The April 2018 Cumulative Quality Update for Windows Server 2016, which brings the OS version to 14393.2214, includes three fixes for issues you might be experiencing on Windows Server 2016-based Active Directory Domain Controllers.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
Active Directory Domain Services fixes
Authentication Policy Auditing Mode blocks NTLM
The first fix addresses an issue where failed NTLM authentications are blocked instead of only logged when an authentication policy is used with audit mode turned on. Netlogon.log may show the following:
SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Returns 0xC0000413
SamLogon: Transitive Network logon of <domain>\<user> from <machine2> (via <machine1>) Entered
NlpVerifyAllowedToAuthenticate: AuthzAccessCheck failed for A2ATo 0x5. This can be due to the lack of claims and compound support in NTLM
Restoring invalid backlink attribute logic
The second fix addresses an issue that prevents you from modifying or restoring Active Directory objects that have invalid backlink attributes populated in their class. The error you receive is:
Error 0x207D An attempt was made to modify an object to include an attribute that is not legal for its class.
Running the Administrative Center with PowerShell Transcripting enabled
The third fix addresses an issue that prevents the Active Directory Administrative Center (dsac.exe) from running on a client that has PowerShell Transcripting enabled. The following error appears:
Cannot connect to any domain. Refresh or try again when connection is available.
The PowerShell transcript feature is an effective way to log, audit and trace back malicious code run through PowerShell on Domain Controllers. System-wide PowerShell Transcripting can be enabled through Group Policy, Desired State Configuration and through the Start-Transcript PowerShell Cmdlet.
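Before deciding whether the third issue applies to a client or Domain Controller, an administrator will want to know two things: whether system-wide transcription is enforced by policy, and whether the host already runs build 14393.2214 or has KB4093120 installed. The following PowerShell is an added example, not code from the original post; it reads the standard Group Policy registry key for PowerShell Transcription and the CurrentVersion build values, and assumes it is run with local administrative rights on the machine being checked.

```powershell
# Added example: report PowerShell Transcription policy state and whether
# the 14393.2214 build / KB4093120 is present on this host.

function Get-TranscriptionPolicyState {
    # Group Policy writes the "Turn on PowerShell Transcription" setting here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Enabled = $false; OutputDirectory = $null; Source = 'NotConfigured' }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled         = ($p.EnableTranscripting -eq 1)
        OutputDirectory = $p.OutputDirectory
        Source          = 'GroupPolicy'
    }
}

function Test-Kb4093120Installed {
    # Two independent checks: the Update Build Revision (UBR) reaches 2214 on
    # build 14393, or the KB itself is listed among installed updates.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $buildOk   = ($cv.CurrentBuild -eq '14393') -and ([int]$cv.UBR -ge 2214)
    $kbPresent = $null -ne (Get-HotFix -Id 'KB4093120' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        OSVersion          = "$($cv.CurrentBuild).$($cv.UBR)"
        BuildAtOrAbove2214 = $buildOk
        KB4093120Listed    = $kbPresent
        FixApplied         = ($buildOk -or $kbPresent)
    }
}

# The Administrative Center issue only affects hosts where transcription is
# enabled AND the April 2018 update is absent; flag exactly that combination.
$t = Get-TranscriptionPolicyState
$u = Test-Kb4093120Installed
if ($t.Enabled -and -not $u.FixApplied) {
    Write-Warning "Transcription is on and OS version is $($u.OSVersion): dsac.exe may fail to connect until KB4093120 is installed."
} else {
    Write-Output "Transcription enabled: $($t.Enabled); 14393.2214 or KB4093120 present: $($u.FixApplied)"
}
```

Transcription started ad hoc with Start-Transcript is not visible through the policy key, so a session started that way reports Enabled = $false here even though transcripts are being written.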
Call to action
When you experience any one of these issues, you are invited to install the April 2018 Cumulative Quality Update for Windows Server 2016 (KB4093120) on your Active Directory Domain Controllers to resolve them.
There are no known issues with this update, to date.