Some Domain Controllers may restart unexpectedly after applying the March 12, 2024 Updates


When installing updates, there is always the risk of rogue updates: updates that break functionality, unannounced, unexpected and unsettling. Microsoft is currently investigating such a possible side effect of the March 12, 2024 updates on Active Directory Domain Controllers.


About the issue

Domain Controllers may restart unexpectedly and keep restarting. Admins report that memory usage of the lsass.exe process balloons until the process is terminated.

The Local Security Authority Subsystem Service (LSASS) enforces the security policy on the system. It verifies users signing in to Windows or Windows Server, handles password changes and creates access tokens, and it writes events to the Windows Security log. On Domain Controllers it also hosts the Active Directory database service and the Kerberos Key Distribution Center, which is why authentication load matters here. Because lsass.exe is a critical system process, its termination (for instance, after it exhausts memory) forces a restart of the Domain Controller. The restarts are the recovery mechanism, not the problem; the problem is the memory leak that precedes them.
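As an added example (not part of the original post), the following PowerShell function samples lsass.exe memory on a Domain Controller over a few minutes and tells a leak (steady, monotonic growth of private bytes) from normal churn (memory that grows and shrinks with load). The sample count, interval and growth threshold are assumptions to tune for your own Domain Controllers.

```powershell
# Added example, not from the original post: sample lsass.exe memory on a Domain
# Controller before the process is terminated and the server restarts.
# Sample count, interval and threshold are assumptions; adjust for your DCs.
function Measure-LsassMemoryGrowth {
    [CmdletBinding()]
    param(
        [int]$Samples = 10,
        [int]$IntervalSeconds = 30,
        [double]$LeakThresholdMBPerMinute = 50   # assumed threshold
    )

    $lsass = Get-Process -Name lsass -ErrorAction Stop
    $readings = @()

    for ($i = 0; $i -lt $Samples; $i++) {
        $lsass.Refresh()   # re-read the counters of the same process object
        $readings += [pscustomobject]@{
            Time      = Get-Date
            # Private bytes is the better leak indicator; working set can be trimmed by the OS.
            PrivateMB = [math]::Round($lsass.PrivateMemorySize64 / 1MB, 1)
            WorkingMB = [math]::Round($lsass.WorkingSet64 / 1MB, 1)
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    $first   = $readings[0]
    $last    = $readings[-1]
    $minutes = ($last.Time - $first.Time).TotalMinutes
    $ratePerMinute = if ($minutes -gt 0) { ($last.PrivateMB - $first.PrivateMB) / $minutes } else { 0 }

    # A leak shows as growth that never reverses; normal load goes up and down.
    $monotonic = $true
    for ($i = 1; $i -lt $readings.Count; $i++) {
        if ($readings[$i].PrivateMB -lt $readings[$i - 1].PrivateMB) { $monotonic = $false }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        StartPrivateMB = $first.PrivateMB
        EndPrivateMB   = $last.PrivateMB
        MBPerMinute    = [math]::Round($ratePerMinute, 1)
        Monotonic      = $monotonic
        LikelyLeak     = $monotonic -and ($ratePerMinute -ge $LeakThresholdMBPerMinute)
        Readings       = $readings
    }
}

# Usage: run locally on one DC, or fan out to all DCs in the domain from an
# admin workstation with the ActiveDirectory module installed:
#   Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName `
#       -ScriptBlock ${function:Measure-LsassMemoryGrowth} |
#       Select-Object Computer, StartPrivateMB, EndPrivateMB, MBPerMinute, LikelyLeak
```

Run it while the Domain Controllers are servicing authentication traffic; a DC that shows `LikelyLeak` as true is a candidate for the workaround below, ideally before it reaches the point where lsass.exe is terminated.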

Affected platforms

The following currently supported Windows Server versions are affected:

  • Windows Server 2016 build 14393.6796 (after applying KB5035855)
  • Windows Server 2019 build 17763.5576 (after applying KB5035849)
  • Windows Server 2022 build 20348.2340 (after applying KB5035857)

Unconfirmed details and symptoms

Some admins report the following details and symptoms:

  • The symptoms are observed not only on Active Directory Domain Controllers, but also on Microsoft Exchange Server installations
  • The symptoms occur when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests


Workaround

Active Directory admins experiencing continually restarting Domain Controllers report that they stopped the restarts by disconnecting the network connection, uninstalling the March 12, 2024 update from these systems and restarting them. Only after the restart did they reconnect the network connection, so that the Domain Controllers were not flooded with authentication requests while the update was being removed.

To uninstall these updates, run the command line that matches the Windows Server version from an elevated command prompt:

Windows Server 2016: wusa.exe /uninstall /kb:5035855

Windows Server 2019: wusa.exe /uninstall /kb:5035849

Windows Server 2022: wusa.exe /uninstall /kb:5035857
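As an added example (not part of the original post, and not Microsoft's guidance), the following PowerShell script ties the workaround steps together: it maps the running build to the update listed above, checks whether that update is actually installed and whether the machine is a Domain Controller, and, when run with -Uninstall, disconnects the network, removes the update and restarts. The KB-to-build mapping is taken from the post; the switches, exit-code handling and adapter handling are assumptions to adapt to your environment. One caveat a practitioner should know: on Windows Server 2022 the monthly cumulative update ships as a combined SSU+LCU package that wusa.exe cannot uninstall, so the script falls back to DISM /Remove-Package for that case.

```powershell
# Added example, not from the original post: detect the affected March 12, 2024
# update on this server and, on request, apply the rollback workaround.
# Run elevated on the Domain Controller itself. Supports -WhatIf.
#Requires -RunAsAdministrator

# Mapping from the post: CurrentBuildNumber -> KB and full build.
$AffectedUpdates = @{
    '14393' = @{ Kb = 'KB5035855'; Build = '14393.6796'; Os = 'Windows Server 2016' }
    '17763' = @{ Kb = 'KB5035849'; Build = '17763.5576'; Os = 'Windows Server 2019' }
    '20348' = @{ Kb = 'KB5035857'; Build = '20348.2340'; Os = 'Windows Server 2022' }
}

function Get-AffectedMarchUpdate {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $entry = $AffectedUpdates[[string]$cv.CurrentBuildNumber]
    if (-not $entry) { return $null }   # not one of the three server versions listed

    $hotfix = Get-HotFix -Id $entry.Kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Os                 = $entry.Os
        Build              = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        Kb                 = $entry.Kb
        Installed          = [bool]$hotfix
        InstalledOn        = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        # DomainRole 4 = backup DC, 5 = primary DC
        IsDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    }
}

function Invoke-MarchUpdateRollback {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Uninstall, [switch]$DisconnectNetwork)

    $state = Get-AffectedMarchUpdate
    if (-not $state) { Write-Host 'This build is not in the affected list.'; return }
    $state | Format-List Os, Build, Kb, Installed, InstalledOn, IsDomainController
    if (-not $state.Installed -or -not $Uninstall) { return }

    if ($DisconnectNetwork -and $PSCmdlet.ShouldProcess('network adapters', 'Disable')) {
        # Stops clients from sending Kerberos requests to this DC during the rollback.
        # Re-enable after the restart with: Get-NetAdapter | Enable-NetAdapter
        Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    }

    $kbNumber = $state.Kb -replace '^KB', ''
    if ($PSCmdlet.ShouldProcess($state.Kb, 'Uninstall')) {
        # wusa exit codes: 0 = removed, 3010 = removed, restart required (assumed handling).
        $p = Start-Process wusa.exe -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait -PassThru
        if ($p.ExitCode -notin 0, 3010) {
            # Combined SSU+LCU packages (Windows Server 2022) cannot be removed by wusa.
            # The LCU package identity carries the build number, so look it up with DISM.
            $pattern = "Package_for_RollupFix.*~$([regex]::Escape($state.Build))"
            $line    = (dism.exe /online /get-packages | Select-String -Pattern $pattern | Select-Object -First 1).Line
            if (-not $line) { throw "wusa failed ($($p.ExitCode)) and no LCU package for $($state.Build) was found." }
            $pkg = $line -replace '^Package Identity\s*:\s*', ''
            dism.exe /online /remove-package /packagename:$pkg /norestart
            if ($LASTEXITCODE -notin 0, 3010) { throw "DISM failed to remove $pkg (exit $LASTEXITCODE)." }
        }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) { Restart-Computer -Force }
}

# Usage: first see what would happen, then do it.
#   Invoke-MarchUpdateRollback -Uninstall -DisconnectNetwork -WhatIf
#   Invoke-MarchUpdateRollback -Uninstall -DisconnectNetwork
```

Run the -WhatIf form first: it prints the detected version, the KB that would be removed and whether the machine is a Domain Controller, without touching anything. After the restart, verify with Get-HotFix that the update is gone and re-enable the network adapters by hand.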


Concluding

I’m not a fan of not having critical updates installed, but in this case I feel it may be wise to wait 14 days before installing the March 12, 2024 updates on Domain Controllers. In my experience, serious problems like this one are addressed within that timeframe.


FURTHER READING

New Windows Server updates cause domain controller crashes, reboots
Microsoft confirms Windows Server issue behind domain controller crashes
Patch Tuesday Megathread (2024-03-12) : r/sysadmin (reddit.com)
Released: March 2024 Exchange Server Security Updates – Page 3 – Microsoft Community Hub
Domain Controllers running the latest updates may encounter LSASS memory leaks and unexpected restarts, unless…
Some Domain Controllers may restart unexpectedly after applying the January 11, 2022 Updates
