This is a pretty rough draft that we wanted to get out to our community as soon as possible so we can help tackle this issue and hopefully save people long hours of troubleshooting. It is aimed at a mid to high IT level, so if you have any doubts and you have a server down, please do not hesitate to call your local PSS for support.
Also note that the link provided to the third party (Computer Associates) may contain other resolution steps that might be simpler than ours but may require the use of tools that are unsupported from our perspective.
Our official Microsoft KnowledgeBase article can be found here:
KB 924995 - When you restart Windows Server 2003, the computer may display a gray screen or may appear to...
http://support.microsoft.com/kb/924995/en-us
MAIN ISSUE:
If you restart Windows Small Business Server 2003 the server may boot to a gray screen and appear to be hung. The server may respond to a ping but you cannot access it any other way.
Please note that there is a secondary issue that will affect your server even after you are able to boot into normal mode again. It concerns SSL sites not working, and it is discussed at the bottom of this post.
Cause and Resolution:
CA Antivirus signatures update 3054 (reported by CA products as 303.3.3054 or 303.3.3.3054) identify lsass.exe as a virus and delete or quarantine the file depending upon client configuration.
Link to the CA website regarding this issue:
http://supportconnect.ca.com/sc/kb/techdetail.jsp?searchID=TEC405236&docid=405236&bypass=yes&fr...
The issue is that lsass.exe is being identified as infected and quarantined, so we need to recover lsass.exe. You want a copy of LSASS.EXE from the SAME Service Pack level that was on the system; we can try copying it from DLLCACHE (if still present) as outlined in the steps below.
Try these steps:
Please note the following if you have OEM media: you might not be able to boot into the Recovery Console with the OEM media. If this is the case, please use different media to boot to the Recovery Console, such as a Windows XP SP2 CD.
Method 1:
a) Boot to the Recovery Console.
b) Enter the number for the installation you want to log on to.
c) Enter the LOCAL Administrator password for this machine.
d) Enter the following command:
e) copy C:\windows\system32\dllcache\lsass.exe C:\windows\system32\lsass.exe
NOTE: If you get a "The system cannot find the file specified" message when running this command, it will be necessary to copy LSASS.EXE from a working machine to a floppy disk, or to extract it from a Service Pack and place it on a floppy disk. Once LSASS.EXE is on a floppy disk, you can run this command instead:
copy A:\lsass.exe C:\windows\system32\lsass.exe
f) Boot to SAFE MODE.
g) Disable all the AntiVirus services (use MSCONFIG; go to the Services tab; click Hide All Microsoft Services; uncheck all the AntiVirus services).
h) Reboot and update the CA signatures.
Method 1a:
Alternate steps: these disable the eTrust services through the Recovery Console.
a) Start in the Recovery Console.
b) Type the following commands:
disable realtimeservice
disable jobservice
disable "Etrust Rpcservice"
(If you do not disable these services, eTrust will delete lsass.exe again on reboot.)
c) Copy lsass.exe to c:\windows\system32\dllcache and c:\windows\system32
NOTE: If you get a "The system cannot find the file specified" message when running this command, it will be necessary to copy LSASS.EXE from a working machine to a floppy disk, or to extract it from a Service Pack and place it on a floppy disk. Once LSASS.EXE is on a floppy disk, you can run this command instead:
copy A:\lsass.exe C:\windows\system32\lsass.exe
d) Reboot and update the CA signatures.
If you are getting ACCESS DENIED when trying to copy from the floppy, run the following commands in the Recovery Console:
set AllowAllPaths = TRUE
set AllowRemovableMedia = TRUE
(The SET command only works if the security policy "Recovery console: Allow floppy copy and access to all drives and all folders" was enabled on the server before the problem; otherwise the Recovery Console reports that SET is currently disabled.)
If this does not help, sometimes using the XP SP2 recovery console helps (You will need the media).
Don't forget to provide your storage controller drivers when booting to the Recovery Console if they are needed. You can usually tell you need them if, when you get to the Recovery Console, no Windows installation is found and you are not prompted for a password.
Other means of getting the right version of LSASS.EXE:
1. Extract lsass.exe from a Windows CD (at the appropriate service pack level).
2. Copy the file from a server that is not experiencing the issue and is at the same SP level. (lsass.exe is only 13KB in size, so it will fit on a floppy.)
3. If you did a parallel installation, you can service pack it if necessary and then copy lsass.exe from the parallel installation.
IF RECOVERY CONSOLE CANNOT BE USED, it may be necessary to place a parallel install on the system to get in.
Note: If lsass.exe has been removed from c:\windows\system32\dllcache, you will need to copy it to both c:\windows\system32 and c:\windows\system32\dllcache.
SECOND ISSUE:
OWA and other sites requiring SSL may not start.
Symptoms: OWA may not start; any other web site that uses HTTP SSL may fail.
Issue: the HTTP SSL service registry key may be missing.
Resolution:
Using regedit, export the HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilter key from a working server's registry and import it on the server experiencing the issue.
After importing the registry key on the server with the problem, check the ImagePath value to make sure it has the proper path (drive letter + path) to LSASS.EXE.
Reboot the server.
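Once the server is back in normal mode, the following batch script verifies both repairs described above (the lsass.exe copies from Method 1/1a and the HTTPFilter key from the second issue). It is an added example, not part of the original post or any Microsoft or CA tool; it assumes Windows is installed under %SystemRoot% and uses only the built-in fc.exe, reg.exe and sc.exe commands.

```batch
@echo off
rem Post-recovery check for the CA signature 3054 / lsass.exe issue.
rem Added example (not from the original post). Run from an elevated
rem command prompt after the server boots normally again.
setlocal
set RC=0
set SYS32=%SystemRoot%\system32
set DLLC=%SystemRoot%\system32\dllcache

echo [1] lsass.exe must exist in system32 AND in dllcache
if not exist "%SYS32%\lsass.exe" (echo   MISSING: %SYS32%\lsass.exe & set RC=1)
if not exist "%DLLC%\lsass.exe"  (echo   MISSING: %DLLC%\lsass.exe  & set RC=1)

rem The two copies must be the same Service Pack build; a byte-for-byte
rem compare catches a copy taken from a server at a different SP level.
if exist "%SYS32%\lsass.exe" if exist "%DLLC%\lsass.exe" (
    fc /b "%SYS32%\lsass.exe" "%DLLC%\lsass.exe" >nul 2>&1
    if errorlevel 1 (echo   WARNING: system32 and dllcache copies differ & set RC=1)
)

echo [2] HTTPFilter (HTTP SSL) service key must exist and point at lsass.exe
reg query HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilter /v ImagePath >nul 2>&1
if errorlevel 1 (
    echo   MISSING: HTTPFilter key or its ImagePath value & set RC=1
) else (
    reg query HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilter /v ImagePath | find /i "lsass.exe" >nul
    if errorlevel 1 (echo   WARNING: ImagePath does not reference lsass.exe & set RC=1)
)

rem The service should be running once the key is correct and the box rebooted.
sc query HTTPFilter | find /i "RUNNING" >nul
if errorlevel 1 (echo   WARNING: HTTPFilter service is not running & set RC=1)

if "%RC%"=="0" (echo ALL CHECKS PASSED) else (echo ONE OR MORE CHECKS FAILED)
endlocal & exit /b %RC%
```

The script exits with 0 only when both files are present and identical and the HTTP SSL service key resolves to lsass.exe and is running, so it can be run across several SBS boxes to confirm they have all been repaired.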