Hello, Chris here from Directory Services support team with part 2 of the series.
After installing the November 2022/Out of Band update on your domain controllers you might experience a memory leak happening within LSASS.exe (Local Security Authority Subsystem Service). This could affect domain controller performance, cause operational failures, and/or reliability issues.
If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak that is happening within LSASS.exe at this time. See table below, however if you do not currently feel comfortable with doing this please read the below:
|
OS |
Resolving Rollup KB |
Resolving Security Only Update |
|
Windows Server 2019 |
N/A |
|
|
Windows Server 2016 |
N/A |
|
|
Windows Server 2012 R2 |
||
|
Windows Server 2012 |
||
|
Windows Server 2008 R2 |
||
|
Windows Server 2008 |
To briefly summarize the below, there is currently a registry key workaround for the memory leak. If you haven’t installed the December update or newer yet, you can use the registry key to avoid this problem. Run the following commands in an elevated command prompt on all of your domain controllers:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
The above registry change will stop the memory leak without stopping and starting the KDC Service. It WILL NOT free up memory that has already been leaked within LSASS. So, it is recommended that a reboot be done of the domain controller when it is feasible to do so.
Note: Once you have installed the patch that resolves this known issue, you should either remove this value or set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. It is recommended to enable Enforcement mode as soon as your environment is ready. See: KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
If you want to see if you're affected by this specific memory issue, check for constant increases of this performance counter within Perfmon.exe to see if it is constantly rising:
\Process(lsass)\Private Bytes
You will want to monitor “Private Bytes” for LSASS over a period of time. If this value just keeps increasing after installation of the November 2022/OOB update, then you are more than likely affected by this issue. Normal behavior should be that this value should go up during higher loads on the DC and then go down when the DC is not being utilized overtime. Please be aware that domain controllers will, by default, attempt to cache as much of the Active Directory database in memory as possible. See the linked section of Memory usage considerations in AD DS performance tuning | Microsoft Learn.
Information about the changes made to Kerberos Privilege Attribute Certificate (PAC) with the November 2022 security update:
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
Links to operating system versions affected by this issue:
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2012#2966msgdesc
https://learn.microsoft.com/en-us/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1#2966msgdesc
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2008-sp2#2966msgdesc
Introduction to this blog series: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/having-issues-since-deploying-november-2022-security-updates-to/ba-p/3696512
Part 3 of this blog series: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351
Microsoft