LSASS and AUTHZ.dll causing DC reboot on member join

  • 224 Views
  • Last Post 06 May 2016
bpffa posted this 05 May 2016

I am running into an odd issue; new 2012r2 domain where the DC will reboot whenever a client is joined or disjoined from the domain.

Setup is a 2012r2 DC running AD & DNS and a s2012r2 DHCP server both statically set IPs; DNS pointing to DC IP. DHCP has scope set for subnet and secure dynamic updates on.

Everything works until I join a member server; I join OK then reboot and thats when the DC says it needs to reboot due to lsass crashing. error is:

Faulting application name: lsass.exe, version: 6.3.9600.17415, time stamp: 0x545042fe
Faulting module name: AUTHZ.dll, version: 6.3.9600.17796, time stamp: 0x552c452f
Exception code: 0xc0000005
Fault offset: 0x0000000000034704
Faulting process id: 0x210
Faulting application start time: 0x01d1a61763719568
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\AUTHZ.dll
Report Id: 9c12ca77-1219-11e6-80ce-00155dc83203
Faulting package full name:
Faulting package-relative application ID:

 

Everything seems OK after that though; unless I want to disjoin to member- DC crashes again with same error. This happens with member being Server 2012r2 or Win10.

 

 

I have never seen a DC do this and cannot find info linking lsass and AUTHZ.dll crashing

Order By: Standard | Newest | Votes
gkirkpatrick posted this 05 May 2016

"New domain" meaning new forest?




Any third-party software installed on the DC?




My first thought would be to refresh/update the binaries on the DC.




-gil









show

bpffa posted this 05 May 2016

Yes; completely new forest running on a hyper-v host. I have run sfc /scannow and Dism /Online /Cleanup-Image /ScanHealth and both come back as clean. The only

policies I have applied are essentially security defaults and auditing.

 

brendan

 

show

kennedyjim posted this 05 May 2016

Wooo, auditing is enabled.



 

https://support.microsoft.com/en-us/kb/2914387

 

show

gkirkpatrick posted this 05 May 2016

Wow, déjà vu. There was a similar issue with Windows 2000 (!) I think that would cause certain audit events to fail, and if you had

the shutdown on audit fail policy enabled, it would shut down the DC. There was a certain large US military organization that watched their DCs go offline one by one as they replicated the bit of data that cause the audit failure. But at least it was a clean

shutdown…

 

-g

 

show

jeremyts posted this 05 May 2016

It shows that your new DC’s are not patched. This was part of the March 2014 rollup hotfix, available via WSUS, etc.

 

There are an enormous amount of issues addressed in all the monthly rollups until the end of 2014. I wouldn’t put a 2012R2 DC into production without first

applying them. For example, the May 2014 rollup addresses WMI memory leaks, etc.

 

Cheers,

Jeremy

 

show

bpffa posted this 06 May 2016

My NTDSAI.dll is version 6.3.9600.18009 which is newer than what is posted in the hotfix article. I have set DS Object audit logging to No Audit and still have

this issue. The article referenced does not mention AUTHZ.dll so it may be some other oddity. I have never run into such issues setting up a clean forest before.

 

brendan

 

show

jeremyts posted this 06 May 2016

It may have regressed. What version is yours?

 

Here’s the latest version that I could find:

https://support.microsoft.com/en-us/kb/3103709

 

Cheers,

Jeremy

 

show

bpffa posted this 06 May 2016

Due to limited internet connectivity it appears the template I was using was about 2 month out-of-date. Post-patching the issue appears to be resolved. Full auditing

has been re-enabled and joining/unjoining members to the domain works the way it should.

 

brendan

 

show

Close