The October 2018 Cumulative Quality Update for Windows Server 2016, which brings the OS version to 14393.2580, offers a total of three fixes for issues you might be experiencing on your Windows Server 2016-based Domain Controllers and Active Directory Federation Services (AD FS) servers.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blog post.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
Active Directory Domain Services
AccountName for EventID 7 appears corrupted
The first AD DS fix addresses an issue in which the AccountName in the Event Log entry for the Microsoft-Windows-Kerberos-Key-Distribution-Center source and EventID 7 sometimes appears corrupted.
This event log entry is created when the security account manager (SAM) fails a Key Distribution Center (KDC) request in an unexpected way.
Promotion of a RODC fails
The second AD DS fix addresses an issue that causes the promotion of a Read-only Domain Controller (RODC) to fail. This might occur if application partitions are defined, but DNS name resolution fails with the “Name error”. The errors are:
While promoting Read-only Domain Controller, the expected state objects could not be found.
More data is available (error code 234).
Active Directory Federation Services
The fix for Active Directory Federation Services (AD FS) addresses interoperation issues between AD FS Extranet Smart Lockout (ESL) and Alternate Login ID.
When Alternate Login ID is enabled, calls to the AD FS PowerShell cmdlets Get-AdfsAccountActivity and Reset-AdfsAccountLockout return the following error:
Account not found
When Set-AdfsAccountActivity is called, a new entry is added instead of editing an existing one.
Call to action
When you experience any one of these issues, you are invited to install the October 2018 Cumulative Quality Update for Windows Server 2016 (KB4462928) on your Active Directory Domain Controllers and Active Directory Federation Services (AD FS) servers to resolve them.
After installing this update, installing Windows Server 2019 Key Management Service (KMS) host keys (CSVLK) on Windows Server 2016 KMS hosts does not work as expected.
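To see which servers are already at the update level described above, the following added example (not part of the original post) compares each server's OS version with 14393.2580. The server list is a placeholder that defaults to the local machine, and PowerShell remoting is assumed to be enabled for any remote names you add.

```powershell
# Added example: report whether servers are at or above OS version 14393.2580,
# the level KB4462928 brings Windows Server 2016 to.
# Updates are cumulative, so a later update also contains these fixes; the
# update build revision (UBR) is compared instead of looking for one KB number.

$RequiredBuild    = 14393   # Windows Server 2016
$RequiredRevision = 2580    # revision delivered by KB4462928

# Assumption: replace with your Domain Controllers and AD FS servers.
$Servers = @($env:COMPUTERNAME)

# Reads the build and revision from the registry of the machine it runs on.
$ReadVersion = {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
        Select-Object CurrentBuild, UBR
}

function Test-UpdateLevel {
    param([int] $Build, [int] $Revision)
    # Other builds are a different OS release and out of scope for this update.
    if ($Build -ne $RequiredBuild)       { return 'NotWindowsServer2016' }
    if ($Revision -ge $RequiredRevision) { return 'Updated' }
    return 'MissingUpdate'
}

foreach ($Server in $Servers) {
    try {
        if ($Server -eq $env:COMPUTERNAME) {
            $cv = & $ReadVersion   # local machine: no remoting needed
        } else {
            $cv = Invoke-Command -ComputerName $Server -ScriptBlock $ReadVersion -ErrorAction Stop
        }
        [pscustomobject]@{
            Server  = $Server
            Version = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
            Status  = Test-UpdateLevel -Build $cv.CurrentBuild -Revision $cv.UBR
        }
    }
    catch {
        # Unreachable servers are reported instead of being silently skipped.
        [pscustomobject]@{
            Server  = $Server
            Version = $null
            Status  = "Unreachable: $($_.Exception.Message)"
        }
    }
}
```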