Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Hotfix is available that broadens logging to identify isolated name lookup requests in Windows Server 2008 SP2

Hotfix is available that broadens logging to identify isolated name lookup requests in Windows Server 2008 SP2

View products that this article applies to.

Introduction

This article describes a hotfix that broadens logging to identify isolated name lookup requests in Windows Server 2008 SP2. After you install this hotfix, the logging mechanism monitors for requests that are discarded when dynamic TCP port exhaustion occurs when the following conditions are true: 
  • Multiple trusted domains are configured on a domain controller that is running Windows Server 2008 Service Pack 2 (SP2). 
  • An application sends many name lookup requests for isolated names to the domain controller at the same time. 
  • The LsaLookupNames or LookupAccountName function is called to resolve isolated names to security identifiers (SIDs).
     
    Note An isolated name is a non-domain-qualified user account that does not have a domain name prefix or user principal name (UPN) suffix.
Notes
  • Dynamic TCP port exhaustion occurs under these conditions because the domain controller forwards multiple name lookup requests to each trusted domain controller. For example, if five trusted domains are listed on a domain controller, a name lookup request for isolated names is sent from a client computer to the domain controller. Then, the domain controller sends five requests to each trusted domain controller. Therefore, if the client computer sends 200 parallel requests to the domain controller, the domain controller sends 1000 requests to the corresponding trusted domain controllers.
  • This hotfix does not prevent dynamic TCP port exhaustion. However, the "Hotfix information" section describes how to minimize the effect of this issue on the domain controller.

↑ Back to the top

Resolution

Hotfix information

To minimize the effect of this issue on the domain controller, you can reconfigure the total number of available ephemeral ports on the domain controller from the default number of 16,000 to 55,000. Or, you can create and configure a registry entry that is named LsaLookupRestrictIsolatedNameLevel on the domain controller. This registry entry instructs the domain controller to discard name lookup requests for isolated names. Therefore, the domain controller does not forward the requests to all the trusted domain controllers.

To create the LsaLookupRestrictIsolatedNameLevel registry entry on the domain controller, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. Click Startstart button , type regedit in the Search programs and files box, and then press ENTER.
    UAC If you are prompted for an administrator password, type the password. If you are prompted for confirmation, provide confirmation.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type LsaLookupRestrictIsolatedNameLevel, and then press ENTER.
  5. Exit Registry Editor.
Notes
  • If the LsaLookupRestrictIsolatedNameLevel registry entry does not exist, or if the value of the registry entry is set to 0, name lookup requests for isolated names are sent to external trusted domains.
  • If the value of the LsaLookupRestrictIsolatedNameLevel registry entry is set to 1, name lookup requests for isolated names are not sent to external trusted domains.
After you create the LsaLookupRestrictIsolatedNameLevel registry entry on the domain controller, install this hotfix to broaden logging to monitor the discarded requests.

For more information about the logging mechanism, go to the following Microsoft website:
General information about the logging mechanism

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2008 SP2.

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

968849 How to obtain the latest service pack for Windows Server 2008

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information notes
Important Windows Vista hotfixes and Windows Server 2008 hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows Vista" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    VersionProductSR_LevelService branch
    6.0.600
    2.
    23xxx    		Windows Server 2008SP2LDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are

    listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008
File nameKsecdd.sys
File version6.0.6002.23105
File size440,680
Date (UTC)07-May-2013
Time (UTC)23:09
Platformx86
File nameLsasrv.dll
File version6.0.6002.23153
File size1,262,080
Date (UTC)06-Jul-2013
Time (UTC)02:59
Platformx86
File nameLsasrv.mof
File versionNot applicable
File size13,780
Date (UTC)09-Sep-2011
Time (UTC)11:41
PlatformNot applicable
File nameLsass.exe
File version6.0.6002.23153
File size9,728
Date (UTC)06-Jul-2013
Time (UTC)01:37
Platformx86
File nameSecur32.dll
File version6.0.6002.23153
File size72,704
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
File nameWdigest.dll
File version6.0.6002.23153
File size175,616
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
File nameMsv1_0.dll
File version6.0.6002.23153
File size218,624
Date (UTC)06-Jul-2013
Time (UTC)03:00
Platformx86
File nameSchannel.dll
File version6.0.6002.23153
File size279,552
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
For all supported x64-based versions of Windows Server 2008
File nameKsecdd.sys
File version6.0.6002.23105
File size517,480
Date (UTC)07-May-2013
Time (UTC)22:55
Platformx64
File nameLsasrv.dll
File version6.0.6002.23153
File size1,692,672
Date (UTC)06-Jul-2013
Time (UTC)03:28
Platformx64
File nameLsasrv.mof
File versionNot applicable
File size13,780
Date (UTC)15-Nov-2011
Time (UTC)15:19
PlatformNot applicable
File nameLsass.exe
File version6.0.6002.23153
File size11,264
Date (UTC)06-Jul-2013
Time (UTC)02:05
Platformx64
File nameSecur32.dll
File version6.0.6002.23153
File size94,720
Date (UTC)06-Jul-2013
Time (UTC)03:30
Platformx64
File nameWdigest.dll
File version6.0.6002.23153
File size205,824
Date (UTC)06-Jul-2013
Time (UTC)03:31
Platformx64
File nameMsv1_0.dll
File version6.0.6002.23153
File size269,312
Date (UTC)06-Jul-2013
Time (UTC)03:28
Platformx64
File nameSchannel.dll
File version6.0.6002.23153
File size348,160
Date (UTC)06-Jul-2013
Time (UTC)03:30
Platformx64
File nameLsasrv.mof
File versionNot applicable
File size13,780
Date (UTC)09-Sep-2011
Time (UTC)11:41
PlatformNot applicable
File nameSecur32.dll
File version6.0.6002.23153
File size77,312
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
File nameWdigest.dll
File version6.0.6002.23153
File size175,616
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
File nameMsv1_0.dll
File version6.0.6002.23153
File size218,624
Date (UTC)06-Jul-2013
Time (UTC)03:00
Platformx86
File nameSchannel.dll
File version6.0.6002.23153
File size279,552
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
For all supported IA-64-based versions of Windows Server 2008
File nameKsecdd.sys
File version6.0.6002.23105
File size1,030,504
Date (UTC)07-May-2013
Time (UTC)22:49
PlatformIA-64
File nameLsasrv.dll
File version6.0.6002.23153
File size3,265,024
Date (UTC)06-Jul-2013
Time (UTC)02:25
PlatformIA-64
File nameLsasrv.mof
File versionNot applicable
File size13,780
Date (UTC)15-Mar-2011
Time (UTC)05:54
PlatformNot applicable
File nameLsass.exe
File version6.0.6002.23153
File size17,920
Date (UTC)06-Jul-2013
Time (UTC)01:14
PlatformIA-64
File nameSecur32.dll
File version6.0.6002.23153
File size202,752
Date (UTC)06-Jul-2013
Time (UTC)02:27
PlatformIA-64
File nameWdigest.dll
File version6.0.6002.23153
File size483,328
Date (UTC)06-Jul-2013
Time (UTC)02:28
PlatformIA-64
File nameMsv1_0.dll
File version6.0.6002.23153
File size570,368
Date (UTC)06-Jul-2013
Time (UTC)02:26
PlatformIA-64
File nameSchannel.dll
File version6.0.6002.23153
File size812,032
Date (UTC)06-Jul-2013
Time (UTC)02:27
PlatformIA-64
File nameLsasrv.mof
File versionNot applicable
File size13,780
Date (UTC)09-Sep-2011
Time (UTC)11:41
PlatformNot applicable
File nameSecur32.dll
File version6.0.6002.23153
File size77,312
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
File nameWdigest.dll
File version6.0.6002.23153
File size175,616
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86
File nameMsv1_0.dll
File version6.0.6002.23153
File size218,624
Date (UTC)06-Jul-2013
Time (UTC)03:00
Platformx86
File nameSchannel.dll
File version6.0.6002.23153
File size279,552
Date (UTC)06-Jul-2013
Time (UTC)03:01
Platformx86

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about this issue, click the following article numbers to view the articles in the Microsoft Knowledge Base:
818024 How to restrict the lookup of isolated names in external trusted domains
929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
File nameX86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.23153_none_a88779a1733515f4.manifest
File versionNot applicable
File size34,354
Date (UTC)06-Jul-2013
Time (UTC)03:45
PlatformNot applicable
File nameX86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.23153_none_3d0a39f6931ef187.manifest
File versionNot applicable
File size9,924
Date (UTC)06-Jul-2013
Time (UTC)03:48
PlatformNot applicable
File nameX86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.23153_none_7eefdbb278f4a0d6.manifest
File versionNot applicable
File size18,890
Date (UTC)06-Jul-2013
Time (UTC)03:47
PlatformNot applicable
File nameX86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.23153_none_245339ed6bacb47f.manifest
File versionNot applicable
File size18,090
Date (UTC)06-Jul-2013
Time (UTC)03:48
PlatformNot applicable
Additional files for all supported x64-based versions of Windows Server 2008
File nameAmd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.23153_none_04a615252b92872a.manifest
File versionNot applicable
File size34,442
Date (UTC)06-Jul-2013
Time (UTC)04:19
PlatformNot applicable
File nameAmd64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.23153_none_9928d57a4b7c62bd.manifest
File versionNot applicable
File size9,948
Date (UTC)06-Jul-2013
Time (UTC)04:23
PlatformNot applicable
File nameAmd64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.23153_none_db0e77363152120c.manifest
File versionNot applicable
File size18,926
Date (UTC)06-Jul-2013
Time (UTC)04:22
PlatformNot applicable
File nameAmd64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.23153_none_8071d571240a25b5.manifest
File versionNot applicable
File size18,120
Date (UTC)06-Jul-2013
Time (UTC)04:23
PlatformNot applicable
File nameWow64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.23153_none_0efabf775ff34925.manifest
File versionNot applicable
File size21,959
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
File nameWow64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.23153_none_a37d7fcc7fdd24b8.manifest
File versionNot applicable
File size10,140
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
File nameWow64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.23153_none_e563218865b2d407.manifest
File versionNot applicable
File size17,843
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
File nameWow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.23153_none_8ac67fc3586ae7b0.manifest
File versionNot applicable
File size17,557
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
Additional files for all supported IA-64-based versions of Windows Server 2008
File nameIa64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.23153_none_a8891d9773331ef0.manifest
File versionNot applicable
File size34,398
Date (UTC)06-Jul-2013
Time (UTC)03:17
PlatformNot applicable
File nameIa64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.23153_none_3d0bddec931cfa83.manifest
File versionNot applicable
File size9,936
Date (UTC)06-Jul-2013
Time (UTC)03:19
PlatformNot applicable
File nameIa64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.23153_none_7ef17fa878f2a9d2.manifest
File versionNot applicable
File size18,908
Date (UTC)06-Jul-2013
Time (UTC)03:18
PlatformNot applicable
File nameIa64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.23153_none_2454dde36baabd7b.manifest
File versionNot applicable
File size18,105
Date (UTC)06-Jul-2013
Time (UTC)03:19
PlatformNot applicable
File nameWow64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.23153_none_0efabf775ff34925.manifest
File versionNot applicable
File size21,959
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
File nameWow64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.23153_none_a37d7fcc7fdd24b8.manifest
File versionNot applicable
File size10,140
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
File nameWow64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.23153_none_e563218865b2d407.manifest
File versionNot applicable
File size17,843
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable
File nameWow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.23153_none_8ac67fc3586ae7b0.manifest
File versionNot applicable
File size17,557
Date (UTC)06-Jul-2013
Time (UTC)03:42
PlatformNot applicable

↑ Back to the top

Keywords: kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, kbexpertiseadvanced, kb

↑ Back to the top

Article Info
Article ID : 2862566
Revision : 1
Created on : 1/7/2017
Published on : 10/21/2013
Exists online : False
Views : 214