Bug knocks Active Directory for a loop

The bug is linked to the number of IP (Internet Protocol) addresses that are assigned to a single NIC (network interface card) or multiple NICs in a Windows 2000 server that is acting as a domain controller.

On servers hosting more than 51 IP addresses, all of the objects in Active Directory will disappear. In addition, the server will return an error message saying it is not operational when administrators try to access Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.

"Clients are locked out from authentication and administrators are locked out from management," says Brian Bergin, president of Terabyte Computers, a consulting firm in Boone, North Carolina. Bergin brought the bug to Microsoft's attention after it was discovered by another user.

Officials at the BugNet Web site also were able to re-create the bug, with a slight difference. They said they were able to log on to Active Directory and browse the network, but could not see directory entries. They also said they could no longer manage users and resources in Active Directory. BugNet also is investigating whether or not the bug affects the Domain Name System in Windows 2000, but has yet to reach any conclusions.

Microsoft has confirmed the bug and is working on a hot fix, according to a Knowledge Base article on its Web site.

Microsoft has not said when patch will be available. "This issue is relatively arcane, given that most organisations deploying multi-homed servers supporting many IP addresses would deploy domain controllers on separate machines for greater fault tolerance and higher availability," says a Microsoft spokesman.

The inclusion of 51 IP addresses on a single domain controller is not a common occurrence for most users, but could be an issue in a variety of scenarios.

Large enterprises with multiple subnets could conceivably have more than 51 IP addresses "bound" to a single network interface card, or multiple NICs, in their domain-controller servers.

"The most common applications using more than one IP address would be mail servers, multiple or virtual Web site hosting on Internet Information Server, or subnetting," says Eric Bowden, general manager of BugNet.

Bowden said ISPs and Web hosting companies are most likely to have more than 51 IP addresses on a single server. Bowden said the bug also could affect DHCP (Dynamic Host Configuration Protocol) services, and ASPs (application service providers), which would be limited in the number of customers serviced from a single Windows 2000 server.

The limitations seem odd, given that Unix and Linux systems can host hundreds of IP addresses on a single machine.

Bergin ran into the problem in an installation for a customer that was hosting its user authentication (through Active Directory) and an FTP service on the same domain controller.

Although Bergin admits that might not be the best configuration, he says Microsoft's advice to set up a separate server just for authentication is not always feasible for some users.

"Microsoft can't assume everyone can put up, or should put up, multiple boxes just to authenticate users, especially when there isn't a load issue," Bergin says. "For a smaller company, that can be a major expenditure. And for Microsoft to say 'just set up another server' is a blow-off."

For now, Bergin is going to set up an extra server to solve the issue. "But this causes enough problems with Active Directory that I have to ask what else is wrong," he says.

Bergin says it is not so much the bug that bothers him as the way Microsoft handled the problem. He says it took nearly a week for Microsoft to even test the bug in the lab after it was reported on March 23. At first, Microsoft told him it was a "resource problem."

When BugNet contacted Microsoft, the company said no one had reported the bug even though it had heard from Bergin four days earlier. Microsoft told BugNet it would take it "very seriously" if someone did report the bug.

Microsoft is now taking it seriously and says the problem lies in its LDAP API (wldap32.dll), according to the Knowledge Base article at http://support.microsoft.com/support/kb/articles/q258/8/11.asp.

In the interim before a hot fix is available, Microsoft is advising users to remove enough IP addresses from the domain controller so the total number does not exceed 51.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Fontana

PC World
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?