Access violation in LSASS while migrating domain information for NDS for NT installation on PDC.

(Last modified: 23Jan2002)

This document (10050645) is provided subject to the disclaimer at the end of this document.

fact

Novell NDS for NT 2.01

NDS Corporate Edition

NT domain with a PDC and one or more BDCs.

symptom

Access violation in LSASS while migrating domain information for NDS for NT installation on PDC.

Dr. Watson Error: "An application error has occurred and an application error log is being generated.  LSASS.EXE  Exception:  Access violation."

Exception number: c0000005 (access violation)

Error: "Error moving user to NDS.  error: c0020017  error description: Error opening NT user."

Error: "Error moving user to NDS.  error: c002001b  error description: Error obtaining NT user's information."

Error: "Error moving user to NDS.  error: c002001b  error description: Error getting the groups the user belongs to."

Error: "Error obtaining NT user's information."

Error: "Windows NT Security Message: Unexpected login error: Status 3221225527"

Error: "You do not have rights to shut down or restart the system."

cause

A backup domain controller (BDC) attempts to synchronize with the PDC during the NDS for NT account migration process.

fix

An internal test version of MIGFILTR.DLL (28APR2000) for NDS Corporate Edition, which addresses this issue, is available from Novell technical support.  Once a field test or public version of this update is released, the information in this document will be updated.  This same file may potentially be used for NDS for NT 2.01 but has not been tested in that environment.

Private data saved in the SAM (information in addition to normal NT account information, such as Citrix data saved with the user account) was too large for the stack when processed by MIGFILTR.DLL during migration.  This resulted in the fault when a backup domain controller attempted to synchronize with the PDC while MIGFILTR.DLL was in place (i.e. during migration).

Potential workaround:

Isolate the NT primary domain controller (PDC) such that it will have access to the NDS tree but the BDC(s) will be unable to communicate or sync with the PDC during the NDS for NT installation and account migration process.  After installation is complete and the PDC is confirmed to be successfully redirected into NDS, allow the BDC(s) to re-establish contact with the PDC.

Background:

This issue appears more likely to be seen if there are a large number of user accounts in the domain to migrate, or if the NDS for NT migration process takes a significant amount of time for any other reason (such as network performance between the PDC and the necessary NDS replicas).  The longer the migration takes, the more likely it is that a BDC will attempt to synchronize with the PDC while the migration is in progress.

Using a two-controller domain (one PDC and one BDC), this issue could be duplicated by using NLTEST.EXE /SYNC (from the Windows NT Resource Kit) to force a full sync while the NDS for NT installation was at the point of running the Domain Object Wizard (SAMMIG.EXE).  Within seconds of initiating the sync, the PDC showed an access violation in LSASS.EXE.

At that point the NDS for NT migration continued but incremented the "Error" count rather than the "Moved" count, as it was encountering a fatal error trying to read the NT account information for every account subsequent to the access violation.  In the MOVE.LOG generated by the migration process, the following types of errors were shown for each failed account:

Error moving user to NDS.
error: c0020017
error description: Error opening NT user.
User Name: <username>
User RID: <rid>

Error moving user to NDS.
error: c002001b
error description: Error obtaining NT user's information.
User Name: <username>
User RID: <rid>

Error moving user to NDS.
error: c002001b
error description: Error getting the groups the user belongs to.
User Name: <username>
User RID: <rid>

The migration program would then terminate, citing "Error obtaining NT user's information".  When attempting to shut down or restart the PDC via the "Shut down" menu, NT indicates that the currently logged-in user does not have such rights.  Logging out is successful, but attempting to log back in results in the error message "Windows NT Security Message: Unexpected login error: Status 3221225527".  After forcing a restart of the PDC via the power or reset switch, the same error still occurs when attempting to log in again.  The PDC never recovers on its own from the problem that has occurred.
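As an added example (not part of the original Novell document or of any Novell tool), the following Python script parses MOVE.LOG records in the layout shown above, counts failures per error code and lists each affected account once, in log order.  The sample user names and RIDs are constructed; status_hex only renders the decimal logon status in hexadecimal for lookup.

```python
import re
from collections import Counter

# Constructed sample in the MOVE.LOG record layout shown in this document (names/RIDs made up).
SAMPLE_MOVE_LOG = """\
Error moving user to NDS.
error: c0020017
error description: Error opening NT user.
User Name: jsmith
User RID: 1004

Error moving user to NDS.
error: c002001b
error description: Error obtaining NT user's information.
User Name: mjones
User RID: 1005

Error moving user to NDS.
error: c002001b
error description: Error getting the groups the user belongs to.
User Name: mjones
User RID: 1005
"""

FIELD = re.compile(r"^(error description|error|User Name|User RID):\s*(.*)$")

def parse_move_log(text):
    """Return one dict per 'Error moving user to NDS.' record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Error moving user to NDS"):
            current = {}
            records.append(current)
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return records

def summarize(records):
    """Count records per error code; list each (name, RID) once, in log order."""
    by_code = Counter(r.get("error") for r in records)
    accounts = list(dict.fromkeys((r.get("User Name"), r.get("User RID")) for r in records))
    return by_code, accounts

def status_hex(decimal_status):
    """Render a decimal status from the NT logon dialog as 32-bit hex."""
    return f"0x{decimal_status & 0xFFFFFFFF:08X}"
```

The first account returned by summarize marks where the migration began failing, which helps identify the accounts to re-check once the PDC has been recovered.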

Recovering a PDC which has encountered this condition involves restoring the Microsoft SAMSRV.DLL which had been replaced with MIGFILTR.DLL for the migration process.  Reverting to Microsoft's SAMSRV.DLL requires the following file renames:

1.  Rename C:\WINNT\SYSTEM32\SAMSRV.DLL to C:\WINNT\SYSTEM32\SAMSRV.OLD
2.  Rename C:\WINNT\SYSTEM32\MSSAMSRV.DLL to C:\WINNT\SYSTEM32\SAMSRV.DLL
3.  Rename C:\WINNT\SYSTEM32\SPSENTRY.EXE to C:\WINNT\SYSTEM32\SPSENTRY.OLD

Note that these renames have to be performed without NT running, e.g. by booting to MS-DOS to access the FAT partition where Windows NT is installed, or by using a third-party product to access an NTFS partition, in order to rename these files in the Windows NT system subdirectory.

document

Document Title: Access violation in LSASS while migrating domain information for NDS for NT installation on PDC.
Document ID: 10050645
Solution ID: NOVL500
Creation Date: 21Mar2000
Modified Date: 23Jan2002
Novell Product Class: NetWare
Novell eDirectory

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.