8:45 PM
-
Bob86,
I ran into this issue for the first time last night too. I did have a Windows 2003 server that I had in addition to the 2012R2 server, so I did it from there.
You set this in Group Policy Management.
The Default Domain Controller Policy usually has auditing enabled under Policies, Windows Settings, Security Settings, Local Policies/Audit Policy.
I changed each of mine to Defined and unchecked the boxes for Success and Failure so when I click OK, it says No Auditing.
I ran GPUpdate on the 2012R2 server and restarted it. Then, I wasn't having this issue any longer.
Keep in mind that your domain may have additional group policy objects that also set auditing settings but I ALWAYS do these things in baby steps, so don't go overboard with lots of changes at one time.
I hope that helps. This advice provides no warranty.
Tuesday, January 14, 2014 4:55 PM -
That seems to be it. I had several audit settings in there and once they were all turned off, refreshed and the issue disappeared. Not an ideal workaround, I am opening a case with MS and hopefully they will have a better solution. I'll update if one is found.
Tuesday, January 14, 2014 5:27 PM
-
Ok this has been confirmed as a known issue by MS and a hotfix will be released and rolled into the update process once it has been verified. The guy I spoke with thought March patch cycle seems likely.
Friday, January 31, 2014 7:55 PM
-
Hi,
For cases where LSASS crashes 60 seconds after renaming objects in Active Directory on Windows Server 2012 R2 computers, there are two courses of action:
- Call Microsoft Support and request the on-demand version of MSKB 2914387. You will need to provide a credit card to initiate the support call but you will not be charged for a bug fix.
OR
- Temporarily disable Success Auditing in Default Domain Controllers Policy. Success Auditing may be enabled on Global Audit Policy Path of:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit directory service access
OR
The granular audit policy path of:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes
Refresh policy with GPUPDATE /FORCE, wait for the policy refresh interval, or reboot the DC to make the audit policy change take effect.
I hope this helps,
Justin [MSFT]
Saturday, February 15, 2014 2:35 AM
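A read-only check for the condition described in the reply above (success auditing on DS Access without KB 2914387), given as an added example that is not part of any post and not Microsoft's own tooling. The 30-day event window and the English-language auditpol match are assumptions; the KB numbers are the two named in this thread.

```powershell
# Added example: read-only check, run from an elevated PowerShell session on the DC.
# The two KB numbers are the ones named in this thread; the 30-day window is an assumption.
$fixKbs = 'KB2914387', 'KB2928680'

# 1. Is the hotfix, or the rollup reported in the thread to contain it, installed?
$installedFix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $fixKbs -contains $_.HotFixID }

# 2. Effective audit settings for the DS Access category, which holds the
#    "Directory Service Access" and "Directory Service Changes" subcategories.
#    auditpol output is localized; the 'Success' match assumes an English system.
$dsAudit = auditpol.exe /get /category:"DS Access" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$successAudited = $dsAudit |
    Where-Object { $_.'Inclusion Setting' -match 'Success' }

# 3. Recent lsass.exe crash records (Application log events 1000 and 1015).
$crashes = Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 1000, 1015
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' }

# 4. Event 1074 reports the exit status as a signed 32-bit integer; formatting it
#    as hex shows it is the same NTSTATUS that events 1000 and 1015 print.
$statusHex = '0x{0:X8}' -f [int32]-1073741819

[pscustomobject]@{
    FixInstalled        = @($installedFix).HotFixID -join ', '
    SuccessAuditedOnDS  = @($successAudited).Subcategory -join ', '
    LsassCrashesLast30d = @($crashes).Count
    Event1074StatusHex  = $statusHex
    # Per the thread: success auditing of DS Access without the fix is the
    # combination under which directory changes crashed lsass.exe.
    ExposedPerThread    = (-not $installedFix) -and [bool]$successAudited
}
```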
-
I am also having this happen on 2012 R2 DCs, it happens when renaming a user or renaming an Exchange mailbox database. Nice to know a fix is coming. Disabling "Audit directory service access" (or more appropriately not defining it) and restarting the DCs did the trick.
Doug Kinzinger, MCSE
- Edited by Doug Kinzinger Friday, February 28, 2014 5:14 PM Appended
Friday, February 28, 2014 4:38 PM -
I am having the same issue. Originally thought it was VMware related (NIC driver), but then a new physical server started having the same problem. Glad I stumbled upon this article; didn't see it in my original searches. I was able to recreate the reboot by renaming a test account. We are heavy users of auditing for SOX-compliance reporting so turning that off isn't an option. I am gearing up to call MS for that patch. Will report back. Keep an eye out for a post on "clients older than W2008 not being able to see the netlogon and sysvol directories" due to the new SMB version on R2.
Thursday, March 6, 2014 5:01 PM
-
Hello. I'm having exactly the same issue - http://social.technet.microsoft.com/Forums/windowsserver/en-US/0de2ab00-7b74-41e4-a390-7cb277900558/active-directory-domain-services-crash-after-administrator-renames-object-in-active-directory-users?forum=winserver8gen
Tuesday, March 11, 2014 3:25 AM -
It seems MS released an update to address this bug: http://support.microsoft.com/kb/2914387
Wednesday, March 12, 2014 3:33 AM
-
FYI - We have now installed the fix as part of the rollup here - http://support.microsoft.com/kb/2928680/en-us
Which came via Windows Update. So far the DC has been stable, so for us the issue seems to be fully resolved.
Thursday, March 13, 2014 7:35 AM -
I met with this problem more than twice.
Another option:
Options suggested above did not help me.
Offered his solution:
1. OS upgraded to the actual state.
2. net stop NTDS /y
3. net stop Netlogon
4. net start Netlogon
5. Wait some time until you see Event 1119 in Event Viewer (Directory Service)
6. net start NTDS (all dependent services will start)
7. Reboot (not the fact that it is necessary to)
If the domain controller is secondary and not replicating from the primary:
1. Move the secondary domain controller to the primary controller's site using 'Active Directory Sites and Services'
2. Wait 1-5 minutes and check that the replication on the secondary was successful: 'repadmin /showrepl'
3. Return the secondary controller to the original site
- Edited by IamShell Friday, February 6, 2015 1:06 PM
Wednesday, September 24, 2014 12:08 PM -
Server2012R2 with the patch (http://support.microsoft.com/kb/2928680/en-us) still rebooting every 10 min.
server has all the updates
Server started the problem after these updates were installed.
KB3000869
KB3000061
KB2995004
KB2994897
KB2989542
KB2987107
KB2984006
KB2979576
KB2978041
KB2977174
- Edited by anielk Friday, October 17, 2014 3:26 PM extra information
Friday, October 17, 2014 2:07 PM -
I just uninstalled all the KBs but with no success. It is still rebooting :(
Monday, October 20, 2014 7:23 AM