Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Window Server. Show all posts

New Windows Server Updates Cause Domain Controller Freezes, Restarts

 

Microsoft is looking into LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that may result in domain controller freezes and restarts. LSASS (Local Security Authority Subsystem Service) is in charge of enforcing security policies on Windows systems and managing access tokens, password changes, and user logins. 

If this service fails, logged-in users lose access to their Windows accounts on the machine and are presented with a system restart error followed by a system reboot. 

"LSASS might use more memory over time and the DC might become unresponsive and restart," Microsoft explains on the Windows Health dashboard.

"Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the uptime of your server and the server might become unresponsive or automatically restart."

Out-of-band Windows updates pushed out to address authentication issues on Windows domain controllers may also be affected by this known issue, according to Redmond. Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are all affected. Microsoft is working on a solution and promises an update in an upcoming release.

Workaround  Available:

Until a fix for this LSASS memory leak issue is available, the company offers a workaround for IT administrators to work around domain controller instability. This workaround requires admins to set the KrbtgtFullPacSignature registry key (used to gate CVE-2022-37967 Kerberos protocol changes) to 0 using the following command: reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft added.

"It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967."

Redmond addressed another known issue that caused Windows Server domain controller reboots due to LSASS crashes in March. Microsoft fixed domain controller sign-in failures and other authentication issues caused by November Patch Tuesday Windows updates earlier this month with emergency out-of-band (OOB) updates.