One of our customers recently had an issue with 2 of their 2012 R2 domain controllers running in Azure. They were A2_v2 specification running 2 vCores and 4GB of memory.

After about 5 hours of uptime, both servers would be using 3.9 of 4GB memory.

I checked Resource Monitor on one of the servers and the highest consumer was the lsass.exe process but it wasn’t really consuming that much memory.

I downloaded RamMap from the Sysinternals suite which allowed me to look at files being stored in the memory. Again, I couldn’t see anything obvious.

I turned my attention to the current handles in the system but the highest amount was from the DNS service. Just to check, I compared this to DNS servers from other forests in different environments and they were around the same.

Whilst in Task Manager on the first server after rebooting it, I noticed the paged pool was only around 200MB. However, on Server 2, just before I was about to restart it, it was 6.7GB…

Server 1:

Server 2:

I downloaded the Windows WDK and used PoolMon located in C:\Program Files (x86)\Windows Kits\10\Tools\x64 to inspect the paged memory on one of the servers and I found the following:

The Windows Notification Facility tag was using a lot of memory!

After looking online I found that Microsoft has acknowledged this as a problem for Windows Server 2012 and 2012 R2. The culprit turned out to be the Remote Registry service.

I resolved the issue by following the guidance in the Microsoft workaround above by opening regedit and changing the value of the DisableIdleStop DWORD from 0 to 1 and rebooting the servers.

This can be found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry
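
The paged pool check and the registry change described above can be scripted for repeat use across domain controllers. The PowerShell below is an added example, not part of the original post or of Microsoft's guidance; the `-Apply` switch and the 1 GB warning threshold are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run elevated on the affected server.
# Assumptions: the -Apply switch and the 1 GB warning threshold are illustrative;
# the counter path below is the English-locale name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [double]$PagedPoolWarnGB = 1
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry'
$valueName = 'DisableIdleStop'

# Paged pool size, the same figure Task Manager reports as "Paged pool".
$sample  = Get-Counter -Counter '\Memory\Pool Paged Bytes'
$pagedGB = [math]::Round($sample.CounterSamples[0].CookedValue / 1GB, 2)

# Read the DWORD without throwing when the key or value is absent ($null then).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

$service = Get-Service -Name RemoteRegistry

# Report the current state before changing anything.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    PagedPoolGB       = $pagedGB
    PagedPoolHigh     = ($pagedGB -ge $PagedPoolWarnGB)
    RemoteRegistry    = $service.Status
    DisableIdleStop   = $current
    WorkaroundPresent = ($current -eq 1)
}

if ($Apply -and $current -ne 1) {
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        # -Force overwrites an existing value of 0 as well as creating a missing one.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Warning 'DisableIdleStop set to 1; reboot the server, as in the post, for it to take effect.'
    }
}
```

Saved as a script, it reports only when run without arguments; `-Apply -WhatIf` previews the registry write and `-Apply` performs it.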

Since making the change, both servers have been running fine with normal memory usage levels!

Hope that helps! 🙂
