Windows Server Updates Trigger Domain Controller Failures

Recent updates for Windows Server have been linked to significant disruptions in IT infrastructure, with numerous reports of domain controllers experiencing crashes and forced reboots.

The issues have been traced back to the March 2024 cumulative updates for Windows Server 2016 and Windows Server 2022, explicitly KB5035855 and KB5035857.

Impact on Domain Controllers

The core of the problem lies in a memory leak within the Local Security Authority Subsystem Service (LSASS), a critical component of the Windows operating system responsible for enforcing security policies and managing user logins, access token creation, and password changes.

The LSASS process is essential for the stable operation of domain controllers, which are pivotal in managing network security and user authentication within an organization’s IT environment.

Administrators have observed that domain controllers exhibit steadily increasing LSASS memory usage after installing the March updates.

This escalation in resource consumption eventually leads to the system becoming unresponsive, culminating in crashes and automatic reboots.


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Such behavior disrupts normal business operations and poses a risk to network security and data integrity.

Causes of Crashes and Reboots

The LSASS memory leak introduced by the updates is the direct cause of the crashes and reboots.

Memory leaks occur when a program incorrectly manages memory allocations, reducing performance and system stability as the available memory is gradually exhausted.

In the case of domain controllers, the LSASS process’s memory leak leads to an unsustainable load on the system, forcing a crash as a last resort to recover from the failure.

Affected Windows Server Versions

The reported issues specifically affect Windows Server 2016 and Windows Server 2022.

These versions are widely used in enterprise environments, meaning the impact of the problem is potentially vast, affecting organizations globally.

This is not the first time LSASS-related issues have been reported after Windows Server updates—previous incidents were recorded in December 2022 and March 2022—which raises concerns about the recurring nature of such critical vulnerabilities.

The sysadmin community has been vocal about the disruptions, with many taking to online forums such as Reddit to share their experiences and seek advice. Comments range from frustration over the repeated nature of these issues to concerns about the lack of immediate solutions or workarounds.

Some users have reported rolling back the updates as a temporary fix, while others are waiting for Microsoft’s official response or patch.

A particular comment on the Microsoft Tech Community Exchange Team Blog highlights the severity of the issue, with one user stating, “This is a disaster. We’ve had to roll back the updates on all our DCs to prevent the entire network from going down.”

LSASS Process Memory Leak

The LSASS process memory leak is not new, but its recurrence is troubling for Microsoft and its user base.

The memory leak leads to a gradual increase in memory usage by the LSASS process until the system can no longer function properly. This type of issue requires prompt attention and resolution to maintain the security and stability of affected systems.

Microsoft has not released an official statement or solution regarding the March 2024 updates and the resulting domain controller crashes.

This situation underscores the importance of thorough testing and quality assurance in software updates, mainly when they affect critical components of enterprise IT infrastructure.

As the situation develops, system administrators are advised to monitor official channels for updates and consider holding off on applying the problematic updates until a fix is confirmed.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *