New Windows Server updates cause domain controller freezes, restarts
Microsoft is investigating LSASS memory leaks caused by the Windows Server updates released on November Patch Tuesday, which can lead to freezes or unexpected restarts of some domain controllers.
LSASS, which stands for Local Security Authority Subsystem Service, is responsible for enforcing Windows security policies. It handles access token creation, password change, and user logins.
If the service crashes, signed-in users immediately lose access to their Windows accounts and are shown a system restart error, after which the system reboots.
Microsoft explains on the Windows release health dashboard that LSASS may consume steadily more memory after the update is installed, and that the affected DC might become unresponsive and restart.
Depending on the workload of your DCs and the time since the server was last restarted, LSASS may keep increasing its memory usage for as long as the server stays up, and the server may become unresponsive or restart automatically as a result.
Redmond says this issue also affects the out-of-band Windows updates that were pushed out to fix authentication problems on Windows domain controllers.
The complete list of affected Windows versions includes Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
Microsoft says it is working on a resolution and will provide a fix in an upcoming release.
There are workarounds available
The company offers a temporary workaround that lets IT administrators deal with the domain controller instability until a permanent fix is available.
This workaround requires admins to set the KrbtgtFullPacSignature registry key (used to gate CVE-2022-37967 Kerberos protocol changes) to 0 using the following command:
reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft added.
It is recommended that you enable Enforcement mode as soon as your environment is ready. Details of this registry key and its possible values are in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.
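The following PowerShell script is an added example, not code from the article or from Microsoft. It reports lsass.exe memory use and uptime on every domain controller (the two factors Microsoft ties to the leak), shows the current KrbtgtFullPacSignature value, and applies the workaround above to all DCs in one pass so it can be reverted to a higher value once the fix ships. It assumes the RSAT ActiveDirectory module is installed, PowerShell remoting to the DCs works, and the caller has Domain Admin rights; the function names are the example's own.

```powershell
# Added example (not from the article or Microsoft): inventory LSASS memory on
# every DC and apply / later revert the KrbtgtFullPacSignature workaround.
# Assumptions: RSAT ActiveDirectory module installed, PowerShell remoting to
# the DCs enabled, caller is a Domain Admin.
Import-Module ActiveDirectory

$KdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$KeyName = 'KrbtgtFullPacSignature'

# Report lsass.exe working set, uptime and current key value per DC.
# Uptime matters because Microsoft links the leak to time since last restart.
function Get-DcLsassReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = $using:KdcKey
        $name = $using:KeyName
        $proc = Get-Process -Name lsass
        $os   = Get-CimInstance -ClassName Win32_OperatingSystem
        $cur  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $val  = if ($null -ne $cur) { $cur.$name } else { '(not set)' }
        [pscustomobject]@{
            DC           = $env:COMPUTERNAME
            LsassMB      = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            UptimeHours  = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
            PacSignature = $val
        }
    } | Select-Object DC, LsassMB, UptimeHours, PacSignature
}

# Set the key on every DC and print the old -> new value for the change log.
# 0 is the workaround from the article; the meaning of the higher values is
# defined in KB5020805 and is deliberately not restated here.
function Set-KrbtgtFullPacSignature {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][int]$Value
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = $using:KdcKey
        $name = $using:KeyName
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $old) { $old = '(not set)' }
        Set-ItemProperty -Path $key -Name $name -Value $using:Value -Type DWord
        '{0}: {1} {2} -> {3}' -f $env:COMPUTERNAME, $name, $old, $using:Value
    }
}

# Usage: survey first, then apply the workaround to every DC.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-DcLsassReport -ComputerName $dcs | Sort-Object LsassMB -Descending | Format-Table -AutoSize
Set-KrbtgtFullPacSignature -ComputerName $dcs -Value 0

# After the fix is installed, raise the key again to whatever value your
# environment allows per KB5020805, for example:
# Set-KrbtgtFullPacSignature -ComputerName $dcs -Value <value from KB5020805>
```

Run the report periodically (for instance from a scheduled task) and keep the output: a DC whose LsassMB climbs with UptimeHours is the one to restart or to prioritise for the workaround, and the old -> new lines from the set function give you the record you need when re-raising the value later.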
Redmond addressed another issue in March that led to reboots of Windows Server domain controllers as a result of LSASS crashes.
Earlier this month, Microsoft also released out-of-band (OOB) updates to fix domain controller sign-in failures and other authentication issues that were likewise caused by the November Patch Tuesday Windows updates.