Forum Discussion
Paul_Brock
Nov 15, 2018 Brass Contributor
ATA Client on a Server 2019 Domain Controller
We have noticed that when installing the ATA client on a Windows Server 2019 domain controller the Lsass.exe service crashes every 10-25 minutes and causes the server to reboot. We also noticed that ...
DougHowell
Jan 16, 2019 Copper Contributor
I can confirm this is still an issue two months later! We have an open case with MS support on this issue. We upgraded two dedicated DCs from 2016 to 2019 and they were fine until Monday morning when they got user load then lsass became very unhappy.
It is very frustrating when MS tech breaks other MS tech, especially when it is tech specifically designed to run on a particular server role like this.
- EliOfek Jan 16, 2019
Microsoft
Hi Doug,
There is a reason AATP is still not stating support for Windows Server 2019 Domain Controllers, and this is because it hasn't cleared testing yet.
Sadly, there is a bug in lsass.exe that gets triggered easily when the sensor is installed. There is a private fix for it that wasn't publicly released yet, so if you are already in this situation support will be able to provide it to you for mitigation but this is "best effort" support for now as it's officially not yet a supported configuration.
Once the lsass fix is publicly released, hoping that AATP will pass 2019 testing, we will work quickly to officially support it.
- DougHowell Jan 18, 2019 Copper Contributor
So on our open issue with support on Windows Hello for Business breaking when authenticating against a Server 2019 DC, support just came back to us and said that issue is due to a bug in LSASS which there will be a fix for in the February CU, and provided a "temporary fix" for "testing purposes only". Is it the same bug in LSASS that is biting both Azure ATP and WhfB?
I ask because we have a workaround that will be fine for us for the WhfB issue in the interim without the temporary fix, but would look at it if it will allow us to get Azure ATP going again so we are not partially blind until Feb 13th when the CU comes out.
- EliOfek Jan 18, 2019
Microsoft
Yes, it's the same fix. We are actually waiting for it to be officially released, so we can complete testing of AATP on Server 2019, and given that we won't find new issues, also officially support it in the docs.