Skip navigation

A Post-SP1 Hotfix; A RAS Bug Fix

Microsoft released a Windows 2000 post-Service Pack 1 (SP1) hotfix on September 8 that corrects two important problems. First, the update fixes a performance degradation that occurs when an application repeatedly allocates and releases heap memory. After several iterations of memory allocation and deallocation, heap memory blocks--both free and allocated--become fragmented, and the Win2K algorithm that identifies free space slows significantly. Second, the hotfix eliminates an authentication error that occurs after you reset a machine account password. When you use Win2K to reset your local machine account password and then attempt to read mail, Exchange fails to authenticate the new password and denies your logon request. Microsoft article Q271976 documents these issues and provides links to sites from which you can download the hotfix in several different languages.

Microsoft recommends that you apply the fix to all servers in your environment, including Microsoft Exchange 2000 Server computers, Microsoft Exchange 2000 conferencing server computers, Active Directory Connector (ADC) servers, and domain controller and Global Catalog (GC) servers. At a minimum, apply the fix to the domain controller and global catalog servers that your Exchange 2000 Server computers use.

Win2K Cached Credentials Logon Issue
When you attempt to log on to a domain from a Win2K-based workstation or member server and your system can't locate a domain controller, Win2K logs you on to the local computer using cached credentials without displaying an error message to alert you. When Win2K logs you on in this way, you lack access to items such as group policies, roaming profiles, home folders, or logon scripts--not exactly a desirable outcome!

Microsoft article Q242536 documents two registry modifications that instruct Win2K to display a message whenever it logs a user on with cached credentials. You must make these changes on each system where a warning is required. Launch a registry editor and add the value entry ReportControllerMissing:REG_SZ:TRUE to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows NT\CurrentVersion\Winlogon, making sure that the string TRUE is uppercase. Make the second modification for each user for whom you want to display the "logged on with cached credentials" message. Add the value entry ReportDC:REG_DWORD:1 to the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon.

You can verify the logon type that your system performed by examining the environment variable LOGONSERVER after you log on. Type the SET command at a command prompt and find LOGONSERVER in the list the SET command displays. If LOGONSERVER is set to the name of your computer, you logged on with cached credentials; if LOGONSERVER is set to the name of a domain controller, you logged on to the domain.

Win2K RAS Cached Credentials Bug Fix
A cached credentials issue might also arise when a remote client attempts to log on to a Win2K RAS server via a DUN connection. Microsoft article Q269119 indicates that Win2K logs a remote client on with cached credentials when the remote client is configured to perform p-node or m-node NetBIOS name resolution. You can set the client’s NetBIOS name resolution method either manually or via a DHCP lease that sets DHCP to option 46.

As with the problem I discussed above, this issue can prevent logon scripts from running and prevent access to group policies, roaming profiles, and home folders. The article indicates that the local system logs you on with cached credentials because a timing issue prevents the RAS client from locating a logon server. If you have a client that experiences this problem, you will likely see the following message in the System event log:

"Event ID 5719: No Windows NT or Windows 2000 domain controller is available for domain \{domain name\} the following error occurred: There are currently no logon servers available to service the logon request." This message typically indicates that a logon with cached credentials has occurred.

To temporarily work around the problem, set the remote Win2K RAS client to use h-node NetBIOS name resolution. To permanently eliminate the RAS timing problem, call Microsoft Support for the bug fix, a new version of netbt.sys released August 24.

Win2K Internet Options Registry Entries
Here’s a tip that might come in handy when you configure Internet Explorer (IE). Microsoft article Q272449 explains that the registry key HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control contains values that enable and disable the display of the various tabs on the Internet Properties screen. For example, if the registry key contains the value entry "ConnectionsTab"=dword: 00000001, the Internet Properties screen won't display the Connections tab. You can enable displaying this tab by changing the "ConnectionsTab" value to zero or by deleting the whole entry. The Microsoft article contains two registry key paths, one that ends with Control and a another that ends with Control Panel. Because I don't have either of these entries on my Win2K Advanced Server (Win2K AS) system, I can’t verify whether the path names are correct. Let me know what you find!

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish