My Domain Controllers are Rebooting!

  • My Domain Controllers are Rebooting!

    Rev: 2.0
    Date: 03/04/2009

    Problem

    You have installed the Server-to-Server Password Synchronizer version 4.x and its associated agent on a synchronization target, and the machine reboots when the agent is running.

    You may see Microsoft errors similar to: "1073741819 C:\windows\system32\lsass.exe has halted and a shutdown command has been issued by the NT AUTHORITY SYSTEM." This may be followed by a 60-second countdown before your machine reboots.

    Cause

    This is a known issue with Server-to-Server Password Synchronizer version 4.x and is caused by the DEP (Data Execution Prevention) function being enabled on your system. If you turn this feature off, the problem will be corrected. This issue was first fixed in Server-to-Server Password Synchronizer version 5.01.

    The reason for the error is that the Server-to-Server Password Synchronizer version 4.x agent connects to the LSASS subsystem of your target machines to extract password hashes. In Windows XP SP2 and Server 2003 SP1 and later, the attachment methodology looks like a DEP attack, and when DEP is enabled the operating system service shuts down to protect itself from a security violation.

    Resolution

    To resolve the issue permanently and without modifying your DEP settings, upgrade immediately to version 5.x or later of Server to Server Password Synchronizer. The original agents deployed for version 4.x can be removed with the version 5.x console and new agents deployed directly from the console.


    If you are unable to update to version 5.x of Server to Server Password Synchronizer, turn off Data Execution Prevention (DEP) on the affected target servers on which you have installed the synchronization agents. Although DEP settings can be adjusted by selecting Control Panel | System | Advanced | Settings | Data Execution Prevention | “Turn on DEP for essential Windows programs and services only”, to ensure resolution of the issue, the following procedures are recommended.

    For Windows XP and Server 2003, change the DEP settings in the boot.ini file:
    1. Click Start, right-click My Computer, and then click Properties.
    2. Click the Advanced tab, and then click Settings under the Startup and Recovery field.
    3. In the System startup field, click Edit. The Boot.ini file opens in Notepad.
    4. Edit the /noexecute value so that its value is AlwaysOff (e.g. /noexecute=AlwaysOff).
    5. Reboot your system.


    For Windows Vista and Server 2008, do the following:
    1. Open a command prompt by right-clicking its shortcut and choosing “Run as administrator”.
    2. In the command prompt, type: bcdedit.exe /set nx AlwaysOff

      Note: If you wish to turn DEP back on, you may later run the same command with one modification: bcdedit.exe /set nx AlwaysOn


    More Information

    This article may be of service to you in your management of DEP: http://support.microsoft.com/kb/875352

    Applies To:

    Server to Server Password Synchronizer (SSPS)
    Last edited by Chris; 03-04-2009, 10:30 AM.
    Support
    support@liebsoft.com
    _________________________

    1875 Century Park East, Suite 1200
    Los Angeles, CA 90067
    http://www.liebsoft.com
    Main: (800) 829-6263
    International: +1 (310) 550-8575
    Fax: (310) 550-1152
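    Because the workaround in the Resolution section disables DEP for the whole server, an administrator will want to know which synchronization targets are running with DEP off and whether the lsass.exe shutdown from the Problem section is still recurring on them. The following PowerShell report is an added example, not part of the KB article or the SSPS product; it assumes Server 2008 or later targets reachable over WinRM, and the server names are placeholders.

```powershell
# Added example (not from the Lieberman KB article): report the system-wide DEP
# policy of each synchronization target and count recent System-log events
# whose text names lsass.exe (the reboot described in the Problem section).
# Assumes WinRM/CIM access and Server 2008+ targets (Get-WinEvent needs them).

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values
$DepPolicyName = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepAuditReport {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $Days = 7
    )
    foreach ($server in $ComputerName) {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server
        $policy = $DepPolicyName[[int]$os.DataExecutionPrevention_SupportPolicy]

        # Any System-log event in the window whose message mentions lsass.exe,
        # e.g. the SYSTEM-initiated shutdown quoted in the Problem section.
        $lsassEvents = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName   = 'System'
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'lsass\.exe' }

        [pscustomobject]@{
            Server         = $server
            DepPolicy      = $policy
            DepAlwaysOff   = ($policy -eq 'AlwaysOff')   # KB workaround in effect
            LsassEvents    = @($lsassEvents).Count        # still rebooting?
            DepAvailable   = $os.DataExecutionPrevention_Available
        }
    }
}

# Placeholder target names; replace with the servers carrying the SSPS agent.
Get-DepAuditReport -ComputerName 'DC01.example.local', 'DC02.example.local' |
    Format-Table -AutoSize
```

    A server showing DepAlwaysOff = True with zero lsass events is one where the workaround is in place and working; once it is upgraded to the 5.x agent, the same report confirms that DEP can be re-enabled (DepPolicy back to OptIn or OptOut) without the reboots returning.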

  • #2
    Workaround for DEP

    I have been testing SSPS on Windows Server 2003 R2 systems and the systems start rebooting if the agent is deployed on them.
    The thread recommends turning off DEP system-wide, which is a security concern with our accounts, and I tried turning off DEP only for the agent service (SAgent.exe), with and without a couple of other SSPS executables, but it does not help.

    Please advise if the system can be prevented from automatically rebooting by turning off DEP specifically for the agent service, because my testing has not found that to be true. Only if I turn off DEP completely (i.e. system-wide) do the servers not reboot.

    • #3
      Yes, DEP must be turned off for the whole system.

      We too confirmed that DEP cannot be turned off just for the SAgent.exe file which is why we recommend turning it off for the whole system. Because of the nature of the subsystems involved in the communication with the agent, such as the local security authority (LSA), DEP can cause problems for systems that must interact with it.
      Support
      support@liebsoft.com