Access Violation in Lsass.exe Because of LDAP Version 2 Search with Referrals

This article was previously published under Q324184
This article has been archived. It is offered "as is" and will no longer be updated.
An access violation error message may occur in the Lsass.exe process of a domain controller. An event ID 1173 from NTDS may be logged, and your server may then restart. The description of the event is:
Internal event: Exception c0000005 has occurred with parameters 758291C9 and 0 (Internal ID 0).
An LDAP version 2 client that performs a search that generates two or more referrals may cause the domain controller on which the search is running to stop responding (hang). The occurrence of the domain controller hanging is random. This is because it depends on the actual size of the buffer that is allocated for the referrals and the size of the referrals.

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

Hotfix Information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version           Size     File name   -----------------------------------------------------------   13-Jun-2002  16:26  5.0.2195.5781     123,664  Adsldp.dll          13-Jun-2002  16:26  5.0.2195.5781     131,344  Adsldpc.dll         13-Jun-2002  16:26  5.0.2195.5781      62,736  Adsmsext.dll        13-Jun-2002  16:26  5.0.2195.5801     358,160  Advapi32.dll        13-Jun-2002  16:26  5.0.2195.5265      42,256  Basesrv.dll         13-Jun-2002  16:26  5.0.2195.5855      49,424  Browser.dll         13-Jun-2002  16:26  5.0.2195.5595     135,952  Dnsapi.dll          13-Jun-2002  16:26  5.0.2195.5595      96,016  Dnsrslvr.dll        13-Jun-2002  16:26  5.0.2195.5722      45,328  Eventlog.dll        13-Jun-2002  16:26  5.0.2195.5878     222,992  Gdi32.dll           13-Jun-2002  16:26  5.0.2195.5859     145,680  Kdcsvc.dll          04-Jun-2002  21:31  5.0.2195.5859     199,952  Kerberos.dll        13-Jun-2002  16:26  5.0.2195.4928     708,880  Kernel32.dll        05-Jun-2002  17:50  5.0.2195.5861      71,024  Ksecdd.sys   05-Jun-2002  17:50  5.0.2195.5861     505,616  Lsasrv.dll          05-Jun-2002  17:50  5.0.2195.5861      33,552  Lsass.exe           04-Jun-2002  21:31  5.0.2195.5859     107,792  Msv1_0.dll          13-Jun-2002  16:26  5.0.2195.5877     307,472  Netapi32.dll        13-Jun-2002  16:26  5.0.2195.5723     360,208  Netlogon.dll        13-Jun-2002  16:26  5.0.2195.5884     916,752  Ntdsa.dll           13-Jun-2002  16:26  5.0.2195.5585     386,832  Samsrv.dll          13-Jun-2002  16:26  5.0.2195.5837     128,784  Scecli.dll          13-Jun-2002  16:26  5.0.2195.5757     299,792  Scesrv.dll          26-Jun-2001  02:17         47,808  User.exe            13-Jun-2002  16:26  5.0.2195.4314     402,192  User32.dll          13-Jun-2002  16:26  5.0.2195.5644     369,936  Userenv.dll         13-Jun-2002  16:26  5.0.2195.5859      48,912  W32time.dll         04-Jun-2002  21:32  5.0.2195.5859      57,104  W32tm.exe           11-Jun-2002  00:21  5.0.2195.5876   1,641,680  Win32k.sys   03-May-2002  18:31  5.0.2195.5731     178,960  Winlogon.exe        13-Jun-2002  16:26  5.0.2195.4602     243,472  Winsrv.dll          13-Jun-2002  16:26  5.0.2195.5737     125,712  Wldap32.dll      				

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

Article ID: 324184 - Last Review: 10/26/2013 17:14:21 - Revision: 3.6

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • kbnosurvey kbarchive kbautohotfix kbhotfixserver kbqfe kbdirservices kbwin2ksp4fix kbbug kbenv kberrmsg kbfix kbwin2000presp4fix KB324184