Microsoft has broken Active Directory for some Windows Server users

Microsoft's September 2025 security update for Windows Server 2025, KB5065426, bundles security fixes with new features, and one of those changes has introduced a regression in Active Directory directory synchronization for some Windows Server users.

Active Directory Synchronization Challenges

Microsoft has issued an advisory titled “Directory synchronization fails for AD security groups exceeding 10,000 members,” outlining the core of the problem. According to the company, applications that use the Active Directory directory synchronization (DirSync) control against on-premises Active Directory Domain Services (AD DS), Microsoft Entra Connect Sync among them, receive incomplete synchronization results for AD security groups with more than 10,000 members. The issue is specific to Windows Server 2025 and appears only after the September 2025 security update (KB5065426) or a later update is installed.

Applications that use the Active Directory directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS), such as when using Microsoft Entra Connect Sync, can result in incomplete synchronization of large AD security groups exceeding 10,000 members. This issue occurs only on Windows Server 2025 after installing the September 2025 Windows security update (KB5065426), or later updates.

Microsoft has not said how many customers are affected, but it is working on a fix. In the meantime it has published a workaround: a registry override that disables only the specific feature change introduced by the update, leaving the rest of the update in place.

Affected customers can apply the following registry key to disable the feature change.

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. For more information, see Windows registry for advanced users.

The necessary registry tweak is outlined as follows:

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides

Name: 2362988687

Type: REG_DWORD

Value: 0
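The following PowerShell script is an added example and is not part of Microsoft's advisory or of this article. It first checks whether any security group in the domain actually exceeds the 10,000-member threshold the advisory names, and only then creates the override described above (the `Computer\` prefix shown in Registry Editor is a display artifact, not part of the path). The `$KeyPath`, `$ValueName` and `$Threshold` variable names are the author's own; the key path, value name, type and data are exactly those quoted from the advisory. It assumes an elevated session on the affected Windows Server 2025 domain controller with the ActiveDirectory module available.

```powershell
# Added example (not from the Microsoft advisory). Run elevated on the affected
# Windows Server 2025 domain controller.
# Key path, value name and data are taken verbatim from the advisory; the
# "Computer\" prefix Registry Editor displays is not part of the path.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$ValueName = '2362988687'
$Threshold = 10000   # member count above which DirSync returns incomplete results

# 1. Assess exposure: list security groups whose member count exceeds the threshold.
#    Get-ADGroup -Properties member is used rather than Get-ADGroupMember, because
#    the latter is capped by the ADWS MaxGroupOrMemberEntries limit (5000 by default)
#    and would fail on exactly the groups this issue concerns.
Import-Module ActiveDirectory
$largeGroups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties member |
    Where-Object { $_.member.Count -gt $Threshold } |
    Select-Object Name, DistinguishedName, @{ Name = 'Members'; Expression = { $_.member.Count } }

if (-not $largeGroups) {
    "No security groups exceed $Threshold members; override not applied."
    return
}
$largeGroups | Format-Table -AutoSize

# 2. Apply the documented override. The Overrides key does not exist by default;
#    -Force on New-Item creates any missing parent keys.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Verify the value reads back as 0 before relying on it.
$current = Get-ItemPropertyValue -Path $KeyPath -Name $ValueName -ErrorAction Stop
if ($current -ne 0) { throw "Override not set as expected: $ValueName = $current" }
"{0}\{1} = {2} (override applied)" -f $KeyPath, $ValueName, $current
```

Once Microsoft ships the full fix, the override can be removed with `Remove-ItemProperty -Path $KeyPath -Name $ValueName`. The advisory as reproduced here does not say whether a restart is needed for the override to take effect, so plan for one in a maintenance window and re-run a synchronization cycle afterwards to confirm the large groups now sync completely.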

Additionally, Microsoft has acknowledged this issue in the Known Issues section of the KB5065426 update, reiterating that applications utilizing DirSync for AD DS may face synchronization challenges for large security groups exceeding the specified member count.

A comprehensive solution is anticipated to be released in the near future, as Microsoft continues to address the concerns raised by this update.

Image credit: Davide Bonaldo / Dreamstime.com
