Windows Server 2016’s March 2018’s Cumulative Quality Update, bringing the OS version to 14393.2155, offers two fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
Active Directory Domain Services fixes
LSASS faults with exception code 0xc0000005, status code 255
The first fix addresses an issue where a Windows Server 2016 Domain Controller may periodically restart after a Local Security Authority Subsystem Service (LSASS) module faults with exception code 0xc0000005. This interrupts applications and services bound to the Domain Controller at that time.
The following events may be logged:
Application Error event ID 1000
The faulty module mentioned is NTDSATQ.dll with exception code 0xc0000005.
User32 event ID 1074
Microsoft-Windows-Wininit event ID 1015
Both these error events indicate that lsass.exe failed with status code 255.
AdminSDHolder trips over deleted members in protected groups
The second fix addresses an issue where the AdminSDHolder task fails to run when a protected group contains a member attribute that points to a deleted object.
Additionally, Event 1126 is logged that contains the following text:
Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430. The directory service encountered an internal failure. Internal ID: 320130e.
Call to action
When you experience any one of these issues, you are invited to install Windows Server 2016’s March 2018’s Cumulative Quality Update (KB4088889) on your Active Directory Domain Controllers to resolve them.
There are no known issues with this update, to date.