Active Directory-related KnowledgeBase articles for November 2011
While days are getting shorter in my part of the world, Microsoft relentlessly continues to address issues in Active Directory. Between November 1, 2011 and November 30, 2011, Microsoft introduced one Active Directory-related KnowledgeBase article with information, seven Active Directory-related KnowledgeBase articles with hotfixes, one KnowledgeBase article linked to an Active Directory-related Security Bulletin and five revised Active Directory-related KnowledgeBase articles.
New informational KnowledgeBase articles
2200187 Troubleshooting Active Directory operations that fail with error 1256: The remote system is not available.
This article describes the symptoms, cause, and resolution steps for cases when Active Directory replication fails with error 1256: The remote system is not available.
New hotfixes to address issues
2561285 You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
When you deploy Group Policy preferences (GPP) that use item-level targeting based on security groups to a client computer running Windows 7 or Windows Server 2008 R2, a user of the client computer experiences a long domain logon time. This issue occurs because item-level targeting uses recursive group membership queries to determine which groups the computer is a member of. Also, when you apply a Group Policy preference by using item-level targeting for security groups, local ports are leaked in an OPEN_WAIT state and the computer stops responding. A hotfix is available.
2618669 An update is available to detect and prevent too much consumption of the global RID pool on a domain controller that is running Windows Server 2008 R2
To enable each Active Directory domain controller to create new security principals, each domain controller is allocated current and standby RID pools from the RID master. Under certain rare circumstances, a domain controller may issue recurring requests for RIDs from the global RID pool every 30 seconds. A hotfix is available.
2581608 Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2
An issue has been identified in the boxing feature that speeds up the startup experience in the operating systems listed above. This feature runs applications that are started from common startup locations at a reduced priority for the first 60 seconds after you start the computer. Additionally, the feature runs applications that you start manually at an increased priority. This behavior normally results in a faster startup experience. However, some logon scripts must be run asynchronously. These logon scripts are boxed and have a very low I/O priority. Therefore, these logon scripts take a long time to run. A hotfix is available.
2616886 Group membership is emptied on a Windows Server 2008 R2-based RODC after the group is converted from a universal group into a global domain group or a local domain group
This issue occurs because member links are removed incorrectly from the RODC when they are removed from the global catalog (GC) during the conversion from a universal group into a global or local domain group. It only affects Read-only Domain Controllers. A hotfix is available.
2577917 Unlocking a user account fails when using ADAC or the Unlock-ADAccount cmdlet in Windows 7 or Windows Server 2008 R2 even if sufficient permissions are granted
This issue occurs because the user account does not have write access to the UserAccountControl attribute. In ADAC and the Unlock-ADAccount cmdlet, a different method to unlock a user account is implemented. This method requires write access to the UserAccountControl attribute. Therefore, this issue occurs if the user account does not have the necessary write access. A hotfix is available.
2625430 Private key permissions are reset to the default values if a machine certificate is renewed by the Certificate Autoenrollment feature in Windows 7 or in Windows Server 2008 R2
In an Active Directory domain with the Certificate Autoenrollment feature enabled, after you’ve changed the private key permissions on a previously autoenrolled machine certificate, the private key permissions on the machine certificate are reset to the default values (Local System: Full Control & Administrators: Full Control) when the certificate gets renewed. A hotfix is available to correct the problem.
2625735 DNS queries for external domains are not resolved when you use Conditional Forwarding in Windows Server 2008
When you use the Conditional Forwarding feature on a DNS server that is running Windows Server 2008 to forward DNS queries for external domains, the DNS server may not resolve the DNS queries for external domains. This issue occurs because the DNS queries time out if the traffic from delegations is blocked by a firewall. A hotfix is available.
Revised KnowledgeBase articles
914387 How to configure daylight saving time for Microsoft Windows Operating Systems
975697 An LDAP client authentication request fails when the Digest-MD5 SASL subsequent authentication mechanism is used
977346 The Welcome screen may be displayed for 30 seconds during the logon process after you set a solid color as the desktop background in Windows 7 or in Windows Server 2008 R2
942219 You are prompted for user credentials when you try to access a business application that is configured to use the Single Sign-On (SSO) feature on a Windows Vista-based client computer
975808 All IP addresses are registered on the DNS servers when the IP addresses are assigned to one network adapter on a computer that is running Windows Server 2008 SP2 or Windows Vista SP2