Forum Discussion

Brass Contributor

Nov 15, 2018

ATA Client on a Server 2019 Domain Controller

We have noticed that when installing the ATA client on a Windows Server 2019 domain controller the Lsass.exe service crashes every 10-25 minutes and causes the server to reboot. We also noticed that ...

EliOfek

Microsoft

Nov 15, 2018

Interesting.

ATA does not install anything that I am aware of that should effect lsass at all.

Please open a case with MS support ASAP, and ask the responding support engineer to add me to the email thread.

This is something that will need to be investigated using crash dumps etc, which is not applicable on this forum thread. once we find root cause we can update this thread with results.

Also, we might want to engage both an ATA engineer and a platform engineer to take a look on the crash dumps.

Questions:

Can you tell me if uninstalling the ATA gateway resolves the issue and lsass stop crashing?

Any 3rd party security apps installed on the machines?

Are those physical machines / VMs or both?

Do you have other DCs (< 2019) where everything works fine?

Do you have other DCs (< 2019) which experience the same problem?

If you have crash dumps already, please zip and upload to the secured workspace that will be provided by the support engineer.

Also, attach any logs & blg files you can find from the gateway service on the crashing machine:

See those for how to collect these files:

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs#ata-gateway-logs

https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs#ata-deployment-logs

Eli

EliOfek
Microsoft
Nov 15, 2018
Adding some important info to set expectations:

Officially, (and also according to ATA docs) ATA is not yet supported on 2019.

(When the latest ATA was released, Server 2019 was not GA yet).

In spite of that, we are interested in this case because this is not something we thought was possible,

so researching it is interesting, but eventually the support on this will be "best effort".
- Paul_Brock
  Brass Contributor
  Nov 15, 2018
  Can you tell me if uninstalling the ATA gateway resolves the issue and lsass stop crashing?
              Yes it did stop the reboots
  Any 3rd party security apps installed on the machines?
              None. These are dedicated AD controllers
  Are those physical machines / VMs or both?
              We tried both. The interesting thing is they all seemed to reboot at the same time.
  Do you have other DCs (< 2019) where everything works fine?
              Yes we have other 2016 DC’s that the Azure ATA client works just fine on
  Do you have other DCs (< 2019) which experience the same problem?
              No. The 2016 servers are acting as expected
  If you have crash dumps already, please zip and upload to the secured workspace that will be provided by the support engineer.
              Not yet. I will work on this.
  Also, attach any logs & blg files you can find from the gateway service on the crashing machine:
              I will work on this
  - Paul_Brock
    Brass Contributor
    Nov 16, 2018
    To be clear I'm talking about Azure Advanced Threat Protection and not the on prem version of ATP.