VeriSign Mistakenly Issued Certificates
On January 29 and 30, VeriSign issued two VeriSign Class 3 code-signing digital certificates to an individual who claimed to be a Microsoft employee. According to Microsoft, your computer won't automatically trust the certificates even if you previously chose to trust all content from Microsoft. This doesn't protect you from people who accept the certificates, but it does prevent your system from automatically accepting the certificates.
See Microsoft article Q293818 for more information about the certificates, how to recognize them, and what VeriSign and Microsoft are doing about the problem. Microsoft article Q293816 explains how to determine whether you've already mistakenly trusted the bogus certificates and how to stop trusting them if you have. (Notice the discrepancy in dates; Microsoft article Q293818 has two different dates for the certificates' issuance, but I checked with Microsoft and the correct dates are January 29 and 30.)
Modifying the Personal Directory
When you save email messages or attachments in Microsoft Outlook 97 and the Exchange client, the software takes you to the \personal directory in your profile directory, instead of to your home directory, as specified in the terminal server's User Manager. Microsoft article Q190234 explains how to edit the registry to resolve this problem, both for previously created user accounts and for the default settings for new accounts.
How to Lock Down a Win2K Terminal Server Session
You can use Group Policies to lock down a terminal server session on a Windows 2000-based computer so that even the Administrator's account has restricted access. Microsoft article Q278295 explains how to configure these settings, including the procedure for creating a new organizational unit (OU) for the locked-down accounts (as Microsoft recommends).
Desktop Doesn't Load for Any User
If the Win2K Server Terminal Services service account is configured to log on with any account other than the System account (as it should be by default), users won't be able to log on to the terminal server either from the console or from a terminal session. Microsoft article Q287654 describes the symptoms and explains how to resolve the problem.
Error Message: The System Can't Log You On (573)
If you use a Not for Resale (NFR) version of Win2K (or installed the retail version starting from NFR floppies) and you get a "the system cannot log you on" error message, you could be out of licenses. Regardless of the client OS or the type of domain you're in (Win2K or Windows NT), NFR Win2K servers will only accept up to 10 connections. See Microsoft article Q286272 to learn how to identify an NFR version you might have mistakenly installed.
Can't Automatically Log On Remotely to Terminal Server with Long User Name or Password
Although you can set up an RDP client connection to automatically log on to a terminal server without presenting users with a logon screen, this capability is limited. According to Microsoft article Q290706, the RDP client can't remotely pass long usernames or long passwords. If you try to make the client do so, you'll get a "the system could not log you on" error message. Retyping the same username and password will work, however. The article identifies this as a known bug.
Contacting the Microsoft Clearinghouse
If you need to get in touch with the Microsoft Clearinghouse to get licenses for your Win2K Server Terminal Services server and can't find a telephone number, see Microsoft article Q2911795 for instructions.
Post-SP1 Issues with Profile Loading
Because of a handle leak in the registry (see Microsoft article Q289564 for the exact key), a Terminal Services server might not be able to unload a user profile—or to reload it when the user tries to connect again to the terminal server. See the article for more information about this problem, how to identify it, and how to get a fix.
Post-Service Pack Fixes for Printing-Generated Bluescreens
When you try to print from an RDP client in a Win2K Terminal Services session, the terminal server can crash with a Stop error message if the spooler tries to display a dialog box to the client desktop but the desktop handle isn't available. Microsoft article Q261322 lists the Stop error and explains how to get a fix for the problem. Another printing-generated blue screen of death involves post-Service Pack 6 (SP6) terminal servers. According to Microsoft article Q282215, using user-mode print drivers will crash the terminal server.
Post-SP6 Problem with tcpip.sys
When you run a post-SP6 version of tcpip.sys that's dated February 22, 2000 through May 26, 2000, the terminal server could blue-screen because of a regression introduced in the hotfix for the UDP broadcast attack when IpRoute.c changed. See Microsoft article Q276404 for a fix.
ICA Clients Can't Map Drives After You Install Zero Administration Kit On Terminal Server
According to Microsoft article Q291428, when you install the Zero Administration Kit (ZAK) on an NT Server 4.0, Terminal Server Edition (TSE) server with Citrix MetaFrame installed, ICA clients can't map network drives. To resolve the problem, log on to the server as the administrator, then assign Read permissions to loadwc.exe, icabar.exe, and ctxlogon.exe. If one of your terminal servers is also a WINS or DHCP server, you might want to look at Microsoft article Q145881 to learn how to use jetpack.exe to compact WINS or DHCP databases.
