Windows 2008 server fails to start after specifying a static port to be used by the password filter

  • 7006791
  • 06-Sep-2010
  • 26-Apr-2012


Novell Identity Manager 3.6.1
Novell Identity Manager - Password Synchronization
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2


After installing the password filter on a domain controller running Windows 2008 (or Windows 2008 R2) and specifying in the filter that a static port should be used (instead of the default dynamic port), the server fails to start on the next reboot and on subsequent attempts. After a restart, the server begins to boot, but when it starts to load the lsass module, the load fails and the system reboots automatically. The lsass module fails to load on subsequent reboots as well, leaving the server in a continuous loop of startup attempts.

Once the server is running normally again, the following error can be seen in the Event Viewer:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000374.  The machine must now be restarted.


The issue has been reported to engineering and is currently under investigation. The problem seems to affect only Windows 2008 and 2008 R2 Operating Systems and not earlier versions of Windows.

To get the server out of the loop condition, one alternative is to boot the server from the installation media and go into the System Recovery Options (Repair current installation). Once there, select the option to open a command prompt and rename the file d:\windows\system32\pwfilter.dll to pwfilter.bak (in repair mode, drive C: is normally mounted as drive letter D:).

Once the server has been started normally, the current workaround is to configure the password filter to use a dynamic port instead. The configuration change can be done through the password sync applet or by removing the following key from the registry:

The password filter can be used again once the configuration has been reverted to use a dynamic port and the system has been successfully restarted.


Reported to Engineering