Windows Server 2003 and Windows 2000 Server let an administrator enforce complex passwords. When a user changes his or her password and the complexity option is enabled, passwords must include a combination of uppercase or lowercase letters, digits, and nonalphabetic characters, usually punctuation. If the user selects a new password that doesn't meet the complexity rules, the system responds with a message stating that the password isn't acceptable but doesn't clearly state why the password is invalid. If your users complain that they don't understand why the system gives them an error message when they attempt to change their passwords, you can install a patch that clearly explains the complexity rules. Microsoft Product Support Services (PSS) has a patch available for Windows 2003, Windows XP, and Win2K platforms—a new version of msgina.dll with a file release date between May 27 and June 2, depending on the platform. When you call PSS, cite the Microsoft article "Users Receive a Password Complexity Requirements Message That Does Not Specify Character Group Requirements for a Password" (http://support.microsoft.com/?kbid=821425) as a reference.

Account and Expired Password Bug Fix
When a user account is disabled and the account’s password has also expired, the system processes these events in the wrong order. The net result is that the user of a disabled account is first prompted to change the expired password. After a successful password change, the system informs the user that his or her account is disabled. PSS has a fix for this problem on Windows 2003 and Win2K. The Microsoft article "User of a Disabled Account Is Prompted to Change the Password Before the 'Account Has Been Disabled' Message Appears" (http://support.microsoft.com/?kbid=826133) says that the Windows 2003 patch is a new version of kdcsvc.dll with a file release date of August 12 but provides no details about the equivalent patch for Windows 2000, so you’ll need to ask PSS for information about the Win2K version.

Win2K Lsass Memory Leak
If your Win2K domain controllers (DCs) run for months without a reboot and you use Performance Monitor to track system activity, the monitor might introduce a Local Security Authority (LSA) service (lsass.exe) memory leak. As with all memory leaks, over time it can cause a system to respond slowly or not at all to logon requests. In this specific case, you might also see error messages in the System event log with event ID 1168 and a message stating that the system encountered an NT Directory Service (NTDS) Intersite Messaging error. You can always reboot to clear a system that fails from a memory leak. For a permanent solution, call PSS and ask for the bug fix. This fix is huge, comprising new versions of 37 files, most of which have file release dates of mid-September. The Microsoft article "Memory Leak in Lsass.exe" (http://support.microsoft.com/?kbid=828297) contains a list of all the modified files included in this patch.

Windows Server 2003 Lsass Failure
Windows 2003 has an obscure bug that can, in some cases, cause the LSA service to fail with an access violation. According to the Microsoft article "The Server Stops Responding and an Access Violation Occurs in Lsass.exe When the Server Reloads Certain Policy Parameters" (http://support.microsoft.com/?kbid=826819), when a DC reloads Lightweight Directory Access Protocol (LDAP) policy while it's processing a Simple Authentication and Security Layer (SASL) connection, the system might incorrectly block a Scheduler service thread, which in turn causes the lsass.exe access violation. PSS has a patch for this problem, a new version of secure32.dll, with a file release date of August 23.

Windows Server 2003 Streaming Media Problem
When you have a switch that controls network bandwidth for Windows 2003 systems, you might see a degradation in the performance of streaming-media applications. The Microsoft article "Network Throttling Setting Results in Lower Network Transmission Speed" (http://support.microsoft.com/?kbid=825030) states that when a switch throttles back available bandwidth, Windows 2003 slows down more than Win2K. The delay occurs because Windows 2003 uses a larger minimum transmission timeout value than Win2K; the larger timeout means more time elapses between transmission attempts, and this delay negatively impacts the delivery of high-bandwidth streaming-media applications. PSS has a bug fix for Windows 2003 that contains a new version of tcpip.sys and four additional supporting files, with file release dates of August 26.

Windows Server 2003 Redirector Bug Fix
When you use a Windows 2003 system to host files that are accessed concurrently by multiple users, you need to add a redirector bug fix to your list of required updates. This bug appears when two users request write access to the same file or perform another operation that requires each client to have a lock on the file. When the system is processing the file lock requests, a subtle timing problem might prevent the OS from responding to the client quickly enough, at which point the client redirector times out and cancels the connection. PSS has new versions of the two core redirector components, mrxsmb.sys and rdbss.sys, which eliminate this timing problem and the cancelled connection. The new components have a file release date of August 25. When you call PSS, cite the Microsoft article "The Windows Redirector May Cancel a Session During a Long-Lasting Locking Operation" (http://support.microsoft.com/?kbid=827546) as a reference.