Full Report
Microsoft has confirmed a new known issue affecting Windows Server 2016 systems that causes domain controller lookups to fail after installing the KB5087537 May 2026 security update. [...]
Analysis Summary
# Vulnerability: Windows Server 2016 Domain Controller Lookup Failure
## CVE Details
- **CVE ID**: N/A (Confirmed Functional Issue/Bug resulting from Security Update)
- **CVSS Score**: N/A
- **CWE**: CWE-1284 (Improper Validation of Specified Quantity) - *Inferred based on the 15-character hostname constraint.*
## Affected Systems
- **Products**: Windows Server 2016
- **Versions**: OS Build 14393.9140 (after installing KB5087537)
- **Configurations**: Systems where the NetBIOS/Host name is **exactly 15 characters** long.
## Vulnerability Description
Following the installation of the May 2026 security update (KB5087537), a regression in the `DCLocator` process prevents Windows Server 2016 from discovering Domain Controllers. Technically, calls to locate a DC (such as `nltest /dsgetdc`) trigger an `ERROR_INVALID_PARAMETER` (Error 87) specifically when the hostname meets the 15-character NetBIOS limit. This suggests an "off-by-one" error or a null-terminator handling issue introduced in the update's handling of maximum-length legacy hostnames.
## Exploitation
- **Status**: Not exploited (Functional regression/Denial of Service)
- **Complexity**: N/A
- **Attack Vector**: Local (Triggered by system configuration and update installation)
## Impact
- **Confidentiality**: None
- **Integrity**: Low (May impact administrative consistency)
- **Availability**: **High** (Prevents domain-dependent services, DFS Namespace management, and administrative tools from functioning; potential identity/authentication failures for local services).
## Remediation
### Patches
- **Status**: Under investigation. Microsoft has not yet released a formal fix for this regression as of May 26, 2026.
- **Affected Update**: KB5087537 (May 12, 2026).
### Workarounds
- **Hostname Modification**: Change the server hostname to be shorter than 15 characters (e.g., 14 characters or fewer) to bypass the `DCLocator` logic error.
- **Rollback**: Uninstalling KB5087537 will restore functionality, though this leaves the system vulnerable to the security flaws the update originally intended to patch.
## Detection
- **Indicators of Compromise**: N/A (Non-malicious flaw).
- **Detection methods and tools**:
  - Run the command: `nltest /dsgetdc: /pdc`
    - **Failure Sign**: The command returns `Status = 87 0x57 ERROR_INVALID_PARAMETER`.
  - Check for Event ID errors related to "DFS Namespace management" or "Domain Controller discovery" in the System/Application event logs.
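
The checks above can be combined into one local triage pass. The following is an added example, not code from Microsoft or from the sources this report cites; it assumes it is run on the Windows Server 2016 host itself and that `nltest.exe` is on the path, and its variable and property names are illustrative.

```powershell
# Added example: local triage for the conditions listed in this report.
$Kb = 'KB5087537'   # update named in this report

# Build and revision as Windows records them; the report lists 14393.9140.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# COMPUTERNAME holds the NetBIOS name, which is capped at 15 characters.
$name = $env:COMPUTERNAME
$nameIs15 = ($name.Length -eq 15)

# Get-HotFix reads Win32_QuickFixEngineering; no match returns nothing.
$kbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

# Same lookup the report gives; capture stdout and stderr as one string.
$nltest = (& nltest.exe /dsgetdc: /pdc 2>&1 | Out-String)
$status87 = $nltest -match 'ERROR_INVALID_PARAMETER|Status\s*=\s*87\b'

[pscustomobject]@{
    ComputerName   = $name
    NameLength     = $name.Length
    OsBuild        = $build
    KbInstalled    = $kbInstalled
    NameIs15Chars  = $nameIs15
    NltestStatus87 = $status87
    # Preconditions from "Affected Systems" are met, symptom not required.
    Exposed        = ($kbInstalled -and $nameIs15)
    # Preconditions met and the failure sign from "Detection" observed.
    MatchesReport  = ($kbInstalled -and $nameIs15 -and $status87)
}
```

A host reporting `Exposed` but not `MatchesReport` meets the preconditions without showing the failure sign in this run; a host reporting `NltestStatus87` without the other two conditions is failing for a reason this report does not cover.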
## References
- **Vendor Advisory**: hxxps[://]support[.]microsoft[.]com/en-us/topic/may-12-2026-kb5087537-os-build-14393-9140-2ef98591-73f0-4517-9fa0-12764b51858f
- **BleepingComputer**: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-domain-controller-lookup-may-fail-on-windows-server-2016/
- **Microsoft Lifecycle**: hxxps[://]learn[.]microsoft[.]com/en-us/lifecycle/products/windows-server-2016