Incorrect results in LDAP query, domain controller restarts, or user logons are denied in Windows Server 2012 R2

This article describes three unrelated issues that may occur on a Windows Server 2012 R2-based domain controller. You can fix these issues by using the update in this article. Before you install this update, see the Prerequisites section and the Restart requirement section.

Issues fixed in this update

Issue 1
If you run a date-based Lightweight Directory Access Protocol (LDAP) query that includes comparison on a time-typed attribute (LDAP Syntax 2.5.5.11), Active Directory Domain Services may return incorrect results.

For example, an LDAP query with a query filter like (&(objectClass=*)(whenChanged<=19410404161039.0Z)) that queries for any object class modified prior to calendar year 1941 that predates the release of the operating system incorrectly returns all entries for ObjectClass=*. The expected result is that such a query should return 0 objects.

Issue 2
A domain controller restarts automatically. This issue occurs because the Local Security Authority Server Service (LSASS) process crashes if universal group membership caching is enabled. At the time of the domain controller restart, an event ID 1173 similar to the following one is logged:The significant data items in the event are the exception code and the "Internal ID". It is likely to be this problem when the three starting digits are "e00" and the lower four digits are close to "03fb".
Issue 3
Users can't log on to the computer after their password is changed. This issue occurs because of a latency in password synchronization between the branch domain controller and the primary domain controller (PDC).

How to get this update

You can get this update through Windows Update and the Microsoft Download Center. Even though this issue is observed only in Windows Server 2012 R2, this update also applies to Windows 8.1.

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as a Recommended update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center.

Operating systemUpdate
All supported x86-based versions of Windows 8.1Download Download the package now.
All supported x64-based versions of Windows 8.1Download Download the package now.
All supported x64-based versions of Windows Server 2012 R2Download Download the package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information

Prerequisites

To apply this update, you must have April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) installed on Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this update, you don't have to make any changes to the registry.



Restart requirement

You have to restart the computer after you apply this update.



Update replacement information

This update doesn't replace a previously released update.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

The following table is a non exhaustive-list of Active Directory and Exchange attributes that follow the 2.5.5.11 syntax. 

LDAP Display NameAttribute Common NameSyntax
createTimeStampCreate-Time-Stamp2.5.5.11
dSCorePropagationDataDS-Core-Propagation-Data2.5.5.11
dXAConfReqTimems-Exch-DXA-Conf-Req-Time2.5.5.11
dXAImpSeqTimems-Exch-DXA-Imp-Seq-Time2.5.5.11
dXAReqSeqTimems-Exch-DXA-Req-Seq-Time2.5.5.11
dXASvrSeqTimems-Exch-DXA-Svr-Seq-Time2.5.5.11
dXATemplateTimeStampms-Exch-DXA-Template-TimeStamp2.5.5.11
expirationTimems-Exch-Expiration-Time2.5.5.11
fRSTimeLastCommandFRS-Time-Last-Command2.5.5.11
fRSTimeLastConfigChangeFRS-Time-Last-Config-Change2.5.5.11
gWARTLastModifiedms-Exch-GWART-Last-Modified2.5.5.11
meetingEndTimemeetingEndTime2.5.5.11
meetingStartTimemeetingStartTime2.5.5.11
modifyTimeStampModify-Time-Stamp2.5.5.11
msDFS-LastModifiedv2ms-DFS-Last-Modified-v22.5.5.11
msDS-DateTimems-DS-Date-Time2.5.5.11
msDS-Entry-Time-To-Diems-DS-Entry-Time-To-Die2.5.5.11
msDS-LocalEffectiveDeletionTimems-DS-Local-Effective-Deletion-Time2.5.5.11
msDS-LocalEffectiveRecycleTimems-DS-Local-Effective-Recycle-Time2.5.5.11
msExchAuthNextEffectiveDatems-Exch-Auth-Next-Effective-Time2.5.5.11
msExchChatStartTimems-Exch-Chat-Start-Time2.5.5.11
msExchDeletionPeriodms-Exch-Deletion-Period2.5.5.11
msExchELCExpirySuspensionEndms-Exch-ELC-Expiry-Suspension-End2.5.5.11
msExchELCExpirySuspensionStartms-Exch-ELC-Expiry-Suspension-Start2.5.5.11
msExchFirstSyncTimems-Exch-First-Sync-Time2.5.5.11
msExchGalsyncLastSyncRunms-Exch-Galsync-Last-Sync-Run2.5.5.11
msExchLastExchangeChangedTimems-Exch-Last-Exchange-Changed-Time2.5.5.11
msExchLastUpdateTimems-Exch-Last-Update-Time2.5.5.11
msExchLitigationHoldDatems-Exch-Litigation-Hold-Date2.5.5.11
msExchMailboxAuditLastAdminAccessms-Exch-Mailbox-Audit-Last-Admin-Access2.5.5.11
msExchMailboxAuditLastDelegateAccessms-Exch-Mailbox-Audit-Last-Delegate-Access2.5.5.11
msExchMailboxAuditLastExternalAccessms-Exch-Mailbox-Audit-Last-External-Access2.5.5.11
msExchOABLastTouchedTimems-Exch-OAB-Last-Touched-Time2.5.5.11
msExchOrganizationUpgradePolicyDatems-Exch-Organization-Upgrade-Policy-Date2.5.5.11
msExchPolicyLastAppliedTimems-Exch-Policy-Last-Applied-Time2.5.5.11
msExchRelocateTenantStartLockdownms-Exch-Relocate-Tenant-Start-Lockdown2.5.5.11
msExchRelocateTenantStartRetiredms-Exch-Relocate-Tenant-Start-Retired2.5.5.11
msExchRelocateTenantStartSyncms-Exch-Relocate-Tenant-Start-Sync2.5.5.11
msExchServer1LastUpdateTimems-Exch-Server1-Last-Update-Time2.5.5.11
msExchServer2LastUpdateTimems-Exch-Server2-Last-Update-Time2.5.5.11
msExchSetupTimems-Exch-Setup-Time2.5.5.11
msExchShadowWhenSoftDeletedTimems-Exch-Shadow-When-Soft-Deleted-Time2.5.5.11
msExchStsRefreshTokensValidFromms-Exch-Sts-Refresh-Tokens-Valid-From2.5.5.11
msExchTeamMailboxExpirationms-Exch-Team-Mailbox-Expiration2.5.5.11
msExchWhenMailboxCreatedms-Exch-When-Mailbox-Created2.5.5.11
msExchWhenSoftDeletedTimems-Exch-When-Soft-Deleted-Time2.5.5.11
msTSExpireDate MS-TS-ExpireDate2.5.5.11
msTSExpireDate2MS-TS-ExpireDate22.5.5.11
msTSExpireDate3MS-TS-ExpireDate32.5.5.11
msTSExpireDate4MS-TS-ExpireDate42.5.5.11
promoExpirationms-Exch-Promo-Expiration2.5.5.11
schemaUpdateSchema-Update2.5.5.11
spaceLastComputedms-Exch-Space-Last-Computed2.5.5.11
whenChangedWhen-Changed2.5.5.11
whenCreatedWhen-Created2.5.5.11

References

Learn about the terminology that Microsoft uses to describe software updates.

File Information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). Be aware that dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time bias. The dates and times may also change when you perform certain operations on the files.

Windows 8.1 and Windows Server 2012 R2
Additional file information
プロパティ

文書番号:3106637 - 最終更新日: 2016/03/08 - リビジョン: 1

フィードバック