Not sure if this is the right fix? We've added this issue to our memory dump diagnostic which can confirm.
Symptoms
Consider the following scenario:
-
Domain Controller operating on Windows Server 2012 R2.
-
Advanced auditing is configured for "success audit" for "directory service changes."
-
Auditing is enabled for certain objects in the AD (user, group, OU).
-
An "auditing enabled" object is successfully renamed.
In this situation, the DC crashes in Local Security Authority Subsystem Service (LSASS) and restarts unexpectedly.
Resolution
To resolve this issue, install update rollup 2928680, or install the hotfix that is described in this article.
Update information
For more information about how to obtain update rollup 2928680, click the following article number to view the article in the Microsoft Knowledge Base:
2928680 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: March 2014
Hotfix information
A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:http://support.microsoft.com/contactus/?ws=supportNote In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Prerequisites
To apply this hotfix, you must be running Windows 8.1 or Windows Server 2012 R2.
Registry information
To apply this hotfix, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows 8.1 or Windows Server 2012 R2 file information notesImportant Windows 8.1 hotfixes and Windows Server 2012 R2 hotfixes are included in the same packages. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
-
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version
Product
Milestone
Service branch
6.3.960Â 0.16xxx
Windows 8.1 and Windows Server 2012 R2
RTM
GDR
-
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 8.1 and Windows Server 2012 R2" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows 8.1
File name |
File version |
File size |
Date |
Time |
Platform |
---|---|---|---|---|---|
Ntdsai.dll |
6.3.9600.16517 |
2,556,928 |
17-Jan-2014 |
16:46 |
x86 |
For all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2
File name |
File version |
File size |
Date |
Time |
Platform |
---|---|---|---|---|---|
Ntdsai.dll |
6.3.9600.16517 |
3,652,608 |
17-Jan-2014 |
17:00 |
x64 |
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates The following tools are known to trigger object renames operation:
-
Active Directory Users and Computers (ADUC or DSA.MSC)
-
Active Directory Administrative Center (ADAC or DSAC.EXE)
-
Active Directory Sites and Services (DSSITE.MSC)
-
ADSIEDIT.MSC
-
DNS Manager (DNSMGMT.MSC) when changing zone scopes and possibly other operations like deleting DNS zones
-
Microsoft Exchange 2007 Management console
-
LDP.EXE
-
Rename-AdoObject PowerShell commandlet
For an example of the logged events, see the following event log information:
Application Error Event ID 1000 Log Name: Application Event Source: Application Error Event ID 1000 Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed Exception code: 0xc0000005 Fault offset: 0x000000000019e45d Faulting process id: 0x214 Faulting application start time: 0x01cefa6743edbeec Faulting application path: C:\Windows\system32\lsass.exe Faulting module path: C:\Windows\system32\ntdsai.dll Report Id: d4cd7581-665c-11e3-80d7-005056984a2b Faulting package full name: Faulting package-relative application ID: Microsoft-Windows-Wininit Event 1015 Log Name: Application Source: Microsoft-Windows-Wininit Date: 22.01.2014 13:43:47 Event ID: 1015 Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.Additional file information for Windows 8.1 and Windows Server 2012 R2
Additional files for all supported x86-based versions of Windows 8.1
File property |
Value |
---|---|
File name |
X86_99153ad436a1df0f36665dd886da0c0a_31bf3856ad364e35_6.3.9600.16517_none_9411b57a5f5b2d15.manifest |
File version |
Not applicable |
File size |
712 |
Date (UTC) |
18-Jan-2014 |
Time (UTC) |
06:23 |
Platform |
Not applicable |
File name |
X86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.16517_none_85b4ba91d480dc99.manifest |
File version |
Not applicable |
File size |
3,352 |
Date (UTC) |
17-Jan-2014 |
Time (UTC) |
22:27 |
Platform |
Not applicable |
Additional files for all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2
File property |
Value |
---|---|
File name |
Amd64_834f935bdff3212878df07ff93d59a7f_31bf3856ad364e35_6.3.9600.16517_none_8cd7c1227151bd5b.manifest |
File version |
Not applicable |
File size |
716 |
Date (UTC) |
18-Jan-2014 |
Time (UTC) |
06:22 |
Platform |
Not applicable |
File name |
Amd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.16517_none_e1d356158cde4dcf.manifest |
File version |
Not applicable |
File size |
3,356 |
Date (UTC) |
18-Jan-2014 |
Time (UTC) |
00:30 |
Platform |
Not applicable |