Forum Discussion
Domain Controller 2019 Event ID 1074, Reason Code: 0x50006 Lsass.exe terminated unexpectedly
What's the history here? New domain controller or new problem? How many domain controllers?
I have plan upgrade AD from 2008 to 2019. On root site have 02 DC2019 (Also have issue "restart unexpected" then fixed by re-creating health mailbox account) but Child domain is not resolved. In this site, I forcing install DC2012 to client connect normally and with DC2016 & DC2019, if start NETLOGON services. they are rebooted unexpected.
I doubt that some suspicious client attacking thought NETLOGON services. 😞
Please save me. This issue still not resolve for 3 months
dasave Hi. We open ticket premier support case Microsoft. Infomation about my case below:
Issue: LSASS crashes on domain controller repeatedly
Resolution:
The issue happened because the password didn’t preserved properly previously and caused the crash. Normally, we save the hash after password is changed. But the password stored in dump showed up as plain text. And the plain text is way too long for LSASS to process.
iopl=0 nv up ei pl nz na po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010205
samsrv!SampGetPrivateUserData+0x1db:
00007ff9`00ffb5eb 488b45f8 mov rax,qword ptr [rbp-8] ss:00000097`005f8ba8=0000023cf72a8df4
@rbx UserContext = 0x00000097`005f8270
<unavailable> UserPasswordSettings = <value unavailable>
<unavailable> DataLength = <value unavailable>
@r13 Data = 0x0000023c`bb6feda8
00000097`005f8b90 TempString = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
00000097`005f8ba0 StoredBuffer = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
@esi NtStatus = 0n0
<unavailable> BufferPointer = <value unavailable>
@r15d PasswordHistoryLength = 6
Dump you just uploaded:
UserContext = 0x0000020e`2760fb30
UserPasswordSettings = <value unavailable>
DataLength = <value unavailable>
Data = 0x0000020d`9c9eee78
TempString = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
StoredBuffer = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
NtStatus = 0n0
BufferPointer = <value unavailable>
PasswordHistoryLength = 6
We would recommend following to reduce the probability of this issue from happening again.
We found you changed PasswordHistoryLength to 6 (By default is 24). Based on code review, changing the passwordhistorylength to 24 may help with the symptom. This will require you change your default domain policy: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ Enforce password history to 24.
Note: Enforce password history will apply for both machine account and user account.
Hello dear, could you please tell me if your problem was solved? Just resubmitted the error during business hours 😞
I can still only understand about a third of this. Upgrading domain controllers in this broken environment is never recommended. You may want to restore a recent known good backup and work from there.
