Blog Post

Ask the Directory Services Team
3 MIN READ

So, you say your DC’s memory is getting all used up after installing November 2022 security update

DavidFisher's avatar
DavidFisher
Icon for Microsoft rankMicrosoft
Dec 13, 2022
Hello, Chris here from Directory Services support team with part 2 of the series.   After installing the November 2022/Out of Band update on your domain controllers you might experience a memory ...
Updated Dec 13, 2022
Version 2.0
TMChannel's avatar
TMChannel
Copper Contributor
Dec 15, 2022

Not to be rude, but is Microsoft going to reinstate proper regression testing of AD-related patches in future? I can't think of one update to AD since November last year that has not resulted in significant issues.

 

Especially since major security changes are ongoing with the underlying protocols - the scale of these changes should entail more testing, not less, as it seems at present. I'm starting to develop a conspiracy theory that Microsoft trying to stealth-deprecate on-prem AD with problem patches (reminiscent of Exchange CUs)!

 

In case this helps someone else, we've found that the overall commit charge for the system memory is useful to determine which DCs are struggling. In our environment, we have different hardware specs in various AD sites, so the raw LSASS PrivateBytes counter was a little tricky to compare (other than the figures going up over time, of course). For us, we rebooted the DCs once they got to 70% memory commit, after setting KrbtgtFullPacSignature to 0.

 

$dcs = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).domaincontrollers.name |sort
$DCMemUsage = foreach ($dc in $DCs) {
    write-host "Querying $dc"
    Invoke-command $dc -scriptblock {
        $vmemsize = Get-CIMInstance -class win32_operatingsystem | select totalvirtualmemorysize,freevirtualmemory
        [pscustomobject]@{
        # total commit charge
        "SystemCommit (%)" = [math]::round((($vmemsize.totalvirtualmemorysize - $vmemsize.freevirtualmemory)/$vmemsize.totalvirtualmemorysize * 100),1)
        #Lsass private bytes
        "LsassPB (MB)" = [math]::round((gcim -query "SELECT PrivateBytes FROM Win32_PerfFormattedData_PerfProc_Process WHERE name='lsass'").privatebytes /1Mb)
        }

    }
}
$DCMemUsage |select PSComputerName,"SystemCommit (%)","LsassPB (MB)" |sort PrivateBytes -Descending |ft -AutoSize

----------------
PS > .Get-DCMemoryCommit.ps1
Querying TSTDC001.example.com
Querying TSTDC002.example.com
Querying TSTDC003.example.com
Querying TSTDC006.example.com
Querying TSTDC008.example.com

PSComputerName         SystemCommit (%) LsassPB (MB)
--------------         ---------------- ------------
TSTDC001.example.com           34.8          593
TSTDC002.example.com           66.1         5701
TSTDC003.example.com           34.7          803
TSTDC006.example.com           59.4          390
TSTDC008.example.com             63          205