Windows Server 2012 R2-based or Windows Server 2012-based domain controller update, April 2016

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials

This article describes an update for Windows Server 2012 R2-based or Windows Server 2012-based domain controller dated April 2016 that addresses the following issues:
  • Issue 1 Faster insertions to the change notification queue.
  • Issue 2 Renames of domain-joined computers that are running Microsoft SQL Server may fail if the rename operation is serviced by Windows Server 2012 R2 DCs.
  • Issue 3 Single logons are reported incorrectly in Active Directory as two logons.
  • Issue 4 LSASS access violation occurs with error "0xC0000005" when targeted by AAD Connect clients that run "full import".
  • Issue 5 LSASS access violation occurs when it is targeted by a recursive LDAP query against an AD group.

Before you install this update, see the Prerequisites section.

Issues that are fixed in this update

Issue 1 Faster inserts to the Active Directory change notification queue. Inserts to this queue delay servicing of the Asynchronous Thread Queue (ATQ) thread pool, LDAP queries, and notification-based replication.

When this condition is true, the domain controller (DC) Local Security Authority Subsystem Service (LSASS) shows high CPU usage, or 100 percent CPU usage in extreme cases. The following operations are blocked when change notification queues build up on a given DC:
  • Active Directory replication that is triggered by change notification is delayed.
  • ATQ thread registration or unregistration is delayed.
  • Writes to the DC are blocked.
  • While an insertion is in progress, processing of the notification queue is also blocked. Notification-based replication is blocked during this operation.
  • CPU usage for the LSASS process runs cold on DCs because multiple operations are blocked and the only thread that gets CPU time is Active Directory replication.
This update adds an upper limit on the number of change notification items that a domain controller will add to the queue. After this threshold is reached, the DC responds with "ERROR_DS_ADMIN_LIMIT_EXCEEDED". By default, the threshold is 4096. The following registry value can be added to modify this threshold as needed:
HKEY_LOCAL_MACHINE\CCS\Services\NTDS\Parameters DWORD "Maximum Concurrent LDAP Notifications"
A maximum value for change notifications that is too low could cause unnecessary failures for change notification clients. Therefore, it is important to determine the "normal" range of this counter before you implement the hotfix. To establish the upper range of the change notification queue, consider monitoring the DS Notify Queue Size counter on all domain controllers in the forest to determine peak values.

Consider a buffer of at least 25% on top of the peak value experienced while monitoring this counter to determine an appropriate value of Maximum Concurrent LDAP Notifications.
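The sizing procedure above (monitor DS Notify Queue Size on every DC, take the peak, add at least 25 percent, then set the registry value) as an added PowerShell example; this is not code from the article. It assumes the counter is exposed as "\NTDS\DS Notify Queue Size" (verify the path with Get-Counter -ListSet NTDS), that "CCS" in the article's registry path abbreviates CurrentControlSet, and that the ActiveDirectory RSAT module is available if you want to enumerate DCs.

```powershell
# Added example, not part of the KB article.
# Sizes "Maximum Concurrent LDAP Notifications" from observed DS Notify Queue Size peaks.

function Get-RecommendedNotificationLimit {
    # Pure sizing step: peak observed queue size plus a safety buffer, compared with the default of 4096.
    param(
        [Parameter(Mandatory)][int[]]$ObservedQueueSizes,
        [double]$BufferFraction = 0.25,   # the article recommends at least 25 percent
        [int]$DefaultLimit = 4096          # default threshold stated in the article
    )
    $peak = ($ObservedQueueSizes | Measure-Object -Maximum).Maximum
    $recommended = [math]::Ceiling($peak * (1 + $BufferFraction))
    [pscustomobject]@{
        Peak           = $peak
        Recommended    = $recommended
        ExceedsDefault = ($recommended -gt $DefaultLimit)   # only then is the registry value needed
    }
}

function Measure-NotifyQueuePeak {
    # Samples the counter on each DC and returns the per-DC peak.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Samples = 60,
        [int]$IntervalSeconds = 60
    )
    $counter = '\NTDS\DS Notify Queue Size'   # assumed counter path; confirm with Get-Counter -ListSet NTDS
    $data = Get-Counter -ComputerName $ComputerName -Counter $counter -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $data.CounterSamples | Group-Object Path | ForEach-Object {
        [pscustomobject]@{
            Path = $_.Name
            Peak = ($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum
        }
    }
}

function Set-MaximumConcurrentLdapNotifications {
    # Writes the DWORD from the article on one DC and reads it back for confirmation.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Value
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Value -ScriptBlock {
        param($v)
        # CCS in the article = CurrentControlSet
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        New-ItemProperty -Path $key -Name 'Maximum Concurrent LDAP Notifications' -PropertyType DWord -Value $v -Force | Out-Null
        Get-ItemProperty -Path $key -Name 'Maximum Concurrent LDAP Notifications'
    }
}

# Constructed sample peaks (stand-ins for a real monitoring run) so the sizing step runs offline:
$samplePeaks = 120, 340, 2910, 1810, 770
Get-RecommendedNotificationLimit -ObservedQueueSizes $samplePeaks

# Live use (uncomment on a management host with RSAT):
# $dcs   = (Get-ADDomainController -Filter *).HostName
# $peaks = Measure-NotifyQueuePeak -ComputerName $dcs -Samples 1440 -IntervalSeconds 60
# $size  = Get-RecommendedNotificationLimit -ObservedQueueSizes ($peaks.Peak)
# if ($size.ExceedsDefault) { $dcs | ForEach-Object { Set-MaximumConcurrentLdapNotifications -ComputerName $_ -Value $size.Recommended } }
```

With the constructed sample the peak is 2910 and the recommendation is 3638, which is below the default of 4096, so no registry change would be needed; the live path only writes the value when the buffered peak exceeds the default, and the key is written on every DC because the limit is per-DC.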

Note The fix for this issue is included in security update 3160352.

Issue 2 Renames of domain-joined Microsoft SQL Server member computers fail with error "The directory service is busy".

This issue occurs when the following conditions are true:
  • Microsoft SQL Server is installed on a Windows-based computer that is joined to an Active Directory domain.
  • The Service Principal Name (SPN) that's registered by Microsoft SQL Server or Microsoft SQL Express contains non-numeric characters after the ":" delimiter in the SPN attribute of the computer account that's being renamed.
  • The computer that is hosting Microsoft SQL Server is renamed in Control Panel.
  • A Windows Server 2012 R2 domain controller services the rename operation.
Similarly, adding an alternative computer name also fails, and the NetDom add computername command fails with the following on-screen error:

Unable to add as an alternate name for the computer
The error is:

The requested resource is in use.

The command failed to complete successfully.

For more information about this issue, see update 3152220.
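A pre-rename check for the second condition listed above (an SPN whose text after the ":" delimiter is non-numeric, for example a named SQL instance rather than a port), as an added PowerShell example that is not from the article. The sample SPNs are constructed; the commented Get-ADComputer call assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the KB article.
# Flags servicePrincipalName values that carry non-numeric text after the ":" delimiter.

function Test-SpnNonNumericSuffix {
    param([Parameter(Mandatory)][string[]]$ServicePrincipalName)
    foreach ($spn in $ServicePrincipalName) {
        # SPN shape: service/host[:port-or-instance][/name]; inspect only the host segment.
        $afterService = ($spn -split '/', 2)[1]
        if (-not $afterService) { continue }
        $hostPart = ($afterService -split '/', 2)[0]
        $idx = $hostPart.IndexOf(':')
        if ($idx -lt 0) { continue }                 # no delimiter: condition does not apply
        $suffix = $hostPart.Substring($idx + 1)
        if ($suffix -notmatch '^\d+$') {             # anything other than a pure port number
            [pscustomobject]@{ SPN = $spn; Suffix = $suffix }
        }
    }
}

# Constructed sample SPNs (not taken from the page):
$sampleSpns = @(
    'MSSQLSvc/sql01.contoso.com:1433',        # numeric port: not matched
    'MSSQLSvc/sql01.contoso.com:SQLEXPRESS',  # named instance: matched
    'HOST/sql01.contoso.com',                 # no delimiter: not matched
    'MSSQLSvc/sql01.contoso.com:1433/extra'   # numeric port followed by a name: not matched
)
Test-SpnNonNumericSuffix -ServicePrincipalName $sampleSpns

# To check a real computer account before renaming it:
# $spns = (Get-ADComputer -Identity 'SQL01' -Properties servicePrincipalName).servicePrincipalName
# Test-SpnNonNumericSuffix -ServicePrincipalName $spns
```

Only the SQLEXPRESS entry is returned for the constructed sample. Any SPN the function lists is one that, under the conditions in this section, can make a rename serviced by a Windows Server 2012 R2 DC fail until the update is installed.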

Issue 3

A single logon attempt on the website is counted as two logon attempts in Active Directory. Therefore, the incorrect password count increases by two instead of by one.

Issue 4 LSASS access violation occurs together with error "0xc0000005" on Windows Server 2012 R2 DCs targeted by Azure AD Connect identity sync clients that run "Full Import".

When a user runs "Full Import" on an Azure AD Connect identity sync client against a Windows Server 2012 R2-based DC, an access violation occurs in the LSASS process, and the DC restarts with error code "0xc0000005". This issue occurs when the Active Directory Recycle Bin is disabled.

For more information about this issue, see update 3145339.

Issue 5

Lsass.exe crashes on a DC with an access violation when a user runs a recursive Lightweight Directory Access Protocol (LDAP) query against an Active Directory group that has many nested groups. An example of a query that can trigger this kind of crash is as follows:
ldifde -f t.txt -d "dc=contoso,dc=com" -r "(memberof:memberID:=cn=cn,cn=cn,dc=contoso,dc=com)"

How to get this update

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as a Recommended update on Windows Update. For more information on how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to one of the following Microsoft Update Catalog websites:

Note You must be running Microsoft Internet Explorer 6.0 or later.

Update detail information


To install this update, you must first install the April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) on Windows Server 2012 R2.

Note The update should be installed on Windows Server 2012 R2-based or Windows Server 2012-based computers that host the Active Directory Domain Services (AD DS) domain controller role.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update doesn't replace a previously released update.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.

File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.

Note For the file attributes of Windows Server 2012, see security update 3160352.