Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
While bouncing around ideas with colleagues more intelligent than me, I was reminded of a case I had with a customer five years ago. The exact specifics of the problem aren't important, but the reasons it became a problem are as follows:
Something on the clients was making massive numbers of name-to-SID requests to the DCs during logon for isolated usernames (a bare USER with no domain component), but this only became a problem when the DCs on the other side of the 15+ trusts didn't respond quickly.
In that case, we resolved the issue by fixing the client-side problem that was sending isolated account-name requests (USER rather than DOMAIN\USER). The customer also later discovered that several of his trusts were broken, which was the catalyst for the problem to appear.
My impression was however that it would have been nice to be able to turn off this behaviour on the DC’s altogether and just assume that any request that didn’t explicitly specify a domain name should be treated as belonging to the local domain database.
At the time there was unfortunately no such method available on the Windows 2000 SP3 DCs the customer was running.
However, that brings me back full circle to the first point: it is now possible to turn this off, as described in http://support.microsoft.com/default.aspx?scid=kb;EN-US;818024. Note that DCs still default to the old behaviour of chasing isolated names over trusts, though.
To change whether a DC performs lookup of isolated names in external trusted domains, create the following value on any W2k DC with SP4 SRP2 installed or on any W2k3/W2k8 DC:
Under HKLM\System\CurrentControlSet\Control\Lsa, a DWORD named LsaLookupRestrictIsolatedNameLevel. Per KB818024, set it to 1 to stop the DC forwarding isolated-name lookups to external trusted domains; a value of 0, or no value at all, keeps the default behaviour.
In short: consider turning this on if you have multiple trust relationships. The benefit is better performance; the drawback is that a name may potentially no longer be translated to a SID. That drawback can, however, be easily addressed by reconfiguring the application or service making the request to use a proper format such as DOMAIN\User or a UPN.
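As an added example (not code from the original post or from the KB article), the following PowerShell script reports the current LsaLookupRestrictIsolatedNameLevel setting on the machine it runs on, optionally sets it to 1 as KB818024 describes, and then translates an isolated name, a DOMAIN\User name and a UPN to SIDs so you can see which forms still resolve after the change. The domain name CONTOSO, the account jsmith, the -Apply switch and the Resolve-AccountSid helper are placeholders for this example; it assumes it is run elevated on a DC or domain member.

```powershell
# Added example, not from the original post: inspect and (optionally) set the
# LsaLookupRestrictIsolatedNameLevel value from KB818024, then compare how an
# isolated name, a DOMAIN\User name and a UPN translate to SIDs.
# Assumptions: run elevated on a DC or domain-joined host; CONTOSO, jsmith and
# the -Apply switch are placeholders and not part of the original post.
param(
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valName = 'LsaLookupRestrictIsolatedNameLevel'

# 1. Read the current setting. A missing value means the default: the DC
#    chases isolated names across every trust it has.
$current = (Get-ItemProperty -Path $lsaKey -Name $valName -ErrorAction SilentlyContinue).$valName
if ($null -eq $current) {
    Write-Host "$valName is not set (default: isolated names are looked up in external trusted domains)"
} else {
    Write-Host "$valName = $current"
}

# 2. Restrict the lookup (value 1 per KB818024) only when asked to.
if ($Apply -and $current -ne 1) {
    New-ItemProperty -Path $lsaKey -Name $valName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$valName set to 1: isolated names will no longer be looked up in external trusted domains"
}

# 3. Translate each name form to a SID. NTAccount.Translate uses the same LSA
#    lookup path the post is talking about; a failed lookup throws, which we
#    report instead of letting it terminate the script.
function Resolve-AccountSid {
    param([string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Sid = $sid.Value; Resolved = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Name = $Name; Sid = $null; Resolved = $false; Error = $_.Exception.GetBaseException().Message }
    }
}

# Constructed sample names (placeholders): the isolated form is the one that
# triggers the trust-chasing behaviour; the qualified forms are the fix the
# post recommends for applications that stop resolving after the change.
$names = @(
    'jsmith',             # isolated name: USER only
    'CONTOSO\jsmith',     # qualified: DOMAIN\User
    'jsmith@contoso.com'  # UPN
)
$names | ForEach-Object { Resolve-AccountSid -Name $_ } | Format-Table -AutoSize
```

Run it once without -Apply on a DC to see the baseline, note which of your applications send the isolated form (the first row), and only then run with -Apply; any application whose names stop resolving afterwards is a candidate for reconfiguration to DOMAIN\User or UPN rather than for reverting the registry value.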
How to restrict the lookup of isolated names in external trusted domains by using the LsaLookupRestrictIsolatedNameLevel registry entry http://support.microsoft.com/default.aspx?scid=kb;EN-US;818024
Do you have the valid parameter for 2003 64-bit server?
If you're referring to LsaLookupRestrictIsolatedNameLevel, it is the same format on all OSes post Windows 2000 SP4.
The technote KB818024 only applies to the 2003 32-bit OS.
The 32 bit and 64 bit versions of W2k3 are compiled from the same source so the registry value applies to both - the KB article shouldn't specifically mention the 32-bit version.
I.e. it's a doc bug - the same registry value is present on the 64-bit version of W2k3...try it and you'll see :)