"Access Denied" Error
Message During Active Directory Promotion of
Replica Domain Controller
Microsoft Knowledge Base Article: 250874 - During
Active Directory promotion of a replica domain
controller, the following error message may
be displayed: The operation failed because: Failed to modify the necessary
properties for the machine account %computername%$
"Access Denied"
Access Violation
in sbTableGetDSName Causes Global Catalog to
Crash
Microsoft Knowledge Base Article: 253868
- A Windows 2000 Global Catalog server may stop
responding (crash) with the following call stack:
Active Directory
DNSHostName Property Does Not Include Subdomain
Microsoft Knowledge Base Article: 240942 - When
a computer joins an Active Directory domain
(for example, MICROSOFT.COM), Active Directory
stores the fully qualified domain name (FQDN)
of the computer with the computer account in
a property called DNSHostName.
Active Directory
Integrated Reverse Zones Do Not Load on DNS
Servers
Microsoft Knowledge Base Article: 252314 - Active
Directory integrated zones may not update their
reverse zone information to their DNS servers
unless you stop and restart the DNS service
(although the reverse zone information is correctly
listed in Active Directory).
"Active Directory
Installation Failed" Error Message When You
Use Dcpromo.exe to Promote a Server
Microsoft Knowledge Base Article: 259567 - When
you attempt to use Dcpromo.exe to promote a
Windows 2000 Server-based computer to a domain
controller, you may receive the following error
message: Active Directory
Installation Failed The operation failed with
the following error. The network location cannot
be reached. For further information about network
troubleshooting, see Windows Help. This
problem can occur if the network cable is not
plugged into a hub or other network device.
Active Directory
MMC Tools Are Slow to Initialize
Microsoft Knowledge Base Article: 270915 - Active
Directory Microsoft Management Console (MMC)
utilities may be slow to initialize and run.
They may also stop responding (hang) during
the initialization procedure.
Active Directory
Objects May Be Modified Programmatically
Microsoft Knowledge Base Article: 259401 - If
a user has permission to modify one attribute
of an object, it may be possible for that user
to modify, programmatically, other attributes of
the same object that the user does not have
permission to modify.
Active Directory
Replication and Knowledge Consistency Checker
Fail without Trusted Domain Object
Microsoft Knowledge Base Article: 257844 - In
the event log of a Windows 2000 domain controller,
one of the following error messages may appear:
The Directory Service received
a failure while trying to perform an authenticated
RPC call to another Domain Controller. The failure
is that the desired Service Principal Name (SPN)
is not registered on the target server.
Active Directory
Users and Computers Snap-in Always Contacts
PDC When User Properties Is Opened
Microsoft Knowledge Base Article: 270643 - Each
time a user properties dialog box is opened,
Windows 2000-based computers that are running
the Active Directory Users and Computers snap-in
contact the PDC FSMO role owner by using an LSARPC
pipe.
Authoritative Restore
Triggers Communication Error on Bridgehead Servers
Microsoft Knowledge Base Article: 289901 - After
you perform an authoritative restore operation
(a database restore) on a domain controller
in the forest, event IDs 1311 and 1566 may occur
every 15 minutes on the forest's inter-site
topology generator servers.
Backup and Restore
of Directory Service on Domain Controller Causes
Duplicate SIDs
Microsoft Knowledge Base Article: 289154 - When
you back up and then restore the Directory Service
on a domain controller, duplicate Security ID
(SID) events may appear in Event Viewer.
Cannot Completely
Hide an Object in Active Directory
Microsoft Knowledge Base Article: 276679 - Active
Directory in Windows 2000 supports a security
model that prevents you from completely hiding
an object. When you attempt to hide an object,
the hidden object is displayed in the member
list, but the client computer cannot retrieve
any additional information on this object.
Cannot Create an
Organizational Unit in the Parent Domain with
the Same Name as a Child Domain in Windows 2000
Microsoft Knowledge Base Article: 240147 - You
cannot create an organizational unit (OU) in
a parent domain with the same name as a child
domain in Windows 2000 because a name conflict
is created.
Cannot Delete Cloned
User Accounts that Include Security Identifier
History from Local Groups
Microsoft Knowledge Base Article: 278693 - When
you use a tool such as the Active Directory
Migration Tool (ADMT) to migrate user accounts
from a Microsoft Windows NT 4.0 domain to a
Microsoft Windows 2000-based system, and then
you add these users to a local group, the accounts
cannot be deleted, and you may receive the following
error message: The specified
account name is not a member of the local group.
Cannot Publish a
Printer to Active Directory from a Cluster in
a Child Domain
Microsoft Knowledge Base Article: 286254 - If
you have a cluster in a child domain and the
Cluster Service account exists in the parent
domain, you cannot publish to Active Directory
a printer that is shared on the cluster virtual
node. The following event will be posted to
the System event log: Event ID 38
Source: Print PrintQueue
printer CN name was successfully deleted
from container LDAP://container
Cannot Remove Active
Directory from a Replica Domain Controller
Microsoft Knowledge Base Article: 263624 - When
you attempt to remove Active Directory from (demote)
a replica domain controller by using the Dcpromo.exe
tool, you may receive the following error message:
The operation failed because: The directory service
failed to replicate off changes made locally.
The DSA operation is unable to proceed because
of a DNS lookup failure.
Cannot
Repair the Active Directory Database by Using
the Ntdsutil Tool
Microsoft Knowledge Base Article: 305500 - When you try
to use the Ntdsutil tool to repair the Active
Directory database (the Ntds.dit file), you
may not be able to perform an integrity check
or to repair the database successfully. You
may receive error messages similar to the following:
Cannot Set Up Trust
in Windows 2000 Domain from Windows NT 4.0
Microsoft Knowledge Base Article: 255551 - When
you are using User Manager for Domains from
Microsoft Windows NT 4.0 to establish a trust
from a Windows 2000-based domain to any other
domain, you may receive an error message. When
you are adding a domain name to "Trusted Domains,"
the error message is "Parameter is Incorrect."
When you are adding a domain name to "Trusting
Domains," the error message is: Access
Denied
Cannot Turn Off "User
Cannot Change the Password" Option After Windows
2000 Upgrade
Microsoft Knowledge Base Article: 253512 - When
you upgrade your Microsoft Windows NT 4.0 domain
to Windows 2000 Active Directory and you click
to clear the User cannot change the password
check box in Active Directory, the user may
still be unable to change his or her password.
In addition, the Active Directory user interface
shows that the check box is cleared, but the
user cannot change the password.
Dcpromo Does Not
Allow All-Numeric Label in a Domain Name
Microsoft Knowledge Base Article: 258101 - The
Active Directory Installation Wizard (Dcpromo)
may display the following error message: The syntax of the domain name 111.edu is incorrect.
In general, acceptable naming conventions for
domain names include the use of alphanumeric
characters (the letters A through Z and numerals
0 through 9) and the hyphen (-). A period (.)
in a domain name is always used to separate
the discrete parts of a domain name commonly
known as labels. Each domain label can be no
longer than 63 bytes. The first label may not
be a number.
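The label rules quoted above can be checked before Dcpromo is run. The following validator is an added example and is not code from the Knowledge Base article; it encodes the rules the article states (letters, digits and hyphen only; labels separated by periods; no label longer than 63 bytes; the first label must not be all-numeric) and adds, marked as an assumption beyond the article, the RFC 1035 rule that a label may not start or end with a hyphen.

```python
"""Pre-flight check of a domain name against the Dcpromo label rules quoted above.

Added example, not code from the Knowledge Base article. It encodes the rules
the article states (letters, digits and hyphen only; labels separated by
periods; no label longer than 63 bytes; the first label must not be all
digits) and adds, as an assumption beyond the article, the RFC 1035 rule
that a label may not start or end with a hyphen.
"""
import re
from typing import List

MAX_LABEL_BYTES = 63
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def check_domain_name(name: str) -> List[str]:
    """Return the list of rule violations; an empty list means the name passes."""
    problems: List[str] = []
    if not name:
        return ["name is empty"]
    # A trailing period (absolute FQDN form) is tolerated and stripped.
    labels = name.rstrip(".").split(".")
    for position, label in enumerate(labels):
        if label == "":
            problems.append(f"label {position} is empty (leading or doubled period)")
            continue
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} uses characters other than A-Z, 0-9 and hyphen")
        if len(label.encode("utf-8")) > MAX_LABEL_BYTES:
            problems.append(f"label {label!r} exceeds {MAX_LABEL_BYTES} bytes")
        # Assumption beyond the article: RFC 1035 forbids leading/trailing hyphens.
        if label.startswith("-") or label.endswith("-"):
            problems.append(f"label {label!r} starts or ends with a hyphen")
    # The rule Dcpromo enforces in the article's example (111.edu).
    if labels[0].isdigit():
        problems.append(f"first label {labels[0]!r} is all-numeric, which Dcpromo rejects")
    return problems


def is_valid_domain_name(name: str) -> bool:
    return not check_domain_name(name)


if __name__ == "__main__":
    for candidate in ("111.edu", "1a.edu", "corp.example.com",
                      "a" * 64 + ".com", "bad_name.local", "-corp.example.com"):
        print(f"{candidate[:40]:40} -> {check_domain_name(candidate) or 'OK'}")
```

Note that `1a.edu` passes: the article's restriction is on an all-numeric first label, not on a label that merely begins with a digit.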
DFS Site Information
Is Not Updated When You Move Server to a New
Active Directory Site
Microsoft Knowledge Base Article: 260857 - After
you move a server that is a replica member of
a Domain Distributed File System (DFS), client
computers that connect through the DFS namespace
seem to disregard the relocation of a server
to a different Active Directory site.
Dial-In Options Unavailable
with Active Directory in Mixed Mode
Microsoft Knowledge Base Article: 193897 - Some
dial-in options for user accounts in the Active
Directory may be unavailable. This occurs when
Active Directory is in Mixed mode.
Directory Service
Does Not Start If Disk Is Full
Microsoft Knowledge Base Article: 259278 - The
following error message may occur when you start
a Windows 2000-based Active Directory domain
controller:
Directory Service
Stops Responding on Heavily Loaded Domain Controller
Microsoft Knowledge Base Article: 313657 - A
heavily loaded domain controller may stop responding
to client requests. You may be able to confirm
a network connection to the domain controller
by using the Ping.exe utility, but when a client
tries to view or connect to a share, you receive
network error 58
DNS Server Generates
Event 4011
Microsoft Knowledge Base Article: 252695 - In
certain rare cases, you may find the following
entries in the Event log on a Windows 2000-based
Active Directory-integrated DNS server: Event
ID: 4011 The DNS server was unable to add or
write an update of domain name _ldap in zone
name.com to the Active Directory. OR
The DNS server was unable to add or write an
update of domain name _gc in zone name.com
to the Active Directory. OR The DNS server was
unable to add or write an update of domain name
gc in zone name.com to the Active Directory.
Duplicate Certificate
Templates Appear in Active Directory
Microsoft Knowledge Base Article: 264589 - Duplicate
certificate templates may appear in Active Directory
when you attempt to create or modify an Automatic
Certificate Request, Public-Key Policy.
Duplicate Connections
Appear in the Active Directory Sites and Services
Snap-in
Microsoft Knowledge Base Article: 292592 - On
a computer that runs Windows 2000 Server, when
you view the Active Directory Sites and Services
snap-in for Microsoft Management Console (MMC),
you see numerous duplicate connections that
were created over a period of time. (updated
4/11/2001)
Error Message: "Active
Directory Installation Failed: The Network Location
Could Not Be Reached"
Microsoft Knowledge Base Article: 271750 - When
you use the Dcpromo.exe tool to install Active
Directory, the following error message may be
displayed: Active Directory installation failed:
The network location could not be reached. This
behavior can occur because the server's network
adapter is not attached by a network cable to a
hub or to a switch.
Error Message: Object
Picker Cannot Open Because no Locations from
Which to Choose Objects Can Be Found
Microsoft Knowledge Base Article: 263231 - When
you try to select objects from an Active Directory
domain, you may receive the following error
message: Object Picker cannot open because no locations from
which to choose objects can be found.
Error Messages When
Windows 2000 Client in Windows 2000 Domain Attempts
to Open Active Directory Snap-in
Microsoft Knowledge Base Article: 261203 - A
Windows 2000 client in a Windows 2000 domain
may not be able to open any Active Directory
snap-ins. When the client attempts to open a
snap-in, the following error messages may be
displayed:
DNS Server Does Not
Start with DBCS Domain Names
Microsoft Knowledge Base Article: 258072 - A
Windows 2000-based Domain Name System (DNS)
server that is integrated with Active Directory
may not start if you are using a double-byte
character set (DBCS) domain name. When this
issue occurs, you may see an error message
Domain Controller
Server Object Not Removed After Demotion
Microsoft Knowledge Base Article: 216364 - After
you demote a domain controller to a server,
the object that represents the server in the
Active Directory Sites and Services Manager
snap-in remains.
GUID of Pre-Staged
Computer Appears Different Than as Typed
Microsoft Knowledge Base Article: 228905 - When
you pre-stage a computer to Active Directory
using the Active Directory Users and Computers
Microsoft Management Console (MMC) snap-in and
you select the "This is a managed computer"
option, you must type the computer's globally
unique identifier (GUID). A pre-staged system
with a GUID entered in this way refers to the
clients that will be using the Remote Install
service (RIS) to install Windows 2000. Pre-staging
ensures that only clients that have been pre-staged
by the administrative staff can use this service.
When you view the GUID of the pre-staged computer,
the GUID may be different from the GUID you
entered.
Large Numbers of
ACEs in ACLs Impair Directory Service Performance
Microsoft Knowledge Base Article: 271876 - The
performance of Active Directory can be severely
impaired by an overly complex access control
policy. For maximum performance, you should
minimize the number of Active Directory objects
to which you assign specific access control
lists.
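One way to find the objects the article is talking about is to count, per object, how many access control entries are set on the object itself rather than inherited. The parser below is an added example and is not code from the Knowledge Base article; it reads the DACL of a security descriptor in SDDL string form (the format Windows returns from ConvertSecurityDescriptorToStringSecurityDescriptor and PowerShell exposes as .Sddl) and separates explicit ACEs from inherited ones by the ACE flag "ID". The sample descriptors are constructed, and the threshold of five explicit ACEs is an arbitrary assumption.

```python
"""Count explicit versus inherited ACEs in SDDL security descriptors.

Added example, not code from the Knowledge Base article. The article's advice
is to keep small the number of objects that carry their own access control
entries. This parses the DACL of a security descriptor in SDDL string form
and reports how many ACEs are explicit and how many are inherited (ACE flag
"ID"). The descriptors below are constructed samples and the threshold is an
arbitrary assumption.
"""
import re
from typing import Dict, List, Tuple

# "D:" followed by optional DACL control flags (e.g. P, AI, AR) and the ACE list.
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_aces(sddl: str) -> List[dict]:
    """Return one dict per DACL ACE: type, rights, trustee SID/alias, inherited flag."""
    m = DACL_RE.search(sddl)
    if m is None:
        return []
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields[:6]
        # ACE flags are fixed two-letter tokens (CI, OI, NP, IO, ID, SA, FA).
        tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"type": ace_type, "rights": rights, "trustee": trustee,
                     "inherited": "ID" in tokens})
    return aces


def summarize(sddl: str) -> Tuple[int, int]:
    """(total ACEs, explicit ACEs) in the DACL."""
    aces = parse_aces(sddl)
    return len(aces), sum(1 for a in aces if not a["inherited"])


def flag_heavy_objects(descriptors: Dict[str, str], max_explicit: int = 5) -> List[str]:
    """DNs whose DACL carries more explicit ACEs than `max_explicit` (assumed threshold)."""
    return [dn for dn, sddl in descriptors.items() if summarize(sddl)[1] > max_explicit]


# Constructed samples: one lightly delegated OU and one object with many
# per-user explicit ACEs of the kind the article warns about.
SAMPLE_DESCRIPTORS = {
    "OU=Sales,DC=corp,DC=example":
        "O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)"
        "(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRLCLOCCDCRCWDWOSDSW;;;BA)",
    "CN=HighlyDelegated,OU=Sales,DC=corp,DC=example":
        "O:DAG:DAD:AI"
        + "".join(f"(A;;RPWP;;;S-1-5-21-1111-2222-3333-{1100 + i})" for i in range(7))
        + "(A;CIID;RPLCLORC;;;AU)(A;CIIOID;GA;;;SY)",
}

if __name__ == "__main__":
    for dn, sddl in SAMPLE_DESCRIPTORS.items():
        total, explicit = summarize(sddl)
        print(f"{dn}: {total} ACEs, {explicit} explicit")
    print("over threshold:", flag_heavy_objects(SAMPLE_DESCRIPTORS))
```

Inherited ACEs cost nothing extra per object, since they are copies of a parent's entries; the explicit count is the one to drive down, by granting rights at the OU level and letting inheritance carry them.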
LDIFDE Does Not Import
Users from Trusted Domains
Microsoft Knowledge Base Article: 279259 - When
you use the LDIFDE utility (Ldifde.exe) to export
and import users or groups for Windows 2000-based
domains, users from trusted domains do not get
added back to the Windows 2000 domain groups.
When you run the import command in verbose
mode, you may receive the following message,
and LDIFDE may skip the object: The
object does not exist.
Lsass.exe Stops Working
Intermittently on a Domain Controller or Global
Catalog
Microsoft Knowledge Base Article: 300621 - When
Lsass.exe is running on a domain controller,
Lsass.exe may generate an access violation.
The server reboots automatically after the access
violation. This problem may occur on a domain
controller that is a global catalog and is also
the target of the Recipient Update service from
Microsoft Exchange 2000 Server.
Malformed Request
to Domain Controller Can Cause Memory Exhaustion
Microsoft Knowledge Base Article: 294391 -
A core service that runs on all Windows 2000
domain controllers (but not on any other computers),
contains a memory leak that can be triggered
when the service attempts to process a certain
type of invalid service request. By repeatedly
sending such a request, an attacker could deplete
the available memory on the server. If memory
were sufficiently depleted, the domain controller
(DC) could become unresponsive, which would
prevent it from processing logon requests or
issuing new Kerberos tickets. Note that an affected
computer could be restored to service by rebooting.
Maximum of 854
DHCP Servers in Active Directory
Microsoft Knowledge Base Article: 264631
- You can define a maximum of 854 DHCP servers
in Active Directory. If you try to authorize
additional DHCP servers, you receive an error
message.
Mixed Mode Active
Directory Users Denied Access to Exchange 2000
Public Folder
Microsoft Knowledge Base Article: 252470 - Active
Directory users are unable to gain access to
public folders.
MSDSS May Delete
a User Account
Microsoft Knowledge Base Article: 323738 - When
Microsoft Directory Synchronization Services
(MSDSS) reverse synchronization does not read
a GUID from the Novell Directory Services (NDS)
tree, MSDSS may delete the account from Active
Directory.
MSDSS Migration of
Users from NDS Does Not Finish Successfully
Microsoft Knowledge Base Article: 291134 - When
you use Microsoft Directory Synchronization
Services (MSDSS) to migrate users from Novell
Directory Services (NDS) to Active Directory,
the migration may not finish successfully and
you may receive an error message that is similar
to: MSDSS did not initialize
the reverse synchronization or migration session
- not enough storage is available.
More Than 15 IP Addresses
Assigned to Server Causes Active Directory-Related
Problems
Microsoft Knowledge Base Article: 258960 - After
you add 16 or more IP addresses to a domain
controller and then try to apply Group Policy,
events similar to the following events are recorded
in the Application log and the policy settings
are not applied:
More Than 15 IP Addresses
Assigned to Server Cause Active Directory Problems
Microsoft Knowledge Base Article: 261197 - Adding
more than 15 IP addresses to a Windows 2000-based
domain controller causes Group Policy to stop
being refreshed. The following system events
are reported simultaneously in the Application
Service log:
MSDSS Migration Does
Not Work If Multiple Naming Attributes Are Present
for an Object
Microsoft Knowledge Base Article: 270159 - When
you perform a migration from Novell Directory
Services (NDS) to Active Directory by using
Microsoft Directory Synchronization Services
(MSDSS), the migration process may stop unexpectedly
and you may receive the following error message:
Windows cannot run the initial reverse synchronization
or migration session, the ADSI path was not
found. This problem occurs when MSDSS
encounters an object with multiple naming attributes
set.
Ntbackup.exe Does
Not Truncate Active Directory Logs During a
System-State Backup
Microsoft Knowledge Base Article: 272425 - When
you create a system-state backup on a domain
controller (DC), the NTDS logs are not cleaned
up. The NTDS logs are being copied from the
Edb.log file to an Edbxxxxx.log file
each time backup runs, but the Edbxxxxx.log
files are not deleted. The log files would normally
be deleted by the circular logging nature of
the DS. However, because some environments do
not incur many changes, circular logging may
appear to not work because it takes a long time
to purge these files and disk space is wasted
during this time.
On-Line Restoration
of Active Directory Is Not Supported in Windows
2000
Microsoft Knowledge Base Article: 296257 - This
article provides information about the Microsoft
policy regarding technical support for products
from Independent Software Vendors (ISVs) that
perform on-line restoration of selected objects
(such as user objects) within Active Directory.
Permissions for Distribution
Group Are Not in the Standard Format
Microsoft Knowledge Base Article: 290801 - When
you use Active Directory Users and Computers
to view permissions for a distribution group
whose membership is hidden, the Special Security
message box is displayed. The following
message is displayed in the message box:
Problems Changing
Nested Global Group Scope to Universal Group
Microsoft Knowledge Base Article: 268277 - In
the Active Directory Users and Computers tool,
in Native mode, you can change the scope of a
global group that is nested inside another global
group to universal. You should not do this: a
global group can contain only accounts and other
global groups from its own domain, so a universal
group cannot be a member of a global group, and
the conversion leaves the parent global group with
an invalid member.
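The rule behind the article's warning can be enforced before a scope change is made. The following checker is an added example and not code from the Knowledge Base article or from the Active Directory tools; it models only the membership rule the article relies on (a universal group can never be a member of a global group) and uses a constructed sample domain with invented group names.

```python
"""Check whether a nested global group can safely become a universal group.

Added example, not code from the Knowledge Base article. It models the
membership rule the article relies on: a global group may contain only
accounts and other global groups from its own domain, so a universal group
can never be a member of a global group. Converting a global group that is
nested inside another global group therefore leaves the parent with an
invalid member. The group names and the sample domain are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domainLocal"


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: List[str] = field(default_factory=list)  # names of member groups


def parents_of(name: str, groups: Dict[str, Group]) -> List[str]:
    """Groups that list `name` as a direct member."""
    return [g.name for g in groups.values() if name in g.members]


def conversion_blockers(name: str, groups: Dict[str, Group]) -> List[str]:
    """Why the global group `name` cannot become universal; empty if it can."""
    group = groups[name]
    if group.scope != GLOBAL:
        return [f"{name} is {group.scope}, not global"]
    # Universal groups may hold members from any domain, so the group's own
    # members never block the change; only a global parent does.
    return [f"{name} is a member of global group {parent}"
            for parent in parents_of(name, groups)
            if groups[parent].scope == GLOBAL]


def convert_to_universal(name: str, groups: Dict[str, Group]) -> None:
    """Change scope to universal, refusing the change the snap-in would let through."""
    blockers = conversion_blockers(name, groups)
    if blockers:
        raise ValueError("; ".join(blockers))
    groups[name].scope = UNIVERSAL


def build_sample_domain() -> Dict[str, Group]:
    """Constructed example: Sales-East-GG is nested in Sales-GG; both are global."""
    groups = [
        Group("Sales-GG", "corp", GLOBAL, members=["Sales-East-GG"]),
        Group("Sales-East-GG", "corp", GLOBAL),
        Group("Finance-GG", "corp", GLOBAL),
        Group("Printers-DL", "corp", DOMAIN_LOCAL, members=["Finance-GG"]),
    ]
    return {g.name: g for g in groups}


if __name__ == "__main__":
    domain = build_sample_domain()
    print(conversion_blockers("Sales-East-GG", domain))  # nested in a global group
    print(conversion_blockers("Finance-GG", domain))     # domain local parent is fine
    convert_to_universal("Sales-GG", domain)             # top-down order works
    print(conversion_blockers("Sales-East-GG", domain))  # now allowed
```

The sample shows the practical consequence: convert the outermost global group first, after which the groups nested in it can follow, whereas converting an inner group first produces the invalid membership the article describes. A global group nested in a domain local group (Finance-GG in Printers-DL) is unaffected, because domain local groups may contain universal groups.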
"Run Only Allowed
Applications" List in Organizational Unit GPO
Becomes Corrupted
Microsoft Knowledge Base Article: 263179 - If
you add long file names in the "Run Only Allowed
Applications" list in an organizational unit
group policy, the list becomes corrupted after
the total number of characters exceeds 1,024.
Server for NIS Cannot
Process Commas in User's Display Name
Microsoft Knowledge Base Article: 298831 - With
Windows 2000, new users are added by using the
Active Directory Users and Computers tool. The
display name field for a user is normally formatted
as "FirstName LastName". However, depending
on what other software you have installed, the
display names may be formatted as "LastName,
Firstname". Note that Microsoft Exchange is
an example of a program that may format display
names differently.
Time Synchronization
May Not Work Properly on Domain Controllers
on the Same Site as the Child Domain PDC
Microsoft Knowledge Base Article: 297025 - If
you have a Windows 2000 Active Directory architecture
with a parent domain and a child domain, the
default time-synchronization mechanism may not
work if a domain controller in the child domain
is used for synchronization because it is closest,
even though the parent domain controller is
available for synchronization.
Unable to Add More
Than One User or Object with the Same Name to
Active Directory
Microsoft Knowledge Base Article: 234051 - When
you attempt to add a new user or object to the
Active Directory (AD), you are unable to do
so and one of the following error messages may
be displayed:
Unable to Establish
an Explicit Trust Between Windows 2000-Based
Domains
Microsoft Knowledge Base Article: 312003 - When
you attempt to establish an explicit trust between
two Windows 2000-based domains that are in different
forests, you may receive the following error
message:
Unable to Obtain
Home Directory Drive Connection in a Mixed Environment
Microsoft Knowledge Base Article: 262890 - When
a user's environment is mixed with Microsoft
Windows NT 4.0 BDCs and Windows 2000 DCs while
the LmCompatibilityLevel registry entry is in
use for higher security, the home directory
drive connection may not appear on the Windows
2000 Professional client computer.
Unsuccessful Replication
Without Partner Listed
Microsoft Knowledge Base Article: 232538 - Any
of the following situations may occur with Active
Directory replication: 1) A replication connection
object to a domain controller, either in the
same domain or a trusted domain, is not created
because the remote domain controller is not
listed in the Active Directory Sites and Services
Find Domain Controllers dialog box. 2) A replication
connection is not automatically established
between a local domain controller and a remote
domain controller, either in the same or a trusted
domain, because the necessary NTDS Settings
object does not appear for the server in the
Active Directory Sites and Services administrative
tool.
Users Cannot Log
On to the Domain After Password Changes on a
Remote Domain Controller
Microsoft Knowledge Base Article: 318364 - After
you change a user account password on a remote
domain controller that holds the primary domain
controller (PDC) Flexible Single Master Operation
(FSMO) role, the user may not be able to log
on to a local domain controller by entering
the new password. However, the user may still
be able to log on to the domain by using their
previous password.
Windows 2000 Cluster
Service Does Not Publish Clustered Printers
in Active Directory
Microsoft Knowledge Base Article: 300896 - The
Cluster service supports the clustering of printer
resources to provide highly-available printers
to users. The Cluster service is not Active
Directory aware and, because of this, does not
use Kerberos authentication; where it cannot
authenticate for this reason, access is not
allowed. When clustered printers are published
to Active Directory, they may not be registered
properly, and because of this, may not be returned
on a search (depending on the choices that are
made during the Dcpromo.exe process).
Windows 2000 Directory
Service Agent Fails to Maintain Exclusive Control
of Port 389
Microsoft Knowledge Base Article: 266657 - If
you install an application on a domain controller
(DC) that binds a listener to port 389,
multiple failures are seen on the DC. These
include failures running Dcpromo, startup failures
of the Inter-Site Messaging service, and
NTFRS preventing a machine from becoming a DC.
You can usually detect this by using Ldp.exe
from the Support Tools to confirm whether you
can connect to Active Directory on port 389
on each DC.
You Cannot Update
the SID History for Group with the Active Directory
Migration Tool
Microsoft Knowledge Base Article: 269352 - When
you migrate groups with the Active Directory
Migration tool, you may receive the following
error message in the Active Directory Migration
log file: SID History cannot
be updated for <group> because the SID
for <group> already exists in the forest.
rc=8539. Running net helpmsg 8539 yields
the following error text: The
source object's SID already exists in destination
forest.