If you are running a Windows Server 2012 R2 domain controller that also hosts the DHCP and DNS services, you may encounter an issue where the DHCP service locks up and stops responding, with no errors logged in the Event log. This causes problems for network clients that rely on DHCP to obtain IP addresses and other configuration settings.
One way to diagnose this issue is to run "netstat -ano" on the server and check the output for UDP ports. You may notice that the DNS service (dns.exe) is holding a large number of UDP ports, which indicates that it is consuming too many ephemeral ports and preventing other applications, including DHCP, from binding UDP sockets.
This issue is related to a security patch for DNS that Microsoft released in 2008 (MS08-037) and whose behaviour is built into Windows Server 2012. The patch was intended to prevent DNS cache poisoning attacks by randomizing the source port of outbound DNS queries, which the DNS server does by pre-allocating a pool of UDP sockets. The side effect is that the DNS service reserves a large number of UDP ports, which can lead to port exhaustion over time.
The fix for this issue is to limit the number of ports the DNS service reserves for its socket pool, using the following command:
dnscmd /Config /SocketPoolSize <value>
where <value> is a number between 0 and 10000. The default value is 2500, which may be too high for some environments. I normally use 100, as this seems fine for a small to medium business.
After running this command, you need to restart the DNS service for the changes to take effect. You can do this by using the following commands:
net stop dns
net start dns
Alternatively, you can use the Services console or PowerShell cmdlets to restart the service.
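The diagnosis and fix above, combined into one script as an added example (this is not from the original post). It assumes dns.exe is the DNS service process, that netstat and dnscmd are on PATH, and that it runs in an elevated prompt on the domain controller; by default it only reports, and only changes the setting when run with -Apply.

```powershell
<#
  Added helper, not part of the original post. Assumes: dns.exe is the DNS
  service process, netstat/dnscmd are on PATH, and the script runs elevated
  on the DC. $NewPoolSize (100) is the value the post recommends for SMBs.
#>
param(
    [int]$NewPoolSize = 100,   # post's recommendation; the Windows default is 2500
    [switch]$Apply             # without -Apply the script only reports
)

# Step 1: count UDP endpoints per owning PID from 'netstat -ano' (the post's check).
# UDP lines in netstat output look like: "  UDP    0.0.0.0:53    *:*    1234"
$udpByPid = @{}
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*UDP\s+\S+\s+\S+\s+(\d+)\s*$') {
        $owner = $matches[1]
        $udpByPid[$owner] = [int]$udpByPid[$owner] + 1
    }
}

$dnsProc = Get-Process -Name dns -ErrorAction SilentlyContinue
if (-not $dnsProc) { throw "dns.exe is not running on this host" }
$dnsUdp   = [int]$udpByPid["$($dnsProc.Id)"]
$totalUdp = ($udpByPid.Values | Measure-Object -Sum).Sum
Write-Host ("dns.exe (PID {0}) holds {1} of {2} UDP endpoints" -f $dnsProc.Id, $dnsUdp, $totalUdp)

# Show the top consumers so that another process is not mistaken for DNS.
$udpByPid.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 5 |
    ForEach-Object { "  PID {0,-6} {1,5} UDP endpoints" -f $_.Key, $_.Value }

# Steps 2 and 3: apply the post's fix only when asked, then restart the DNS service.
if ($Apply) {
    if ($NewPoolSize -lt 0 -or $NewPoolSize -gt 10000) {
        throw "SocketPoolSize must be between 0 and 10000"
    }
    dnscmd /Config /SocketPoolSize $NewPoolSize
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
    Restart-Service -Name DNS -Force   # same effect as 'net stop dns' / 'net start dns'
    Write-Host "SocketPoolSize set to $NewPoolSize and the DNS service restarted"
} else {
    Write-Host "Re-run with -Apply to set SocketPoolSize to $NewPoolSize and restart DNS"
}
```

Run it once without -Apply to confirm that dns.exe, and not some other process, is the one holding most of the UDP endpoints before changing the pool size.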
This should resolve the DHCP service lock-up and improve the performance and stability of your server.
Microsoft Security Bulletin MS08-037 - Important | Microsoft Learn