Windows Updates seem to get even more dangerous, like I described in previous posts.

This time I was updating all Windows 2016 servers manually with patch KB3197954, which was necessary to make the servers load updates from WSUS again.

It looks like this update can cause a lot of trouble, especially on AD domain controllers.

Symptoms

  • The DCs do not recognize that they are in the default LAN domain network topology; they classify the connection as a public or private network instead.
  • This causes FSMO errors, the DCs no longer sync, startup scripts do not run, DFS issues appear, etc.
  • You also see this behaviour in Windows Firewall: the domain is not recognized, so the public profile is loaded.

Solution

For whatever reason, the update modified the startup behaviour of important services.

On most machines (not all), the following services were not started or had the wrong startup type:

| Common Service Name | Service Name (German) | Wrong state | Correct state |
|---|---|---|---|
| WAS | Windows-Prozessaktivierungsdienst | Deactivated | Manual |
| Net Tcpport Sharing | Net. TCP-Portfreigabedienst | Deactivated | Manual |
| Netlogon | Anmeldedienst | Manual | Automatic |

Note: Netlogon is the most important one. E.g. the WAS service is not always needed.

In other network scenarios, other services could be affected. If you are not sure, have a look at the Windows event log.
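One way to check a server against the table above and see which firewall profile it ended up in, as an added example that is not part of the original post. It assumes the Windows short service names `Netlogon`, `WAS` and `NetTcpPortSharing` for the three table rows, and the `-Fix` switch is a name made up for this script; without it the script only reports.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Expected start types are taken
# from the "Correct state" column of the table above.
param([switch]$Fix)   # hypothetical switch: report only unless -Fix is given

$expected = [ordered]@{
    Netlogon          = 'Automatic'
    WAS               = 'Manual'
    NetTcpPortSharing = 'Manual'
}

$report = foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # WAS and Net.Tcp Port Sharing are optional and may not be installed
        [pscustomobject]@{ Service = $name; StartType = 'not installed'
                           Expected = $expected[$name]; Status = $null; Ok = $true }
        continue
    }
    $ok = ($svc.StartType.ToString() -eq $expected[$name])
    if (-not $ok -and $Fix) {
        Set-Service -Name $name -StartupType $expected[$name]
        # Netlogon must actually be running for the domain to be detected
        if ($name -eq 'Netlogon') { Start-Service -Name $name }
        $svc = Get-Service -Name $name
        $ok  = ($svc.StartType.ToString() -eq $expected[$name])
    }
    [pscustomobject]@{ Service = $name; StartType = $svc.StartType
                       Expected = $expected[$name]; Status = $svc.Status; Ok = $ok }
}
$report | Format-Table -AutoSize

# On a healthy DC every LAN adapter should report DomainAuthenticated;
# Public or Private means the firewall is using the wrong profile.
$profiles = Get-NetConnectionProfile
$profiles | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
$profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
    ForEach-Object {
        Write-Warning "$($_.InterfaceAlias) is classified as $($_.NetworkCategory)"
    }
```

Run it once without `-Fix` to see the current state, then again with `-Fix` and compare the two reports.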


Update 2017-05:

If the firewall still loads the wrong profile even though all services are started, a wrong gateway could also be the cause.

E.g. if you mainly use IPv4 and do not need IPv6 in your LAN, try to disable IPv6 in the network adapter’s properties. Reference
