What happens
Microsoft describes a relevant Active Directory known issue in the April 2026 Windows Server updates: in multi-domain forests that use Privileged Access Management (PAM), domain controllers that are not Global Catalog servers can run into repeated restarts during boot because LSASS fails during startup.
For affected environments, this is operationally critical. Domain controllers are part of the authentication and directory-service foundation. A reboot loop can interrupt logons, service authentication and dependent business processes.
What matters now
- Validate rollout on PAM forests in a test wave first, especially for non-GC domain controllers.
- If already affected, plan and deploy the relevant out-of-band (OOB) update for the server version in use.
- Patch domain controllers in controlled batches, never as one unobserved wave.
- Ensure out-of-band management access (console, iLO, iDRAC or equivalent) before patching, so a domain controller caught in a restart loop can still be reached.
- Verify recovery paths and restore procedures for domain controllers before maintenance starts.
- Check BitLocker recovery processes where applicable, because some configurations can require recovery-key handling after servicing.
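The first step above, scoping which domain controllers match the known-issue profile, can be done from any management host with RSAT. The following script is an added example and not part of Microsoft's advisory or this article: it lists every domain controller in the forest, flags the ones that are not Global Catalog servers, and reports whether the Privileged Access Management optional feature is enabled. It assumes the ActiveDirectory PowerShell module is installed and the account running it has read access to the forest; the AtRisk column is a heuristic built from the three conditions named in the advisory (multi-domain forest, PAM enabled, non-GC DC), not a Microsoft-provided check.

```powershell
# Added example (not from the original advisory): pre-patch scoping for the
# April 2026 Windows Server known issue. Lists every DC in the forest, flags
# non-Global-Catalog DCs and reports whether the PAM optional feature is enabled.
# Assumes the ActiveDirectory RSAT module and a domain account with read access.
Import-Module ActiveDirectory

$forest = Get-ADForest

# PAM is an AD optional feature; EnabledScopes is empty when it has never been enabled.
$pam = Get-ADOptionalFeature -Filter "Name -like 'Privileged Access Management*'" -Server $forest.Name
$pamEnabled = [bool]($pam -and $pam.EnabledScopes.Count -gt 0)
$multiDomain = $forest.Domains.Count -gt 1

Write-Host ("Forest: {0}  Domains: {1}  PAM enabled: {2}" -f $forest.Name, $forest.Domains.Count, $pamEnabled)

$report = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
        [pscustomobject]@{
            Domain          = $domain
            HostName        = $_.HostName
            OperatingSystem = $_.OperatingSystem
            IsGlobalCatalog = $_.IsGlobalCatalog
            # Exposure heuristic from the advisory: multi-domain forest + PAM + non-GC DC.
            AtRisk          = $multiDomain -and $pamEnabled -and (-not $_.IsGlobalCatalog)
        }
    }
}

$report |
    Sort-Object @{ Expression = 'AtRisk'; Descending = $true }, Domain |
    Format-Table -AutoSize

$atRisk = @($report | Where-Object AtRisk)
if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} non-GC domain controller(s) match the known-issue profile; patch these in a later wave and verify console access first." -f $atRisk.Count)
}
```

Run it before the first patch wave and keep the output with the change record: the AtRisk hosts are the ones that should go last, after the GC servers in the same domain have been patched and observed.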
Relevant for projects
This is a good reminder that domain controller patching is not just a monthly routine. For security-critical environments, it should be treated as a small change package with:
- version-specific known-issue review,
- staged deployment,
- authentication-flow checks,
- rollback planning,
- post-patch monitoring.
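The "authentication-flow checks" and "post-patch monitoring" items above are the ones most often skipped when patching is treated as routine. The function below is an added example, not code from the article or from Microsoft: for each domain controller in a freshly patched batch it checks that the directory service answers LDAP, counts boots in a short lookback window (System event 6005 is written once per start of the event log service, so several of them in two hours indicate a restart loop), and reads the DC's own replication-failure list. It assumes the ActiveDirectory module, remote event-log read rights on the DCs, and that the host names passed in are the ones you just patched; the thresholds are assumptions to tune for your environment.

```powershell
# Added example (not from the original advisory): post-patch checks for a
# batch of domain controllers. Assumes the ActiveDirectory RSAT module,
# remote event-log read access, and a list of DC host names passed in.
Import-Module ActiveDirectory

function Test-DcAfterPatch {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [int] $LookbackHours = 2,       # assumed window in which repeated boots count as a loop
        [int] $BootLoopThreshold = 2    # assumed: two or more boots in the window is suspicious
    )
    foreach ($dc in $DomainController) {
        $result = [ordered]@{ DC = $dc; LdapBind = $false; Boots = $null; ReplFailures = $null; Status = 'OK' }

        # 1. Is the directory service on this DC answering LDAP at all?
        try {
            $null = Get-ADDomainController -Identity $dc -Server $dc -ErrorAction Stop
            $result.LdapBind = $true
        } catch {
            $result.Status = 'LDAP bind failed'
        }

        # 2. Count boots in the window: System event 6005 = event log service started.
        $since = (Get-Date).AddHours(-$LookbackHours)
        $boots = @(Get-WinEvent -ComputerName $dc `
            -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $since } `
            -ErrorAction SilentlyContinue)
        $result.Boots = $boots.Count
        if ($boots.Count -ge $BootLoopThreshold) { $result.Status = 'Possible reboot loop' }

        # 3. Inbound replication failures as reported by this DC.
        $fail = @(Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue)
        $result.ReplFailures = $fail.Count
        if ($fail.Count -gt 0 -and $result.Status -eq 'OK') { $result.Status = 'Replication failures' }

        [pscustomobject]$result
    }
}

# Usage: check the DCs of the batch you just patched; hold the next wave if any is not OK.
# Host names below are placeholders.
# Test-DcAfterPatch -DomainController 'dc01.corp.example', 'dc02.corp.example' | Format-Table -AutoSize
```

A DC that is mid-loop will typically fail the LDAP check and not answer the event-log query either, so "LDAP bind failed" after a patch is itself the signal to go to the out-of-band console rather than wait for the next sample.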
Bottom line
For Active Directory, patch speed and operational control must go together. The right response is not to avoid updates, but to patch domain controllers with staged validation, visibility and a tested recovery path.