VYPR
Advisory · Published May 26, 2026 · 1 source

Microsoft Confirms KB5087537 Update Breaks Domain Controller Discovery on Windows Server 2016

Microsoft has confirmed that the May 2026 security update KB5087537 causes domain controller locator failures on Windows Server 2016 systems with 15-character hostnames, disrupting authentication and administrative tools.

Microsoft has confirmed a new known issue affecting Windows Server 2016 systems that causes domain controller lookups to fail after installing the KB5087537 May 2026 security update. The bug specifically impacts servers with hostnames exactly 15 characters long: DCLocator calls such as `nltest /dsgetdc:<domain> /pdc` fail and return ERROR_INVALID_PARAMETER instead of locating a domain controller.

The issue, detailed in an updated Microsoft support document, disrupts the ability of applications and administrative tools to locate a domain controller on the network. This can lead to failures in authentication, group policy processing, and other directory-dependent operations. Microsoft noted that administrative scenarios requiring domain controller access—such as DFS Namespace management—may also be affected.

Windows Server 2016 reached the end of mainstream support in January 2022, though Microsoft has pushed back its extended support end date by five years to facilitate migration to newer versions. The KB5087537 update is part of the May 2026 Patch Tuesday cycle, which fixed over 120 vulnerabilities across Windows and other Microsoft products but introduced this compatibility regression for a specific configuration.

Microsoft is currently investigating the domain controller lookup failures and has not yet provided a timeline for a fix. Administrators are advised to monitor the Windows release health dashboard for updates. The company has not offered a workaround beyond cautioning against using 15-character hostnames on affected systems.
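Until a fix ships, administrators can check whether a given server matches the affected profile and shows the symptom. The PowerShell below is an added example, not code from Microsoft or the original advisory; the function name `Test-DcLocatorRegression` is hypothetical, and it assumes "hostname" means the DNS host name (the NetBIOS name is reported alongside it).

```powershell
# Added example: local exposure check for the KB5087537 DCLocator issue.
# Assumption: the 15-character condition applies to the DNS host name.
function Test-DcLocatorRegression {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB5087537'   # update named in the advisory
    )

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $hostName = [System.Net.Dns]::GetHostName()

    # Windows Server 2016 is build 14393; ProductType 1 is a client SKU,
    # 2 is a domain controller, 3 is a member or standalone server.
    $isServer2016 = ($os.BuildNumber -eq '14393') -and ($os.ProductType -ne 1)
    $kbInstalled  = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    $nameIs15     = ($hostName.Length -eq 15)

    $result = [ordered]@{
        HostName       = $hostName
        NetBiosName    = $env:COMPUTERNAME
        NameLength     = $hostName.Length
        IsServer2016   = $isServer2016
        KbInstalled    = $kbInstalled
        DomainJoined   = [bool]$cs.PartOfDomain
        MatchesProfile = $isServer2016 -and $kbInstalled -and $nameIs15
        LocatorOutcome = 'NotTested'
    }

    # Confirm the symptom with the same DCLocator call the advisory cites.
    if ($cs.PartOfDomain -and (Get-Command nltest.exe -ErrorAction SilentlyContinue)) {
        $output = & nltest.exe "/dsgetdc:$($cs.Domain)" /pdc 2>&1 | Out-String
        if ($output -match 'ERROR_INVALID_PARAMETER') {
            $result.LocatorOutcome = 'ERROR_INVALID_PARAMETER'
        } elseif ($LASTEXITCODE -eq 0) {
            $result.LocatorOutcome = 'Success'
        } else {
            $result.LocatorOutcome = "OtherFailure (exit $LASTEXITCODE)"
        }
    }
    [pscustomobject]$result
}

Test-DcLocatorRegression | Format-List
```

A host reporting `MatchesProfile = True` together with `LocatorOutcome = ERROR_INVALID_PARAMETER` fits the behavior described here; any other locator failure points to a different cause.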

This issue adds to a string of recent Windows Server headaches. In recent weeks, Microsoft confirmed Windows Update failures after the January 2026 optional non-security preview update in restricted network environments, as well as Windows 11 security update deployment failures due to insufficient space on the EFI System Partition. Last month, Microsoft released emergency out-of-band updates to fix a bug causing Windows Server 2025 systems to boot into BitLocker recovery, and addressed a restart loop issue on domain controllers.

In April, Microsoft finally resolved a long-standing bug that had caused Windows Server 2019 and Windows Server 2022 systems to unexpectedly upgrade to Windows Server 2025 since September 2024. The new DCLocator failure underscores the ongoing challenge of maintaining stability in legacy server environments that receive only extended security updates.

For administrators running Windows Server 2016, the immediate risk is operational disruption rather than a security vulnerability. However, the inability to authenticate or process group policy could create secondary security gaps if systems fail to receive policy updates. Microsoft has not indicated whether a fix will arrive via an out-of-band update or be rolled into the next cumulative update.

Synthesized by Vypr AI