FRAMINGHAM (04/06/2000) - Users have uncovered a bug in Microsoft Corp.'s Windows 2000 operating system that could leave them without the ability to access or manage Active Directory.
The bug is linked to the number of IP (Internet Protocol) addresses that are assigned to a single NIC (network interface card) or multiple NICs in a Windows 2000 server that is acting as a domain controller.
On servers hosting more than 51 IP addresses, all of the objects in Active Directory will disappear. In addition, the server will return an error message saying it is not operational when administrators try to access Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.
"Clients are locked out from authentication and administrators are locked out from management," says Brian Bergin, president of Terabyte Computers, a consulting firm in Boone, North Carolina. Bergin brought the bug to Microsoft's attention after it was discovered by another user.
Officials at the BugNet Web site also were able to re-create the bug, with a slight difference. They said they were able to log on to Active Directory and browse the network, but could not see directory entries. They also said they could no longer manage users and resources in Active Directory. BugNet also is investigating whether or not the bug affects the Domain Name System in Windows 2000, but has yet to reach any conclusions.
Microsoft has confirmed the bug and is working on a hot fix, according to a Knowledge Base article on its Web site.
Microsoft has not said when patch will be available. "This issue is relatively arcane, given that most organizations deploying multi-homed servers supporting many IP addresses would deploy domain controllers on separate machines for greater fault tolerance and higher availability," says a Microsoft spokesman.
The inclusion of 51 IP addresses on a single domain controller is not a common occurrence for most users, but could be an issue in a variety of scenarios.
Large enterprises with multiple subnets could conceivably have more than 51 IP addresses "bound" to a single network interface card, or multiple NICs, in their domain-controller servers.
"The most common applications using more than one IP address would be mail servers, multiple or virtual Web site hosting on Internet Information Server, or subnetting," says Eric Bowden, general manager of BugNet.
Bowden said ISPs and Web hosting companies are most likely to have more than 51 IP addresses on a single server. Bowden said the bug also could affect DHCP (Dynamic Host Configuration Protocol) services, and ASPs (application service providers), which would be limited in the number of customers serviced from a single Windows 2000 server.
The limitations seem odd, given that Unix and Linux systems can host hundreds of IP addresses on a single machine.
Bergin ran into the problem in an installation for a customer that was hosting its user authentication (through Active Directory) and an FTP service on the same domain controller.
Although Bergin admits that might not be the best configuration, he says Microsoft's advice to set up a separate server just for authentication is not always feasible for some users.
"Microsoft can't assume everyone can put up, or should put up, multiple boxes just to authenticate users, especially when there isn't a load issue," Bergin says. "For a smaller company, that can be a major expenditure. And for Microsoft to say 'just set up another server' is a blow-off."
For now, Bergin is going to set up an extra server to solve the issue. "But this causes enough problems with Active Directory that I have to ask what else is wrong," he says.
Bergin says it is not so much the bug that bothers him as the way Microsoft handled the problem. He says it took nearly a week for Microsoft to even test the bug in the lab after it was reported on March 23. At first, Microsoft told him it was a "resource problem."
When BugNet contacted Microsoft, the company said no one had reported the bug even though it had heard from Bergin four days earlier. Microsoft told BugNet it would take it "very seriously" if someone did report the bug.
Microsoft is now taking it seriously and says the problem lies in its LDAP API (wldap32.dll), according to the Knowledge Base article at http://support.microsoft.com/support/kb/articles/q258/8/11.asp.
In the interim before a hot fix is available, Microsoft is advising users to remove enough IP addresses from the domain controller so the total number does not exceed 51.