Windows Server Domain Controllers Enter Reboot Loop After April 2026 Cumulative Update
Windows Server domain controllers (2016, 2019, 2022, 2025) enter a continuous reboot loop after installing the April 2026 cumulative or security updates, rendering Active Directory services unavailable. Microsoft has acknowledged the issue and released out-of-band updates as the primary remediation path. Where out-of-band updates are not yet available or cannot be applied, resolution requires booting into Safe Mode or DSRM to uninstall the offending update, or restoring from a pre-patch backup. All domain controllers should have further updates paused until the corrected patch has been validated in the environment.
Indicators
- Domain controller reboots repeatedly and does not remain stable after applying April 2026 updates
- Active Directory services become unavailable due to continuous domain controller restart cycle
- Domain controllers fail to complete boot sequence and enter a reboot loop post-update
- Users receive 'No logon servers available' or 'The trust relationship between this workstation and the primary domain failed' errors
- BSOD or stop error may be briefly visible on console before automatic restart
- Group Policy application failures across client machines and member servers due to DC unavailability
Likely causes
- April 2026 Windows Update introduces a compatibility defect causing a crash or stop error on systems running the Active Directory Domain Services role
- A patched system component critical to domain controller boot or NTDS service startup causes an unrecoverable fault during initialisation
- Update installation completed with errors leaving the system in an inconsistent state that manifests only on reboot
Diagnostic steps
- Access the domain controller via out-of-band console (iDRAC, iLO, Hyper-V/VMware console). Observe the exact point in the boot sequence where the reboot occurs and note any stop error (BSOD) code displayed on screen. Purpose: identifies whether the reboot loop is caused by a kernel stop error, a crashing service, or a failed startup repair, and captures any error code for further analysis.
- Boot the domain controller into Safe Mode or Directory Services Restore Mode (DSRM) by pressing F8 during startup. If F8 does not work, boot from WinPE/recovery media and run: `bcdedit /set {current} safeboot minimal`. Purpose: determines whether the reboot loop is caused by a service or driver loaded during normal boot that is not loaded in safe mode, isolating the April 2026 update as the trigger.
- Once in a stable environment (Safe Mode, DSRM, or Windows Recovery Environment), review the System Event Log for critical errors: `Get-WinEvent -LogName System -MaxEvents 100 | Where-Object {$_.LevelDisplayName -eq 'Critical' -or $_.LevelDisplayName -eq 'Error'} | Select TimeCreated, Id, Message | Format-List`. Purpose: identifies specific Event IDs, faulting modules, or stop codes generated at the time of the crash to confirm the April 2026 update as the root cause.
- Check the list of installed updates to confirm which April 2026 KB articles are present: `Get-HotFix | Where-Object {$_.InstalledOn -gt '2026-04-01'} | Select HotFixID, InstalledOn, Description | Sort InstalledOn`. Purpose: provides the exact KB numbers installed during the April 2026 update cycle so the correct update can be targeted for removal.
- Review CBS logs for update installation errors: examine `C:\Windows\Logs\CBS\CBS.log` and `C:\Windows\Logs\DISM\dism.log` for failure markers around the April 2026 update installation timestamps. Purpose: determines whether the April 2026 update installed incompletely or with errors, which can cause boot-time failures on domain controllers.
- From a working machine, check other domain controllers in the environment to determine scope: `Get-ADDomainController -Filter * | Select Name, Site, OperatingSystem, IsGlobalCatalog`. Purpose: establishes whether the issue is isolated to a single DC or environment-wide, which determines urgency and whether directory services can be maintained on unaffected DCs.
- Check Microsoft Learn and the Microsoft Update Catalog for out-of-band KB numbers released for each affected Server version (2016, 2019, 2022, 2025) and confirm package availability before beginning resolution. Purpose: ensures the correct out-of-band remediation packages are identified and downloadable for each OS version present in the environment prior to remediation.
- Check NETLOGON and NTDS service status on any accessible DC: `Get-Service NTDS, Netlogon | Select Name, Status`. Purpose: confirms whether core AD services are running or have crashed, helping characterise the failure mode and confirm recovery after remediation.
Resolution path
1. If the domain controller can reach Safe Mode or DSRM: open an elevated command prompt and uninstall the April 2026 update using DISM: `dism /online /remove-package /packagename:<PACKAGE_NAME>` (obtain the package name from `dism /online /get-packages | findstr KB`), or use WUSA: `wusa /uninstall /kb:<KB_NUMBER> /quiet /norestart`
2. If the domain controller cannot reach Safe Mode: boot from Windows Server installation media or WinPE and open the recovery command prompt. Identify the OS volume (typically D: in recovery). Run: `dism /image:D:\ /remove-package /packagename:<PACKAGE_NAME>`, then reboot normally.
3. If update removal fails or the system remains unstable: restore the domain controller from a pre-update system state backup using `wbadmin start systemstaterecovery -version:<VERSION>`, or restore from a VM snapshot via the hypervisor console.
3a. If out-of-band updates are available from Microsoft: obtain the applicable out-of-band package for each affected Server version (2016/2019/2022/2025) from the Microsoft Update Catalog. Boot the affected DC into DSRM or WinRE and apply the out-of-band fix package, then reboot normally. This is the preferred path over manual update removal where the out-of-band fix is available.
4. Once one domain controller is stabilised, immediately pause Windows Update on all remaining domain controllers: set the Windows Update service to Disabled via `Set-Service wuauserv -StartupType Disabled`, or apply a GPO to defer updates until Microsoft releases a fix.
5. Verify AD replication health from a recovered DC: `repadmin /replsummary` and `repadmin /showrepl`. Address any replication errors before considering the environment stable.
6. Monitor Microsoft's support channels (Windows Release Health dashboard, Microsoft Update Catalog) for a revised April 2026 update or out-of-band hotfix before re-applying updates to domain controllers.
7. Post-remediation verification: confirm the DC completes a full reboot and remains stable; verify AD replication with `repadmin /replsummary`; confirm authentication and LDAP services are responsive and domain clients can log in successfully.
8. Post-OOB-update verification: confirm the DC does not reboot unexpectedly for 30+ minutes; verify the NETLOGON and NTDS services are running (`Get-Service NTDS, Netlogon | Select Name, Status`); confirm clients can authenticate and Group Policy applies without errors.
9. If the OOB update fails to stabilise a DC and wusa uninstallation is not possible, use System Restore (if enabled) or restore from a pre-patch VM snapshot or system state backup. Do NOT re-apply the April 2026 security update until Microsoft confirms the OOB fix is validated for the specific Server version.
Prevention
- Implement staged update deployment: apply cumulative updates to a non-production or pilot domain controller first and observe stability for 24–48 hours before rolling out to all domain controllers
- Snapshot or back up all domain controllers (system state or full VM snapshot) immediately before applying any monthly update cycle, ensuring a clean rollback point is always available
- Subscribe to the Microsoft Windows Release Health dashboard (https://learn.microsoft.com/en-us/windows/release-health/) and Windows Server update advisories to receive early warning of known issues
- Configure Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager with approval workflows so updates cannot be applied to domain controllers without explicit administrator sign-off
- Maintain at least two domain controllers per site so that one can be kept at the previous patch level while the other is used to validate new updates, preserving directory service availability during testing
- Subscribe to Microsoft Security Update Guide email notifications in addition to the Windows Release Health dashboard so defective-update advisories are received promptly before broad DC deployment
- Configure WSUS or deployment tooling to defer automatic DC patching by at least 7 days from Patch Tuesday release, providing a window for Microsoft and the community to surface critical regressions before DCs are affected
Tools
- DISM (Deployment Image Servicing and Management — update removal from online or offline OS)
- WUSA (Windows Update Standalone Installer — uninstall specific KB packages)
- BCDEdit (Boot Configuration Data editor — configure safe mode boot)
- repadmin (Active Directory replication diagnostics and health checks)
- Get-HotFix / Get-WinEvent (PowerShell cmdlets for update inventory and event log review)
- wbadmin (Windows Server Backup — system state backup and restore)
- Windows Recovery Environment / WinPE (offline repair when OS cannot boot)
- Out-of-band management console (iDRAC, iLO, Hyper-V Manager, VMware vSphere — console access during boot loop)
- Event Viewer (GUI-based log review — alternative to Get-WinEvent for reviewing System/Application logs in DSRM)
References
- Microsoft Windows Release Health — Windows Server known issues
- Microsoft Update Catalog — search for April 2026 KB articles
- How to use the Directory Services Restore Mode (DSRM) in Windows Server
- Repadmin command reference for AD replication troubleshooting
- Microsoft Learn — Out-of-band updates for DC restart loops after April 2026 security updates