This article describes three unrelated issues that may occur on a Windows Server 2012 R2-based domain controller. You can fix these issues by using the update in this article. Before you install this update, see the Prerequisites section and the Restart requirement section.
Issues fixed in this update
If you run a date-based Lightweight Directory Access Protocol (LDAP) query that includes a comparison on a time-typed attribute (LDAP Syntax 2.5.5.11), Active Directory Domain Services may return incorrect results.
For example, consider an LDAP query with a filter such as (&(objectClass=*)(whenChanged<=19410404161039.0Z)). This filter asks for objects of any class that were modified prior to calendar year 1941, a date that predates the release of the operating system. The query incorrectly returns all entries for objectClass=*. The expected result is that such a query returns 0 objects.
A domain controller restarts automatically. This issue occurs because the Local Security Authority Server Service (LSASS) process crashes if universal group membership caching is enabled. At the time of the domain controller restart, an event ID 1173 similar to the following one is logged:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1173
Task Category: Internal Processing
Level: Warning
Keywords: Classic
Description: Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
Additional Data
Error value:7fffc0f924b3
Internal ID:e0003fb
The significant data items in the event are the exception code and the "Internal ID". The event is likely to indicate this problem when the three starting digits of the Internal ID are "e00" and the lower four digits are close to "03fb".
Users can't log on to the computer after their password is changed. This issue occurs because of a latency in password synchronization between the branch domain controller and the primary domain controller (PDC).
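For the date-based LDAP query issue described above, a client can re-check every returned entry against the filter's cutoff to spot a result set that does not match the comparison. The following Python code is an added example, not Microsoft's code; the function names are hypothetical, and the entries, DNs and timestamps are constructed.

```python
from datetime import datetime, timezone

def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form used in the filter, YYYYMMDDHHMMSS.0Z (UTC)."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' suffix: {value!r}")
    stamp, _, fraction = value[:-1].partition(".")
    if len(stamp) != 14 or not stamp.isdigit() or (fraction and not fraction.isdigit()):
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    micro = int(fraction.ljust(6, "0")[:6]) if fraction else 0
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=micro, tzinfo=timezone.utc)

def entries_violating_le(entries, attribute, cutoff):
    """Return the DNs of returned entries that do not satisfy (attribute<=cutoff).

    A correct server returns only entries with a value at or before the cutoff,
    so any DN listed here means the result set does not match the filter.
    """
    limit = parse_generalized_time(cutoff)
    bad = []
    for dn, attrs in entries:
        values = attrs.get(attribute, [])
        # An entry matches the filter if any of its values is <= the cutoff.
        if not any(parse_generalized_time(v) <= limit for v in values):
            bad.append(dn)
    return bad

# Constructed sample: a result set as a client might receive it for
# (&(objectClass=*)(whenChanged<=19410404161039.0Z)). DNs and times are made up.
SAMPLE_RESULT = [
    ("CN=Users,DC=example,DC=test", {"whenChanged": ["20141102093015.0Z"]}),
    ("CN=Alice,CN=Users,DC=example,DC=test", {"whenChanged": ["20150118121500.0Z"]}),
    ("CN=Computers,DC=example,DC=test", {"whenChanged": ["20130905070000.0Z"]}),
]
CUTOFF = "19410404161039.0Z"

if __name__ == "__main__":
    bad = entries_violating_le(SAMPLE_RESULT, "whenChanged", CUTOFF)
    print(f"{len(bad)} of {len(SAMPLE_RESULT)} returned entries do not satisfy the filter")
    for dn in bad:
        print("  ", dn)
```

An empty list from entries_violating_le means the returned entries are consistent with the filter; it does not show that the server returned every matching object.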
How to get this update
You can get this update through Windows Update and the Microsoft Download Center. Even though this issue is observed only in Windows Server 2012 R2, this update also applies to Windows 8.1.
Important: If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
To apply this update, you don't have to make any changes to the registry.
You have to restart the computer after you apply this update.
Update replacement information
This update doesn't replace a previously released update.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The following table is a non-exhaustive list of Active Directory and Exchange attributes that follow the 2.5.5.11 syntax.
LDAP Display Name
Attribute Common Name
Learn about the terminology that Microsoft uses to describe software updates.
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.
Windows 8.1 and Windows Server 2012 R2
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Windows 8.1 and Windows Server 2012 R2
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed in the "Additional file information" section. The MUM and MANIFEST files, and the associated security catalog (.cat) files, are very important for maintaining the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.