Bug knocks Active Directory for a loop

The bug is linked to the number of IP (Internet Protocol) addresses that are assigned to a single NIC (network interface card) or multiple NICs in a Windows 2000 server that is acting as a domain controller.

On servers hosting more than 51 IP addresses, all of the objects in Active Directory will disappear. In addition, the server will return an error message saying it is not operational when administrators try to access Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.

"Clients are locked out from authentication and administrators are locked out from management," says Brian Bergin, president of Terabyte Computers, a consulting firm in Boone, North Carolina. Bergin brought the bug to Microsoft's attention after it was discovered by another user.

Officials at the BugNet Web site also were able to re-create the bug, with a slight difference. They said they were able to log on to Active Directory and browse the network, but could not see directory entries. They also said they could no longer manage users and resources in Active Directory. BugNet also is investigating whether or not the bug affects the Domain Name System in Windows 2000, but has yet to reach any conclusions.

Microsoft has confirmed the bug and is working on a hot fix, according to a Knowledge Base article on its Web site.

Microsoft has not said when patch will be available. "This issue is relatively arcane, given that most organisations deploying multi-homed servers supporting many IP addresses would deploy domain controllers on separate machines for greater fault tolerance and higher availability," says a Microsoft spokesman.

The inclusion of 51 IP addresses on a single domain controller is not a common occurrence for most users, but could be an issue in a variety of scenarios.

Large enterprises with multiple subnets could conceivably have more than 51 IP addresses "bound" to a single network interface card, or multiple NICs, in their domain-controller servers.

"The most common applications using more than one IP address would be mail servers, multiple or virtual Web site hosting on Internet Information Server, or subnetting," says Eric Bowden, general manager of BugNet.

Bowden said ISPs and Web hosting companies are most likely to have more than 51 IP addresses on a single server. Bowden said the bug also could affect DHCP (Dynamic Host Configuration Protocol) services, and ASPs (application service providers), which would be limited in the number of customers serviced from a single Windows 2000 server.

The limitations seem odd, given that Unix and Linux systems can host hundreds of IP addresses on a single machine.

Bergin ran into the problem in an installation for a customer that was hosting its user authentication (through Active Directory) and an FTP service on the same domain controller.

Although Bergin admits that might not be the best configuration, he says Microsoft's advice to set up a separate server just for authentication is not always feasible for some users.

"Microsoft can't assume everyone can put up, or should put up, multiple boxes just to authenticate users, especially when there isn't a load issue," Bergin says. "For a smaller company, that can be a major expenditure. And for Microsoft to say 'just set up another server' is a blow-off."

For now, Bergin is going to set up an extra server to solve the issue. "But this causes enough problems with Active Directory that I have to ask what else is wrong," he says.

Bergin says it is not so much the bug that bothers him as the way Microsoft handled the problem. He says it took nearly a week for Microsoft to even test the bug in the lab after it was reported on March 23. At first, Microsoft told him it was a "resource problem."

When BugNet contacted Microsoft, the company said no one had reported the bug even though it had heard from Bergin four days earlier. Microsoft told BugNet it would take it "very seriously" if someone did report the bug.

Microsoft is now taking it seriously and says the problem lies in its LDAP API (wldap32.dll), according to the Knowledge Base article at http://support.microsoft.com/support/kb/articles/q258/8/11.asp.

In the interim before a hot fix is available, Microsoft is advising users to remove enough IP addresses from the domain controller so the total number does not exceed 51.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Fontana

PC World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?