Hotfix to Increase Performance of Directory Service Queries in Large Domains (313065)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Datacenter Server SP2

This article was previously published under Q313065

SYMPTOMS

On a heavily loaded domain controller that is a member of a large domain, you may experience intermittent delays in Kerberos-related operations, such as cross-domain authentication.

CAUSE

This is primarily a performance issue that occurs because the Directory Service uses the objectClass table to perform Active Directory queries. Because this table is not indexed, these queries are less efficient than they would be against an indexed table.

This issue is most noticeable in a large domain and on a heavily loaded domain controller, because the domain controller may put a write lock on the trusted domain list, causing Kerberos work-related threads to become backlogged.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English-language version of this fix should have the following file attributes or later:
   Date         Time   Version           Size     File name
   -----------------------------------------------------------
   27-Nov-2001  01:10  5.0.2195.4600     123,664  Adsldp.dll       
   27-Nov-2001  01:10  5.0.2195.4628     130,320  Adsldpc.dll      
   27-Nov-2001  01:10  5.0.2195.4016      62,736  Adsmsext.dll     
   27-Nov-2001  01:09  5.0.2195.4653     356,112  Advapi32.dll     
   27-Nov-2001  01:10  5.0.2195.4571      82,704  Cmnquery.dll     
   27-Nov-2001  01:09  5.0.2195.4141     133,904  Dnsapi.dll       
   27-Nov-2001  01:10  5.0.2195.4379      91,408  Dnsrslvr.dll     
   27-Nov-2001  01:10  5.0.2195.4534      41,744  Dsfolder.dll     
   27-Nov-2001  01:10  5.0.2195.4534     156,944  Dsquery.dll      
   27-Nov-2001  01:10  5.0.2195.4574     110,352  Dsuiext.dll      
   27-Nov-2001  01:37  5.0.2195.4682     521,488  Instlsa5.dll     
   27-Nov-2001  01:10  5.0.2195.4630     145,680  Kdcsvc.dll       
   27-Nov-2001  00:33  5.0.2195.4680     199,440  Kerberos.dll     
   04-Sep-2001  16:32  5.0.2195.4276      71,024  Ksecdd.sys
   27-Nov-2001  00:51  5.0.2195.4682     503,568  Lsasrv.dll       
   27-Nov-2001  00:52  5.0.2195.4682      33,552  Lsass.exe        
   27-Nov-2001  00:32  5.0.2195.4680     107,280  Msv1_0.dll       
   27-Nov-2001  01:10  5.0.2195.4594     306,960  Netapi32.dll     
   27-Nov-2001  01:10  5.0.2195.4603     358,672  Netlogon.dll     
   27-Nov-2001  01:10  5.0.2195.4650     913,168  Ntdsa.dll        
   27-Nov-2001  01:10  5.0.2195.4627     387,856  Samsrv.dll       
   27-Nov-2001  01:10  5.0.2195.4583     128,784  Scecli.dll       
   27-Nov-2001  01:10  5.0.2195.4600     299,792  Scesrv.dll       
   27-Nov-2001  01:10  5.0.2195.4600      48,400  W32time.dll      
   06-Nov-2001  19:43  5.0.2195.4600      56,592  W32tm.exe        
   27-Nov-2001  01:09  5.0.2195.4600     125,712  Wldap32.dll      
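
An added example, not part of the original article or any Microsoft tooling: one way to check a collected file inventory against the table above, comparing versions numerically so that "or later" is evaluated correctly. The manifest rows are a subset copied from the article; the function names and the installed-version inventory are constructed assumptions.

```python
import re

# Subset of rows copied from the article's table.
# Columns: Date  Time  Version  Size  File name
MANIFEST = """\
27-Nov-2001  01:10  5.0.2195.4630     145,680  Kdcsvc.dll
27-Nov-2001  00:33  5.0.2195.4680     199,440  Kerberos.dll
27-Nov-2001  00:51  5.0.2195.4682     503,568  Lsasrv.dll
27-Nov-2001  01:10  5.0.2195.4650     913,168  Ntdsa.dll
04-Sep-2001  16:32  5.0.2195.4276      71,024  Ksecdd.sys
"""

ROW = re.compile(r"^\s*\d{2}-\w{3}-\d{4}\s+\d{2}:\d{2}\s+(\d+(?:\.\d+){3})\s+[\d,]+\s+(\S+)\s*$")

def parse_version(text):
    """'5.0.2195.4682' -> (5, 0, 2195, 4682) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    """Return {lowercase file name: minimum version tuple} from the table rows."""
    required = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            required[m.group(2).lower()] = parse_version(m.group(1))
    return required

def audit(required, installed):
    """Classify each required file as 'ok', 'outdated' or 'missing'."""
    found = {name.lower(): parse_version(v) for name, v in installed.items()}
    report = {}
    for name, minimum in required.items():
        have = found.get(name)
        # "These file attributes or later": an equal or newer version passes.
        report[name] = "missing" if have is None else "ok" if have >= minimum else "outdated"
    return report

# Constructed inventory for illustration, not real host data.
SAMPLE_INSTALLED = {
    "KDCSVC.DLL": "5.0.2195.4630",   # exactly the listed version
    "kerberos.dll": "5.0.2195.980",  # older build; a plain string compare would pass it
    "lsasrv.dll": "5.0.2195.5000",   # later than listed
    "ntdsa.dll": "5.0.2195.4650",
}

if __name__ == "__main__":
    for name, status in sorted(audit(parse_manifest(MANIFEST), SAMPLE_INSTALLED).items()):
        print(f"{name:14} {status}")
```

File names are matched case-insensitively, and a file absent from the inventory is reported as missing rather than treated as compliant.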
				

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

This update changes the Active Directory query logic to perform the same search by using objectCategory (an indexed table) instead of the objectClass attribute, which increases the search speed by several orders of magnitude.

Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB313065