- Issue 1 Faster insertions to the change notification queue.
- Issue 2 Renames of domain-joined computers that are running Microsoft SQL Server may fail if the rename operation is serviced by Windows Server 2012 R2 DCs.
- Issue 3 Single logons are reported incorrectly in Active Directory as two logons.
- Issue 4 LSASS access violation occurs with error "0xC0000005" when targeted by Azure AD Connect clients that run "Full Import".
- Issue 5 LSASS access violation occurs when it is targeted by a recursive LDAP query against an AD group.
Before you install this update, see the Prerequisites section.
Issues that are fixed in this update
When this condition is true, the domain controller (DC) Local Security Authority Subsystem Service (LSASS) process consumes high CPU, up to 100 percent in extreme cases. The following operations are delayed or blocked while change notification queues build up on a given DC:
- Active Directory Replication triggered by change notification is delayed.
- ATQ thread registration or unregistration is delayed.
- Writes to the DC are blocked.
- While an insertion into the notification queue is in progress, processing of the queue is also blocked, so notification-based replication stalls for the duration of that operation.
- CPU usage for the LSASS process runs hot on such DCs: all other operations are blocked, and the only thread that gets CPU time is the one doing Active Directory replication work.
To determine an appropriate value for Maximum Concurrent LDAP Notifications, monitor this counter over a representative period and allow a buffer of at least 25 percent on top of the peak value observed.
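The sizing rule above, as an added PowerShell example that is not part of the KB article: sample a performance counter on each DC for a monitoring window, take the peak, and add 25 percent headroom. This page does not reproduce the name of the counter the article refers to, so the counter path is a parameter; `Get-Counter -ListSet NTDS` lists the counter paths the NTDS object exposes on a DC so you can pick the right one. The function name and the one-hour window are the example's own choices.

```powershell
# Added example, not from the KB. Derives a candidate value for
# Maximum Concurrent LDAP Notifications from observed counter data.
function Get-LdapNotificationLimitRecommendation {
    [CmdletBinding()]
    param(
        # Counter path named in the full KB article; not reproduced on this page.
        [Parameter(Mandatory)] [string] $CounterPath,
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $SampleIntervalSeconds = 15,
        [int]    $MaxSamples = 240,          # 240 x 15 s = one hour of data
        [double] $HeadroomFraction = 0.25    # "at least 25 percent" from the KB
    )

    $samples = Get-Counter -ComputerName $ComputerName `
                           -Counter $CounterPath `
                           -SampleInterval $SampleIntervalSeconds `
                           -MaxSamples $MaxSamples

    $values = foreach ($s in $samples) { $s.CounterSamples.CookedValue }
    $stats  = $values | Measure-Object -Maximum -Average

    [pscustomobject]@{
        ComputerName = $ComputerName
        Counter      = $CounterPath
        Samples      = @($values).Count
        Average      = [math]::Round($stats.Average, 1)
        Peak         = $stats.Maximum
        # Round up so the headroom is never less than the requested fraction.
        Recommended  = [int][math]::Ceiling($stats.Maximum * (1 + $HeadroomFraction))
    }
}

# Step 1: list the NTDS counter paths on this DC and pick the one the KB names.
(Get-Counter -ListSet NTDS).Paths

# Step 2: set $counterPath to that path, then sample every DC in the domain and
# size the limit from the highest peak seen anywhere.
$counterPath = '\NTDS\<counter named in the KB>'
$results = Get-ADDomainController -Filter * | ForEach-Object {
    Get-LdapNotificationLimitRecommendation -ComputerName $_.HostName -CounterPath $counterPath
}
$results | Format-Table ComputerName, Samples, Average, Peak, Recommended -AutoSize
$domainWide = ($results | Measure-Object -Property Recommended -Maximum).Maximum
"Domain-wide value to consider: $domainWide"
```

Run it during the busiest part of the replication and application cycle, not off-hours; a peak measured at a quiet time plus 25 percent will still be too low.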
Note The fix for this issue is included in security update 3160352.
Issue 2 Renames of domain-joined Microsoft SQL Server member computers fail with error "The directory service is busy".
This issue occurs when the following conditions are true:
- Microsoft SQL Server is installed on a Windows-based computer that is joined to an Active Directory domain.
- The Service Principal Name (SPN) that is registered by Microsoft SQL Server or Microsoft SQL Express contains non-numeric characters after the ":" delimiter in the servicePrincipalName attribute of the computer account that is being renamed (for example, a named-instance SPN of the form MSSQLSvc/host:INSTANCE rather than MSSQLSvc/host:1433).
- The computer that is hosting Microsoft SQL Server is renamed in Control Panel.
- A Windows Server 2012 R2 domain controller services the rename operation.
The error is:
The requested resource is in use.
The command failed to complete successfully.
For more information about this issue, see update 3152220.
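A pre-rename check for the SPN condition above, as an added PowerShell example that is not part of the KB article: it reads the servicePrincipalName values on a computer account and flags any whose host component carries a non-numeric value after the ":" delimiter. The function names and the sample SPNs are constructed for the example; the ActiveDirectory module cmdlets it calls are standard.

```powershell
# Added example, not from the KB. Flags SPNs that match the Issue 2 condition
# (non-numeric characters after ":" in the host component of the SPN).
Import-Module ActiveDirectory

function Test-SpnNonNumericPort {
    param([Parameter(Mandatory)] [string] $Spn)
    # SPN layout: service/host[:port-or-instance][/servicename]
    $parts = $Spn.Split('/')
    if ($parts.Count -lt 2) { return $false }
    $hostPart = $parts[1]
    $colon = $hostPart.IndexOf(':')
    if ($colon -lt 0) { return $false }            # no port or instance component
    $suffix = $hostPart.Substring($colon + 1)
    return -not ($suffix -match '^\d+$')            # true when the tag is not a plain port
}

function Get-RenameBlockingSpn {
    param([Parameter(Mandatory)] [string] $ComputerName)
    $acct = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    foreach ($spn in $acct.servicePrincipalName) {
        [pscustomobject]@{
            Computer      = $acct.Name
            SPN           = $spn
            NonNumericTag = Test-SpnNonNumericPort -Spn $spn
        }
    }
}

# Constructed sample SPNs so the parser can be exercised offline.
$sampleSpns = @(
    'MSSQLSvc/sql01.corp.example.com:1433',        # default instance: numeric port, not affected
    'MSSQLSvc/sql01.corp.example.com:SQLEXPRESS',  # named instance: affected
    'HOST/sql01.corp.example.com'                  # no ":" component, not affected
)
foreach ($s in $sampleSpns) { '{0,-5} {1}' -f (Test-SpnNonNumericPort -Spn $s), $s }

# Against a real account (hypothetical computer name), list only the SPNs that
# match the condition, and the 2012 R2 DCs that could service the rename.
Get-RenameBlockingSpn -ComputerName 'SQL01' | Where-Object NonNumericTag
Get-ADDomainController -Filter { OperatingSystem -like "*2012 R2*" } |
    Select-Object HostName, OperatingSystem
```

If the check reports a named-instance SPN and unpatched 2012 R2 DCs are present, install this update on those DCs before the rename rather than removing the SPN, since SQL Server will re-register it.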
A single logon attempt on the website is counted as two logon attempts in Active Directory. Therefore, the bad password count (badPwdCount) increases by two instead of by one for each failed attempt.
Issue 4 LSASS access violation occurs together with error "0xc0000005" on Windows Server 2012 R2 DCs targeted by Azure AD Connect identity sync clients that run "Full Import".
When a user runs "Full Import" on the Azure AD Connect identity sync client against a Windows Server 2012 R2-based DC, an access violation occurs in the LSASS process, and the DC restarts with error code "0xc0000005". This issue occurs only when the Active Directory Recycle Bin is disabled.
For more information about this issue, see update 3145339.
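A pre-flight check for the two conditions of Issue 4, as an added PowerShell example that is not part of the KB article: it reports whether the forest has the Active Directory Recycle Bin enabled and which domain controllers run Windows Server 2012 R2, and combines the two into a single exposure flag to consult before running a Full Import. The function name is the example's own.

```powershell
# Added example, not from the KB. Reports whether the Issue 4 conditions hold
# (2012 R2 DCs present and the AD Recycle Bin disabled).
Import-Module ActiveDirectory

function Test-FullImportCrashExposure {
    [CmdletBinding()]
    param()

    # The optional feature is enabled when it has at least one enabled scope.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $recycleBinEnabled = (@($feature.EnabledScopes).Count -gt 0)

    $dcs2012R2 = @(Get-ADDomainController -Filter { OperatingSystem -like "*2012 R2*" } |
                   Select-Object -ExpandProperty HostName)

    [pscustomobject]@{
        RecycleBinEnabled = $recycleBinEnabled
        Server2012R2DCs   = $dcs2012R2
        # Exposed only when both conditions from the KB are present.
        Exposed           = (-not $recycleBinEnabled) -and ($dcs2012R2.Count -gt 0)
    }
}

Test-FullImportCrashExposure | Format-List
```

Where Exposed is true, install this update on the listed DCs (or point the sync client at a patched DC) before running a Full Import.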
Lsass.exe crashes on a DC with an access violation when a user runs a recursive Lightweight Directory Access Protocol (LDAP) query against an Active Directory group that has many nested groups. An example of a query that can trigger this kind of crash is as follows:
How to get this update
Method 1: Windows Update
This update is provided as a Recommended update on Windows Update. For more information on how to run Windows Update, see How to get an update through Windows Update.
Method 2: Microsoft Update Catalog
To get the stand-alone package for this update, go to one of the following Microsoft Update Catalog websites:
Note You must be running Microsoft Internet Explorer 6.0 or later.
Update detail information
Prerequisites
To install this update, you must first install the April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) on Windows Server 2012 R2.
Note The update should be installed on Windows Server 2012 R2-based or Windows Server 2012-based computers that are hosting the Active Directory Domain Services (AD DS) domain controller role.
Registry information
To apply this update, you don't have to make any changes to the registry.
Restart requirement
You may have to restart the computer after you apply this update.
Update replacement information
This update doesn't replace a previously released update.
Note For the file attributes of Windows Server 2012, see security update 3160352.