Changing Zone Replication = lsass.exe crashing and DC rebooting RRS feed

  • General discussion

  • Ran into a pretty bad bug.

    Using a Windows 8.1 Ent workstation, via Server manager I launch DNS Manager via Tools.

    I proceed to connect to a Windows Server 2012 R2 Datacenter Edition Domain Controller via the DNS Manager.

    In my case, I selected a reverse lookup zone, its properties -> "Change" for replication, selected in my case "All DNS servers in the domain" (currently set to all in the forest) clicked ok and then apply and received an error via DNS Manger. The DC now reboots!

    I then tried doing the same steps locally on the DC same thing, server reboots.

    OK, so I have to get this done so I figure Powershell right (ran the following local on the DC):

    Set-DnsServerPrimaryZone -Name "10.in-addr.arpa" -ReplicationScope "Domain", again the server reboots!

    So now there is NO way to manage DNS Zone replication changes???

    DC's event log:

    System log: Event ID 1074

    The process wininit.exe has initiated the restart of computer %hostname% on behalf of user  for the following reason: No title for this reason could be found
     Reason Code: 0x50006
     Shutdown Type: restart
     Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819.  The system will now shut down and restart.

    Application log: Event ID 1000

    Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
    Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
    Exception code: 0xc0000005
    Fault offset: 0x000000000019e45d
    Faulting process id: 0x1d8
    Faulting application start time: 0x01cee0ab5178fb6c
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\ntdsai.dll
    Report Id: 1d4047b0-4ca0-11e3-80ca-005056984a69
    Faulting package full name: 

    Faulting package-relative application ID: 

    Followed by this event

    Application log: Event ID 1015

    A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.

    This is extremely similar (if not the same) to http://support.microsoft.com/kb/927342/en-us back in the days.

    I don't know how to submit this to MS? Can anyone try (in a lab...) and reproduce. Thanks!

    • Edited by Madburg Wednesday, November 13, 2013 8:56 PM removed hostname
    • Changed type AnnaWY Thursday, November 21, 2013 6:21 AM
    Wednesday, November 13, 2013 8:53 PM

All replies

  • Hi Madburg,

    Thanks for your posting.

    According to the error message, we find it seems to be system crash issue and we need to use ADPlus to create dump file and then analyze it to narrow down the root cause of the issue. Unfortunately, it is not effective for us to debug the crash dump file here in the forum. Therefore, I would like to suggest that you contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.

    To obtain the phone numbers for specific technology request please take a look at the web site listed below:


    Hope the issue will be resolved soon.

    In addition, you are warmly welcome to share the resolution when the problem is resolved.

    Thanks in advance!

    Best regards,


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Thursday, November 14, 2013 9:30 AM
  • I understand Anna,

    I will give it a shot, is CSS via phone a paid service?

    I am going to also try and create a new zone and change its replication, to narrow this down to see if this is cause by any zone originally created by AD 2003 or any existing zone prior to 2012 R2 DC's being introduced.

    Friday, November 15, 2013 5:35 AM
  • This is a "Feature" on2012 R2

    Disable audit on AD

    I know this sounds absurd,- but disabling auditing on AD objects will  help you with this until patches  will  be released

    Basically with new security features, if you do not
    want the reboot, you have to make sure that your AD changes related to
    do not reflect in the event log

    I am sure that Microsoft will provide fix for that
    issue soon

    Have  fun

    • Edited by maz-it Friday, November 29, 2013 10:34 AM
    Friday, November 29, 2013 10:25 AM
  • Thanks for the information. I just ran into this trying to remove an AD-integrated conditional forwarder from a Server 2012 R2 domain controller. It happened on three straight Server 2012 R2 domain controllers. As soon as I removed the auditing setting, it allowed me to remove the forwarder. I wish they would correct this "feature".

    Eric J. Inch | Apex Digital Solutions | MCITP EA/EMA/LYNC/VA | CISSP | CEH | GSEC | VCP | CCNA

    • Edited by eric-apex Thursday, December 12, 2013 8:02 PM
    Thursday, December 12, 2013 8:01 PM
  • I am getting the exact same errors but only when I am renaming a user account.  As soon as I hit enter I get the Server is rebooting in less than a minute message and then the DC reboots.  I have event ids 1000 and 1015 immediately before the reboot.  Where am I supposed to be removing auditing from?  
    Monday, January 13, 2014 8:45 PM
  • Bob86,

    I ran into this issue for the first time last night too.  I did have a Windows 2003 server that I had in addition to the 2012R2 server, so I did it from there. 

    You set this in Group Policy Management. 

    The Default Domain Controller Policy usually has auditing enabled under Policies, Windows Settings, Security Settings, Local Policies/Audit Policy. 

    I changed each of mine to Defined and unchecked the boxes for Success and Failure so when I click OK, it says No Auditing.

    I run GPUpdate on the 2012R2 server and restarted it.  Then, I wasn't having this issue any longer

    Keep in mind that your domain may have additional group policy objects that also set auditing settings but I ALWAYS do these things in baby steps, so don't go overboard with lots of changes at one time.

    I hope that helps.  This advice provides no warranty.

    Tuesday, January 14, 2014 4:55 PM
  • That seems to be it.  I had several audit settings in there and once they were all turned off, refreshed and the issue disappeared.  Not an ideal workaround, I am opening a case with MS and hopefully they will have a better solution.  I'll update if one is found.
    Tuesday, January 14, 2014 5:27 PM
  • Ok this has been confirmed as a known issue by MS and a hotfix will be released and rolled into the update process once it has been verified.  The guy I spoke with thought March patch cycle seems likely.
    Friday, January 31, 2014 7:55 PM
  • Hi,

    For cases where LSASS crashes 60 seconds after renaming objects in Active Directory on Windows Server 2012 R2 computers, there are two courses of action:

    1. Call Microsoft Support and request the on-demand version of MSKB 2914387. You will need to provide a credit card to initiate the support call but you will not be charged for a bug fix.
    2. Temporarily disable Success Auditing in Default Domain Controllers Policy. Success Auditing may be enabled  on Global Audit Policy Path of:
      Computer Configuration -> Policies -> Windows Settings –> Security Settings –> Local Policies -> Audit Policy -> Audit directory service access
      The granular audit policy path of:
      Computer Configuration -> Policies -> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration -> Audit Polices -> DS Access -> Audit Directory Service Changes

    Refresh policy with GPUPDATE /FORCE, wait policy refresh interval or reboot the DC to make the audit policy change take effect.

    I hope this helps,

    Justin [MSFT]

    Saturday, February 15, 2014 2:35 AM
  • I am also having this happen on 2012 R2 DCs, it happens when renaming a user or renaming an Exchange mailbox database. Nice to know a fix is coming. Disabling "Audit directory service access" (or more appropriately not defining it) and restarting the DCs did the trick.

    Doug Kinzinger, MCSE

    Friday, February 28, 2014 4:38 PM
  • I am having the same issue- originally thought it was VMware related (NIC driver), but then a new physical server started having the same problem.  Glad I stumbled upon this article didn't see it in my original searches.  I was able to recreate the reboot by renaming a test account.  We are heavy users of auditing for sox-compliance reporting so turning that off isn't an option.  I am gearing up to call MS for that patch. Will report back- Keep an eye out for a post on "clients older than W2008 not being able to see the netlogon and sysvol" directories" due to the new SMB version on R2.
    Thursday, March 6, 2014 5:01 PM
  • Hello. I'm having exacly same issue - http://social.technet.microsoft.com/Forums/windowsserver/en-US/0de2ab00-7b74-41e4-a390-7cb277900558/active-directory-domain-services-crash-after-administrator-renames-object-in-active-directory-users?forum=winserver8gen

    Tuesday, March 11, 2014 3:25 AM
  • It seems MS released update to address this bug: http://support.microsoft.com/kb/2914387
    Wednesday, March 12, 2014 3:33 AM
  • FYI - We have now installed the fix as part of the rollup here - http://support.microsoft.com/kb/2928680/en-us

    Which came via windows update.  So far the DC has been stable so for us the issue seems to be fully resolved.

    Thursday, March 13, 2014 7:35 AM
  • I met with this problem more than twice.
    Options suggested above did not help me.
    Offered his solution: 
    1 OS upgraded to the actual state.
    2 net stop NTDS /y
    3 net stop Netlogon
    4 net start Netlogon
    5 wait some time until you see in event viewer(Directory Service) Event 1119
    6 net start NTDS  ( all depended services will start)
    7 Reboot (not the fact that it is necessary to)

    Another option:
    If the domain controller secondary and not replicating from the primary.
    1. Move the secondary domain controller in the site to the primary controller using 'Active Directory Sites and Services'
    2.wait 1-5 minutes and check  the replication on secondary that was successfull: 'repadmin /showrepl'
    3 Return secondary controller to the original site

    • Edited by IamShell Friday, February 6, 2015 1:06 PM
    Wednesday, September 24, 2014 12:08 PM
  • Server2012R2 with the patch (http://support.microsoft.com/kb/2928680/en-us) still rebooting every 10 min.

    server has all the updates

    Server started the problem after these updates were installed.











    • Edited by anielk Friday, October 17, 2014 3:26 PM extra information
    Friday, October 17, 2014 2:07 PM
  • I just uninstalled all the KB but with no success. it is still rebooting :(

    Monday, October 20, 2014 7:23 AM