Hardware Node or Container is restarted, the following message can be found in Event Viewer's System log:
Log Name: System Source: USER32 Event ID: 1074 Level: Information Keywords: Classic User: SYSTEM Description: The process wininit.exe has initiated the restart of computer <computer name> on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code 255. The system will now shut down and restart.
Always followed by this event:
Log Name: System Source: LsaSrv Event ID: 5000 Level: Error Keywords: User: SYSTEM Description: The security package Kerberos generated an exception. The exception information is the data.
When a Windows Server 2008 R2-based or Windows 7-based computer runs under a high Kerberos authentication load, the Lsass.exe process crashes and error code 255 is generated. Therefore, the computer restarts unexpectedly.
This scenario is known for Microsoft: Lsass.exe crashes and error code 255 is generated in Windows Server 2008 R2 or in Windows 7
Possible reasons behind excessive load on Kerberos authentication module:
High authentication activity due to server's role in infrastructure (it is by design to receive high authentication load)
- Bruteforce/DDoS attacks
If issue is triggered by RDP attacks, security measures should be enhanced by the administrator of the node/container. Among the possible measures:
- Security log can be analyzed and common attackers networks can be blocked by firewall.
- RDP port can be changed for the container, follow this MS article: How to change the listening port for Remote Desktop.
- "Network Level Authentication" can be enabled for such node/containers.
If your host is running Windows Server 2008 R2 SP1 you may install Microsoft Update KB2732595. This is a Limited Distribution Release update, therefore you should download and install it manually. It is safe according to the following article
NOTE: Upgrade from Windows Server 2008 R2 to Windows Server 2008 R2 SP1 is CURRENTLY NOT SUPPORTED