A Terminal Services Print Fix, Two Win2K AD Bug Fixes, a Chkdsk Problem, and More

Windows Server 2003 and Windows 2000 Server Terminal Services Print Fix
The Terminal Services service on Windows Server 2003 and Windows 2000 servers becomes confused when two users log on and one user has a more recent driver for the same network printer than the other user. When the user with the older print driver attempts to print a document, the server responds with an error message instructing the user to install a new printer. If the user then follows the message's instructions for installing a printer, the Print and Apply buttons for the default printer aren't available. The problem occurs because when the user with the newer print driver logs on, the terminal server generates a new spool file for the first user (the user with the older print driver), formatted according to the second user’s more current print-driver instructions. When the server attempts to print the spool file, the format isn't compatible with the older driver, which causes the server to respond with the error message "No printers installed" or a similar error message. Microsoft Product Support Services (PSS) has a patch for both Windows 2003 and Win2K platforms. The patch updates 21 files, most of which have a file release date of November 20, 2003. This problem is documented in the Microsoft article "You receive an error message when you try to print to a shared network printer in a terminal server session" (http://support.microsoft.com/?kbid=831754).

Win2K AD Bug Fix
The Local Security Authority Service (lsass.exe) performs client, server, user, and machine authentication and drives Active Directory (AD). A timing synchronization problem between a DNS scavenger thread and lsass.exe can delay the response to AD operations, including domain joins and object queries, for up to 60 seconds. Lsass performs DNS queries to locate network systems, including domain controllers (DCs), for authentication and access purposes. To maintain a valid list of names and addresses, the DNS service runs a scavenger thread that queries each system listed in the global DNS address list. During the maintenance cycle, the scavenger thread locks the address list, which increases the time Lsass takes to complete DNS queries. If you initiate an AD operation while the DNS scavenger thread is running and AD isn't responsive, this bug might be the cause. Microsoft released a fix for this Win2K-specific problem in mid-December 2003. The hotfix contains 27 files, including several core OS components: three Kerberos DLLs, lsass.exe and its associated DLL, and Netlogon. If you experience these symptoms on your Win2K servers, call PSS and ask for the hotfix that the Microsoft article "It takes up to one minute to complete an Active Directory task on your Windows 2000 server" (http://support.microsoft.com/?kbid=824037) documents.

Win2K Chkdsk Utility Resets ACLs on High-Capacity Disks
If you run servers with high-capacity disks and you have more than 4,194,303 files on an individual volume or the Master File Table (MFT) for the volume is larger than 4GB, don't run Chkdsk in fix mode on the disk until you get the latest version of the utility. The new, large drives apparently overflow a Chkdsk counter that counts the number of files processed, with the result that after scanning 4,194,303 files, the utility resets file ACLs to their default values. After this reset occurs, users might not be able to access files until an administrator resets ACLs to their previous values. If you don’t carefully document online storage security controls, resetting ACLs might be a problem. If the files on the volume are sensitive, the Chkdsk bug might require you to restore the affected hard disk with a known good backup. The new version of Chkdsk updates seven files and is available only from PSS. When you call PSS, cite the Microsoft article "The CHKDSK utility incorrectly identifies and deletes in-use security descriptors" (http://support.microsoft.com/?kbid=831375) as a reference.
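A pre-flight check for the two thresholds above, as an added example that is not part of the original article or of Microsoft's fix. The function names are hypothetical, the MFT size must be supplied by the operator, and counting directories as well as files and treating an unknown MFT size as unsafe are conservative assumptions.

```python
import os
import sys

# Thresholds as stated in the article.
CHKDSK_FILE_LIMIT = 4_194_303      # files on one volume
MFT_SIZE_LIMIT = 4 * 1024 ** 3     # 4GB Master File Table


def count_entries(root, limit=CHKDSK_FILE_LIMIT):
    """Count files and directories under root, stopping once limit is passed.

    Returns (count, unreadable_dirs). Directories are counted too, as a
    conservative assumption; symbolic links are counted but not followed.
    """
    count, unreadable, stack = 0, [], [root]
    while stack and count <= limit:
        path = stack.pop()
        try:
            with os.scandir(path) as entries:
                for entry in entries:
                    count += 1
                    if count > limit:
                        break
                    if entry.is_dir(follow_symlinks=False):
                        stack.append(entry.path)
        except OSError:
            unreadable.append(path)   # count is now only a lower bound
    return count, unreadable


def fix_mode_safe(count, mft_bytes=None, unreadable=()):
    """Return (ok, reasons); ok is True only when every check passes."""
    reasons = []
    if count > CHKDSK_FILE_LIMIT:
        reasons.append("more than 4,194,303 entries on the volume")
    elif unreadable:
        reasons.append("count incomplete: %d unreadable directories" % len(unreadable))
    if mft_bytes is None:
        reasons.append("MFT size not supplied")   # unknown is treated as unsafe
    elif mft_bytes > MFT_SIZE_LIMIT:
        reasons.append("MFT larger than 4GB")
    return not reasons, reasons


if __name__ == "__main__":
    # Usage: script.py <volume root> [MFT size in bytes, read by the operator]
    n, bad = count_entries(sys.argv[1])
    mft = int(sys.argv[2]) if len(sys.argv) > 2 else None
    ok, why = fix_mode_safe(n, mft, bad)
    print("entries counted:", n)
    print("OK to run Chkdsk in fix mode" if ok else "Defer fix mode: " + "; ".join(why))
```

The walk stops as soon as the limit is exceeded, so a volume that is over the threshold is reported without enumerating every file on it.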

Win2K AD Index Bug Might Crash DCs
The AD service uses a directory information tree as an index to the AD database. A bug in how the index propagates security descriptor information might cause the index to increase in size by 50 percent in less than 24 hours, potentially consuming all free space on the hard disk. When this happens, the affected system crashes. Microsoft explains that a system can experience the same rapid growth in the ntds.dit file as the result of a legitimate operation in which you change the ACLs on a parent object with many child objects. Before you call PSS for the post-Win2K Service Pack 4 (SP4) bug fix, you should verify that the file growth isn't the result of such a legitimate operation. If you determine that you need the bug fix, cite the Microsoft article "The Active Directory DIT file grows too fast" (http://support.microsoft.com/?kbid=829755). Most of the files in this patch have a release date of October 29, 2003.

Win2K Dell OpenManage System Failure
Dell ships many servers with the company’s OpenManage or OpenManage IT Assistant administrative software. If you decide to remove this software, be aware that the uninstallation procedure doesn't remove references to the application’s filter driver. The faulty uninstallation causes the server to fail with a stop code of 0x0000007B when you attempt to restart the system. To clear out the driver reference that causes the system to crash during start-up, you might need to install a second copy of the OS, boot to the copy, use regedt32.exe to load the system hive of the installation that crashes, delete references to the filter driver, and change the driver’s startup type from automatic to none. After you clean up the OpenManage references and save the system hive, you should be able to boot the original installation without problems. For specific directions about the necessary registry modifications, see the Microsoft article "'Stop 0x0000007B' error message after you remove Dell OpenManage software in Windows 2000 Server" (http://support.microsoft.com/?kbid=826901). The documentation doesn't state whether the faulty uninstallation affects all versions of OpenManage or just a particular version. Before you potentially jeopardize a production server by removing the software, I recommend that you call Dell for more information about the problem and ask about the availability of a new, improved OpenManage uninstallation utility.
