Windows Server 2012 R2 patch breaks domain controllers and Hyper-V

Windows Server 2012 R2 patch breaks domain controllers and Hyper-V

The latest security update for Windows Server 2012 R2 can cause a boot loop in domain controllers running on Windows Server 2012, 2016 and 2019. Multiple sysadmins report that their domain controllers are rebooting endlessly since installing the update.

The sysadmins raised the issue via Reddit and Borncity (security blog). Microsoft neither confirmed nor addressed the concern. According to the sysadmins, domain controllers on Windows Server 2012, 2016 and 2019 get stuck in a boot loop after installing the latest security update for Windows Server 2012 R2.

Software module ‘lsass.exe’ triggers an error message, after which the domain controller automatically and endlessly reboots. Systems running Windows Update have automatically received the security patch, making the problem unavoidable for some.

Domain controllers and USN rollbacks

A domain controller is a server that authenticates network users. Servers with a combination of Microsoft Active Directory and Windows Server are a popular form.

The boot loop caused by the security patch is problematic. Domain controllers rarely work alone. To ensure that network access never depends on a single server, it’s standard practice to synchronize the database of multiple domain controllers. Hence, multiple domain controllers are affected by the patch.

It can be tempting to undo the update by installing an older snapshot of the environment, but that creates the risk of a USN rollback. A USN rollback occurs when one of the synchronized domain controllers is running on an outdated version. The synchronization between the servers stops, databases deviate, and recovery takes a hefty toll.

It is tremendously important to synchronize updates and rollbacks of domain controllers. Because affected domain controllers are stuck in a boot loop, that’s easier said than done.

One of the affected sysadmins solved the problem by rolling back the update in pairs of two domain controllers. Disable one of the two controllers, restore the other and repeat the process to avoid desynchronization. Until Microsoft addresses the problem, that’s the best option you have.

Hyper-V and Microsoft Exchange

Domain controllers aren’t the only applications affected by the patch. A sysadmin of Exchange 2016 servers on Windows Server 2012 R2 reported that the update changed all ReFS volumes to RAW. Multiple sysadmins informed BleepingComputer (website) that Hyper-V no longer boots on servers running the OS.