April 2016 - kb3103709 contains five AD hotfixes for Windows Server 2012 R2

Update 6-28-2016: Security update MS16-081 (June 2016), described in kb3160352, has the latest AD binaries and includes the updates described below.

We have just published KB3103709 on Windows Update for Windows Server 2012 R2 containing five AD-related fixes. So yes, it specifically applies to Windows 2012 R2, and not to older operating systems. Let's take a quick look:

  1. Faster inserts to the Active Directory change notification queue delay servicing of the Asynchronous Thread Queue (ATQ) thread pool, LDAP queries, and notification-based replication. In practice the DC becomes unresponsive. Exchange 2010 seems to be able to trigger this.
  2. Renames of domain-joined SQL Server member computers fail with the error "The directory service is busy". If you have SQL Server on a machine and the rename of that machine is processed by a 2012 R2 DC, the rename may fail.
  3. A single logon attempt on a website is counted as two logon attempts in Active Directory, so the bad password count increases by two instead of by one. This will hurt you especially if your lockout threshold has old-fashioned values like 3 or 5.
  4. LSASS crashes with an access violation (error 0xc0000005) on Windows Server 2012 R2 DCs targeted by Azure AD Connect identity sync clients that run a "Full Import". The symptom is that the DC sometimes reboots during the Full Import operation. The most prominent cause is AAD Connect, but it could be more widespread. Speculating, all variations of the AAD Connect sync engine could trigger the problem: AAD Sync, ILM, FIM, MIM with AD Management Agents. You need to have the AD Recycle Bin turned off for this to happen. Yes, that's a hint.
  5. Lsass.exe crashes on a DC when a user runs a recursive Lightweight Directory Access Protocol (LDAP) query against an Active Directory group, so this also causes a reboot. It seems to be a rare issue, but the nasty part is that any authenticated user could issue such a query.

This update gives you the latest version of the core AD DLL, ntdsai.dll, containing all fixes and optimizations up to now (April 2016), including the five discussed here. After installing it you will need to reboot. The update is classified as "optional" and is not a security update, so most organizations will not approve it automatically. But if you run a serious AD you will want to apply this one.
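To turn the points above into something you can check, here is an added PowerShell audit script (not from the original post or from Microsoft) that covers items 3 and 4 and the closing paragraph: it reports the domain lockout threshold, whether the AD Recycle Bin is enabled, and for every DC which of the two updates (KB3103709, KB3160352) is installed together with the ntdsai.dll file version actually on disk. It assumes the ActiveDirectory module is available, that you run it with rights to query the DCs, and that WinRM is open to them; the hotfix IDs are the ones named on this page and no particular ntdsai.dll version number is assumed.

```powershell
# Added audit example, not part of the original post.
# Assumes: ActiveDirectory module, WinRM access to all DCs, rights to run Get-HotFix remotely.
Import-Module ActiveDirectory

# The April 2016 optional update and the June 2016 security update that includes it.
$HotfixIds = 'KB3103709', 'KB3160352'

# Item 3: while the double-count bug is present, a threshold of 3 or 5 is reached
# after only 2 or 3 real bad passwords, so flag low thresholds explicitly.
$policy    = Get-ADDefaultDomainPasswordPolicy
$threshold = $policy.LockoutThreshold
$thresholdNote = 'ok'
if ($threshold -gt 0 -and $threshold -le 5) {
    $thresholdNote = 'low threshold; double-counted bad passwords will trip it early'
}
[pscustomobject]@{ Check = 'LockoutThreshold'; Value = $threshold; Note = $thresholdNote }

# Item 4: the Full Import crash needs the Recycle Bin to be disabled, so report its state.
$rb      = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$rbState = 'disabled'
if ($rb.EnabledScopes.Count -gt 0) { $rbState = 'enabled' }
[pscustomobject]@{ Check = 'RecycleBin'; Value = $rbState; Note = 'disabled = exposed to the AAD Connect Full Import crash until patched' }

# Closing paragraph: per DC, which of the two updates is installed and the running ntdsai.dll version.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $installed = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $HotfixIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # File version of the core AD DLL on that DC (compare against the version listed in the KB article).
    $ver = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-Item "$env:SystemRoot\System32\ntdsai.dll").VersionInfo.FileVersion
    }

    [pscustomobject]@{
        DC            = $dc
        Installed     = ($installed -join ',')
        NtdsaiVersion = $ver
    }
}
```

Run it from a management host once before rolling out the update and once after the reboot of each DC; a DC that still lists neither hotfix ID, or whose ntdsai.dll version does not change after installation, has not actually picked up the new binary.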