Address AD object renaming issues when success auditing is enabled

Not sure if this is the right fix? We've added this issue to our memory dump diagnostic which can confirm.

Symptoms

Consider the following scenario:

  • Domain Controller operating on Windows Server 2012 R2.

  • Advanced auditing is configured for "success audit" for "directory service changes."

  • Auditing is enabled for certain objects in the AD (user, group, OU).

  • An "auditing enabled" object is successfully renamed.

In this situation, the DC crashes in Local Security Authority Subsystem Service (LSASS) and restarts unexpectedly.

Resolution

To resolve this issue, install update rollup 2928680, or install the hotfix that is described in this article.

Update information

For more information about how to obtain update rollup 2928680, click the following article number to view the article in the Microsoft Knowledge Base:

2928680 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: March 2014

Hotfix information

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=supportNote In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

To apply this hotfix, you must be running Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows 8.1 or Windows Server 2012 R2 file information notesImportant Windows 8.1 hotfixes and Windows Server 2012 R2 hotfixes are included in the same packages. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.3.960 0.16xxx

    Windows 8.1 and Windows Server 2012 R2

    RTM

    GDR

  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 8.1 and Windows Server 2012 R2" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows 8.1

File name

File version

File size

Date

Time

Platform

Ntdsai.dll

6.3.9600.16517

2,556,928

17-Jan-2014

16:46

x86

For all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2

File name

File version

File size

Date

Time

Platform

Ntdsai.dll

6.3.9600.16517

3,652,608

17-Jan-2014

17:00

x64


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates The following tools are known to trigger object renames operation:

  • Active Directory Users and Computers (ADUC or DSA.MSC)

  • Active Directory Administrative Center (ADAC or DSAC.EXE)

  • Active Directory Sites and Services (DSSITE.MSC)

  • ADSIEDIT.MSC

  • DNS Manager (DNSMGMT.MSC) when changing zone scopes and possibly other operations like deleting DNS zones

  • Microsoft Exchange 2007 Management console

  • LDP.EXE

  • Rename-AdoObject PowerShell commandlet

For an example of the logged events, see the following event log information:

Application Error Event ID 1000
Log Name: Application
Event Source: Application Error
Event ID 1000
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x214
Faulting application start time: 0x01cefa6743edbeec
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: d4cd7581-665c-11e3-80d7-005056984a2b
Faulting package full name:
Faulting package-relative application ID:


Microsoft-Windows-Wininit Event 1015
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 22.01.2014 13:43:47
Event ID: 1015
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

Additional file information for Windows 8.1 and Windows Server 2012 R2

Additional files for all supported x86-based versions of Windows 8.1

File property

Value

File name

X86_99153ad436a1df0f36665dd886da0c0a_31bf3856ad364e35_6.3.9600.16517_none_9411b57a5f5b2d15.manifest

File version

Not applicable

File size

712

Date (UTC)

18-Jan-2014

Time (UTC)

06:23

Platform

Not applicable

File name

X86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.16517_none_85b4ba91d480dc99.manifest

File version

Not applicable

File size

3,352

Date (UTC)

17-Jan-2014

Time (UTC)

22:27

Platform

Not applicable

Additional files for all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2

File property

Value

File name

Amd64_834f935bdff3212878df07ff93d59a7f_31bf3856ad364e35_6.3.9600.16517_none_8cd7c1227151bd5b.manifest

File version

Not applicable

File size

716

Date (UTC)

18-Jan-2014

Time (UTC)

06:22

Platform

Not applicable

File name

Amd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.16517_none_e1d356158cde4dcf.manifest

File version

Not applicable

File size

3,356

Date (UTC)

18-Jan-2014

Time (UTC)

00:30

Platform

Not applicable


Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×