Posted December 13, 2022

Hello, Chris here from the Directory Services support team with part 2 of the series.

After installing the November 2022 security update or the Out of Band (OOB) update on your domain controllers, you might experience a memory leak within LSASS.exe (Local Security Authority Subsystem Service). This can degrade domain controller performance and cause operational failures and reliability issues.

If you have already patched your domain controllers, the December 13, 2022 security update resolves the known LSASS.exe memory leak. The resolving updates per operating system are:

OS                      Resolving Rollup KB   Resolving Security-Only Update
Windows Server 2019     5021237               N/A
Windows Server 2016     5021235               N/A
Windows Server 2012 R2  5021294               5021296
Windows Server 2012     5021285               5021303
Windows Server 2008 R2  5021291               5021288
Windows Server 2008     5021289               5021293

If you are not yet comfortable installing the December update, there is a registry workaround for the memory leak. Until you install the December update or a newer one, run the following command in an elevated command prompt on all of your domain controllers:

reg add "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature" /d 0 /t REG_DWORD

This change stops the leak without stopping and starting the KDC service. It WILL NOT free memory that LSASS has already leaked, so reboot the domain controller when it is feasible to do so.

Note: Setting KrbtgtFullPacSignature to 0 turns off the new PAC signatures that the November 2022 update added to mitigate CVE-2022-37967, so treat it as a temporary measure. Once you have installed the update that resolves this known issue, either remove the value or set KrbtgtFullPacSignature to a higher setting, depending on what your environment allows. Enable Enforcement mode as soon as your environment is ready.
See KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.

To check whether you are affected by this specific memory issue, watch this performance counter in Perfmon.exe and see whether it keeps rising:

\Process(lsass)\Private Bytes

Monitor "Private Bytes" for LSASS over a period of time. If the value just keeps increasing after installation of the November 2022/OOB update, you are more than likely affected by this issue. Normal behavior is for the value to rise during periods of higher load on the DC and fall again when the DC is less busy. Be aware that domain controllers will, by default, attempt to cache as much of the Active Directory database in memory as possible, so a high but stable value is not by itself a sign of a leak. See the Memory usage considerations section of AD DS performance tuning | Microsoft Learn.

Information about the changes made to the Kerberos Privilege Attribute Certificate (PAC) with the November 2022 security update: KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Operating system versions affected by this issue:
Windows 10, version 1809 and Windows Server 2019
Windows 10, version 1607 and Windows Server 2016
Windows 8.1 and Windows Server 2012 R2
Windows Server 2012
Windows 7 and Windows Server 2008 R2 SP1
Windows Server 2008 SP2

Introduction to this blog series: Having issues since deploying November 2022 Security Updates to your domain controller?
Part 3 of this blog series: What happened to Kerberos Authentication after installing the November 2022/OOB updates?
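As an added example (not part of the original post and not Microsoft tooling), the following PowerShell script does the two checks above across every domain controller in one pass: it samples \Process(lsass)\Private Bytes over a window and flags a monotonic rise, checks whether a resolving update from the table is installed, and applies the KrbtgtFullPacSignature workaround only where you ask for it and the fix is absent. It assumes RSAT's ActiveDirectory module, WinRM and remote performance-counter access to the DCs, and Domain Admin rights; the "installed on or after 2022-12-13" test for superseding updates is a heuristic of this example, not something from the post.

```powershell
<#
Added example, not code from the original post or from Microsoft.
Checks every domain controller for the LSASS Private Bytes growth described
above, reports whether a resolving December 2022 update is present, and
(only with -ApplyWorkaround, and only where the fix is absent and a rise was
seen) sets KrbtgtFullPacSignature = 0 on that DC.

Assumptions not stated on the page: RSAT ActiveDirectory module installed,
WinRM and remote Perfmon/WMI access to the DCs, run as Domain Admin.
#>
[CmdletBinding()]
param(
    [int]$Samples = 10,          # Private Bytes samples per DC
    [int]$IntervalSeconds = 60,  # seconds between samples
    [switch]$ApplyWorkaround     # set KrbtgtFullPacSignature=0 where needed
)

Import-Module ActiveDirectory

# Resolving KBs from the post's table (rollup and security-only), keyed by OS name prefix.
$ResolvingKBs = @{
    'Windows Server 2019'    = @('KB5021237')
    'Windows Server 2016'    = @('KB5021235')
    'Windows Server 2012 R2' = @('KB5021294', 'KB5021296')
    'Windows Server 2012'    = @('KB5021285', 'KB5021303')
    'Windows Server 2008 R2' = @('KB5021291', 'KB5021288')
    'Windows Server 2008'    = @('KB5021289', 'KB5021293')
}
$FixDate = [datetime]'2022-12-13'   # release date of the resolving updates
$KdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'

function Test-FixInstalled {
    param([string]$Computer, [string]$OperatingSystem)
    # Longest matching prefix, so "Windows Server 2012 R2" is not matched as "Windows Server 2012".
    $key = $ResolvingKBs.Keys | Where-Object { $OperatingSystem -like "$_*" } |
           Sort-Object Length -Descending | Select-Object -First 1
    $hotfixes = Get-HotFix -ComputerName $Computer -ErrorAction Stop
    if ($key -and ($hotfixes.HotFixID | Where-Object { $ResolvingKBs[$key] -contains $_ })) { return $true }
    # Heuristic (this example's assumption): later cumulative updates replace the December
    # LCU in Get-HotFix output, so any update installed on/after the fix date counts as fixed.
    return [bool]($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $FixDate })
}

function Test-LsassLeaking {
    param([string]$Computer)
    # The counter the post says to watch.
    $values = (Get-Counter -ComputerName $Computer -Counter '\Process(lsass)\Private Bytes' `
                -SampleInterval $IntervalSeconds -MaxSamples $Samples).CounterSamples.CookedValue
    $rises = 0
    for ($i = 1; $i -lt $values.Count; $i++) { if ($values[$i] -gt $values[$i - 1]) { $rises++ } }
    # Healthy LSASS rises under load and comes back down; a leak only rises.
    # A short window can still be fooled by a burst of load, so a hit means "investigate".
    [pscustomobject]@{
        StartMB = [math]::Round($values[0] / 1MB, 1)
        EndMB   = [math]::Round($values[-1] / 1MB, 1)
        Leaking = ($rises -eq ($values.Count - 1))
    }
}

foreach ($dc in Get-ADDomainController -Filter *) {
    $fixed   = Test-FixInstalled -Computer $dc.HostName -OperatingSystem $dc.OperatingSystem
    $trend   = Test-LsassLeaking -Computer $dc.HostName
    $current = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path $using:KdcKey -Name KrbtgtFullPacSignature -ErrorAction SilentlyContinue).KrbtgtFullPacSignature
    }
    [pscustomobject]@{
        DC = $dc.HostName; OS = $dc.OperatingSystem; FixInstalled = $fixed
        LsassStartMB = $trend.StartMB; LsassEndMB = $trend.EndMB; LooksLeaking = $trend.Leaking
        KrbtgtFullPacSignature = $current
    } | Format-List

    if ($ApplyWorkaround -and -not $fixed -and $trend.Leaking) {
        # Value 0 switches off the new PAC signatures, i.e. the CVE-2022-37967 mitigation,
        # on this DC until you raise the value again after patching.
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            New-ItemProperty -Path $using:KdcKey -Name KrbtgtFullPacSignature -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
        Write-Warning "$($dc.HostName): KrbtgtFullPacSignature set to 0. Memory already leaked is not released; reboot when feasible."
    }
}
```

Run it first without -ApplyWorkaround to get the per-DC report, and lengthen -Samples and -IntervalSeconds on busy DCs so the window spans a quiet period; ten one-minute samples taken during a logon storm will rise for legitimate reasons. The script deliberately reads the existing KrbtgtFullPacSignature value before touching anything, so you can see which DCs are still on 0 when it is time to move to Audit or Enforcement mode.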