Microsoft KB Archive/818024

= How to restrict the lookup of isolated names in external trusted domains by using the LsaLookupRestrictIsolatedNameLevel registry entry =

Article ID: 818024

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-





IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
By default, in the Microsoft Windows Server 2003 family and in the Microsoft Windows 2000 Server family, when the LookupAccountName function or the LsaLookupNames function resolves isolated names to security identifiers (SIDs), a remote procedure call (RPC) is made to domain controllers on external trusted domains. (An isolated name is an ambiguous, non-domain-qualified user account.) In situations where the primary domain has many external trust relationships with other domains or where many lookups are performed at the same time, performance may decrease. You may see increased memory usage and increased CPU usage on the domain controller.

The LookupAccountName function and the LsaLookupNames function can also be called by scripts or by tools that edit security settings, where account names must be mapped to SIDs. Examples of tools that you can use to edit security settings are Cacls.exe, Xcacls.exe, Dsacls.exe, and Subinacl.exe.

This article contains information about how to edit the registry to control whether the lookup of isolated names is performed in external trusted domains in Windows Server 2003 and in Windows 2000 Server.



MORE INFORMATION
The lookup functions accept names that use the following formats:
 * (UPN) @
 * (Isolated)
 * (UPN) @
 * (Isolated)

For the first three name formats in the list, the lookup functions can directly target a domain controller on the appropriate domain because these name formats contain the domain that is authoritative for the security principal.

The fourth name format, (Isolated), is ambiguous. The lookup functions must systematically try to resolve the name to an SID by making an RPC to every trusted domain. For environments where many external trusts exist, this operation may require a serial enumeration of the trusted domains that involves making an RPC to a domain controller on each domain. In this scenario, performance decreases as the number of trusted domains increases.

If a script or a program tries to resolve an isolated name, performance may be slow. For example, this problem may occur if the script or the program is configured to run at logon time. The problem may also occur if the script or the program runs on many clients at the same time. In environments with many external trusted domains that use such programs, you may want to disable the lookup and resolution of isolated names to SIDs for external trusted domains.
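An added example, not code from this article, that audits a script for the isolated names the article describes before the lookup restriction is turned on. It assumes that "DOMAIN\account" and "account@domain" are the domain-qualified forms, assumes the "/G", "/P", "/D", "/R" and "/grant=" argument syntax of the ACL tools named above, and uses constructed sample lines with placeholder domain names.

```powershell
# Added example, not code from the KB article. Classifies account names by the
# lookup formats the article describes and flags isolated names in ACL commands.
# Assumption: "DOMAIN\account" and "account@domain" are the domain-qualified forms;
# a name with neither separator is treated as isolated.
function Get-AccountNameFormat {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '^[^\\@]+\\[^\\@]+$') { return 'DomainQualified' }
    if ($Name -match '^[^\\@]+@[^\\@]+$')  { return 'UPN' }
    return 'Isolated'
}

# Pulls the account operand out of cacls/xcacls/dsacls "/G|/P|/D|/R name[:perm]"
# arguments and out of subinacl "/grant=|/deny=|/revoke=name[=perm]" arguments
# (assumed syntax of those tools for this example), then classifies each name.
function Find-IsolatedNames {
    param([Parameter(Mandatory)][string[]]$ScriptLines)
    $patterns = @(
        '(?i)/(?:G|P|D|R)\s+(?:"([^":]+)"|([^":\s]+))',
        '(?i)/(?:grant|deny|revoke)=(?:"([^"=]+)"|([^"=\s]+))'
    )
    $lineNo = 0
    foreach ($line in $ScriptLines) {
        $lineNo++
        if ($line -notmatch '(?i)\b(cacls|xcacls|dsacls|subinacl)\b') { continue }
        foreach ($p in $patterns) {
            foreach ($m in [regex]::Matches($line, $p)) {
                $name = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
                [pscustomobject]@{
                    Line   = $lineNo
                    Name   = $name
                    Format = Get-AccountNameFormat -Name $name
                }
            }
        }
    }
}

# Constructed sample logon script; CONTOSO and fabrikam.com are placeholder names.
$sampleScript = @(
    'cacls D:\Share /E /G CONTOSO\svc-backup:R',
    'xcacls D:\Share /E /P auditors:R',
    'dsacls "OU=Sales,DC=contoso,DC=com" /G jsmith@fabrikam.com:GR',
    'subinacl /file D:\Share /grant=helpdesk=F'
)
$results = Find-IsolatedNames -ScriptLines $sampleScript
$results | Format-Table -AutoSize
# Only 'auditors' and 'helpdesk' are isolated; each of those is probed against every
# trusted domain unless it is qualified or the article's registry entry is set to 1.
$results | Where-Object { $_.Format -eq 'Isolated' } | ForEach-Object { "Qualify: $($_.Name)" }
```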

Edit the registry to disable (or enable) the lookup of isolated names in external trusted domains
Important If you are running Windows 2000 Server, you have to first install the hotfix that is described in the "Windows 2000 Server hotfix information" section later in this article before you can use this procedure.

To edit the registry to control whether lookup of isolated names is performed in external trusted domains, create the LsaLookupRestrictIsolatedNameLevel DWORD entry under the following registry subkey (the full procedure follows in this section):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa


 * If this entry does not exist, or if the value is set to 0, lookup for isolated names is performed across external trusted domains.
 * If this registry entry is set to 1, lookup for isolated names is not performed across external trusted domains.

By default, lookup for isolated names is performed across external trusted domains, and the LsaLookupRestrictIsolatedNameLevel entry is not present in the registry.

To create the LsaLookupRestrictIsolatedNameLevel registry entry and to disable or to enable the lookup of isolated names in external trusted domains, follow these steps.

Note Create this registry entry only on domain controllers.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

 1. Click Start, and then click Run. In the Open box, type regedit, and then click OK.
 2. Locate, and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

 3. On the Edit menu, point to New, and then click DWORD Value.
 4. Type LsaLookupRestrictIsolatedNameLevel, and then press ENTER.
 5. On the Edit menu, click Modify.
 6. Do one of the following, depending on your situation:
    * To disable the lookup of isolated names in external trusted domains, type 1 in the Value data box.
    * To enable the lookup of isolated names in external trusted domains, type 0 in the Value data box.
 7. Click OK, and then quit Registry Editor.
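The same change scripted, as an added example that is not part of this article: it reads the entry with the meaning the article assigns to each state (absent or 0, lookup performed; 1, lookup not performed) and refuses to write it on a machine that is not a domain controller. The domain-controller check assumes Win32_ComputerSystem.DomainRole values 4 and 5 identify a domain controller; run it in an elevated session.

```powershell
# Added example, not code from the KB article: inspect or set
# LsaLookupRestrictIsolatedNameLevel with the semantics the article gives
# (entry absent or 0 = lookups performed across external trusts; 1 = not performed).
# Assumption: Win32_ComputerSystem.DomainRole 4 (backup DC) or 5 (primary DC)
# identifies a domain controller.
$LsaKey  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$LsaName = 'LsaLookupRestrictIsolatedNameLevel'

function Get-IsolatedNameLookupState {
    $item = Get-ItemProperty -Path $LsaKey -Name $LsaName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (entry not present, default)' }
    switch ($item.$LsaName) {
        0       { 'Enabled (value 0)' }
        1       { 'Disabled (value 1)' }
        default { "Unexpected value $($item.$LsaName); only 0 and 1 are documented" }
    }
}

function Set-IsolatedNameLookup {
    param([Parameter(Mandatory)][ValidateSet('Enable','Disable')][string]$Action)
    # The article says to create this entry only on domain controllers.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    if (4,5 -notcontains $role) {
        throw "Not a domain controller (DomainRole=$role); refusing to change $LsaName."
    }
    $value = if ($Action -eq 'Disable') { 1 } else { 0 }
    # New-ItemProperty -Force creates the DWORD or overwrites an existing value.
    New-ItemProperty -Path $LsaKey -Name $LsaName -PropertyType DWord -Value $value -Force | Out-Null
    Get-IsolatedNameLookupState
}

"Current state: $(Get-IsolatedNameLookupState)"
# Set-IsolatedNameLookup -Action Disable   # uncomment to apply on a domain controller
```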

Windows 2000 Server hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;[LN;CNTACTMS]

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites
This hotfix requires Microsoft Windows 2000 Service Pack 3 (SP3).

Restart requirement
You have to restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date        Time   Version        Size     File name
25-Sep-2003 12:11  5.0.2195.6824  124,688  Adsldp.dll
25-Sep-2003 12:11  5.0.2195.6824  132,368  Adsldpc.dll
25-Sep-2003 12:11  5.0.2195.6824  63,760   Adsmsext.dll
25-Sep-2003 12:11  5.0.2195.6824  381,712  Advapi32.dll
25-Sep-2003 12:11  5.0.2195.6824  69,904   Browser.dll
25-Sep-2003 12:11  5.0.2195.6824  136,464  Dnsapi.dll
25-Sep-2003 12:11  5.0.2195.6824  96,016   Dnsrslvr.dll
25-Sep-2003 12:11  5.0.2195.6824  47,376   Eventlog.dll
25-Sep-2003 12:11  5.0.2195.6824  148,240  Kdcsvc.dll
20-Sep-2003 15:32  5.0.2195.6824  205,584  Kerberos.dll
20-Sep-2003 15:32  5.0.2195.6824  71,888   Ksecdd.sys
25-Sep-2003 08:58  5.0.2195.6826  510,224  Lsasrv.dll
25-Sep-2003 08:58  5.0.2195.6826  33,552   Lsass.exe
20-Sep-2003 15:32  5.0.2195.6824  109,840  Msv1_0.dll
25-Sep-2003 12:11  5.0.2195.6824  307,984  Netapi32.dll
25-Sep-2003 12:11  5.0.2195.6824  361,232  Netlogon.dll
25-Sep-2003 12:11  5.0.2195.6826  931,600  Ntdsa.dll
25-Sep-2003 12:11  5.0.2195.6824  392,464  Samsrv.dll
25-Sep-2003 12:11  5.0.2195.6824  113,936  Scecli.dll
25-Sep-2003 12:11  5.0.2195.6824  259,856  Scesrv.dll
25-Sep-2003 12:11  5.0.2195.6824  48,912   W32time.dll
20-Sep-2003 15:32  5.0.2195.6824  57,104   W32tm.exe
25-Sep-2003 12:11  5.0.2195.6824  126,224  Wldap32.dll

Keywords: kbhotfixserver kbqfe kbwin2000presp5fix kbhowto KB818024

-


© Microsoft Corporation. All rights reserved.