
Windows 2016 server Domain controllers January 2026 patches causing sync issues

Bruce Crossley Admin 20 Reputation points
2026-02-05T12:52:35.4+00:00

Hi,

After I patched my domain controllers with the January 2026 patches, I am having issues with replication, LDAP queries, and RPC stopping due to excessive memory usage.

Is there an OOB patch to fix this issue? I have reviewed all the replication; it is working, but due to the excessive memory it stops the services.

Are there any known issues? I had the servers on different ESX hosts; I combined them onto one server.

How do I get the OOB?

Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade

4 answers

  1. Ivy Bui (WICLOUD CORPORATION) 430 Reputation points Microsoft External Staff Moderator
    2026-02-24T07:18:10.08+00:00

    Hi Bruce Crossley Admin,

    Thank you very much for following up, and I’m really sorry for the continued disruption this issue is causing in your environment. I completely understand how frustrating it is to still experience AD replication, LDAP, and RPC instability after applying both the January and February 2026 updates.

    We have checked internally and also reviewed the latest public Microsoft communications. At this time, there is no newly released Out‑of‑Band (OOB) update for Windows Server 2016 that specifically addresses the LSASS memory growth and related AD sync issues beyond the February 2026 cumulative update. Microsoft has not yet published an additional OOB or workaround targeted at this scenario. [support.mi...rosoft.com]

    Given the current situation, there are two practical paths you can consider:

    Option 1 – Observe and collect evidence on the current patch level

    If you prefer to stay on the latest updates for security reasons, we recommend closely monitoring the behavior of the domain controllers:

    • Track the Private Bytes (or Working Set) of the lsass.exe process using Performance Monitor to confirm whether memory usage continues to grow over time.
    • If the issue persists, opening a Microsoft Support case would be the best next step so the product team can review memory dumps and logs specific to your environment. You can raise a support ticket here: https://support.serviceshub.microsoft.com/supportforbusiness/onboarding (Please note that each support case should focus on a single issue for proper investigation.)

    Option 2 – Roll back to the previous stable update (temporary mitigation)

    Several customers have reported that rolling back to the pre‑January 2026 update stabilizes LSASS memory usage on domain controllers. If you confirm that the issue does not occur after the rollback, you may remain on that version temporarily while waiting for Microsoft to release an updated fix or OOB patch. This approach should be weighed against your organization’s security requirements.

    I sincerely apologize that there isn’t a definitive fix available yet, and I truly appreciate your patience while Microsoft continues to investigate this behavior. Please let me know which direction you’d like to take, or if you have any questions or need further assistance. I'm happy to help.

    If you found this answer helpful, please click "Accept Answer" to share the love with everyone! 💖😊🌸✨

    Thank you again for your patience and support!

    Kind regards,

    Ivy

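The Private Bytes tracking described in Option 1 above, as an added example that is not part of the original answer or any Microsoft tooling: it samples the LSASS counter at a fixed interval, saves the samples to CSV for a support case, and fits a least-squares slope so steady growth shows up as a positive MB-per-hour figure. Assumptions: it runs locally on the domain controller in an elevated session on an English-language OS (counter names are localized), and the interval, sample count and CSV path are illustrative defaults.

```powershell
# Added example: sample LSASS Private Bytes and estimate its growth rate.
# Interval, sample count and output path are illustrative assumptions.
param(
    [int]$IntervalSeconds = 60,
    [int]$Samples         = 60,
    [string]$CsvPath      = "$env:TEMP\lsass-private-bytes.csv"
)

$counter = '\Process(lsass)\Private Bytes'

# Get-Counter blocks until all samples have been taken.
$sets = Get-Counter -Counter $counter -SampleInterval $IntervalSeconds -MaxSamples $Samples
$rows = @(foreach ($set in $sets) {
    $s = $set.CounterSamples[0]
    [pscustomobject]@{
        Timestamp      = $s.Timestamp
        PrivateBytesMB = [math]::Round($s.CookedValue / 1MB, 1)
    }
})
$rows | Export-Csv -Path $CsvPath -NoTypeInformation

# Least-squares fit of MB against elapsed hours: slope = Sxy / Sxx.
$t0 = $rows[0].Timestamp
$x  = @($rows | ForEach-Object { ($_.Timestamp - $t0).TotalHours })
$y  = @($rows | ForEach-Object { $_.PrivateBytesMB })
$mx = ($x | Measure-Object -Average).Average
$my = ($y | Measure-Object -Average).Average
$sxy = 0.0
$sxx = 0.0
for ($i = 0; $i -lt $rows.Count; $i++) {
    $sxy += ($x[$i] - $mx) * ($y[$i] - $my)
    $sxx += ($x[$i] - $mx) * ($x[$i] - $mx)
}
$slope = if ($sxx -gt 0) { $sxy / $sxx } else { 0 }

[pscustomobject]@{
    Samples         = $rows.Count
    FirstMB         = $rows[0].PrivateBytesMB
    LastMB          = $rows[-1].PrivateBytesMB
    GrowthMBPerHour = [math]::Round($slope, 2)
    CsvPath         = $CsvPath
}
```

Running the same script before and after a rollback gives two directly comparable slopes for the same domain controller.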

  2. Bruce Crossley Admin 20 Reputation points
    2026-02-06T12:10:21.71+00:00

    Hi,

    This is what you sent the last time. This is the key we adjusted.

    Microsoft has acknowledged this leak, and while a permanent fix is being integrated into the February 2026 cumulative update, an Out-of-Band (OOB) update has been released to mitigate this immediately. You should look for the specific KB article corresponding to your OS version (e.g., KB5049512 for Server 2022 or equivalent for 2016/2019). Before applying the OOB patch, you can verify the leak by monitoring the Private Bytes counter for the LSASS process in Performance Monitor. If you can't immediately patch, a temporary mitigation involves setting the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\EnableReferrals to 0, though this may impact cross-forest authentication and should be tested in staging first.


  3. VPHAN 25,000 Reputation points Independent Advisor
    2026-02-05T15:40:10.3966667+00:00

    Hi Bruce Crossley Admin,

    Rolling back the January 2026 Cumulative Update on a Domain Controller primarily impacts your security posture by re-exposing the environment to the specific vulnerabilities (CVEs) addressed in that release. Operationally, uninstalling the update via wusa is a supported workflow that safely reverts the lsass.exe binary to its previous stable version, effectively resolving the memory exhaustion without compromising the integrity of the Active Directory database (ntds.dit). While running Domain Controllers at different patch levels is supported for short durations, this rollback should be treated as a temporary triage measure to restore critical replication and authentication services until the corrected OOB update is applied.

    Regarding the registry modification you attempted, I need you to specify exactly which key and value you altered before proceeding further. Non-standard workarounds, often involving parameters under HKLM\SYSTEM\CurrentControlSet\Control\Lsa or HKLM\System\CurrentControlSet\Services\Netlogon\Parameters, can introduce persistent security gaps or silent authentication failures that linger even after the OS is corrected. Please provide the exact registry path you changed, along with your specific Windows Server version (e.g., Server 2022) and the KB number currently installed. This data is required to ensure that the manual configuration does not conflict with the rollback process or the eventual official fix.
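One way to gather the details requested above (OS version, installed KBs, and the registry value that was changed) from every domain controller in one pass, as an added example that is not part of the original answer. Assumptions: PowerShell remoting is enabled to the servers, the server names are placeholders, and the registry path and value name are the ones quoted elsewhere in this thread.

```powershell
# Added example: per-DC evidence for a support case or a rollback decision.
# Server names are placeholders; the registry value is the one named in this thread.
param(
    [string[]]$DomainControllers = @('DC01.example.test', 'DC02.example.test'),
    [int]$Days = 60
)

$report = Invoke-Command -ComputerName $DomainControllers -ArgumentList $Days -ScriptBlock {
    param($Days)
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $val = Get-ItemProperty -Path $key -Name EnableReferrals -ErrorAction SilentlyContinue

    # Updates installed in the look-back window; InstalledOn can be empty.
    $kbs = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        OS              = $os.Caption
        # Build.UBR identifies the exact cumulative update level.
        Build           = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        LastBoot        = $os.LastBootUpTime
        RecentUpdates   = ($kbs | ForEach-Object {
                              '{0} ({1:yyyy-MM-dd})' -f $_.HotFixID, $_.InstalledOn
                          }) -join '; '
        EnableReferrals = if ($val) { $val.EnableReferrals } else { 'not set' }
    }
}

$report |
    Select-Object Server, OS, Build, LastBoot, RecentUpdates, EnableReferrals |
    Format-List
```

Differing Build values across servers show which domain controllers are currently at different patch levels, and a value other than "not set" flags where the manual registry change is still in place.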


  4. VPHAN 25,000 Reputation points Independent Advisor
    2026-02-05T13:44:45.1966667+00:00

    Hello Bruce Crossley Admin, the symptoms you are experiencing, specifically the Local Security Authority Subsystem Service (LSASS) process consuming excessive memory, leading to replication failures and the stopping of RPC services, are indicative of a memory leak regression introduced in the January 2026 Security Updates. This type of regression typically occurs when the update modifies how the Domain Controller handles specific authentication loads or LDAP queries, causing non-paged pool memory to be allocated but not released. Moving your virtual machines to a single ESX host was a logical troubleshooting step to rule out physical network latency, but it will not resolve this issue because the fault lies within the lsass.exe code path on the OS level, not the underlying infrastructure.

    Regarding the Out-of-Band (OOB) update, Microsoft releases these specific patches to address critical regressions that occur between standard monthly cycles. You generally will not find OOB updates through the standard "Check for Updates" mechanism or automatic WSUS synchronization. To acquire the OOB update, you must identify the specific Knowledge Base (KB) number assigned to the fix for your specific Windows Server version (e.g., Server 2022 or Server 2025). You then need to navigate to the Microsoft Update Catalog website, search for that specific KB number, and download the standalone .msu installer. Once downloaded, you can install it manually on your Domain Controllers or import it into WSUS for broader distribution.

    If you are unable to immediately locate the confirmed OOB patch for this specific January regression, the most immediate and reliable "best practice" solution to restore service stability is to uninstall the January 2026 Cumulative Update. You can execute this by running the command wusa /uninstall /kb:[KB_Number_Of_Jan_Update] from an elevated command prompt on the affected Domain Controllers. This will revert the system binaries to their December state, effectively stopping the memory leak. Once the official OOB or the February cumulative update (which will include the fix) is validated, you can then proceed with patching.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    VP

