Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Address AD object renaming issues when success auditing is enabled

Address AD object renaming issues when success auditing is enabled

View products that this article applies to.

Not sure if this is the right fix? We've added this issue to our memory dump diagnostic which can confirm.

↑ Back to the top

Symptoms

Consider the following scenario:
  • Domain Controller operating on Windows Server 2012 R2.
  • Advanced auditing is configured for "success audit" for "directory service changes."
  • Auditing is enabled for certain objects in the AD (user, group, OU).
  • An "auditing enabled" object is successfully renamed.
In this situation, the DC crashes in Local Security Authority Subsystem Service (LSASS) and restarts unexpectedly.

↑ Back to the top

Resolution

To resolve this issue, install update rollup 2928680, or install the hotfix that is described in this article.

Update information

For more information about how to obtain update rollup 2928680, click the following article number to view the article in the Microsoft Knowledge Base:
2928680 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: March 2014

Hotfix information

A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

To apply this hotfix, you must be running Windows 8.1 or Windows Server 2012 R2.

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows 8.1 or Windows Server 2012 R2 file information notes
Important Windows 8.1 hotfixes and Windows Server 2012 R2 hotfixes are included in the same packages. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.3.960 0.16xxxWindows 8.1 and Windows Server 2012 R2RTMGDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 8.1 and Windows Server 2012 R2" section. MUM, MANIFEST, and the associated security catalog (.cat) files, are very important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows 8.1
File nameFile versionFile sizeDateTimePlatform
Ntdsai.dll6.3.9600.165172,556,92817-Jan-201416:46x86
For all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2
File nameFile versionFile sizeDateTimePlatform
Ntdsai.dll6.3.9600.165173,652,60817-Jan-201417:00x64

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
The following tools are known to trigger object renames operation:
  • Active Directory Users and Computers (ADUC or DSA.MSC)
  • Active Directory Administrative Center (ADAC or DSAC.EXE)
  • Active Directory Sites and Services (DSSITE.MSC)
  • ADSIEDIT.MSC
  • DNS Manager (DNSMGMT.MSC) when changing zone scopes and possibly other operations like deleting DNS zones
  • Microsoft Exchange 2007 Management console
  • LDP.EXE
  • Rename-AdoObject PowerShell commandlet
For an example of the logged events, see the following event log information:

Application Error Event ID 1000
Log Name: Application
Event Source: Application Error
Event ID 1000
Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
Exception code: 0xc0000005
Fault offset: 0x000000000019e45d
Faulting process id: 0x214
Faulting application start time: 0x01cefa6743edbeec
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\ntdsai.dll
Report Id: d4cd7581-665c-11e3-80d7-005056984a2b
Faulting package full name:
Faulting package-relative application ID:


Microsoft-Windows-Wininit Event 1015
Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 22.01.2014 13:43:47
Event ID: 1015
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
Additional file information

Additional file information for Windows 8.1 and Windows Server 2012 R2

Additional files for all supported x86-based versions of Windows 8.1
File propertyValue
File nameX86_99153ad436a1df0f36665dd886da0c0a_31bf3856ad364e35_6.3.9600.16517_none_9411b57a5f5b2d15.manifest
File versionNot applicable
File size712
Date (UTC)18-Jan-2014
Time (UTC)06:23
PlatformNot applicable
File nameX86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.16517_none_85b4ba91d480dc99.manifest
File versionNot applicable
File size3,352
Date (UTC)17-Jan-2014
Time (UTC)22:27
PlatformNot applicable
Additional files for all supported x64-based versions of Windows 8.1 and Windows Server 2012 R2
File propertyValue
File nameAmd64_834f935bdff3212878df07ff93d59a7f_31bf3856ad364e35_6.3.9600.16517_none_8cd7c1227151bd5b.manifest
File versionNot applicable
File size716
Date (UTC)18-Jan-2014
Time (UTC)06:22
PlatformNot applicable
File nameAmd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.3.9600.16517_none_e1d356158cde4dcf.manifest
File versionNot applicable
File size3,356
Date (UTC)18-Jan-2014
Time (UTC)00:30
PlatformNot applicable

↑ Back to the top

Keywords: kb, kbmdd, kbqfe, kbfix, kbsurveynew, kbexpertiseadvanced, kbautohotfix, kbhotfixserver

↑ Back to the top

Article Info
Article ID : 2914387
Revision : 1
Created on : 1/7/2017
Published on : 10/9/2014
Exists online : False
Views : 949