So, you say your DC’s memory is getting all used up after installing November 2022 security update

Hello, Chris here from Directory Services support team with part 2 of the series.

After installing the November 2022/Out of Band update on your domain controllers you might experience a memory leak happening within LSASS.exe (Local Security Authority Subsystem Service).  This could affect performance, cause operational failures, and/or reliability issues. 

If you have already patched your domain controllers, the December 13, 2022 security update should resolve the known memory leak that is happening within LSASS.exe at this time.  See table below, however if you do not currently feel comfortable with doing this please read the below:  

OS Resolving Rollup KB Resolving Security Only Update
Windows 5021237 N/A
2016 5021235 N/A
2012 R2 5021294 5021296
Windows Server 2012 5021285 5021303
Windows Server 2008 R2 5021291 5021288
Windows Server 2008 5021289 5021293

To briefly summarize the below, there is currently a registry key workaround for the memory leak.  If you haven't installed the December update or newer yet, you can use the registry key to avoid this problem.  Run the following commands in an elevated command prompt on all of your domain controllers:

reg add “HKLMSystemCurrentControlSetservicesKDC” -v “KrbtgtFullPacSignature” -d 0 -t REG_DWORD

The above registry change will stop the memory leak without stopping and starting the KDC Service.  It WILL NOT free up memory that has already been leaked within LSASS.  So, it is recommended that a reboot be done of the when it is feasible to do so.

Note: Once you have installed the patch that resolves this known issue, you should either remove this value or set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow. It is recommended to enable Enforcement mode as soon as your environment is ready. See: KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

If you want to see if you're affected by this specific memory issue, check for constant increases of this performance counter within Perfmon.exe to see if it is constantly rising: 

Process(lsass)Private Bytes

You will want to monitor “Private Bytes” for LSASS over a period of time.  If this value just keeps increasing after installation of the November 2022/OOB update, then you are more than likely affected by this issue.  Normal behavior should be that this value should go up during higher loads on the DC and then go down when the DC is not being utilized overtime. Please be aware that domain controllers will, by default, attempt to cache as much of the database in memory as possible. See the linked section of Memory usage considerations in AD DS performance tuning | Microsoft Learn.

Information about the changes made to Privilege Attribute (PAC) with the November 2022 security update:
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Links to operating system versions affected by this issue:

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1809-and-windows-server-2019#2966msgdesc

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016#2966msgdesc

https://learn.microsoft.com/en-us/windows/release-health/status-windows-8.1-and-windows-server-2012-r2#2966msgdesc

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2012#2966msgdesc
https://learn.microsoft.com/en-us/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1#2966msgdesc

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2008-sp2#2966msgdesc

Introduction to this blog series: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/having-issues-since-deploying-november-2022-security-updates-to/ba-p/3696512 

Part 3 of this blog series: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351 

 

This article was originally published by Microsoft's Directory Services Team. You can find the original article here.