Article ID: 818024
Article Last Modified on 12/3/2007
APPLIES TO
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows Small Business Server 2003 Standard Edition
- Microsoft Windows Small Business Server 2003 Premium Edition
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
By default, in the Microsoft Windows Server 2003 family and in the Microsoft Windows 2000 Server family, when the LookupAccountName function or the LsaLookupNames function resolves isolated names to security identifiers (SIDs), a remote procedure call (RPC) is made to domain controllers on external trusted domains. (An isolated name is an ambiguous, non-domain-qualified user account.) In situations where the primary domain has many external trust relationships with other domains or where many lookups are performed at the same time, performance may decrease. You may see increased memory usage and increased CPU usage on the domain controller.
The LookupAccountName function and the LsaLookupNames function can also be called by scripts or by tools that edit security settings, where account names must be mapped to SIDs. Examples of tools that you can use to edit security settings are Cacls.exe, Xcacls.exe, Dsacls.exe, and Subinacl.exe.
This article contains information about how to edit the registry to control whether the lookup of isolated names is performed in external trusted domains in Windows Server 2003 and in Windows 2000 Server.
MORE INFORMATION
The lookup functions accept names that use the following formats:
NetBIOSDomainName
\AccountName
DnsDomainName
\AccountName
- (UPN)
AccountName
@DnsDomainName
- (Isolated)
AccountName
For the first three name formats in the list, the lookup functions can directly target a domain controller on the appropriate domain because these name formats contain the domain that is authoritative for the security principal.
The fourth name format, (Isolated) AccountName
, is ambiguous. The lookup functions must systematically try to resolve the name to an SID by making an RPC to every trusted domain. For environments where many external trusts exist, this operation may require a serial enumeration of the trusted domains that involves making an RPC to a domain controller on each domain. In this scenario, performance decreases as the number of trusted domains increases.
If a script or a program tries to resolve an isolated name, performance may be slow. For example, this problem may occur if the script or the program is configured to run at logon time. The problem may also occur if the script or the program runs on many clients at the same time. In environments with many external trusted domains that use such programs, you may want to disable the lookup and resolution of isolated names to SIDs for external trusted domains.
Edit the registry to disable (or enable) the lookup of isolated names in external trusted domains
Important If you are running Windows 2000 Server, you have to first install the hotfix that is described in the "Windows 2000 Server hotfix information" section later in this article before you can use this procedure.
To edit the registry to control whether lookup of isolated names is performed in external trusted domains, create the following registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevel
- If this entry does not exist, or if the value is set to 0, lookup for isolated names is performed across external trusted domains.
- If this registry entry is set to 1, lookup for isolated names is not performed across external trusted domains.
By default, lookup for isolated names is performed across external trusted domains, and the LsaLookupRestrictIsolatedNameLevel
entry is not present in the registry.
To create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevel
registry entry and to disable or to enable the lookup of isolated names in external trusted domains, follow these steps.
Note Create this registry entry only on domain controllers.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate, and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- On the Edit menu, point to New, and then click DWORD Value.
- Type LsaLookupRestrictIsolatedNameLevel, and then press ENTER.
- On the Edit menu, click Modify.
- Do one of the following, depending on your situation:
- To disable the lookup of isolated names in external trusted domains, type 1 in the Value data box.
- To enable the lookup of isolated names in external trusted domains, type 0 in the Value data box.
- Click OK, and then quit Registry Editor.
Windows 2000 Server hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Prerequisites
This hotfix requires Microsoft Windows 2000 Service Pack 3 (SP3).
Restart requirement
You have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name -------------------------------------------------------- 25-Sep-2003 12:11 5.0.2195.6824 124,688 Adsldp.dll 25-Sep-2003 12:11 5.0.2195.6824 132,368 Adsldpc.dll 25-Sep-2003 12:11 5.0.2195.6824 63,760 Adsmsext.dll 25-Sep-2003 12:11 5.0.2195.6824 381,712 Advapi32.dll 25-Sep-2003 12:11 5.0.2195.6824 69,904 Browser.dll 25-Sep-2003 12:11 5.0.2195.6824 136,464 Dnsapi.dll 25-Sep-2003 12:11 5.0.2195.6824 96,016 Dnsrslvr.dll 25-Sep-2003 12:11 5.0.2195.6824 47,376 Eventlog.dll 25-Sep-2003 12:11 5.0.2195.6824 148,240 Kdcsvc.dll 20-Sep-2003 15:32 5.0.2195.6824 205,584 Kerberos.dll 20-Sep-2003 15:32 5.0.2195.6824 71,888 Ksecdd.sys 25-Sep-2003 08:58 5.0.2195.6826 510,224 Lsasrv.dll 25-Sep-2003 08:58 5.0.2195.6826 33,552 Lsass.exe 20-Sep-2003 15:32 5.0.2195.6824 109,840 Msv1_0.dll 25-Sep-2003 12:11 5.0.2195.6824 307,984 Netapi32.dll 25-Sep-2003 12:11 5.0.2195.6824 361,232 Netlogon.dll 25-Sep-2003 12:11 5.0.2195.6826 931,600 Ntdsa.dll 25-Sep-2003 12:11 5.0.2195.6824 392,464 Samsrv.dll 25-Sep-2003 12:11 5.0.2195.6824 113,936 Scecli.dll 25-Sep-2003 12:11 5.0.2195.6824 259,856 Scesrv.dll 25-Sep-2003 12:11 5.0.2195.6824 48,912 W32time.dll 20-Sep-2003 15:32 5.0.2195.6824 57,104 W32tm.exe 25-Sep-2003 12:11 5.0.2195.6824 126,224 Wldap32.dll
Keywords: kbhotfixserver kbqfe kbwin2000presp5fix kbhowto KB818024