Incorrect results in LDAP query, domain controller restarts, or user logons are denied in Windows Server 2012 R2

This article describes three unrelated issues that may occur on a Windows Server 2012 R2-based domain controller. You can fix these issues by using the update in this article. Before you install this update, see the Prerequisites section and the Restart requirement section.

Issues fixed in this update

Issue 1

If you run a date-based Lightweight Directory Access Protocol (LDAP) query that includes comparison on a time-typed attribute (LDAP Syntax 2.5.5.11), Active Directory Domain Services may return incorrect results.

For example, an LDAP query with a query filter like (&(objectClass=*)(whenChanged<=19410404161039.0Z)) that queries for any object class modified prior to calendar year 1941 that predates the release of the operating system incorrectly returns all entries for ObjectClass=*. The expected result is that such a query should return 0 objects.

Issue 2

A domain controller restarts automatically. This issue occurs because the Local Security Authority Server Service (LSASS) process crashes if universal group membership caching is enabled. At the time of the domain controller restart, an event ID 1173 similar to the following one is logged:The significant data items in the event are the exception code and the "Internal ID". It is likely to be this problem when the three starting digits are "e00" and the lower four digits are close to "03fb".

Issue 3

Users can't log on to the computer after their password is changed. This issue occurs because of a latency in password synchronization between the branch domain controller and the primary domain controller (PDC).

How to get this update

You can get this update through Windows Update and the Microsoft Download Center. Even though this issue is observed only in Windows Server 2012 R2, this update also applies to Windows 8.1.

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as a Recommended update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center.

Operating system

Update

All supported x86-based versions of Windows 8.1

Download Download the package now.

All supported x64-based versions of Windows 8.1

Download Download the package now.

All supported x64-based versions of Windows Server 2012 R2

Download Download the package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information

Prerequisites

To apply this update, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed on Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this update, you don't have to make any changes to the registry.



Restart requirement

You have to restart the computer after you apply this update.



Update replacement information

This update doesn't replace a previously released update.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

The following table is a non exhaustive-list of Active Directory and Exchange attributes that follow the 2.5.5.11 syntax. 

LDAP Display Name

Attribute Common Name

Syntax

createTimeStamp

Create-Time-Stamp

2.5.5.11

dSCorePropagationData

DS-Core-Propagation-Data

2.5.5.11

dXAConfReqTime

ms-Exch-DXA-Conf-Req-Time

2.5.5.11

dXAImpSeqTime

ms-Exch-DXA-Imp-Seq-Time

2.5.5.11

dXAReqSeqTime

ms-Exch-DXA-Req-Seq-Time

2.5.5.11

dXASvrSeqTime

ms-Exch-DXA-Svr-Seq-Time

2.5.5.11

dXATemplateTimeStamp

ms-Exch-DXA-Template-TimeStamp

2.5.5.11

expirationTime

ms-Exch-Expiration-Time

2.5.5.11

fRSTimeLastCommand

FRS-Time-Last-Command

2.5.5.11

fRSTimeLastConfigChange

FRS-Time-Last-Config-Change

2.5.5.11

gWARTLastModified

ms-Exch-GWART-Last-Modified

2.5.5.11

meetingEndTime

meetingEndTime

2.5.5.11

meetingStartTime

meetingStartTime

2.5.5.11

modifyTimeStamp

Modify-Time-Stamp

2.5.5.11

msDFS-LastModifiedv2

ms-DFS-Last-Modified-v2

2.5.5.11

msDS-DateTime

ms-DS-Date-Time

2.5.5.11

msDS-Entry-Time-To-Die

ms-DS-Entry-Time-To-Die

2.5.5.11

msDS-LocalEffectiveDeletionTime

ms-DS-Local-Effective-Deletion-Time

2.5.5.11

msDS-LocalEffectiveRecycleTime

ms-DS-Local-Effective-Recycle-Time

2.5.5.11

msExchAuthNextEffectiveDate

ms-Exch-Auth-Next-Effective-Time

2.5.5.11

msExchChatStartTime

ms-Exch-Chat-Start-Time

2.5.5.11

msExchDeletionPeriod

ms-Exch-Deletion-Period

2.5.5.11

msExchELCExpirySuspensionEnd

ms-Exch-ELC-Expiry-Suspension-End

2.5.5.11

msExchELCExpirySuspensionStart

ms-Exch-ELC-Expiry-Suspension-Start

2.5.5.11

msExchFirstSyncTime

ms-Exch-First-Sync-Time

2.5.5.11

msExchGalsyncLastSyncRun

ms-Exch-Galsync-Last-Sync-Run

2.5.5.11

msExchLastExchangeChangedTime

ms-Exch-Last-Exchange-Changed-Time

2.5.5.11

msExchLastUpdateTime

ms-Exch-Last-Update-Time

2.5.5.11

msExchLitigationHoldDate

ms-Exch-Litigation-Hold-Date

2.5.5.11

msExchMailboxAuditLastAdminAccess

ms-Exch-Mailbox-Audit-Last-Admin-Access

2.5.5.11

msExchMailboxAuditLastDelegateAccess

ms-Exch-Mailbox-Audit-Last-Delegate-Access

2.5.5.11

msExchMailboxAuditLastExternalAccess

ms-Exch-Mailbox-Audit-Last-External-Access

2.5.5.11

msExchOABLastTouchedTime

ms-Exch-OAB-Last-Touched-Time

2.5.5.11

msExchOrganizationUpgradePolicyDate

ms-Exch-Organization-Upgrade-Policy-Date

2.5.5.11

msExchPolicyLastAppliedTime

ms-Exch-Policy-Last-Applied-Time

2.5.5.11

msExchRelocateTenantStartLockdown

ms-Exch-Relocate-Tenant-Start-Lockdown

2.5.5.11

msExchRelocateTenantStartRetired

ms-Exch-Relocate-Tenant-Start-Retired

2.5.5.11

msExchRelocateTenantStartSync

ms-Exch-Relocate-Tenant-Start-Sync

2.5.5.11

msExchServer1LastUpdateTime

ms-Exch-Server1-Last-Update-Time

2.5.5.11

msExchServer2LastUpdateTime

ms-Exch-Server2-Last-Update-Time

2.5.5.11

msExchSetupTime

ms-Exch-Setup-Time

2.5.5.11

msExchShadowWhenSoftDeletedTime

ms-Exch-Shadow-When-Soft-Deleted-Time

2.5.5.11

msExchStsRefreshTokensValidFrom

ms-Exch-Sts-Refresh-Tokens-Valid-From

2.5.5.11

msExchTeamMailboxExpiration

ms-Exch-Team-Mailbox-Expiration

2.5.5.11

msExchWhenMailboxCreated

ms-Exch-When-Mailbox-Created

2.5.5.11

msExchWhenSoftDeletedTime

ms-Exch-When-Soft-Deleted-Time

2.5.5.11

msTSExpireDate

MS-TS-ExpireDate

2.5.5.11

msTSExpireDate2

MS-TS-ExpireDate2

2.5.5.11

msTSExpireDate3

MS-TS-ExpireDate3

2.5.5.11

msTSExpireDate4

MS-TS-ExpireDate4

2.5.5.11

promoExpiration

ms-Exch-Promo-Expiration

2.5.5.11

schemaUpdate

Schema-Update

2.5.5.11

spaceLastComputed

ms-Exch-Space-Last-Computed

2.5.5.11

whenChanged

When-Changed

2.5.5.11

whenCreated

When-Created

2.5.5.11

References

Learn about the terminology that Microsoft uses to describe software updates.

File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.

Notes

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.3.960 0.18xxx

    Windows 8.1 and Windows Server 2012 R2

    RTM

    GDR

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed in the "Additional file information" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

x86 Windows 8.1

File name

File version

File size

Date

Time

Platform

Ntdsa.mof

Not applicable

227,765

18-Jun-2013

12:21

Not applicable

Ntdsai.dll

6.3.9600.18189

2,590,208

06-Jan-2016

16:39

x86

x64 Windows 8.1 and Windows Server 2012 R2

File name

File version

File size

Date

Time

Platform

Ntdsa.mof

Not applicable

227,765

18-Jun-2013

14:45

Not applicable

Ntdsai.dll

6.3.9600.18189

3,683,328

06-Jan-2016

16:51

x64


x86 Windows 8.1

File property

Value

File name

Update.mum

File version

Not applicable

File size

1,591

Date (UTC)

07-Jan-2016

Time (UTC)

20:27

Platform

Not applicable

File name

X86_76f4217c1bfaaa3b92bc5b2e31e5a579_31bf3856ad364e35_6.3.9600.18189_none_04823c4b449d3f37.manifest

File version

Not applicable

File size

712

Date (UTC)

07-Jan-2016

Time (UTC)

20:27

Platform

Not applicable

File name

X86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.18189_none_856ad689d4b81184.manifest

File version

Not applicable

File size

3,352

Date (UTC)

06-Jan-2016

Time (UTC)

18:54

Platform

Not applicable

x64 Windows 8.1 and Windows Server 2012 R2

File property

Value

File name

Amd64_8d850ef1841aabf615a693755ed5496a_31bf3856ad364e35_6.3.9600.18189_none_f20164ebddec8658.manifest

File version

Not applicable

File size

716

Date (UTC)

07-Jan-2016

Time (UTC)

20:27

Platform

Not applicable

File name

Amd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.18189_none_e189720d8d1582ba.manifest

File version

Not applicable

File size

3,356

Date (UTC)

06-Jan-2016

Time (UTC)

19:48

Platform

Not applicable

File name

Update.mum

File version

Not applicable

File size

2,052

Date (UTC)

07-Jan-2016

Time (UTC)

20:27

Platform

Not applicable


Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×