Silicon Investor (SI) -- The First Internet Community

STOCKTALK

We've detected that you're using an ad content blocking browser plug-in or feature. Ads provide a critical source of revenue to the continued operation of Silicon Investor. We ask that you disable ad blocking while on Silicon Investor in the best interests of our community. If you are not using an ad blocker but are still receiving this message, make sure your browser's tracking protection is set to the 'standard' level.

Technology Stocks : All About Sun Microsystems -- Ignore unavailable to you. Want to Upgrade?

To: Charles Tutt who wrote (30304)	4/8/2000 12:05:00 AM
From: A.L. Reagan	Respond to of 64865

Bug knocks Active Directory for a loop IP address issue can wipe out directory services. By John Fontana Network World, 04/06/00 Users have uncovered a bug in Windows 2000 that could leave them without the ability to access or manage Active Directory. The bug is linked to the number of IP addresses that are assigned to a single network interface card (NIC) or multiple NICs in a Win 2000 server that is acting as a domain controller. On servers hosting more than 51 IP addresses, all of the objects in Active Directory will disappear. In addition, the server will return an error message saying it is not operational when administrators try to access Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services. "Clients are locked out from authentication and administrators are locked out from management," says Brian Bergin, president of Terabyte Computers, a consulting firm in Boone, N.C. Bergin brought the bug to Microsoft's attention after it was discovered by another user. Officials at the BugNet Web site also were able to recreate the bug, with a slight difference. They said they were able to log on to Active Directory and browse the network, but could not see directory entries. They also said they could no longer manage users and resources in Active Directory. BugNet also is investigating whether the bug affects the Domain Name System in Win 2000, but has yet to reach any conclusions. Microsoft has confirmed the bug and is working on a hotfix, according to a Knowledge Base article on its Web site. Microsoft has not said when patch will be available. "This issue is relatively arcane, given that most organizations deploying multi-homed servers supporting many IP addresses would deploy domain controllers on separate machines for greater fault tolerance and higher availability," says a Microsoft spokesman. The inclusion of 51 IP addresses on a single domain controller is not a common occurrence for most users, but could be an issue in a variety of scenarios. Large enterprises with multiple subnets could conceivably have more than 51 IP addresses "bound" to a single network interface card, or multiple NICs, in their domain controller servers. "The most common applications using more than one IP address would be mail servers, multiple or virtual Web site hosting on Internet Information Server, or subnetting," says Eric Bowden, general manager of BugNet. Bowden said ISPs and Web hosting firms are most likely to have more than 51 IP addresses on a single server. Bowden said the bug also could affect Dynamic Host Configuration Protocol services, and application service providers, which would be limited in the number of customers serviced from a single Win 2000 server. The limitations seem odd, given that Unix and Linux systems can host hundreds of IP addresses on a single machine. Bergin ran into the problem in an installation for a customer that was hosting its user authentication (through Active Directory) and an FTP service on the same domain controller. While Bergin admits that might not be the best configuration, he says Microsoft's advice to set up a separate server just for authentication is not always feasible for some users. "Microsoft can't assume everyone can put up, or should put up, multiple boxes just to authenticate users, especially when there isn't a load issue," Bergin says. "For a smaller company, that can be a major expenditure. And for Microsoft to say 'just set up another server' is a blowoff." For now, Bergin is going to set up an extra server to solve the issue. "But this causes enough problems with Active Directory that I have to ask what else is wrong," he says. Bergin says it's not so much the bug that bothers him as the way Microsoft handled the problem. He says it took nearly a week for Microsoft to even test the bug in the lab after it was reported on March 23. At first, Microsoft told him it was a "resource problem." When BugNet contacted Microsoft, the company said no one had reported the bug even though it had heard from Bergin four days earlier. Microsoft told BugNet it would take it "very seriously" if someone did report the bug. Microsoft is now taking it seriously and says the problem lies in its Lightweight Directory Access Protocol API (wldap32.dll), according to the Knowledge Base article at support.microsoft.com/support/kb/articles/q258/8/11.asp. In the interim before a hotfix is available, Microsoft is advising users to remove enough IP addresses from the domain controller so the total number does not exceed 51. nwfusion.com