locked
Faulting lsass.exe causes restarts RRS feed

  • Question

  • Hello,

    Couple weeks ago one of two DC servers started randomly restarting. There were no software installed, no updates either. For the whole time I have been doing everything I can think of to fix the problem but nothing seems to help. Application fails at random times (sometimes during work hours, other time very early in the morning, usually at least 1 time a day) and I have ran out of ideas. Please. Help!

    Server is Windows 2008 R2 SP1 running on VMware ESXi, 5.5.0, 2068190

    Errors that are produced in event log:

    Log Name:      Application
    Source:        Application Error
    Date:          2015.11.29 17:35:31
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC02-SRV.kaunoenergija.lt
    Description:
    Faulting application name: lsass.exe, version: 6.1.7601.23250, time stamp: 0x56258092
    Faulting module name: NTDSATQ.dll, version: 6.1.7601.18219, time stamp: 0x51ec9496
    Exception code: 0xc0000005
    Fault offset: 0x00000000000012dd
    Faulting process id: 0x20c
    Faulting application start time: 0x01d12a3ccd5e2b59
    Faulting application path: C:\Windows\system32\lsass.exe
    Faulting module path: C:\Windows\system32\NTDSATQ.dll
    Report Id: d2ae6734-96ae-11e5-b87a-000c29f00e69
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-11-29T15:35:31.000000000Z" />
        <EventRecordID>75366</EventRecordID>
        <Channel>Application</Channel>
        <Computer>DC02-SRV.kaunoenergija.lt</Computer>
        <Security />
      </System>
      <EventData>
        <Data>lsass.exe</Data>
        <Data>6.1.7601.23250</Data>
        <Data>56258092</Data>
        <Data>NTDSATQ.dll</Data>
        <Data>6.1.7601.18219</Data>
        <Data>51ec9496</Data>
        <Data>c0000005</Data>
        <Data>00000000000012dd</Data>
        <Data>20c</Data>
        <Data>01d12a3ccd5e2b59</Data>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>C:\Windows\system32\NTDSATQ.dll</Data>
        <Data>d2ae6734-96ae-11e5-b87a-000c29f00e69</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          2015.11.29 17:35:32
    Event ID:      1015
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DC02-SRV.kaunoenergija.lt
    Description:
    A critical system process, C:\Windows\system32\lsass.exe, failed with status code 255.  The machine must now be restarted.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
        <EventID Qualifiers="49152">1015</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-11-29T15:35:32.000000000Z" />
        <EventRecordID>75368</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>DC02-SRV.kaunoenergija.lt</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\system32\lsass.exe</Data>
        <Data>255</Data>
      </EventData>
    </Event>

    Things I have tried that didn't help:

    1. Installed KB2886087 which should be for this specific problem, and it did nothing.

    2. Changed time synchronization, because there were ~8min delay after restarting, later figured out that it was VMware server problem.

    3. I'm pretty sure this is not BSOD problem.

    If you need any additional information I will be more than happy to provide it. 

    Monday, November 30, 2015 6:07 AM

All replies

  • Hi,

    Since this is a domain controller so lsass.exe process will be having high utilization of memory and CPU. Because of which it may crash. 

    First I would recommend you to verify if there are any file system errors in the server, by running chkdsk on system drive and then sfc /scannow.

    If there are no errors then I would recommend to check the CPU and memory utilization of lsass.exe. If the resources are highly utilized then a memory and CPU upgrade would be recommend.

    Also configure memory dump to get create during an unexpected reboot, it will help the debugger to gather more information on the lsass.exe crash.

    Thanks


    **-CK-**

    Monday, November 30, 2015 6:28 AM
  • Thanks for the reply,

    I have just performed disk check with "CHKDSK /R" it said it found some errors and fixed them. 

    I also ran "sfc /scannow"

    As for CPU and memory utilization of lsass.exe, I haven't noticed that it would be very demanding. Highest I have seen RAM go up was ~190 MB, however can't say it might have spike right before it crashes.

    As for memory dump, it is configured, I even created dedicated memory dump, but none is created during the restart, maybe because it is simple unexpected restart and not BSOD crash?


    Monday, November 30, 2015 6:46 AM
  • Did not help, system just restarted again...
    Monday, November 30, 2015 11:37 AM
  • Hi,

    I don't think Microsoft has also any corrective solutions for this. I would recommend to place a call with MS on this.

    Thanks


    **-CK-**

    Tuesday, December 1, 2015 8:01 AM
  • Hi,

    Confirm that if KB 2732595 - Lsass.exe crashes and error code 255 is generated in Windows Server 2008 R2 or in Windows 7 – is applied to your problem:
    https://support.microsoft.com/en-us/kb/2732595

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, December 1, 2015 9:44 AM
  • My supervisor will be contacting our support representative, and we will most likely end up asking for their help.

    Thanks

    Tuesday, December 1, 2015 10:42 AM
  • I have seen this KB how ever it states

    Faulting application name: lsass.exe, version: 6.1.7601.17725, time stamp: 0x4ec483fc
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e

    And in my case it is:

    Faulting application name: lsass.exe, version: 6.1.7601.23250, time stamp: 0x56258092
    Faulting module name: NTDSATQ.dll, version: 6.1.7601.18219, time stamp: 0x51ec9496

    I doubt that it if for the same problem, but I might as well try it later because I'm running out of ideas of what to do.

    Thanks

    Tuesday, December 1, 2015 10:45 AM
  • Hi,

    is there any update about this problem?

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, December 8, 2015 5:33 AM
  • We are also experiencing the same issue and can find no resolution have you had any response from Microsoft
    Wednesday, December 9, 2015 8:50 AM