SP1 and Directory Services: What’s New
Updated to include SP1 being RTM and some last minute fixes that were included post RCHi all, Ned here again. Back in October I joined the Windows Server 2008 R2 Service Pack 1 beta support team. Our job is to support customers in a special early adopters program. As SP1 has now released, I’m frequently asked about what changes were added for Directory Services. Today I address some specifics:
- What does “Support for Managed Service Accounts (MSAs) in secure branch office scenarios” mean, as stated in the SP1 "notable changes" doc?
- What does “Support for increased volume of authentication traffic on domain controllers connected to high-latency networks” mean, as stated in the SP1 "notable changes" doc?
- What other updates are included in SP1 for Directory Services?
Remember, the QFEs listed below are all publically available, so if you are skimming the list and have a “oh heck, we’re having that issue” moment you can install anytime. Some of these issues are preventable as well so use your best judgment – an update to prevent NTFS corruption doesn’t fix the damaged files, after all.
Release the Kraken!
The MSA thing
This scenario referenced by the release notes refers to:
You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2 - https://support.microsoft.com/kb/978836
In this case you have RODCs in a network that users can directly access, but those same users cannot access writable DCs (a DMZ or oddly configured branch office). After you apply SP1 the RODC will know how to forward the request on to a writable DC for MSA operations.
To fix it is install SP1 (or that hotfix) on all your RODCs.
The authentication thing
This scenario referenced by the release notes refers to:
A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2, Windows 7, Windows Server 2008, or Windows Vista in a high latency network - https://support.microsoft.com/kb/975363
This one is more complicated. Netlogon has a "throttle" that controls the maximum number of simultaneous calls over a secure channel. On DCs this includes the secure channels of external trusted domains (i.e. not Kerberos forest trusts). On member computers this is to authenticating DCs for intra-forest requests or requests to other domains/forests. On high latency networks with a ton of NTLM authentication, applications could start having issues authenticating, ranging from slow performance to errors. MaxConcurrentAPI controls this through a registry value:
Key path: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters
Value Name: MaxConcurrentApi
Data Type: REG_DWORD
The default value if this registry value name does not exist is 1 if a DC, 2 if a member server, and 1 if a client – it has been since NT 4.0 and that has never changed. Until this update is applied, the maximum value is 10. After the update is installed, the maximum value is 150. Generally speaking, since DCs are authenticating users and most companies are not heavily using local member accounts, it only needs to be set on domain controllers.
For all those folks that got scared when we recommended setting the value to 10 in order to fix your issue, this is the proof that you were being paranoid. :) You will see more DC memory usage when you raise the value, but your alternative is obviously far worse.
This has no effect on Kerberos at all and Kerberos is not restricted in this fashion. If you’re using NTLM unnecessarily (misconfigured app, older version app, crummy app, external trust instead of forest trust, etc.) then getting Kerberos in gear is a much better solution than registry band-aids.
Other updates
There are 795 public fixes that were rolled into SP1 and they’re all listed here:
Hotfixes and Security Updates included in Windows 7 and Windows Server 2008 R2 Service Pack 1.xls
Of these, 104 can be considered “pure” Directory Services updates if you go off the list of what gets supported by the DS team here in Microsoft. Another 59 updates fix things that victimize DS – stuff like networking, file system, SMB, or backups. There are other fixes in SP1 as well. Sometimes issues never get public attention or a QFE would be too expensive or risky; service pack testing is far more comprehensive. I’m not including security updates, you already have those from Windows Update (right?! )
There are some fairly interesting new things here besides the two arbitrary ones in the release notes, I recommend giving these tables a look. For example:
- 977542 - A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode
- 979294 - The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7
- 980254 - The "dsget user -memberof -expand" command returns incorrect results in Windows Server 2008 R2 and in Windows 7
- 980360 - Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Pure DS updates
| KB Article | KB Title |
| 969851 | Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the "Terminal Services Profile" setting for the user account |
| 969867 | FIX: You cannot import or paste some group policies across domains by using the "Group Policy Management" MMC snap-in |
| 970840 | Some settings in Group Policy Preferences for Internet Explorer 7 do not deploy correctly to computers that are running Windows Server 2008 or Windows Vista |
| 971277 | You cannot access an administrative share on a computer that is running Windows Vista or Windows Server 2008 after you set the SrvsvcDefaultShareInfo registry entry to configure the default share permissions for a network share |
| 971338 | The terminal server roaming profile of a user account is not loaded correctly on a terminal server that is running Windows Server 2008 R2 or Windows Server 2008 after the user password is changed during session logon |
| 972069 | A terminal server that is running Windows Server 2008 cannot obtain terminal licenses from a Terminal Server license server that is running Windows Server 2008 after you enable the "License Server Security Group" Group Policy setting |
| 974893 | FIX: An unexpected Failure Audit event is logged for the local credential when you run a .NET Framework 2.0-based application that tries to connect to a remote computer |
| 975142 | You cannot install Active Directory Domain Services on a member server that is running Windows Server 2008 or Windows Server 2008 R2 in a branch office if the DNS and LDAP communication between the branch office and the forest root domain is blocked |
| 975363 | A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network |
| 976398 | LDAP filters in the Group Policy preference settings do not take effect on a computer that is running Windows Server 2008 R2 or Windows 7 |
| 976399 | FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings |
| 976424 | Error code when the kpasswd protocol fails after you perform an authoritative restore: "KDC_ERROR_S_PRINCIPAL_UNKNOWN" |
| 976494 | Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2 |
| 976586 | Error in Windows 7 or Windows Server 2008 R2 when unlocking a computer or switching users |
| 976655 | You cannot perform a system state restore in the Directory Service Restore mode on a read-only domain controller that is running Windows Server 2008 R2 if DFS Replication is used to replicate the SYSVOL folder |
| 977180 | Error message when an application or a service tries to query for any deleted objects by using a well-known GUID in a Windows Server 2008 R2-based domain if paged search is used: "0x8007202c Critical extension is unavailable" |
| 977184 | You cannot install Active Directory on an iSCSI boot computer that is running Windows Server 2008 R2 |
| 977222 | No private key is associated with a certificate after you successfully install the certificate on a computer that is running Windows 7 or Windows Server 2008 R2 |
| 977229 | You are unable to update the target location of offline file shares in the Offline File client side cache without administrative permission in Windows Server 2008 R2 or in Windows 7 |
| 977346 | The Welcome screen may be displayed for 30 seconds during the logon process after you set a solid color as the desktop background in Windows 7 or in Windows Server 2008 R2 |
| 977353 | A Group Policy Immediate Task preference item does not run on a client computer that is running Windows 7 or Windows Server 2008 R2 |
| 977397 | The icon of an offline file that you changed in offline mode always indicates that synchronization is successful even when the synchronization fails on a client computer that is running Windows 7 |
| 977542 | A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode |
| 977579 | Error message when you try to open a 3DES encrypted file that is migrated from Windows XP to Windows 7 or to Windows Server 2008 R2: "Access Denied" |