Incorrect results in LDAP query, domain controller restarts, or user logons are denied in Windows Server 2012 R2

This article describes three unrelated issues that may occur on a Windows Server 2012 R2-based domain controller. You can fix these issues by using the update in this article. Before you install this update, see the Prerequisites section and the Restart requirement section.
Issues fixed in this update
Issue 1
If you run a date-based Lightweight Directory Access Protocol (LDAP) query that includes comparison on a time-typed attribute (LDAP Syntax 2.5.5.11), Active Directory Domain Services may return incorrect results.

For example, an LDAP query with a query filter like (&(objectClass=*)(whenChanged<=19410404161039.0Z)) that queries for any object class modified prior to calendar year 1941 that predates the release of the operating system incorrectly returns all entries for ObjectClass=*. The expected result is that such a query should return 0 objects.

Issue 2
A domain controller restarts automatically. This issue occurs because the Local Security Authority Server Service (LSASS) process crashes if universal group membership caching is enabled. At the time of the domain controller restart, an event ID 1173 similar to the following one is logged:


Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1173
Task Category: Internal Processing
Level: Warning
Keywords: Classic
Description:
Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.

Exception:c0000005 
Parameter:0  

Additional Data
Error value:7fffc0f924b3 
Internal ID:e0003fb

The significant data items in the event are the exception code and the "Internal ID". It is likely to be this problem when the three starting digits are "e00" and the lower four digits are close to "03fb".
Issue 3
Users can't log on to the computer after their password is changed. This issue occurs because of a latency in password synchronization between the branch domain controller and the primary domain controller (PDC).
How to get this update
You can get this update through Windows Update and the Microsoft Download Center. Even though this issue is observed only in Windows Server 2012 R2, this update also applies to Windows 8.1.

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as a Recommended update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center.

Operating systemUpdate
All supported x86-based versions of Windows 8.1DownloadDownload the package now.
All supported x64-based versions of Windows 8.1DownloadDownload the package now.
All supported x64-based versions of Windows Server 2012 R2DownloadDownload the package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information

Prerequisites

To apply this update, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed on Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You have to restart the computer after you apply this update.

Update replacement information

This update doesn't replace a previously released update.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information
The following table is a non exhaustive-list of Active Directory and Exchange attributes that follow the 2.5.5.11 syntax. 

LDAP Display NameAttribute Common NameSyntax
createTimeStampCreate-Time-Stamp2.5.5.11
dSCorePropagationDataDS-Core-Propagation-Data2.5.5.11
dXAConfReqTimems-Exch-DXA-Conf-Req-Time2.5.5.11
dXAImpSeqTimems-Exch-DXA-Imp-Seq-Time2.5.5.11
dXAReqSeqTimems-Exch-DXA-Req-Seq-Time2.5.5.11
dXASvrSeqTimems-Exch-DXA-Svr-Seq-Time2.5.5.11
dXATemplateTimeStampms-Exch-DXA-Template-TimeStamp2.5.5.11
expirationTimems-Exch-Expiration-Time2.5.5.11
fRSTimeLastCommandFRS-Time-Last-Command2.5.5.11
fRSTimeLastConfigChangeFRS-Time-Last-Config-Change2.5.5.11
gWARTLastModifiedms-Exch-GWART-Last-Modified2.5.5.11
meetingEndTimemeetingEndTime2.5.5.11
meetingStartTimemeetingStartTime2.5.5.11
modifyTimeStampModify-Time-Stamp2.5.5.11
msDFS-LastModifiedv2ms-DFS-Last-Modified-v22.5.5.11
msDS-DateTimems-DS-Date-Time2.5.5.11
msDS-Entry-Time-To-Diems-DS-Entry-Time-To-Die2.5.5.11
msDS-LocalEffectiveDeletionTimems-DS-Local-Effective-Deletion-Time2.5.5.11
msDS-LocalEffectiveRecycleTimems-DS-Local-Effective-Recycle-Time2.5.5.11
msExchAuthNextEffectiveDatems-Exch-Auth-Next-Effective-Time2.5.5.11
msExchChatStartTimems-Exch-Chat-Start-Time2.5.5.11
msExchDeletionPeriodms-Exch-Deletion-Period2.5.5.11
msExchELCExpirySuspensionEndms-Exch-ELC-Expiry-Suspension-End2.5.5.11
msExchELCExpirySuspensionStartms-Exch-ELC-Expiry-Suspension-Start2.5.5.11
msExchFirstSyncTimems-Exch-First-Sync-Time2.5.5.11
msExchGalsyncLastSyncRunms-Exch-Galsync-Last-Sync-Run2.5.5.11
msExchLastExchangeChangedTimems-Exch-Last-Exchange-Changed-Time2.5.5.11
msExchLastUpdateTimems-Exch-Last-Update-Time2.5.5.11
msExchLitigationHoldDatems-Exch-Litigation-Hold-Date2.5.5.11
msExchMailboxAuditLastAdminAccessms-Exch-Mailbox-Audit-Last-Admin-Access2.5.5.11
msExchMailboxAuditLastDelegateAccessms-Exch-Mailbox-Audit-Last-Delegate-Access2.5.5.11
msExchMailboxAuditLastExternalAccessms-Exch-Mailbox-Audit-Last-External-Access2.5.5.11
msExchOABLastTouchedTimems-Exch-OAB-Last-Touched-Time2.5.5.11
msExchOrganizationUpgradePolicyDatems-Exch-Organization-Upgrade-Policy-Date2.5.5.11
msExchPolicyLastAppliedTimems-Exch-Policy-Last-Applied-Time2.5.5.11
msExchRelocateTenantStartLockdownms-Exch-Relocate-Tenant-Start-Lockdown2.5.5.11
msExchRelocateTenantStartRetiredms-Exch-Relocate-Tenant-Start-Retired2.5.5.11
msExchRelocateTenantStartSyncms-Exch-Relocate-Tenant-Start-Sync2.5.5.11
msExchServer1LastUpdateTimems-Exch-Server1-Last-Update-Time2.5.5.11
msExchServer2LastUpdateTimems-Exch-Server2-Last-Update-Time2.5.5.11
msExchSetupTimems-Exch-Setup-Time2.5.5.11
msExchShadowWhenSoftDeletedTimems-Exch-Shadow-When-Soft-Deleted-Time2.5.5.11
msExchStsRefreshTokensValidFromms-Exch-Sts-Refresh-Tokens-Valid-From2.5.5.11
msExchTeamMailboxExpirationms-Exch-Team-Mailbox-Expiration2.5.5.11
msExchWhenMailboxCreatedms-Exch-When-Mailbox-Created2.5.5.11
msExchWhenSoftDeletedTimems-Exch-When-Soft-Deleted-Time2.5.5.11
msTSExpireDate MS-TS-ExpireDate2.5.5.11
msTSExpireDate2MS-TS-ExpireDate22.5.5.11
msTSExpireDate3MS-TS-ExpireDate32.5.5.11
msTSExpireDate4MS-TS-ExpireDate42.5.5.11
promoExpirationms-Exch-Promo-Expiration2.5.5.11
schemaUpdateSchema-Update2.5.5.11
spaceLastComputedms-Exch-Space-Last-Computed2.5.5.11
whenChangedWhen-Changed2.5.5.11
whenCreatedWhen-Created2.5.5.11
References
Learn about the terminology that Microsoft uses to describe software updates.
File Information
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.

Windows 8.1 and Windows Server 2012 R2

Notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.3.960 0.18xxxWindows 8.1 and Windows Server 2012 R2RTMGDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed in the "Additional file information" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
x86 Windows 8.1
File nameFile versionFile sizeDateTimePlatform
Ntdsa.mofNot applicable227,76518-Jun-201312:21Not applicable
Ntdsai.dll6.3.9600.181892,590,20806-Jan-201616:39x86
x64 Windows 8.1 and Windows Server 2012 R2
File nameFile versionFile sizeDateTimePlatform
Ntdsa.mofNot applicable227,76518-Jun-201314:45Not applicable
Ntdsai.dll6.3.9600.181893,683,32806-Jan-201616:51x64

Additional file information

x86 Windows 8.1
File propertyValue
File nameUpdate.mum
File versionNot applicable
File size1,591
Date (UTC)07-Jan-2016
Time (UTC)20:27
PlatformNot applicable
File nameX86_76f4217c1bfaaa3b92bc5b2e31e5a579_31bf3856ad364e35_6.3.9600.18189_none_04823c4b449d3f37.manifest
File versionNot applicable
File size712
Date (UTC)07-Jan-2016
Time (UTC)20:27
PlatformNot applicable
File nameX86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.18189_none_856ad689d4b81184.manifest
File versionNot applicable
File size3,352
Date (UTC)06-Jan-2016
Time (UTC)18:54
PlatformNot applicable
x64 Windows 8.1 and Windows Server 2012 R2
File propertyValue
File nameAmd64_8d850ef1841aabf615a693755ed5496a_31bf3856ad364e35_6.3.9600.18189_none_f20164ebddec8658.manifest
File versionNot applicable
File size716
Date (UTC)07-Jan-2016
Time (UTC)20:27
PlatformNot applicable
File nameAmd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.18189_none_e189720d8d1582ba.manifest
File versionNot applicable
File size3,356
Date (UTC)06-Jan-2016
Time (UTC)19:48
PlatformNot applicable
File nameUpdate.mum
File versionNot applicable
File size2,052
Date (UTC)07-Jan-2016
Time (UTC)20:27
PlatformNot applicable
Properties

Article ID: 3106637 - Last Review: 03/08/2016 18:27:00 - Revision: 4.0

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1

  • kbsurveynew kbfix atdownload kbexpertiseinter KB3106637
Feedback