So, you say your DC’s memory is getting all used up after installing November 2022 security update
Published Dec 13 2022 09:35 PM 21.9K Views
Microsoft

Hello, Chris here from Directory Services support team with part 2 of the series.

 

After installing the November 2022/Out of Band update on your domain controllers you might experience a memory leak happening within LSASS.exe (Local Security Authority Subsystem Service).  This could affect domain controller performance, cause operational failures, and/or reliability issues. 

 

If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak that is happening within LSASS.exe at this time.  See table below, however if you do not currently feel comfortable with doing this please read the below:  

OS

Resolving Rollup KB

Resolving Security Only Update

Windows Server 2019

5021237

N/A

Windows Server 2016

5021235

N/A

Windows Server 2012 R2

5021294

5021296

Windows Server 2012

5021285

5021303

Windows Server 2008 R2

5021291

5021288

Windows Server 2008

5021289

5021293

 

To briefly summarize the below, there is currently a registry key workaround for the memory leak.  If you haven’t installed the December update or newer yet, you can use the registry key to avoid this problem.  Run the following commands in an elevated command prompt on all of your domain controllers:

reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

The above registry change will stop the memory leak without stopping and starting the KDC Service.  It WILL NOT free up memory that has already been leaked within LSASS.  So, it is recommended that a reboot be done of the domain controller when it is feasible to do so.

 

Note: Once you have installed the patch that resolves this known issue, you should either remove this value or set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. It is recommended to enable Enforcement mode as soon as your environment is ready. See: KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

 

If you want to see if you're affected by this specific memory issue, check for constant increases of this performance counter within Perfmon.exe to see if it is constantly rising: 

\Process(lsass)\Private Bytes

 

You will want to monitor “Private Bytes” for LSASS over a period of time.  If this value just keeps increasing after installation of the November 2022/OOB update, then you are more than likely affected by this issue.  Normal behavior should be that this value should go up during higher loads on the DC and then go down when the DC is not being utilized overtime. Please be aware that domain controllers will, by default, attempt to cache as much of the Active Directory database in memory as possible. See the linked section of Memory usage considerations in AD DS performance tuning | Microsoft Learn.

 

Information about the changes made to Kerberos Privilege Attribute Certificate (PAC) with the November 2022 security update:
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

 

Links to operating system versions affected by this issue:

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2...

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2...

https://learn.microsoft.com/en-us/windows/release-health/status-windows-8.1-and-windows-server-2012-...

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2012#2966msgdesc
https://learn.microsoft.com/en-us/windows/release-health/status-windows-7-and-windows-server-2008-r2...

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2008-sp2#2966msgdesc

 

Introduction to this blog series: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/having-issues-since-deploying... 

Part 3 of this blog series: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-aut... 

1 Comment
Co-Authors
Version history
Last update:
‎Dec 13 2022 01:42 PM
Updated by: