Bug knocks Active Directory for a loop

The bug is linked to the number of IP (Internet Protocol) addresses that are assigned to a single NIC (network interface card) or multiple NICs in a Windows 2000 server that is acting as a domain controller.

On servers hosting more than 51 IP addresses, all of the objects in Active Directory will disappear. In addition, the server will return an error message saying it is not operational when administrators try to access Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.

"Clients are locked out from authentication and administrators are locked out from management," says Brian Bergin, president of Terabyte Computers, a consulting firm in Boone, North Carolina. Bergin brought the bug to Microsoft's attention after it was discovered by another user.

Officials at the BugNet Web site also were able to re-create the bug, with a slight difference. They said they were able to log on to Active Directory and browse the network, but could not see directory entries. They also said they could no longer manage users and resources in Active Directory. BugNet also is investigating whether or not the bug affects the Domain Name System in Windows 2000, but has yet to reach any conclusions.

Microsoft has confirmed the bug and is working on a hot fix, according to a Knowledge Base article on its Web site.

Microsoft has not said when a patch will be available. "This issue is relatively arcane, given that most organisations deploying multi-homed servers supporting many IP addresses would deploy domain controllers on separate machines for greater fault tolerance and higher availability," says a Microsoft spokesman.

The inclusion of 51 IP addresses on a single domain controller is not a common occurrence for most users, but could be an issue in a variety of scenarios.

Large enterprises with multiple subnets could conceivably have more than 51 IP addresses "bound" to a single network interface card, or multiple NICs, in their domain-controller servers.

"The most common applications using more than one IP address would be mail servers, multiple or virtual Web site hosting on Internet Information Server, or subnetting," says Eric Bowden, general manager of BugNet.

Bowden said ISPs and Web hosting companies are most likely to have more than 51 IP addresses on a single server. Bowden said the bug also could affect DHCP (Dynamic Host Configuration Protocol) services, and ASPs (application service providers), which would be limited in the number of customers serviced from a single Windows 2000 server.

The limitations seem odd, given that Unix and Linux systems can host hundreds of IP addresses on a single machine.

Bergin ran into the problem in an installation for a customer that was hosting its user authentication (through Active Directory) and an FTP service on the same domain controller.

Although Bergin admits that might not be the best configuration, he says Microsoft's advice to set up a separate server just for authentication is not always feasible for some users.

"Microsoft can't assume everyone can put up, or should put up, multiple boxes just to authenticate users, especially when there isn't a load issue," Bergin says. "For a smaller company, that can be a major expenditure. And for Microsoft to say 'just set up another server' is a blow-off."

For now, Bergin is going to set up an extra server to solve the issue. "But this causes enough problems with Active Directory that I have to ask what else is wrong," he says.

Bergin says it is not so much the bug that bothers him as the way Microsoft handled the problem. He says it took nearly a week for Microsoft to even test the bug in the lab after it was reported on March 23. At first, Microsoft told him it was a "resource problem."

When BugNet contacted Microsoft, the company said no one had reported the bug even though it had heard from Bergin four days earlier. Microsoft told BugNet it would take it "very seriously" if someone did report the bug.

Microsoft is now taking it seriously and says the problem lies in its LDAP API (wldap32.dll), according to the Knowledge Base article at http://support.microsoft.com/support/kb/articles/q258/8/11.asp.

In the interim before a hot fix is available, Microsoft is advising users to remove enough IP addresses from the domain controller so the total number does not exceed 51.
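Because the workaround is simply to keep the number of bound addresses at or below 51, an administrator can check that condition rather than wait for the directory to vanish. The script below is an added example, not code from the article or from Microsoft: it counts the IPv4 addresses bound across all IP-enabled adapters on a host, checks whether the host is a domain controller, and flags any DC over the threshold. It assumes Windows PowerShell with WMI access; the WMI classes it queries (Win32_NetworkAdapterConfiguration, Win32_ComputerSystem) exist on Windows 2000 and later, but the PowerShell host itself is a modern assumption, and the computer name `DC01` in the usage line is a placeholder.

```powershell
# Added example (not from the article): count bound IPv4 addresses per host and
# flag domain controllers that exceed the 51-address threshold described above.
# Assumes Windows PowerShell and WMI access to the target; the threshold value
# 51 comes from the article, the computer names are placeholders.

function Get-BoundIPv4Count {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # One Win32_NetworkAdapterConfiguration instance per adapter; IPAddress is a
    # string array holding every address bound to that adapter (v4 and v6).
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -ComputerName $ComputerName -Filter "IPEnabled = TRUE"
    $addresses = @()
    foreach ($nic in $adapters) {
        foreach ($ip in $nic.IPAddress) {
            # Keep IPv4 only and skip loopback; the reported bug concerned the
            # count of IP (v4) addresses bound to one or more NICs.
            if ($ip -match '^\d{1,3}(\.\d{1,3}){3}$' -and $ip -ne '127.0.0.1') {
                $addresses += $ip
            }
        }
    }
    # The same address can appear on more than one adapter; count it once.
    return ($addresses | Select-Object -Unique).Count
}

function Test-IsDomainController {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller,
    # 5 = primary domain controller; anything lower is not a DC.
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    return ($cs.DomainRole -ge 4)
}

function Test-DcAddressThreshold {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxAddresses = 51   # limit reported in the article
    )
    $count = Get-BoundIPv4Count -ComputerName $ComputerName
    $isDc  = Test-IsDomainController -ComputerName $ComputerName
    # Only a domain controller is affected; a member server with many
    # addresses is reported but not flagged.
    [pscustomobject]@{
        ComputerName       = $ComputerName
        IsDomainController = $isDc
        BoundIPv4Addresses = $count
        OverThreshold      = ($isDc -and $count -gt $MaxAddresses)
    }
}

# Usage (placeholder host names): report every DC and highlight those over the limit.
'DC01', 'DC02' |
    ForEach-Object { Test-DcAddressThreshold -ComputerName $_ } |
    Where-Object { $_.IsDomainController } |
    Format-Table -AutoSize
```

Run it from an account with WMI rights on the targets; a `True` in the `OverThreshold` column means the host is a DC carrying more addresses than the article's workaround allows, and addresses should be moved off it (or the extra services moved to another server) until the hot fix is applied.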

John Fontana

PC World