2012 r2 constant rebooting on DC

andrewhunt 1 Reputation point
2020-09-21T20:16:34.517+00:00

I am at a loss on this one - Server 2012 r2 with dc role - we have at least 2 DCs who on reboot constantly reboot with the warning message of server will restart in one minute - issue says it is lsass.exe crashing with faulting module lsadb.dll

Can only get in to server via safe mode

We dare not reboot any more DCs as they may have same fault! Any ideas very much appreciated

Crash report below:

Version=1
EventType=APPCRASH
EventTime=132451462808065074
ReportType=2
Consent=1
ReportIdentifier=94224e51-fbda-11ea-81c5-0050569d64c3
IntegratorReportIdentifier=94224e50-fbda-11ea-81c5-0050569d64c3
NsAppName=lsass.exe
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=lsass.exe
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.17415
Sig[2].Name=Application Timestamp
Sig[2].Value=545042fe
Sig[3].Name=Fault Module Name
Sig[3].Value=lsadb.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.18759
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=59612c1e
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000000a657
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.400.8
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=2057
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=a8c1
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=a8c194a6f09e73c34c87e5e76aaa6cfa
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=ae9a
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=ae9a7a1de7edbcd1ca1027d29040ccdb
UI[2]=C:\Windows\system32\lsass.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Local Security Authority Process stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Local Security Authority Process
AppPath=C:\Windows\system32\lsass.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=8102D8877E41CC9ABDB06D18FC7E6609

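To check whether crash reports taken from different domain controllers record the same fault, the `Sig[n]` lines of a WER report like the one in the question can be parsed and compared on application, faulting module, both versions, exception code and offset. This is an added example, not part of the original thread; the sample is constructed from the signature lines quoted in the question, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: signature lines copied from the report quoted in the question.
SAMPLE_WER = """\
EventTime=132451462808065074
Sig[0].Name=Application Name
Sig[0].Value=lsass.exe
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.17415
Sig[3].Name=Fault Module Name
Sig[3].Value=lsadb.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.18759
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000000000000a657
"""
# Only Sig[n] lines; DynamicSig[n] reuses the same indices and lands in `fields`.
SIG_LINE = re.compile(r"^Sig\[(\d+)\]\.(Name|Value)=(.*)$")
KEY_FIELDS = ("Application Name", "Application Version", "Fault Module Name",
              "Fault Module Version", "Exception Code", "Exception Offset")

def parse_wer(raw):
    """Return (plain key=value fields, {signature name: value}) for one report."""
    if isinstance(raw, bytes):  # Report.wer on disk is usually UTF-16 with a BOM
        bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
        raw = raw.decode("utf-16" if bom else "utf-8", errors="replace")
    fields, names, values = {}, {}, {}
    for line in raw.splitlines():
        line = line.strip()
        m = SIG_LINE.match(line)
        if m:  # pair each Sig[n].Name with its Sig[n].Value by index
            (names if m.group(2) == "Name" else values)[int(m.group(1))] = m.group(3)
        elif "=" in line:
            key, _, val = line.partition("=")
            fields[key] = val
    return fields, {names[i]: values.get(i, "") for i in sorted(names)}

def event_time_utc(fields):
    """EventTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = int(fields["EventTime"])
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def fault_key(raw):
    """Tuple naming one crash site; equal tuples mean same fault in same builds."""
    sig = parse_wer(raw)[1]
    return tuple(sig.get(k, "").lower() for k in KEY_FIELDS)
```

Two reports describe the same crash only when `fault_key` returns equal tuples; a differing fault module version or offset means the binaries or the crash site differ, even if both name `lsass.exe` and `lsadb.dll`.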

8 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-09-21T20:25:15.617+00:00

    This one might help.
    https://support.microsoft.com/en-ca/help/3038261/lsass-exe-crashes-and-system-shuts-down-automatically-on-a-windows-ser

    Not a lot to go on but the simplest / safer solution may be to stand up a new one for replacement.

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2012, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. Simon Krüner 6 Reputation points
    2022-01-13T10:34:04.517+00:00

    Hi,
    same issue since today here (see also comment of VladimirMikhelson-0287).
    Main DC is Server 2012 R2 and secondary DC 2019. All Updates are installed. Maybe the latest update causes this problem?
    Also hotfix 2998097 (https://support.microsoft.com/en-us/topic/lsass-exe-crashes-and-system-shuts-down-automatically-on-a-windows-server-2012-r2-based-server-5abde4d6-917e-7825-867e-4c9f4ff616b9) was already installed with previous updates.

    Any ideas to solve this?

    Best regards,
    Simon

    1 person found this answer helpful.

  3. Kevin Lee 6 Reputation points
    2022-01-14T20:36:21.19+00:00

    Same issue/resolution here.
    I uninstalled all of the January 2022 updates and the reboots have stopped.
    The errors were lsass.exe and lsadb.dll from the Event Viewer.
    In my case, the reboots were happening when my Synology NAS tried to connect to the Windows 2019 AD.
    I have the Windows Server 2019 Domain connected to the Synology (through Synology's Domain/LDAP services).
    Something must have changed with the January 2022 update.
    I have disabled all updates to Server 2019 until Synology or MS issues a fix.

    1 person found this answer helpful.

  4. Carl Fan 6,836 Reputation points
    2020-09-22T09:54:11.277+00:00

    Hi,
    Have you met some other event error such as 1000/1001/1015?
    It looks like some of the settings in the AD schema are missing.
    For example, the NTDS Settings represents the domain controller in the replication system. The NTDS Settings object stores connection objects, which make replication possible between two or more domain controllers.
    Try to troubleshoot lsass.exe crash, I consider that you may need to use process monitor to capture the dump. If you could see event 1000/1001, you could config WER dump.
    Best Regards,
    Carl


  5. Joshua Gatewood 1 Reputation point
    2020-09-23T17:07:09.58+00:00

    We have the same issue - it occurred after attempting to install the latest patches. We removed the patch but cannot get the DC to stay on unless we turn off the NIC. Booting into Safe Mode with Networking works, but no AD services run in that mode.