Most people spend the short days and long nights of December with loved ones. At Microsoft, December is a vacation month for a lot of employees as the end of December marks the first half of the fiscal year and targets have mostly been met. For the Active Directory team, however, December marked the fourth Active Directory-related Security Bulletin for 2011. After all that, it’s amazing they still found time for the KnowledgeBase articles below:
New KnowledgeBase articles
2641192 The badPwdCount attribute is not reset to 0 on a Windows Server 2008 R2-based PDC when the reset request is sent from an RODC
In a specific scenario, the badPwdCount attribute for a user account is reset to 0 on a Read-only Domain Controller (RODC). However, the badPwdCount attribute is not reset to 0 on the Domain Controller holding the Primary Domain Controller emulator (PDCe) FSMO role. The expected behavior is that the badPwdCount attribute is reset to 0 on both the RODC and the PDCe. Because of this issue, the user account is locked out incorrectly when the total number of incorrect password attempts exceeds the value set in the Account Lockout Threshold Group Policy setting. This issue occurs because the Security Accounts Manager (SAM) server does not support badPwdCount reset requests that come from an RODC. A hotfix is available; it needs to be installed on all writable Domain Controllers in domains that contain Read-only Domain Controllers.
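Because badPwdCount is not replicated, the only way to see whether the RODC reset actually reached the PDCe is to ask every DC individually. The following PowerShell script is an added example, not part of the KB article or of Microsoft's hotfix: it reports the per-DC badPwdCount for one account and warns when an RODC shows 0 while the PDCe still holds a non-zero count. It assumes the ActiveDirectory module (RSAT) is installed and that the `$SamAccountName` parameter is supplied by the caller.

```powershell
# Added example (not from KB 2641192): compare badPwdCount for one account
# across all DCs and flag an RODC/PDCe mismatch. Assumes the ActiveDirectory
# module is available; $SamAccountName is the account to inspect.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

# badPwdCount and lockoutTime are non-replicated, so query each DC directly.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, lockoutTime -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            IsRODC      = [bool]$dc.IsReadOnly
            IsPDCe      = ($dc.HostName -ieq $pdc)
            BadPwdCount = [int]$u.badPwdCount
            LockedOut   = ([int64]$u.lockoutTime -gt 0)
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

$rows | Sort-Object IsPDCe, IsRODC -Descending | Format-Table -AutoSize

# The symptom described above: an RODC has reset the counter to 0, but the
# PDCe never received a usable reset request and still counts toward lockout.
$rodcReset = $rows | Where-Object { $_.IsRODC -and $_.BadPwdCount -eq 0 }
$pdcRow    = $rows | Where-Object { $_.IsPDCe } | Select-Object -First 1
if ($rodcReset -and $pdcRow -and $pdcRow.BadPwdCount -gt 0) {
    Write-Warning ("PDCe $($pdcRow.DC) still reports badPwdCount=$($pdcRow.BadPwdCount) " +
                   "although an RODC reports 0; verify KB 2641192 is installed on the writable DCs.")
}
```

Run it against an account right after a successful logon through an RODC; a healthy domain shows 0 on both the RODC and the PDCe.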
2636585 Proquota.exe uses incorrect profile quota Group Policy settings in Windows Vista or in Windows Server 2008
On domain-joined Windows Vista Service Pack 2 and Windows Server 2008 SP2 computers with multiple Group Policy objects (GPOs) applied, each containing the Limit profile size setting (under User Configuration\Administrative Templates\System\User Profiles), the Profile Quota Manager tool (Proquota.exe) may receive incorrect profile quota settings. This behavior causes data loss when the incorrect quota size that is actually applied is too small for the user's profile.
2635621 A Windows Server 2008-based OCSP responder logs incorrect "thisUpdate" time stamp in the OCSP response
A logging issue exists on a Windows Server 2008-based Online Certificate Status Protocol (OCSP) responder in a network environment. The value of the thisUpdate time stamp in the OCSP response is outdated by 24 hours; a more recent time stamp, based on the latest-issued delta certificate revocation list (CRL), should have been used instead. A hotfix is available.
2638957 You cannot generate an RSoP report by using the "gpresult /h" command in Windows Vista or in Windows Server 2008
Windows Server 2008 R2-based ADMX files contain a new element that is incompatible with the Group Policy tools on a computer that is running Windows Vista or Windows Server 2008. When you use the tools on these platforms you will encounter an error. The workaround is to manage Group Policy from Windows 7 or Windows Server 2008 R2, but a hotfix is also available that allows the Group Policy Central Store on Windows Server 2008 R2 Domain Controllers to be managed from Windows Vista and Windows Server 2008.
2634157 DNS name resolution fails when using a long CNAME or DNAME chain record in Windows Server 2008
CNAME and DNAME resource records can be used in DNS to point multiple DNS names to a single IP address. Chaining these records is considered a bad practice, and under certain circumstances in Windows Server 2008 DNS it can lead to subsequent lookup failures once the cached CNAME or DNAME chain expires. A hotfix is available.
2605692 An update is available to enable simple delegation in AD RMS on Windows Server 2008 R2-based computers
This article introduces an update for Windows Server 2008 R2 that enables simple delegation in Active Directory Rights Management Services (AD RMS). After you install this update, the rights of an executive can easily be delegated to assistants. This update enables the assistants to have the same level of access permission to Information Rights Management (IRM)-protected content as the executive.