Microsoft confirms Windows Server issue behind domain controller crashes

Update March 22: Microsoft has released emergency out-of-band (OOB) updates to fix this known issue.

Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash.

As BleepingComputer first reported on Wednesday and as many admins have warned over the last week, affected servers are freezing and restarting unexpectedly due to a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with this month's cumulative updates.

"Since installation of the march updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die)," one admin said.

"Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung," another Windows admin told BleepingComputer.

After BleepingComputer contacted Microsoft about the bug yesterday, the company has now confirmed it as a known issue that impacts all domain controller servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates.

It also only affects enterprise systems using the impacted Windows Server platform; home users are not affected.

"Following installation of the March 2024 security update, released March 12, 2024 (KB5035857), Local Security Authority Subsystem Service (LSASS) may experience a memory leak on domain controllers (DCs)," Microsoft says.

"This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests. Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers (DCs)."

Microsoft has identified the root cause and is working on a fix, which will be released soon.

Temporary workaround

Until Microsoft releases a fix for this severe memory leak issue and if they're unwilling to monitor affected systems' memory usage and reboot them when needed, Windows admins are advised to remove the troublesome updates from their domain controllers.

"Microsoft Support has recommended that we uninstall the update for the time being," the same admin told BleepingComputer.

To remove these buggy updates, open an elevated command prompt from the Start menu by typing 'cmd,' right-clicking the Command Prompt application, and then clicking 'Run as Administrator.'

Next, depending on what update you have installed on affected domain controllers, run one of the following commands:

wusa /uninstall /kb:5035855

wusa /uninstall /kb:5035849

wusa /uninstall /kb:5035857

In December 2022, Microsoft resolved another LSASS memory leak affecting domain controllers. After installing Windows Server updates released during the November 2022 Patch Tuesday, impacted servers would freeze and restart.

Additionally, in March 2022, Microsoft fixed one more LSASS crash that caused unexpected reboots of Windows Server domain controllers.