Forum Discussion
Domain Controller 2019 Event ID 1074, Reason Code: 0x50006 Lsass.exe terminated unexpectedly
dasave Hi. We open ticket premier support case Microsoft. Infomation about my case below:
Issue: LSASS crashes on domain controller repeatedly
Resolution:
The issue happened because the password didn’t preserved properly previously and caused the crash. Normally, we save the hash after password is changed. But the password stored in dump showed up as plain text. And the plain text is way too long for LSASS to process.
iopl=0 nv up ei pl nz na po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010205
samsrv!SampGetPrivateUserData+0x1db:
00007ff9`00ffb5eb 488b45f8 mov rax,qword ptr [rbp-8] ss:00000097`005f8ba8=0000023cf72a8df4
@rbx UserContext = 0x00000097`005f8270
<unavailable> UserPasswordSettings = <value unavailable>
<unavailable> DataLength = <value unavailable>
@r13 Data = 0x0000023c`bb6feda8
00000097`005f8b90 TempString = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
00000097`005f8ba0 StoredBuffer = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
@esi NtStatus = 0n0
<unavailable> BufferPointer = <value unavailable>
@r15d PasswordHistoryLength = 6
Dump you just uploaded:
UserContext = 0x0000020e`2760fb30
UserPasswordSettings = <value unavailable>
DataLength = <value unavailable>
Data = 0x0000020d`9c9eee78
TempString = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
StoredBuffer = ""GREr_?;XqBo?\pfSfYEk*@bG)[;j?/\8nwV:s OGA1LZ?SXg]eS66_cVoD3xGbxQ+DRWYN_$""xV>3w!w9vS:q!Jri+'fXJ[I#sbv^wiYm1PUzrvwSdGDXK2""
NtStatus = 0n0
BufferPointer = <value unavailable>
PasswordHistoryLength = 6
We would recommend following to reduce the probability of this issue from happening again.
We found you changed PasswordHistoryLength to 6 (By default is 24). Based on code review, changing the passwordhistorylength to 24 may help with the symptom. This will require you change your default domain policy: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ Enforce password history to 24.
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fenforce-password-history&data=04%7C01%7CTrungNV%40hpt.vn%7Cb9a64afbbe6f4c35f43f08d9638e6917%7Ce16cf9e441d94ad28f58dc3de9f67f3c%7C0%7C0%7C637650285662527135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=GH540YpLniC7frVqCyFGl%2F%2Fl861ULQzevAVVOUGXfmY%3D&reserved=0
Note: Enforce password history will apply for both machine account and user account.
Hello dear, could you please tell me if your problem was solved? Just resubmitted the error during business hours 😞
- Thank you very much for answering me, it's strange because in my case, I have DCs in different geographical locations, and they all have the same problem.
We are currently using the Manage Engine to allow users to reset their passwords and/or unlocks. for this reason our PasswordHistoryLength is in "5 passwords remembered", I will proceed to change it to 24 and validate.
In your case, was the problem solved?
Finally, it was not clear to me why the password was not saved well in Hash , and why it was saved in plain text?