Microsoft KB Archive/811422

= LDAP signing changes for Active Directory administrative tools in Windows 2000 Server Service Pack 4 =

Article ID: 811422

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



INTRODUCTION
Active Directory directory service administrative tools sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. This article describes the signing and sealing support that is added to Microsoft Windows 2000 Active Directory administrative tools after you install Windows 2000 Service Pack 4 (SP4).



MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. By default, Active Directory administrative tools in Microsoft Windows Server 2003 and in Microsoft Windows XP Professional sign and encrypt all LDAP traffic. Windows 2000 SP4 supports the same LDAP signing defaults for Windows 2000 Active Directory Administration tools as Windows Server 2003. However, it offers improved compatibility when targeting computers that have Windows 2000 SP2 installed. The Windows 2000 SP4 Active Directory administration tools can successfully target Windows 2000 SP2 domain controllers in scenarios that fail when a Windows Server 2003 client tries to perform them. There are two differences between the signing and sealing functionality of Windows 2000 SP4 and the signing and sealing functionality of Windows Server 2003 and Windows XP Professional clients:  The initial bind in the Windows 2000 SP4 Active Directory Users and Computers and the Active Directory Sites and Services snap-in is performed without signing and sealing. Therefore, even if the tool is targeted against a remote computer by using its network basic input/output system (NetBIOS) name, the RootDSE bind will succeed and return the DNS name so that later binds that are signed and sealed will succeed.

Note An exception to this is targeting a remote computer over an external Microsoft Windows NT LAN Manager (NTLM) trust. Windows 2000 SP4 Active Directory administration tools do not support the special-case handling of the sign and seal bind failure. Therefore, the user receives raw errors that are similar to one of the following:

The server is unwilling to process the request. (ERROR_DS_UNWILLING_TO_PERFORM)

The server is not operational. (ERROR_DS_SERVER_DOWN)

The directory service is unavailable. (ERROR_DS_UNAVAILABLE)

Note Administrators will see the error code, but they will not see the symbolic names that appear in parentheses.

Active Directory Administration tools that support LDAP signing and sealing in Windows 2000 SP4 include the following:
 * Active Directory Domains and Trusts
 * Active Directory Sites and Services
 * Active Directory Schema
 * Active Directory Users and Computers
 * ADSI Edit
 * Object Picker

We recommend that Windows 2000 computers and domain controllers that are used for domain administration be upgraded to Windows 2000 SP4. Windows 2000 SP4 Active Directory administration tools are more secure than previous Windows 2000 versions of Active Directory administrative tools. Also, Windows 2000 SP4 Active Directory administration tools offer better backward compatibility than their Windows Server 2003 counterparts.

Active Directory administration tools may also negotiate by using the NTLM authentication protocol. Scenarios that start NTLM authentication include the following:  The administration of Windows 2000 and Windows Server 2003 domain controllers in domains that are located in an external forest that is connected by earlier-version trusts. Focusing Microsoft Management Console (MMC) snap-ins against a specific domain controller that is referenced by its IP address. For example, you click Start, click Run, and then type the following, where x.x.x.x is the IP address of the domain controller:

dsa.msc /server=x.x.x.x



Signing and sealing that occurs between Windows 2000 SP2 servers and Windows 2000 SP4 clients that use NTLM authentication will fail. To use the Windows 2000 SP4 administrative tools when NTLM authentication is negotiated with Windows 2000-based domain controllers that are running Service Pack 2 or earlier, administrators must use one of the following methods:  Install Windows 2000 Service Pack 3 (SP3) or later on the Windows 2000-based domain controllers that are being administered.</li> Turn off LDAP signing, seal the registry of the client computer that is running the administrative tools, and then restart the tools on the client. To turn off LDAP signing and sealing on the client, set the ADsOpenObjectFlags entry to a value of 0x03 in the following registry subkey on the client computer:

</li></ul>

Note You cannot programmatically override the Group Policy setting to enable signing. This enables the administrator to force programs to use signing. If you do not want all programs to be forced to use signing, do not turn on LDAP signing. You may experience these errors intermittently in Windows 2000 or in Windows Server 2003 when signing is enabled and Active Directory is under stress from heavy use.

Keywords: KB811422

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.