Disconnected Sessions Retain the Original clientname Variable
Programs or scripts that rely on the clientname variable might not work when you establish a session on one computer, disconnect, then reconnect to that session from a different computer with a different name. According to Microsoft article Q281981, the only thing you can do about this problem is terminate (i.e., log off) the terminal services session and log back on.

Problems with MetaFrame Drive Remapping on a Win2K Domain Controller
If your domain controller (DC) runs Windows 2000 Server Terminal Services in Application Server mode and you've installed Citrix MetaFrame, you could run into problems with the File Replication Service (FRS). The problem lies with server drive remapping, which prevents users from confusing their local drive letters with the letters on the server. When you remap the drive, FRS doesn't work correctly because it looks for drive letters that no longer exist. See Microsoft article Q264607 for more information.

Memory Leak on Master Browser
Here's one more reason you shouldn't make terminal servers DCs. According to Microsoft article Q262386, a server that acts as a master browser (commonly a PDC in Windows NT 4.0) will leak nonpaged pool memory if a string associated with Browser Master Announcements isn't properly freed. See the article to get a hotfix for this problem.

Security Hotfix Available for TSE
If you've enabled SNMP on a Windows NT Server 4.0, Terminal Server Edition (TSE) terminal server, read this. After you create the PermittedManagers and ValidCommunities registry keys for the SNMP service, any user can read the contents of the keys. (The keys should only be accessible to administrators.) A new Microsoft tool corrects the permissions for several NT 4.0 registry values. See Microsoft article Q265714 for more information.

Fixes to Java Virtual Machine in SP1
Microsoft article Q265889 contains a list of changes to the Microsoft Virtual Machine (VM) that are included with Win2K Service Pack 1 (SP1), including a problem that could cause a deadlock when you use Java/COM objects in long-running, high-stress environments. In rare cases the VM could fault at shutdown when you use java/lang/Runtime.exit() to terminate the process and java.net.Socket to check Internet Explorer's (IE's) proxy bypass list when the Microsoft VM connects through a SOCKS server. See the article for more information.

Error Message Occurs When You Start the Windows Installer Service
When you attempt to start the Windows Installer Service (WIS) computer that's installed on an NTFS volume on a TSE terminal server (or other NT-based computer), you could receive an error message that says the server couldn't start WIS because it couldn't find the environment option you entered. According to Microsoft article Q288903, this can happen if you modify the default access control list (ACL) on the %SystemRoot%\Installer working folder WIS operates under the context of the System security account, and this account must have Full Control permissions to the Installer folder. To correct this problem, make sure the System account has Full Control permissions.

NT 4.0 Clients Take Multiple TSCALs

Access to a Windows terminal server is licensed on a per-seat basis. However, incorrectly applied permissions can make an NT 3.51, NT 4.0, or TSE computer connected to a Terminal Services machine take a Terminal Services Client Access License (TSCAL) token for each user. Because you could easily recover these TSCALs until very recently, this is a serious problem. TSCALs are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing. To store a license there, members of the Users group need Full Control of this registry key and all its subkeys. When you grant the Users group Full Control, make sure you select the Replace Permissions on Existing Subkeys check box and click Yes when the system prompts you to verify the permission replacement. See Microsoft article Q291936 for more information.

Terminal Window After Dialing Doesn't Work in Terminal Services Session
If you configure a dial-up connection to display a terminal window after dialing, the terminal window doesn't appear in a Terminal Services session and the following error message appears: "Cannot load dialog. Error 2." Win2K's RRAS contains a named object used with the terminal window that appears after dialing. This object is named for the Terminal Services session namespace, but the code that supports the terminal window looks for the object in the global namespace. See Microsoft article Q277561 for a fix.

SP1 Install Doesn't Appear in Registry on Upgraded Terminal Server
If you use a slipstreamed installation to upgrade a computer from TSE to Win2K SP1, the version information in the registry might not indicate that SP1 is installed. This behavior raises issues for programs that require SP1. Edit the server's registry to add the value that indicates the service pack version, as explained in Microsoft article Q289215.

Event ID 2005 Message Occurs When You Print to a Line Printer
If you use the Line Print Remote (LPR) utility to set up a line printer from NT 4.0 or TSE, you might receive an error message in the Event Viewer that says the LPR print monitor failed to open a temporary file when it spooled output to port IP addresses. This can happen because: 1) You don't have the appropriate permissions to the spool folder that is located at %SystemRoot%\System32\Spool\Printers by default, 2) You added a print component such as TCP/IP printing and didn't reapply the service pack and the spooler files are mismatched, or 3) The Everyone group doesn't have Read permissions. See Microsoft article Q245033 to resolve these problems.

Unable to Add Users to Win2K Domain from TSE/NT 4.0
When you try to add users from a Win2K-based domain to an ACL or a group on an NT 4.0-based system, you could receive an error message that says you can't browse the selected domain because access is denied. This issue occurs when an NT 4.0-based system attempts to enumerate the list of users from a Win2K-based domain. According to Microsoft article Q257942, NT 4.0 first attempts to connect to the Win2K-based domain controller with the account used to log on to the NT 4.0-based system. If this account isn't a member of the Win2K-based domain or trusted domain, the connection will fail. NT 4.0 then tries a null connection, which also fails. To resolve this issue, use the net localgroup command to add the Everyone group to the "Pre-Windows 2000 Compatible Access" group on the Win2K-based DC, then reboot all DCs.

Add/Remove Programs Tool Incorrectly Displays Installed Programs
If you uninstall an application and its uninstaller incorrectly removes Windows and the Add/Remove Programs registry entries, Add/Remove Programs could display installed programs strangely. According to Microsoft article Q266668, you can resolve this problem by running REGSVR32 APPWIZ.CPL from the command prompt or by editing the registry as the article describes.

Win2K Printer Redirection Hotfix Available
Maintaining printer drivers for client-side printers remapped to terminal servers can be entertaining if you use OEM drivers instead of the printer drivers that come with Win2K. As Microsoft article Q275495 describes, you might not be able to install the driver on the server if the driver on the client has a different name from the one required on the server. See the article for Microsoft's hotfix and the registry edits you need to make it work.

Hotfix for MMC Resizing Access Violation
When you resize the left and right panes in Microsoft Management Console (MMC) 1.2 (the version used in Win2K), an access violation might occur. Microsoft now has a hotfix for this problem; Microsoft article Q285900 explains how to get it. Notice that this hotfix resolves an error that SP1 doesn't address.

NUM LOCK Key Always Disabled When Terminal Services is Installed
When you log on to Win2K Server with Terminal Services installed, the NUM LOCK key is always disabled. Even if you enable the NUM LOCK key, then log off, the NUM LOCK key is disabled again when you log on to the server. According to Microsoft article Q290176, Microsoft did this deliberately so that NUM LOCK would be disabled for terminal server laptop users.

Update Available to Revoke Fraudulent Microsoft Certificates Issued by VeriSign
As discussed in a previous issue of Application Service Provider UPDATE, in March VeriSign announced that it had mistakenly issued two digital certificates to someone who claimed to work for Microsoft. VeriSign has revoked these certificates; to make sure your browser won't accept them you need to apply a hotfix to Internet Explorer (IE). See Microsoft article Q293811 to learn how to do this.