My Domain Controllers are Rebooting


Rev: 2.0
Date: 03/04/2009

Problem

You have installed the Server-to-Server Password Synchronizer version 4.x and its associated agent on a synchronization target, and the machine reboots when the agent is running.

You may see Microsoft errors similar to: 1073741819 C:\windows\system32\lsass.exe has halted and a shutdown command has been issued by the NT AUTHORITY SYSTEM. This may be followed by a 60-second countdown clock before your machine reboots.

Cause

This is a known issue with Server-to-Server Password Synchronizer version 4.x and is caused by the DEP (Data Execution Prevention) function being enabled on your system. If you turn this feature off, the problem will be corrected. This issue was first fixed in Server-to-Server Password Synchronizer version 5.01.

The reason for the error is that the Server-to-Server Password Synchronizer version 4.x agent connects to the LSASS subsystem of your target machines to extract password hashes. In Windows XP SP2 and Server 2003 SP1 and later, the agent's attachment methodology looks like the kind of attack DEP is designed to stop, so when DEP is enabled the operating system service shuts down to protect itself from a security violation.

Resolution

To resolve the issue permanently and without modifying your DEP settings, upgrade immediately to version 5.x or later of Server to Server Password Synchronizer. The original agents deployed for version 4.x can be removed with the version 5.x console and new agents deployed directly from the console.


If you are unable to update to version 5.x of Server to Server Password Synchronizer, turn off Data Execution Prevention (DEP) on the affected target servers on which you have installed the synchronization agents. DEP settings can be adjusted by selecting Control Panel | System | Advanced | Settings | Data Execution Prevention | “turn on DEP for essential Windows programs and services only”. However, to ensure that the issue is resolved, the following procedures are recommended.

For Windows XP and Server 2003, change the DEP settings in the boot.ini file:

  1. Click Start, right-click My Computer, and then click Properties
  2. Click the Advanced tab, and then click Settings under the Startup and Recovery field
  3. In the System startup field, click Edit. The Boot.ini file opens in Notepad.
  4. Edit the /noexecute value so that its value is AlwaysOff (e.g. /noexecute=AlwaysOff).
  5. Reboot your system



For Windows Vista and Server 2008 do the following:

  1. Open an elevated command prompt: right-click Command Prompt and choose “Run As Administrator”
  2. In the command prompt, type: bcdedit.exe /set nx AlwaysOff

    Note: If you wish to turn DEP back on, you may later run the same command with one modification: bcdedit.exe /set nx AlwaysOn
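
Because this workaround disables DEP system-wide, it helps to keep track of which agent targets are running with it off so they can be switched back once version 5.x is deployed. The script below is an added example, not code from the vendor or from this article; it reads the DEP policy that WMI reports for each server and flags those set to AlwaysOff. It assumes Windows PowerShell (for Get-WmiObject) and remote WMI access, and the host names are constructed placeholders.

```powershell
# Added example, not vendor code. Host names below are constructed placeholders.
param([string[]]$Servers = @('DC01', 'DC02'))

# Values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
# They correspond to the /noexecute (boot.ini) and nx (bcdedit) settings.
# OptIn is "turn on DEP for essential Windows programs and services only".
$PolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepPolicy {
    param([string]$ComputerName)
    # One result row per server, filled in as far as the query succeeds.
    $row = New-Object PSObject -Property @{
        Computer = $ComputerName; OS = $null; HardwareDep = $null
        Policy = $null; DepDisabled = $null
    }
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem `
            -ComputerName $ComputerName -ErrorAction Stop
        $row.OS = $os.Caption
        $row.HardwareDep = $os.DataExecutionPrevention_Available
        $raw = $os.DataExecutionPrevention_SupportPolicy
        if ($null -eq $raw) {
            # Property absent: do not let a null be mistaken for 0 (AlwaysOff).
            $row.Policy = 'Not reported'
        } else {
            $code = [int]$raw
            if ($PolicyNames.ContainsKey($code)) { $row.Policy = $PolicyNames[$code] }
            else { $row.Policy = "Unknown ($code)" }
            $row.DepDisabled = ($code -eq 0)
        }
    } catch {
        # Unreachable host or access denied: record it rather than skip it.
        $row.Policy = "Query failed: $($_.Exception.Message)"
    }
    $row
}

$Servers | ForEach-Object { Get-DepPolicy -ComputerName $_ } |
    Select-Object Computer, OS, HardwareDep, Policy, DepDisabled |
    Sort-Object Computer | Format-Table -AutoSize
```

Servers that show DepDisabled as True are the ones to revisit with the AlwaysOn command from the note above after the agents have been upgraded.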



More Information

This article may be of service to you in your management of DEP: http://support.microsoft.com/kb/875352

Applies To:

Server to Server Password Synchronizer (SSPS)
