If you haven't paid attention to Windows 2000 hotfixes since Microsoft released Service Pack 1 (SP1), this article will prepare you for the next round of Win2K updates. As of mid-August, Microsoft had listed 70 Win2K post-SP1 hotfixes on its Web site. Although many of the Win2K Professional hotfixes also apply to Win2K Server and Win2K Advanced Server, I don't cover hotfixes released only for Win2K Server versions. (If you're just now thinking about installing SP1, see Paul Thurrott, "Win2K Service Pack 1," November 2000.)
To help you evaluate this large collection of hotfixes, I've organized them into categories: desktop, DNS, Dr. Watson, group policy, hardware, memory leaks, Windows NT 4.0 interoperability, and networking. (See the sidebar "Important Security Hotfixes," page 62, for information about post-SP1 security hotfixes.) I include each hotfix's URL as a reference. However, I've taken editorial license with the official hotfix titles and, in many cases, modified the titles so that they better describe the problem that the hotfix corrects.
Generally, you should install hotfixes only for problems you experience on your systems. If the hotfix you want isn't available for public download (and most of them aren't), you must call Microsoft Product Support Services (PSS) to obtain the update. Before you call PSS, Microsoft expects you to document the problem your system is experiencing and to verify that your system's behavior is consistent with the documented bug.
Nonadministrator users can't change system font size. The Microsoft article at http://support.microsoft.com/support/ kb/articles/q258/7/02.asp reports that only Administrators can change the display font size from large to small or small to large in both the workstation and server versions of Win2K. To see this bug, log on to a Win2K system as an ordinary user. Right-click the desktop, and select Properties to open the Display Properties dialog box. Click the Settings tab, then click Advanced. You'll see that the Font Size field is unavailable. If you want to permit users to change the display font size, you need to install the desk.cpl bug fix released on April 11. You must obtain the bug fix directly from PSS.
Sysprep might not install nonnative signed drivers. If you work with Sysprep to clone Win2K systems, you might already have encountered the following Plug and Play (PnP) bug. When you create a system with a third-party or nonnative driver and try to upgrade the image with a signed or test-signed driver by using the OEMPnPDriversPath entry in the sysprep.inf file, Windows doesn't install the new signed driver. According to the Microsoft article at http://support .microsoft.com/support/kb/articles/q260/3/19.asp, Sysprep incorrectly reverts to the original driver .inf file. If you update your builds with signed drivers (as opposed to unsigned drivers), you need to call PSS for the new version of syssetup.dll released on May 11.
Screen saver doesn't run if the console is locked. Do you have screen-saver problems on a Win2K system configured as a member of a workgroup? If so, read on for one possible source of the problem and two potential solutions. Win2K Graphical Identification and Authentication (GINA) displays a screen saver when one is defined. But when you configure a Win2K system as a member of a workgroup, the OS disables GINA's ability to display the Computer Locked dialog box, preventing the screen saver from running. To verify that your system has this problem, enable a password-protected screen saver, press Ctrl+Alt+Del, and press Enter to lock the console. If you see the Unlock Computer dialog box instead of the Computer Locked dialog box, you have the screen-saver problem. To obtain the hotfix, call PSS and ask for the version of msgina.dll dated April 2.
You can work around this problem by manually enabling the Computer Locked dialog box in the Winlogon section of the Registry. Go to the HKEY_LOCAL_ MACHINE\SOFTWARE\Microsoft\Win- dows NT\CurrentVersion\Winlogon subkey and add the value entry DisableCAD of REG_DWORD data type 0x1. If you set the DisableCAD value entry to 0 (0x0), rather than 1 (0x1), GINA won't display the Computer Locked dialog box and you're right back where you started. The Microsoft article at http://support .microsoft.com/support/kb/articles/q254/ 5/00.asp documents this problem.
DNS suffix incorrect after NT 4.0 to Win2K upgrade. When you upgrade an NT 4.0 system to Win2K, the upgrade procedure clears the Change primary DNS suffix when domain membership changes check box on the Network Identification tab of the System Properties screen. This detail becomes a problem when you upgrade an NT 4.0 system to a Win2K domain controller because you can't, by definition, change the computer name or DNS suffix after the domain controller is running. This upgrade problem prevents the domain controller from registering itself in Active Directory (AD) because the DNS suffix doesn't match the AD domain name. If your system has this problem, you'll see the message Attempt to update DNS Host Name of the computer object in Active Directory failed. The following error occurred: The parameter is incorrect with event ID 5789 in the System event log.
Microsoft has a hotfix, a new version of netcfgx.dll released on May 18, that corrects this problem. You can also fix the problem manually: After the Win2K upgrade finishes and Dcpromo runs, quit Dcpromo, go to My Computer, and select Properties. Select the Network Identification tab, select the Change primary DNS suffix when domain membership changes check box, and run Dcpromo again.
Can't clear the cache on a DNS server. The Win2K DNS server has a bug that prevents you from flushing the DNS name cache. When you attempt to clear the cache with DNS Administrator, the utility responds with the error message The server cache cannot be cleared. DNS zone already exists in the directory service. When you attempt to clear the cache from the command line with the dnscmd /clearcache command, you might receive the error message failed: status = 9718 (0x000025f6).
Call PSS for an update that lets you clear the DNS server's cache. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q257/8/28.asp says that the hotfix is an update of dns.exe and has a release date of April 7.
Invalid DNS records not removed. If you build a Win2K site without a domain controller and later add a local domain controller, the following bug could be a problem. When you create a site that doesn't have a domain controller, Win2K assigns domain controllers from other sites to cover the site. After you install the local domain controller, you need to remove the DNS records that point to the domain controllers at the other sites to ensure that only local domain controllers authenticate logons. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q262/2/89.asp states that a bug in Netlogon causes the invalid DNS entries to remain in the database after you install a local Win2K domain controller. Call PSS for the update of netlogon.dll released on May 6.
DHCP clients and dynamic DNS updates. If you have a non-Microsoft DHCP server providing addresses for Win2K DHCP clients, the third-party server might not support dynamic DNS (DDNS). To avoid problems, Microsoft recommends that you add the value entry DisableDynamicUpdate to the system's TCP/IP parameters in the HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Tcpip\Parameters Registry subkey to globally disable a Win2K DHCP client's ability to send DDNS registrations. However, a bug in the Win2K DHCP client code causes the system to ignore this global setting, so Microsoft's recommended action doesn't work—the client continues to send dynamic registrations. If you need to globally disable DDNS updates on Win2K systems, call PSS for the hotfix, a new version of dhcpcsvc.dll, released on May 18.
To work around this problem, which the Microsoft article at http://support .microsoft.com/support/kb/articles/q263/5/50.asp describes, disable the dynamic update feature on each network interface. Open the Properties screen for the network connection, double-click Internet Protocol (TCP/IP), click Advanced, click the DNS tab, and clear the Register this connection's address in DNS check box.
Dr. Watson Hotfixes
Ipconfig hangs services.exe. Did you know that the Ipconfig command has two useful switches you can employ to troubleshoot local name-resolution problems? The /displaydns switch returns the list of all cached DNS names, and the /flushdns switch clears the cache. When many names exist in the cache and you run ipconfig.exe with either of these switches, enumerating the cache entries causes services.exe to hang.
The Microsoft article at http://support.microsoft.com/ support/kb/articles/q262/6/37 explains that the services.exe hang occurs on systems with a DNS cache that contains 2000 or more entries and that the problem occurs only when you examine the cache from the command line. To recover from the services.exe hang, you'll most likely need to reboot the affected system. If Ipconfig is one of your favorite troubleshooting tools, call PSS and ask for the Ipconfig hotfix. The hotfix updates two components, dnsapi.dll and dnsrslvr.dll, which have a May 19 release date.
Inetinfo access violation during IISAdmin shutdown. Have you experienced an Inetinfo access violation on a Win2K system running Microsoft IIS 5.0? If so, here's the explanation. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q264/6/28.asp reveals that Inetinfo might fail with an access violation or stop at a debug breakpoint when the IISAdmin service is shutting down. The Inetinfo failure is the result of attempts to access nonexistent memory locations at shutdown. Call PSS to obtain the hotfix that eliminates the invalid memory references. The hotfix updates two files, coadmin.dll and metadata.dll, which have a release date of June 8.
Terminal Services client causes Explorer access violation. When you create a connection with Connection Manager for a Win2K Server Terminal Services client, then copy the icon to the desktop, an access violation might occur in explorer.exe. The Microsoft article at http://support.microsoft.com/support/kb/articles/q262/1/37.asp says you can eliminate the access violation by installing an updated version of conman.exe, released on May 6. You must obtain the update directly from PSS.
Win32k.sys blue screen. An unusual programming sequence causes a win32k.sys blue screen with a Stop Code of 0x0000001e. This problem occurs when a program creates a windowstation handle and copies data to the Clipboard, then quits. While processing the program exit, the 32-bit subsystem references a W32Thread after the OS has deleted the thread. See the Microsoft article at http://support.microsoft.com/ support/kb/articles/q269/5/93.asp for a description of this problem. Call PSS for the fix, which includes updates of win32k.sys, winsrv.dll, user32.dll, and gdi32.dll. The updated files have release dates on and between May 31 and August 1.
Win2K multiprocessor hang. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q266/1/32.asp describes a situation in which Win2K might hang on multiprocessor computers during startup while the Preparing Network Connections screen is displayed. When this problem occurs, you might find that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AuditBaseObjects of REG_DWORD data type 1 entry has appeared in the Registry. The article doesn't explain how or when this value appears in the Registry, but it does say that the value makes isasrv.dll enter an infinite loop. To correct this problem, call PSS for a new version of isasrv.dll, released on June 22.
Group Policy Hotfixes
Group Policy might not be applied to users who belong to more than 70 groups. Does your AD database have users who are members of more than 70 groups? If so, you need to apply a hotfix to all Win2K domain members as soon as possible. When a user logs on, Win2K adds the SID for each group to which the user belongs to the user's access token and sends the token in a Kerberos packet to the authenticating domain controller. When a user is a member of more than 70 to 80 groups, the token required to represent all the group SIDs grows beyond the maximum Kerberos-supported token size of 8KB. When the token exceeds the maximum size, Win2K can't successfully establish the user context, which means the user can't access any network resources.
The Microsoft article at http://support.microsoft.com/ support/kb/articles/q263/6/93.asp reports that you must call PSS to obtain this problem's hotfix. The hotfix contains two files: kerberos.dll, with a release date of June 7, and ksecdd.sys, with a release date of May 26.
Group Policy corrupts long Run Only Allowed Applications list. Here's another Group Policy bug that can wreak havoc on your Win2K network. If you add long filenames in the Run Only Allowed Applications list in an organizational unit's (OU's) Group Policy, the list becomes corrupted after the total number of characters exceeds 1024. So, for example, you'll encounter this problem if your list of allowed applications contains 10 applications, each with a pathname about 100 characters long. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q263/1/79.asp documents this bug and advises you to call PSS for the hotfix. The hotfix updates gptext.dll and has a release date of May 31.
Modems misbehave with the Modem Sharing service. When you use the Win2K Internet Connection Sharing (ICS) service to connect to a modem pool, the modem might not respond or might respond incorrectly by not dialing or dialing only in pulse mode. An incompatibility between the Modem Sharing client and the standard Unimodem driver causes the client to send a corrupted initialization string to the modem. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q263/6/43.asp documents this problem and directs you to call PSS for the hotfix, a new version of modem.sys, released on May 17.
Toshiba PC Card controller might power 3.3-volt R2 PC Card at 5 volts. If you have Toshiba laptops or notebooks, be aware that the Win2K PC Card bus driver pcmcia.sys uses an incorrect voltage for R2 PC cards. This bug causes Win2K to supply 5 volts of power to R2 PC cards, which are designed for 3.3 volts. If you don't want to fry your R2 card, call PSS for the hotfix that corrects the voltage problem. The hotfix updates the pcmcia.sys file and has a release date of June 21. The Microsoft article at http://support.microsoft.com/support/kb/ articles/q265/2/96.asp documents this problem.
Support for ATA-100 (Mode 5) in Win2K. The Win2K disk driver manages all ATA-100 (Mode 5) IDE hard drives in ATA-66 (Mode 4). If you want to run IDE disks in ATA-100, you need to call PSS for a new version of the atapi.sys driver that supports Mode 5 hard drive operation. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q260/2/33.asp reports that the hotfix contains four files—atapi.sys, intelide.sys, pciide.sys, and pciidex.sys—and all four have a release date of April 27. The article states that after you apply the hotfix, you might notice a PIO value displayed on the Advanced Settings tab for an IDE device in Device Manager. This value doesn't mean that the device is functioning in programmed I/O mode—Win2K is displaying an incorrect value.
USB devices disappear after hibernation. When a computer resumes operation after hibernation, Device Manager might not recognize connected USB devices. After hibernation, Win2K issues a global reset and then a port reset to the USB controller. If the port reset isn't successful, the USB controller becomes unresponsive to commands. This behavior is most likely to occur if the motherboard uses the 440BX/443BX chipset with the PIIX4(E) chipset. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q26/6/43.asp implies that Microsoft has extended the functionality of uhcd.sys to accommodate the PIIX4(E) chipset. You can get an update of this module from PSS.
PS/2 keyboard not recognized when plugged into a running system. Is anybody out there installing PS/2-compatible keyboards on Win2K systems? To ensure Win2K recognizes these keyboards, you typically must plug them in before you boot the OS. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q262/7/98.asp says you can install a hotfix that will cause Win2K to recognize a PS/2 keyboard when you connect the keyboard to a running system, but only if the computer's BIOS supports this hot-plug feature. Be warned that some PS/2 controllers might not handle hot plugging a device, and some might short devices out. If you can't live without plugging keyboards into a running system, call PSS and ask for the new i8042prt.sys driver with a release date of May 18.
Memory Leak Hotfixes
Potential OHCI1394 driver memory leak. If you configure systems with an Open Host Controller Interface (OHCI) 1394 compatible controller, a specific set of conditions causes the OHCI driver to leak memory from the nonpaged pool. OHCI is an implementation of an IEEE standard that defines a high-performance (i.e., 100MB, 200MB, or 400MB) serial-bus technology for connecting digital camcorders and other high-speed video devices to a PC. The driver doesn't release memory during an asynchronous write operation when two arguments exceed a specific threshold. To eliminate this potential memory leak, call PSS and ask for the updated ohci1394.sys driver released on April 24. If you want to know the names and threshold of the arguments to the write operation, you can read the gory details in the Microsoft article at http://support.microsoft.com/support/kb/articles/q260/0/55.asp.
Potential Registry quota leak. In certain cases, a specific set of Registry operations causes Win2K to incorrectly compute the Registry's size. When a system has adequate expansion space for the Registry, the miscalculation doesn't pose a serious problem. However, the Microsoft article at http://support.microsoft.com/ support/kb/articles/q260/2/41.asp explains that when the miscalculation returns a value equal to the maximum Registry size limit, Win2K can't expand the Registry, and this can wreak havoc with a running system. The article says you can call PSS for a bug fix that updates four kernel files: ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, and ntoskrnl .exe. The files have a release date of April 21.
NT 4.0 Interoperability Hotfixes
NT 4.0 logon hour restrictions prevent NT 4.0 users from accessing Win2K resources. Here's the scenario: You have a legacy NT 4.0 network and an NT 4.0 PDC, and your users access shared resources on Win2K servers. In the NT 4.0 domain, you restrict logon hours for user accounts and enable the Forcibly disconnect remote users from server when logon hours expire option. But when you set both these features, nonadministrative users logged on to NT 4.0 systems during valid logon hours can't access shared resources on the Win2K systems. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q263/0/06.asp says PSS has a hotfix that corrects this problem. The hotfix contains an updated srv.sys file with a release date of May 18.
Win2K redirector bug prevents connection to NT 4.0 servers with Server Message Block signing enabled. When a Win2K client attempts a connection to an NT 4.0 server with Server Message Block (SMB) signing enabled, the client might experience connection problems. If the client uses an invalid password during its initial attempt to connect to the NT 4.0 server, the Win2K redirector incorrectly returns the error message Network name is no longer available, when it should respond with a prompt to enter the correct password.
The Microsoft article at http://support.microsoft.com/ support/kb/articles/q259/6/98.asp advises you to call PSS for a hotfix that eliminates the redirection bug. The hotfix contains updates to two Win2K components, mrxsmb.sys and rdbss.sys; both files have a release date of August 4. To temporarily work around the problem, you can turn off NT 4.0 SMB signing (or warn Win2K users they must enter a valid password the first time they connect to the NT 4.0 server).
Netware File and Print Services update. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q264/5/10.asp describes an update that corrects the following problems in Microsoft File and Print Services for NetWare (FPNW) 5.0.
- When you configure a user account with an enabled NetWare-compatible logon option and include any characters from the double-byte character set (DBCS) in the home directory path, the home directory path isn't stored correctly.
- If the logon script contains DBCS characters and you try to click OK or Apply to close a user's properties in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, you might receive the error message Windows cannot update the login scripts file due to error: The data area passed to a system call is too small.
- When you use the Active Directory Users and Computers snap-in or the MMC Local Users and Groups snap-in to create a new user in FPNW 4.0, Win2K creates a subfolder (named with the user's object ID) in the SysvolMail folder. In FPNW 5.0, Win2K doesn't create this subfolder until you edit the user's logon script.
- When you change an account that isn't Novell NetWare-enabled to NetWare-enabled and simultaneously force password expiration, the account becomes NetWare-enabled but the password-expiration setting isn't saved.
- If you change the Grace Logins Remaining option in the NetWare Services properties dialog box to 0 and click OK, Win2K accepts the 0 value. If you click Accept, Win2K automatically changes the 0 value to 1.
To fix these bugs, call PSS for the FPNW 5.0 hotfix. The fix contains two files, dsprop.dll and localsec.dll, with the release date May 31.
Multiple Net Send commands expose Messenger service bug. Here's a Messenger service bug that applies to all Win2K versions. When you use the Net Send command to send several messages in quick succession to a target computer, the command might respond with the error message The message alias could not be found on the network. The Messenger service doesn't listen for 5 seconds after responding to a request; any message sent within the 5-second window causes the error message to be displayed. This problem occurs only when you send multiple messages to the same computer in quick succession and if the destination system has correctly registered the <03> NetBIOS name. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q259/7/50.asp documents this problem and states that you can call PSS for a Messenger service hotfix. The hotfix updates the msgsvc.dll file and has a release date of May 26.
AD hotfix eliminates maximum of 854 DHCP servers. AD supports a maximum of 854 DHCP servers. When you add the 855th server, AD responds with the message Administration limit for this request has been exceeded. Although it's hard to imagine managing a network with even 500 DHCP servers, if you think you need more than 854, you can call PSS for the hotfix that removes the limit. The Microsoft article at http://support.microsoft.com/ support/kb/articles/q264/6/31.asp states that this hotfix updates one file, dsauth.dll. The article doesn't specify a release date for the file.
A Word to the Wise
By the time this article appears in print, I'm sure Microsoft will have released many additional hotfixes for Win2K Pro. Before you finalize the set of hotfixes to install on your systems, go to Microsoft's Knowledge Base search page at http://search.support.microsoft.com/ kb/c.asp?fr=0&sd=tech, select Windows 2000 in the Product field, and enter the search string Win2000PostSP1fix. This sequence will produce a current list of hotfixes. You can also check out the Win2K download page at http://www.microsoft.com/windows2000/downloads/default.asp. This page contains updates and hotfixes for security vulnerabilities you can download without calling PSS.