According to Microsoft article Q292053, an Internet Authentication Service (IAS) and RRAS security hole lets users change passwords without the proper authorization. The article doesn't clearly explain the issue, but my interpretation is that the loophole might let users with expired passwords change those passwords without the proper authority or without first logging on. If you're running either of these services, I recommend that you contact your Microsoft Support representative for an update that eliminates the problem. The update comprises five files—lasrad.dll, lassam.dll, lassdo.dll, lasuserr.dll, and rasuser.dll. The files have release dates between May and June of this year.
Another password problem might prevent users from accessing network resources after they change their domain passwords on Macintosh systems. Microsoft article Q306485 states that when you change your password on a Macintosh machine that uses Services for Macintosh (SFM) to authenticate, SFM doesn't update all the password-specific hash values for the user account. When Netlogon authenticates a user’s credentials, it accesses and compares the hash value of the password you enter against the hash value of the stored password. When the hash values don’t match, Netlogon denies the user access. Apparently, this bug lets users log on but prevents them from connecting to shared network resources. You can temporarily work around the problem by changing the domain password from a non-Macintosh system. To permanently solve the problem, call Microsoft Support Services (MSS) and ask for the update released on October 14. The update consists of new versions of sfmsrv.sys and sfmsvc.exe. I expect that this version of sfmsrv.sys supercedes the version Microsoft released on September 6 to correct an erroneous blue screen.
Troubleshooting SP2 Integrated Installs
Windows 2000 Service Pack 2 (SP2) lets you use one setup operation to build a new Win2K system that includes the service pack. You do this by creating an integrated install directory that contains all the files from the original distribution media plus the expanded files from SP2. You might expect that you only need to copy the i386 directory from the distribution media to the integrated install directory. However, an integrated install expects to refresh every file on the distribution media and will fail if the additional directories and files aren't present. To ensure success, you must copy the entire distribution CD-ROM to the installation directory. If you don't include all the files from the CD-ROM, you’ll encounter the Win2K setup screen error "failed to copy some or all of the files necessary for integrated install."
Also, the "Command-Line Switches for w2ksp2.exe" section of the SP2 deployment guide contains an error. The documentation states "If wk2sp2.exe is started with any other command-line switches, it assumes that these commands are for update.exe and 'forwards' them to \Update\Update.exe accordingly." According to Microsoft article Q271371, this statement is incorrect. You can't use the /s option to successfully complete an integrated installation.
You’ll also encounter problems with an SP2 integrated install if you add post-SP1 (pre-SP2) updates or hotfixes to the install directory. Microsoft packages post-SP1 updates with the catalog file that's current for the older updates. When you slipstream an update or hotfix already included in SP2, the obsolete update will cause the installation to fail. SP2 includes a catalog file, sp2.cat, that contains a signature for each file that SP2 replaces. During setup, the Windows File Protection (WFP) code verifies that the signature on each SP2 file matches the signature in the catalog. If you add a post-SP1 update or hotfix to the install directory, the hotfix might overwrite the official release version of SP2’s catalog file with the outdated version from the hotfix. When WFP compares the signature on SP2 files with the signatures in the outdated catalog, the signatures don’t match and the installation fails. You can avoid this problem by slipstreaming (i.e., adding) only pre-SP3 updates and hotfixes to the integrated install directory. In most cases, the download filename for updates from Microsoft Support Services (MSS), as well as publicly available hotfixes, indicates the service pack level (e.g., the filename contains W2K_SP3). See Microsoft article Q290074 for more information.
Managing AD from Win2K Pro
Did you know that the Windows 2000 Server distribution CD-ROM contains a package of Active Directory (AD) administration tools that you can install on Win2K Professional? If you're managing a Win2K domain from a Win2K Pro system, you can install a comprehensive collection of AD tools in one easy operation. To install this package, find and double-click the file i386\adminpak.msi on the Win2K Server CD-ROM. When setup prompts you, click Next, and then click Finish. Setup then adds the following utilities to the Start menu's Administrative Tools group:
- AD Domains and Trusts
- AD Schema
- AD Sites and Services
- Active Directory Users and Computers
- Certification Authority
- Cluster Administrator
- Connection Manager Administration Kit
- Internet Authentication Service
- Internet Services Manager
- QoS Admission Control
- Remote Boot Disk Generator (part of Remote Installation Services)
- Remote Storage
- Win2K Server Terminal Services Manager, Licensing, and Client Connection Manager
You need a local administrator account to install and run Win2K Administration Tools, and you need a domain administrator account for the domain that contains the servers you'll remotely administer and manage. Also, the Win2K Pro system on which you load these tools must be a member of the Win2K domain that you want to administer. Microsoft article Q308196 documents this procedure in more detail.