I haven’t written much about Windows 2000 lately, so today I offer information about some important Win2K hotfixes. These hotfixes apply to Win2K Server and Win2K Professional.
If a user is a member of many Active Directory (AD) groups (the number varies, but is around 70 to 80 groups) either directly or by membership in other groups, Group Policy may not be applied to the user. A limitation in the token size field of a Kerberos packet is responsible for this bug.
When a user logs on, Win2K adds the SID for each group to which a user belongs to the user's access token and sends the token via a Kerberos packet to the authenticating domain controller. When a user belongs to a large number of groups, the token required to represent all the group SIDs grows beyond the maximum token size of 8KB that Kerberos currently supports. When the token exceeds the maximum size, Win2K can't successfully establish the user context and the user can't access any network resources. Microsoft article Q263693 indicates that you must call Microsoft Product Support Services to get the hotfix. The hotfix contains two files—kerberos.dll, which has a release date of June 7, and ksecdd.sys, which has a release date of May 26.
Group Policy Corrupts Long "Run Only Allowed Applications" List
Here’s another group policy bug that can wreak havoc on your Win2K network. If you add files with long filenames to the "Run Only Allowed Applications" list in an organizational unit (OU) group policy, the list becomes corrupted after the total number of characters exceeds 1024. You encounter this problem if, for example, your list of allowed applications contains 10 applications, each with a path name of 103 characters. Microsoft article Q263179 documents this bug and indicates that you must call Microsoft Support for the hotfix, which updates one file, gptext.dll. The file has a release date of May 31.
Non-Administrators Can't Change System Font Size
This font-size problem is an annoying glitch that affects both Win2K Server and Win2K Pro. Microsoft article Q258702 indicates that only administrators can change the display font size. To see this bug for yourself, log on to a Win2K system as an ordinary user. Right-click the desktop and select Properties to pull up the Display Properties dialog box. Click the Settings tab, and then click Advanced. Notice that the font size field is grayed out. If you want to let your users change the display font size, you must install the desk.cpl bug fix released on April 11. You have to get the bug fix directly from Microsoft Support.
Sysprep Might Not Install Non-Native Signed Drivers
If you work with Sysprep to clone Win2K systems, you might have encountered the following Plug-and-Play (PnP) bug. You create a system with a third-party or non-native driver, but when you try to upgrade the image with a signed or test-signed driver using the OEMPnPDriversPath entry in the sysprep.inf file, Windows doesn't install the new signed driver. According to Microsoft article Q260319, Sysprep incorrectly reverts to the original driver .inf file. The article states that you should experience this Sysprep behavior only with a signed or test-signed driver. If you update your builds with signed drivers, call Microsoft Support for the new version of syssetup.dll released on May 11.
Can't Clear a DNS Server's Cache
The Win2K DNS server has a bug that prevents you from flushing the DNS name cache. When you try to clear the cache with DNS Administrator, the utility responds with the error message, "The server cache cannot be cleared. DNS zone already exists in the directory service." When you try to clear the cache from the command line with the dnscmd /clearcache command, you might receive the error message "failed: status = 9718 (0x000025f6)." Call Microsoft Support for an update that lets you clear the DNS server’s cache. Microsoft article Q257828 indicates that the hotfix updates one file, dns.exe. The new file has a release date of April 7.
Ipconfig Hangs Services.exe
The Ipconfig command includes two useful switches that you can use to troubleshoot local name resolution problems. The /displaydns switch returns the list of all cached DNS names, and the /flushdns switch clears the cache. When the cache contains many names and you run ipconfig.exe with either of these switches, enumerating the cache entries causes services.exe to hang.
Microsoft article Q262637 indicates that the services.exe hang occurs on systems with a DNS cache that contains 2000 or more entries. The problem occurs only when you examine the cache from the command line. To recover from the services.exe hang, you probably have to reboot the affected system. If Ipconfig is one of your favorite troubleshooting tools, you should call Microsoft Product Support Services to get the Ipconfig hotfix. The hotfix updates two components, dnsapi.dll and dnsrslvr.dll. The new files have May 19 release dates.
Inetinfo Access Violation During IISAdmin Shutdown
Have you experienced an Inetinfo access violation on a Win2K system running Microsoft IIS 5.0? Microsoft article Q264628 indicates that Inetinfo might fail with an access violation or stop at a debug break point when the IISAdmin service is shutting down. The Inetinfo failure results from attempts to access nonexistent memory locations at shutdown. Call Microsoft Product Support Services to obtain the hotfix, which eliminates the invalid memory references. The hotfix updates coadmin.dll and metadata.dll. The new files have June 8 release dates.