Win2K Post-Service Pack 2 Bugs and Fixes

LSASS Access Violation on Win2k DCs
Microsoft article Q300621 offers a scanty description of what strikes me as a very serious problem. The article states that the Local Security Authority (LSA) service, lsass.exe, generates an access violation on a Windows 2000 domain controller (DC) that operates as a Global Catalog (GC) server when the DC also receives Recipient Updates from a Microsoft Exchange 2000 server. When lsass.exe fails, the server reboots automatically. The fix affects 10 crucial components that Win2K uses to perform authentication, including three Kerberos modules, three LSA components, the SAM service, and the client security (SecCli) service. The files, which have release dates ranging from May 29 through June 11, are available only from Microsoft Product Support.

Intellimirror Synchronization Bug Restores Deleted Files
Windows 2000's IntelliMirror feature lets you cache server-based files on a client to provide faster file access. To make sure that the client accesses a file's most current copy, Win2K compares the date and timestamp on the file in the client cache with the date and timestamp of the file on the server. When a more current version exists on either end, the automatic synchronization component copies the most recent version from the client to the server, or vice versa. However, a bug in the synchronization algorithm produces an unexpected result. When you delete a file on the server and an identical version of the deleted file also exists in the client file cache, Win2K copies the locally cached file back to the server during the next synchronization pass. This action effectively restores the deleted file, which is hardly the desired result. Over time, this loophole can generate a long list of files that you thought you'd already deleted. Call Microsoft Product Support for a hotfix that eliminates the file buildup; the update is a new version of cscui.dll with a March 15 release date.

After you install this hotfix, Win2K doesn't restore local files that you attempt to delete from the server. If a more recent version of the file exists in the client cache and you delete the older version of the same file on the server, the synchronization code correctly transfers the more recent version of the file in the client’s cache to the server. Microsoft article Q291270 documents this problem in more detail.

Heavy Winsock Use Exhausts Non-Paged Pool
Here’s a potentially serious problem that affects Windows 2000 and Windows NT 4.0 systems. A program that makes heavy use of Winsock calls that manage Out-of-Band (MSG_OOB) and TCP/IP traffic can, over time, cause a system to hang when afd.sys consumes all the available pages in the system’s non-paged pool. Microsoft article Q296265 states that this problem generates several error messages and causes a gradual system slowdown before the system hangs. To diagnose this situation, look for two specific error messages from the Server service in the Event log: Event ID 2019 with the text "The server was unable to allocate from the system non-paged pool because the pool was empty" and Event ID 2000 with the text "The server’s call to a system service failed." Microsoft Product Support has a bug fix that contains new versions of afd.sys, msafd.dll, tcpip.sys, tdi.sys, and wshtcpip.dll. The files have release dates of April 16.

SNMP Returns Old Information
When you start the SNMP service, the service queries devices and stores the results in a cache. However, because SNMP updates the cache at service startup only, subsequent information requests might return out-of-date information. Microsoft article Q295587 states that when you ask SNMP to report on the amount of free space on a disk, SNMP returns the cached value, not the current value. If you haven’t restarted the SNMP service for days or weeks, the cached values reflect very old—and most certainly inaccurate—information. You can force SNMP to update the cache by restarting the service. Call Microsoft Support for the bug fix, a new version of hostmib.dll with a May 18 release date.

Kernel Debugger
If you've spent any time with the kernel debugger, you’ve probably noticed that when you reboot while the debugger is active, you lose the debugger connection to the system. Microsoft article Q298188 ( indicates that a synchronization error in the apci.sys driver causes the system to enumerate the COM port as a standard serial device, which can be frustrating if you’re trying to debug a kernel-mode driver. Microsoft Support has a new version of apci.sys that remembers the COM port after system restarts; the file has a May 18 release date.

Pokey IPsecpol Monitor
IPSecMon is a built-in Windows 2000 utility that monitors active IP Security (IPSec) connections. IPSecPol is a Win2K Resource Kit command-line tool that duplicates the functions of the Microsoft Management Console (MMC) IPSec Policies snap-in. Using IPSecPol, you can configure IPSec policies in Active Directory (AD) or for a remote system. Unlike the MMC snap-in, this utility operates in two different modes. Dynamic mode is handy for testing changes on a limited basis, without making policy changes at the AD level. When you create thousands of objects with IPSecPol, the utility slows to a crawl. To save the frustration, call Microsoft Support and ask for the new version that maintains adequate performance. The new version contains two files, Ipsecpol.exe and text2pol.dll, and has a March 22 release date. See Microsoft article Q275187 for more information.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.