Windows Server domain controllers may stop, restart after recent updates

Microsoft outlines a workaround while pulling together a fix to LSASS memory leak


Updates to Windows Server released as part of this month's Patch Tuesday onslaught might cause some domain controllers to stop working or automatically restart, according to Microsoft.

The enterprise software behemoth said organizations installing KB5019966 or later updates on domain controllers (DCs) could see a memory leak with the Local Security Authority Subsystem Service (LSASS).

"Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the up time of your server and the server might become unresponsive or automatically restart," Microsoft wrote in its Windows Health Dashboard.

The out-of-band (OOB) updates for domain controllers released November 17 and 18 also might be affected by the issue.

LSASS is a Windows process on an Active Directory domain controller that is used to enforce the security policy on the operating system. Its tasks include providing Active Directory database lookups, authentication, and replication. It authenticates and verifies users who want to log into a Windows system, manages password changes, and creates access tokens.

It's an increasingly important tool at a time when threat groups are looking more at identity to access corporate networks.

The problem affects Windows Server versions 2008 SP2 and R2 SP1, 2012 and 2012 R2, 2016 and 2019.

Microsoft engineers are working on a fix that will appear as an update in an upcoming release.

In the meantime, the company is offering a workaround for users, who can open Command Prompt as Administrator to set the registry key KrbtgtFullPacSignature to "0".

After opening Command Prompt as Administrator, they can use the command:

reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD
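
A way to check on a domain controller whether the workaround value is set and whether LSASS memory is still climbing, as an added example that is not from Microsoft or the original article. The function name, sample count, interval and alert threshold are assumptions; the registry path and value name are the ones in the command above.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session on a DC.
# Sample count, interval and growth threshold are illustrative assumptions.
function Get-DcLsassLeakStatus {
    [CmdletBinding()]
    param(
        [int]$Samples = 6,                  # number of LSASS memory readings
        [int]$IntervalSeconds = 600,        # spacing between readings
        [double]$GrowthMBPerHourAlert = 50  # assumed alert threshold
    )

    # Registry location and value name as given in the workaround command.
    $kdcKey = 'HKLM:\System\CurrentControlSet\services\KDC'
    $name   = 'KrbtgtFullPacSignature'
    $prop   = Get-ItemProperty -Path $kdcKey -Name $name -ErrorAction SilentlyContinue
    $value  = if ($prop) { $prop.$name } else { $null }   # $null means the value is not set

    # Uptime matters: the advisory ties the leak to time since the last restart.
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime

    # Take timed readings of LSASS private bytes.
    $readings = @(for ($i = 0; $i -lt $Samples; $i++) {
        $p = Get-Process -Name lsass -ErrorAction Stop
        [pscustomobject]@{ Time = Get-Date; PrivateMB = $p.PrivateMemorySize64 / 1MB }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    })

    # Growth rate between the first and last reading, in MB per hour.
    $first = $readings[0]
    $last  = $readings[-1]
    $hours = ($last.Time - $first.Time).TotalHours
    $rate  = if ($hours -gt 0) { ($last.PrivateMB - $first.PrivateMB) / $hours } else { 0 }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        UptimeDays        = [math]::Round($uptime.TotalDays, 1)
        KrbtgtFullPacSig  = $value
        WorkaroundApplied = ($value -eq 0)
        LsassPrivateMB    = [math]::Round($last.PrivateMB, 1)
        GrowthMBPerHour   = [math]::Round($rate, 1)
        GrowthAlert       = ($rate -ge $GrowthMBPerHourAlert)
    }
}

Get-DcLsassLeakStatus | Format-List
```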

"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft wrote. "It is recommended to enable Enforcement mode as soon as your environment is ready."

The company added that more information about the registry key can be found in the Windows Health Dashboard note, which relates to issues arising from the November Patch Tuesday update. That update affected the Kerberos network authentication protocol on Windows Servers holding the domain controller role, which manages network and identity security requests.

In that case, the updates caused a number of problems, including failures in domain user sign-ins, failed Group Managed Service Accounts authentication, and remote desktop connections not actually connecting.

Users were also unable to access shared folders on workstations and printer connections that require domain user authentication.

Microsoft a couple of weeks ago issued the emergency OOB updates that users could install in all domain controllers to fix the problems. ®
