SP1 and Directory Services: What’s New

Updated to include SP1 being RTM and some last minute fixes that were included post RC

Hi all, Ned here again. Back in October I joined the Windows Server 2008 R2 Service Pack 1 beta support team. Our job is to support customers in a special early adopters program. As SP1 has now released, I’m frequently asked about what changes were added for Directory Services. Today I address some specifics:

What does “Support for Managed Service Accounts (MSAs) in secure branch office scenarios” mean, as stated in the SP1 "notable changes" doc?
What does “Support for increased volume of authentication traffic on domain controllers connected to high-latency networks” mean, as stated in the SP1 "notable changes" doc?
What other updates are included in SP1 for Directory Services?

Remember, the QFEs listed below are all publically available, so if you are skimming the list and have a “oh heck, we’re having that issue” moment you can install anytime. Some of these issues are preventable as well so use your best judgment – an update to prevent NTFS corruption doesn’t fix the damaged files, after all.

Release the Kraken!

The MSA thing

This scenario referenced by the release notes refers to:

You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2 - http://support.microsoft.com/kb/978836

In this case you have RODCs in a network that users can directly access, but those same users cannot access writable DCs (a DMZ or oddly configured branch office). After you apply SP1 the RODC will know how to forward the request on to a writable DC for MSA operations.

To fix it is install SP1 (or that hotfix) on all your RODCs.

The authentication thing

This scenario referenced by the release notes refers to:

A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2, Windows 7, Windows Server 2008, or Windows Vista in a high latency network - http://support.microsoft.com/kb/975363

This one is more complicated. Netlogon has a "throttle" that controls the maximum number of simultaneous calls over a secure channel. On DCs this includes the secure channels of external trusted domains (i.e. not Kerberos forest trusts). On member computers this is to authenticating DCs for intra-forest requests or requests to other domains/forests. On high latency networks with a ton of NTLM authentication, applications could start having issues authenticating, ranging from slow performance to errors. MaxConcurrentAPI controls this through a registry value:

Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: MaxConcurrentApi
Data Type: REG_DWORD

The default value if this registry value name does not exist is 1 if a DC, 2 if a member server, and 1 if a client – it has been since NT 4.0 and that has never changed. Until this update is applied, the maximum value is 10. After the update is installed, the maximum value is 150. Generally speaking, since DCs are authenticating users and most companies are not heavily using local member accounts, it only needs to be set on domain controllers.

For all those folks that got scared when we recommended setting the value to 10 in order to fix your issue, this is the proof that you were being paranoid. :) You will see more DC memory usage when you raise the value, but your alternative is obviously far worse.

This has no effect on Kerberos at all and Kerberos is not restricted in this fashion. If you’re using NTLM unnecessarily (misconfigured app, older version app, crummy app, external trust instead of forest trust, etc.) then getting Kerberos in gear is a much better solution than registry band-aids.

Other updates

There are 795 public fixes that were rolled into SP1 and they’re all listed here:

Hotfixes and Security Updates included in Windows 7 and Windows Server 2008 R2 Service Pack 1.xls

Of these, 104 can be considered “pure” Directory Services updates if you go off the list of what gets supported by the DS team here in Microsoft. Another 59 updates fix things that victimize DS – stuff like networking, file system, SMB, or backups. There are other fixes in SP1 as well. Sometimes issues never get public attention or a QFE would be too expensive or risky; service pack testing is far more comprehensive. I’m not including security updates, you already have those from Windows Update (right?!)

There are some fairly interesting new things here besides the two arbitrary ones in the release notes, I recommend giving these tables a look. For example:

977542 - A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode
979294 - The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7
980254 - The "dsget user -memberof -expand" command returns incorrect results in Windows Server 2008 R2 and in Windows 7
980360 - Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2

Pure DS updates

KB Article	KB Title
969851	Instead of the specified startup program, the whole desktop is started on a remote desktop connection when you change the "Terminal Services Profile" setting for the user account
969867	FIX: You cannot import or paste some group policies across domains by using the "Group Policy Management" MMC snap-in
970840	Some settings in Group Policy Preferences for Internet Explorer 7 do not deploy correctly to computers that are running Windows Server 2008 or Windows Vista
971277	You cannot access an administrative share on a computer that is running Windows Vista or Windows Server 2008 after you set the SrvsvcDefaultShareInfo registry entry to configure the default share permissions for a network share
971338	The terminal server roaming profile of a user account is not loaded correctly on a terminal server that is running Windows Server 2008 R2 or Windows Server 2008 after the user password is changed during session logon
972069	A terminal server that is running Windows Server 2008 cannot obtain terminal licenses from a Terminal Server license server that is running Windows Server 2008 after you enable the "License Server Security Group" Group Policy setting
974893	FIX: An unexpected Failure Audit event is logged for the local credential when you run a .NET Framework 2.0-based application that tries to connect to a remote computer
975142	You cannot install Active Directory Domain Services on a member server that is running Windows Server 2008 or Windows Server 2008 R2 in a branch office if the DNS and LDAP communication between the branch office and the forest root domain is blocked
975363	A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network
976398	LDAP filters in the Group Policy preference settings do not take effect on a computer that is running Windows Server 2008 R2 or Windows 7
976399	FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings
976424	Error code when the kpasswd protocol fails after you perform an authoritative restore: "KDC_ERROR_S_PRINCIPAL_UNKNOWN"
976494	Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2
976586	Error in Windows 7 or Windows Server 2008 R2 when unlocking a computer or switching users
976655	You cannot perform a system state restore in the Directory Service Restore mode on a read-only domain controller that is running Windows Server 2008 R2 if DFS Replication is used to replicate the SYSVOL folder
977180	Error message when an application or a service tries to query for any deleted objects by using a well-known GUID in a Windows Server 2008 R2-based domain if paged search is used: "0x8007202c Critical extension is unavailable"
977184	You cannot install Active Directory on an iSCSI boot computer that is running Windows Server 2008 R2
977222	No private key is associated with a certificate after you successfully install the certificate on a computer that is running Windows 7 or Windows Server 2008 R2
977229	You are unable to update the target location of offline file shares in the Offline File client side cache without administrative permission in Windows Server 2008 R2 or in Windows 7
977346	The Welcome screen may be displayed for 30 seconds during the logon process after you set a solid color as the desktop background in Windows 7 or in Windows Server 2008 R2
977353	A Group Policy Immediate Task preference item does not run on a client computer that is running Windows 7 or Windows Server 2008 R2
977397	The icon of an offline file that you changed in offline mode always indicates that synchronization is successful even when the synchronization fails on a client computer that is running Windows 7
977542	A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode
977579	Error message when you try to open a 3DES encrypted file that is migrated from Windows XP to Windows 7 or to Windows Server 2008 R2: "Access Denied"
977692	The Lsass.exe process exits unexpectedly on a domain controller that is running Windows Server 2008 R2 after a password is synchronized in Identity Management for UNIX (IDMU)
977695	The SceCli 1202 events are logged when some Group Policy settings are refreshed in Windows Server 2008 R2 and in Windows 7
977944	The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
978034	Active Directory Certificate Services cannot be reinstalled by using the "Use existing private key" option on a computer that is running in Windows Server 2008 R2
978116	In an MIT realm, user authentication fails after invalid credentials are received on a computer that is running Windows 7 or Windows Server 2008 R2
978387	FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621
978489	Logoff process stops responding after you create a logoff Group Policy script on a client computer that is running Windows Vista or Windows Server 2008
978836	You cannot create or delete managed service accounts in a perimeter network in Windows 7 or in Windows Server 2008 R2
978837	The Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings
978838	Error message when you run the "Set-GPPermission" cmdlet or the "Get-GPPermission" cmdlet: ""_ploc" is not a valid security group"
978918	Error code when an application uses the CredSSP in Windows Server 2008 R2: "0x80090329"
978977	An exclamation mark (!) may be displayed next to the smartcard reader in Device Manager after you start Windows 7 or Windows Server 2008 R2
979039	Error message when you view or modify the migrated Group Policy objects in Windows Server 2008 R2: "Attribute cannot be empty"
979214	The DirSync control search does not return the deactivated linked attributes from a modified object in a Windows Server 2008 R2-based domain
979294	The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7
979383	After you apply a WMI filter, the GPO does not take effect on a client computer that is running Windows 7 or Windows Server 2008 R2
979524	The DFS Replication service crashes randomly in x64-based versions of Windows Server 2008 R2
979548	You cannot enter an agreement number of a volume license that contains more than seven digits in Remote Desktop Licensing Manager or in TS Licensing Manager
979564	The DFS Replication Management Pack shows alerts for cluster network names that are in the “healthy” status on a Windows Server 2008 R2 failover cluster
979645	You cannot use a script to join a computer automatically into a specified OU in a Windows 2000 domain when the computer is running Windows 7 or Windows Server 2008 R2
979646	Some folders or some files are unexpectedly deleted on the upstream server after you restart the DFS Replication service
979731	Some Group Policy preferences are not applied successfully on computers that are running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2
979808	"Robocopy /B" does not copy the security information such as ACL in Windows 7 and in Windows Server 2008 R2
980027	A Windows Server 2008 domain controller or a Windows Server 2008 R2 domain controller cannot allocate new ports when Server for NIS is running
980254	The "dsget user -memberof -expand" command returns incorrect results in Windows Server 2008 R2 and in Windows 7
980360	Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
980628	The "Load a specific theme" Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2
980654	The DFS Replication service stops responding on the downstream server in Windows Server 2008 R2
980909	"The home folder could not be created" remote desktop error in Windows Server 2008 R2
980933	The Licensing Diagnosis tool returns a value of “0” for the number of RDS CALs that are available in Windows Server 2008 R2
981054	The Group Policy preference settings for the "Terminal Session" item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2
981111	An update is available for Best Practices Analyzer for the File Services role in x64 editions of Windows Server 2008 R2
981118	The CryptDecrypt function fails when you try to decrypt encrypted content on a computer that is running Windows 7 or Windows Server 2008 R2
981265	You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2
981394	A computer restarts when multiple Kerberos authentication requests are made at the same time in Windows 7 or in Windows Server 2008 R2
981750	Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: "An error has occurred while collecting data for Software Restriction Policies"
981844	Smartcard application cannot read information from some smartcards on a computer that is running Windows 7 or Windows Server 2008 R2
981872	Access to a redirected folder or a home drive disconnects regularly on a computer that is running Windows Server 2008 R2 and Windows 7
981890	The user profile is not updated when you configure a client computer that is running Windows 7 or Windows Server 2008 R2 to use roaming user profiles
981936	Lots of the Event ID 476 events are logged when you use the Ntdsutil.exe tool to create an RODC installation media in Windows Server 2008 or in Windows Server 2008 R2
982606	The value of the "State" registry item is changed after a Group Policy preferences setting is applied in Windows Server 2008, in Windows Vista or in Windows Server 2008 R2
983402	The debug symbol file that corresponds to Dsadmin.dll is missing in Active Directory Lightweight Directory Services (AD LDS) for Windows 7
983531	You experience a significant delay when you try to log on to an Active Directory site from a computer that is running Windows 7 or Windows Server 2008 R2
983544	The "Modified time" file attribute of a registry hive file is updated when an application loads and then unloads the registry hive file without making any changes on a computer that is running Windows Server 2008 R2 or Windows 7
983551	Windows 7 or Windows Server 2008 R2 stops responding at the "Please wait" screen before you are requested to press Ctrl+ALT+DEL
983618	Some Group Policy settings are not displayed in the Group Policy Results report in Windows Server 2008, in Windows Vista, in Windows Server 2008 R2, or in Windows 7
983620	You cannot access a DFS share through a mapped network drive on a computer that is running Windows 7 or Windows Server 2008 R2
2028960	The Offline Files Disk Usage Limits settings do not reflect the settings that are defined in the GPO in Windows 7
2028962	The "Active Directory Users and Computers" MMC snap-in does not list all the accounts that have passwords cached on the RODC in Windows
2028988	The DFS Namespaces service requires a long time to process a "NetDfsAdd" request when a duplicated DFS link exists in Windows Server 2008 R2
2157973	The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
2171571	You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain
2254754	You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
2258620	You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
2274102	An application that uses DES encryption for Kerberos authentication cannot run on a Windows XP-based client computer in a Windows Server 2008 domain
2275950	An error occurs when you try to establish SSL connections to the nodes by using the alias name from an LDAPS client computer that is running Windows 7 or Windows Server 2008 R2
2276597	"LDAP_AUTH_UNKNOWN (0x56)" error code occurs when you call the "ldap_set_option" function in Windows 7 or in Windows Server 2008 R2 if you use the "LDAP_OPT_SASL_METHOD" session option
2284538	"Apply once and do not reapply" Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2
2285823	The DFS Namespace service becomes inaccessible if the domain controller that plays the Inter-Site Topology Generator (ISTG) role is down on a Windows Server 2008 R2-based computer
2285835	An outgoing replication backlog occurs after you convert a read/write replicated folder to a read-only replicated folder in Windows Server 2008 R2
2302077	You experience poor performance when you call the "CryptAcquireContext" function in Windows Server 2008 R2 or in Windows 7
2345131	The logon screen appears two times when you resume a Windows 7-based or Windows Server 2008 R2-based computer from Sleep (S3) or from Hibernation (S4)
2351254	The StrongCRLCheck setting does not work on a Windows Server 2008 R2-based computer that has the RRAS role service installed
2379592	"Object reference not set to an instance of an object" error message when you view the GPO backup settings in the Group Policy Management Console
2382370	You cannot apply a Wi-Fi Protected Access 2 (WPA2) pre-authentication Group Policy setting to some client computers that are running Windows 7
2385775	Group Policy Modeling Wizard fails when you have registry updates in the Group Policy preference on a computer that is running Windows Server 2008 R2
2385838	Item-level targeting object picker dialog box shows only the domain in which the Gpmc.msc is started in Windows Server 2008 R2, in Windows 7, in Windows Vista or in Windows Server 2008
2386717	The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based or a Windows Server 2008-based computer
2386288	The SIS service does not de-duplicate some files that are replicated to a read-only replicated folder for DFS Replication in Windows Storage Server 2008 R2
2386730	An item-level targeting security group filter in Group Policy preferences settings does not work on a computer that is running Windows Server 2008 R2 or Windows 7 in a disjoint namespace
2386759	Group Policy preference settings for the settings on the Advanced tab in Internet Explorer 8 do not work as expected on a client computer that is running Windows 7 or Windows Server 2008 R2
2387778	You find a very large increase in the DFS Replication backlogs
2386802	The user cannot log back on to a client computer that is running Windows 7 or Windows Server 2008 R2 after you reset the password and then lock the computer
2389167	The "User Notice" value of the policy extension is displayed incorrectly in Windows Server 2008 R2 or in Windows 7 if the "UTF8String" data type is used
2390986	Folder redirection fails in Windows 7 and in Windows Server 2008 R2 when you use a large Fdeploy1.ini file to configure the Folder Redirection policy
2392951	The Security Configuration Wizard creates a duplicated rule in Windows Server 2008 and in Windows Server 2008 R2 when you edit an existing rule
2394663	An LDAP simple bind to a Windows Server 2008 R2-based domain controller fails when the user name has more than 255 characters in the distinguished name
2401600	The Dcdiag.exe VerifyReferences test fails on an RODC that is running Windows Server 2008 R2
2409711	A 30-second delay occurs when you log on to a computer after you configure the "Hide all icons on Desktop" Group Policy and the "Normal Wallpaper" Group Policy in Windows 7 or in Windows Server 2008
2434932	Temporary files do not synchronize correctly to a non-DFS share on a server from a client computer that is running Windows 7 or Windows Server 2008 R2

Secondary DS updates

KB Article	KB Title
974674	Description of the Windows NT Backup Restore Utility for Windows 7 and for Windows Server 2008 R2
975512	Some SMB clients cannot access cluster file shares but they can access non-cluster file shares that are located on a computer that is running Windows Server 2008 or Windows Server 2008 R2
975680	Virtual Disk Service (VDS) crashes when you try to extend a dynamic volume in an NTFS file system on a computer that is running Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows 7
975688	A snapshot may become corrupted when the Volume Shadow Copy Service (VSS) snapshot providers take more than 10 seconds to create it on a computer that is running Windows 7 or Windows Server 2008 R2
976099	VSS snapshot creation may fail after a LUN resynchronization on a computer that is running Windows 7 or Windows Server 2008 R2
976329	Error message when you run the ChkDsk.exe utility in read-only mode on a Windows-based computer: "The Volume Bitmap is incorrect" or "Error detected in index $I30 for file 5"
976538	File corruption may occur if you run a program that uses a file system filter driver in Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008
976782	Text in the General tab of the Windows Backup task in the Task Scheduler Library is not displayed in the localized language in Windows 7 or Windows Server 2008 R2
977015	You are repeatedly prompted to insert a new disk when you use the Backup and Restore tool in Windows 7 or the Windows Server Backup tool in Windows Server 2008 R2 to back up your files or to create a system image on a recordable Blu-ray disc (BD-R)
977096	You are unable to diagnose whether a snapshot creation failure is caused by issues in VSS hardware providers running in Windows 7 and in Windows Server 2008 R2
977158	DNS updates may be incorrectly reported as failed when you use a third-party DNS server application for DNS registration on a computer that is running Windows Server 2008 R2 or Windows 7
977375	Error message when some file system filter drivers that are transaction-aware are installed on a failover cluster node that is running Windows Server 2008 R2 and that has FSRM installed: "6704 (0x1A30) ERROR_TRANSACTION_ALREADY_ABORTED"
977417	You are prompted to provide authentication again when you open a new tab or a new window in a SSL Web site in Internet Explorer 8
977977	RSS network throughput performance decreases on Windows Server 2008 R2-based computers that have more than 32 processors
978000	Add a fix to improve the logging capabilities of the Storport.sys driver to troubleshoot poor disk I/O performance in Windows Server 2008 R2
978491	FIX: A server that is running Server Message Block Version 2 does not respond to certain FSCTL_SRV_NOTIFY_TRANSACTION requests from clients that are running Windows Vista or Windows Server 2008
978898	You cannot access a volume in Windows 7 or in Windows 2008 R2 when the volume is encrypted by a third-party encryption driver
979530	A Windows Server 2008 R2-based Remote Desktop server denies some connection requests randomly under heavy logon or logoff conditions
979710	You cannot log off the session for an iSCSI disk or take a disk offline from the Cluster Shared Volumes list in Windows Server 2008 R2 if the disk is an iSCSI disk or a fibre channel disk
979751	A domain user account that has a blank password cannot be used to authenticate against Microsoft SharePoint Server 2010 or against Windows Live SkyDrive
980082	Stop error in Win7 and in Win2008 R2 when you run a backup application: "0x0000007E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"
980259	The SNMP service does not respond to any SNMP requests after a Group Policy refresh in Windows Vista or in Windows Server 2008
980794	System state backup error in Windows Server 2008, in Windows Vista, in Windows 7 and in Windows Server 2008 R2: "Enumeration of the files failed"
981166	Some data is corrupted when cached and noncached I/O operations occur by using the same NTFS file handle
981208	Poor performance when you transfer many small files on a computer that is running Windows 7 or Windows Server 2008 R2
981506	"SSL Certificate add failed, Error: 1312" error message when you try to add a CTL in Windows Server 2008 R2 or in Windows 7
981765	The network performance is not as fast as expected on a computer that has NUMA-based processors and that is running Windows Server 2008 R2 or Windows 7
981836	Network connectivity for a Windows Server 2003-based Hyper-V virtual machine is lost temporarily in Windows Server 2008 R2
981851	The backup operation fails and the Wbengine.exe service stops in Windows Server 2008 R2 or in Windows 7 if one of the volumes in the operation does not exists any longer
981983	Cluster resources do not fail over automatically to other nodes when nodes cannot connect to the rest of a network in a Windows Server 2008 R2 failover cluster
982383	You encounter a decrease in I/O performance under a heavy disk I/O load on a Windows Server 2008 R2-based or Windows 7-based computer
982502	You cannot back up a file in Windows Server 2008 R2 or in Windows 7 if the path length is longer than 260 characters
982860	A computer that is running Windows 7 or Windows Server 2008 R2 takes four minutes to open a Microsoft Office 2003 document from a network share
983426	Some noncritical volumes are included in the system state backup image when you use the "-allCritical" switch in Windows Server 2008 R2 or in Windows 7
983458	You cannot save documents to a folder or change the permission settings of folders on a SMB 1.0-based remote server from a Windows-based computer that has security update 980232 (MS10-020) installed
983466	"A fatal error has occurred." error message when you use Windows Update on a Windows 7 or Windows Server 2008 R2-based computer that has a third-party filter driver installed
983528	The TCP receive window autotuning feature does not work correctly in Windows Server 2008 R2 or in Windows 7
983633	You cannot bring a volume online when the Snapshot Protection mode is enabled in Windows Server 2008 R2 or in Windows 7
2028566	A copy-on-write snapshot may become corrupted in Windows Server 2008 R2 or in Windows 7 if some snapshots that are stored on the same volume are deleted
2028965	Data corruption when multiple users perform read and write operations to a shared file in the SMB2 environment
2064460	The "BackupRead" function randomly fails together with error code 58 in Windows Server 2008 R2 or in Windows 7
2155024	A write operation to a volume is slower than usual in Windows Server 2008 or in Windows 7 after you create a snapshot of the volume
2194664	You cannot access a remote server that shares files and printers by using the SMB protocol from a computer that is running Windows Server 2008 R2 or Windows 7
2203302	An RDP connection that uses SSL authentication and CredSSP protocol fails in Windows 7 or in Windows Server 2008 R2
2223005	The network connection is lost for a Windows Server 2003-based or Windows XP-based virtual machine that is hosted on a computer that is running Windows Server 2008 R2
2253693	A VSS writer cannot create a snapshot on a computer that is running Windows 7 or Windows Server 2008 R2 if the snapshot set of the VSS writer has no disk volumes
2277439	The Cluster service stops responding if you run backup applications in parallel in Windows Server 2008 R2
2283445	The backup process requires significantly more time when you use the Windows Backup utility in Windows 7 if the size of the backup files increases
2309290	The DNS Server service does not respond to multi-label name resolution request correctly when background zone loading occurs in Windows Server 2008 R2
2309371	"HTTP 401" error message when you try to access web resources that require Kerberos authentication on a computer that is running Windows 7 or Windows Server 2008 R2
2314467	Error message when you add an InetOrgPerson user account to an RMS template in Windows Server 2008 R2: "No email address was found for the selected user or group"
2316513	The Lanmanserver service cannot start after you restart a computer that is running Windows 7 or Windows Server 2008 R2 if a volume that is referenced in the PATH variable is inaccessible
2353832	Authentication requests between nodes in the same failover cluster may be unable to use the Kerberos protocol if the Negotiate SSP is specified in Windows Server 2008 R2
2359344	The inheritable ACEs may not be propagated correctly to the child object on an NFS share when you enable the KeepInheritance registry value in Windows Server 2008 R2
2385596	An update that adds 33 configuration rules and 9 operation rules to BPA for DNS in Windows Server 2008 R2 is available
2386184	IP addresses are still registered on the DNS servers even if the IP addresses are not used for outgoing traffic on a computer that is running Windows 7 or Windows Server 2008 R2
2386854	Files remain encrypted after you copy the files from an encrypted folder to a WebDAV share if the files are copied by using a computer that is running Windows 7 or Windows Server 2008 R2
2411958	In Windows Server 2008 R2, the DNS Server service might crash when it handles many concurrent queries that are submitted through the DNS server plug-in interface
2415115	You cannot open, edit, or delete the Windows Security Health Validator after you install the Microsoft .NET Framework 4 on a computer that is running Windows Server 2008 R2

And the issue you are least likely to hit?

KB980598 - Windows Server 2008 R2 cannot be installed or started on a computer that has 1 TB or more of RAM

Holy Schnike, I wish I had that “problem”…

Until next time.

- Ned “640GB ought to be enough for anybody” Pyle

Ask the Directory Services Team

We're back. Did you miss us?

AD FS 2.0 Claims Rule Language Part 2

Circle Back to Loopback

Distributed File System Consolidation of a Standalone Namespace to a Domain-Based Namespace