Windows 2000 Essay, Research Paper
Microsoft® Windows® 2000 Professional,
Windows 2000 Server, and
Windows 2000 Advanced Server
Release Notes
This document provides late-breaking or other information that supplements the Microsoft Windows 2000 documentation.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Active Directory, DirectX, FrontPage, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual FoxPro, Visual InterDev, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.
This product contains graphics filter software; this software is based in part on the work of the Independent JPEG Group.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
Networking and Communications
Change and Configuration Management (IntelliMirror)
Windows Management Instrumentation
Security
Directory Services
Component Services
Microsoft Data Access Components
Internet Services
Microsoft Windows 2000 Server Media™ Services
Storage Notes
Hardware
Application Notes
Printing Notes
Terminal Services
Windows 2000 Advanced Server
Introduction
This document provides late-breaking or other information that supplements the Microsoft Windows 2000 documentation. The Windows 2000 compact disc (CD) includes the following release notes files:
• Read1st.txt, which contains important preinstallation information and is located in the Windows 2000 CD root directory
• Installation chapters from the Getting Started Guide, which include system requirements information and are located in the \Setuptxt folder on your Windows 2000 CD
• Readme.doc, which contains compatibility and post-installation notes and is located in the Windows 2000 CD root directory
• The Hardware Compatibility List. For the most up-to-date list of supported hardware, see the Hardware Compatibility List at the Microsoft Web site (http://www.microsoft.com/hcl/). Your Windows 2000 CD includes a copy of this list (drive:\Support\Hcl.txt) that was accurate as of the date Windows 2000 was released.
To review the latest Application Compatibility information, see the Microsoft Windows 2000 Product Compatibility Web site at:
http://www.microsoft.com/windows2000/compatible/
To review the latest release notes and updated information for Windows 2000, see the Microsoft Knowledge Base on the Microsoft Personal Online Support Web site at:
http://support.microsoft.com/support/
Networking and Communications
The following sections describe Windows 2000 issues related to networking and communications.
Routing and Remote Access
This section describes a known issue related to Windows 2000 Routing and Remote Access.
Enabling Windows NT® 4.0 RAS Servers in a Windows 2000 Domain
If you are using Windows NT 4.0 Remote Access Service (RAS) servers in a Windows 2000 domain, they must be running Service Pack 4 (SP4) or later. Otherwise, they cannot access the Windows 2000 domain controllers to verify that a user has dial-in permissions. Also, if you set up a Windows NT 4.0 RAS or Routing and Remote Access Service (RRAS) server as a member of a Windows 2000 domain, you must make certain adjustments to Active Directory™ so that the server can access the Remote Access credentials of domain accounts.
You can adjust Active Directory to allow Windows NT 4.0 RAS servers by using either of the following methods:
• When you create a Windows 2000 domain by using the Active Directory Installation wizard to upgrade a server to a domain controller, select the option to allow legacy servers to access Active Directory. If you enabled this access when you created the domain, no further action is required.
• If you add a Windows NT 4.0 RAS server to a domain that has not been adjusted to allow legacy server access, you can use the following command to adjust domain security for legacy server access:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
After executing this command, you must restart the domain controller.
TAPI
This section describes issues related to TAPI in Windows 2000.
ATI-TV Tuner Video Cards Are Not Supported for Use With TAPI
TAPI does not support the use of ATI video cards that incorporate TV tuners, including but not limited to ATI-TV, ATI-TV WONDER, and All-in-Wonder models. This will be addressed in a future release.
Kodak USB Cameras Are Not Supported
Windows 2000 does not include drivers for Kodak Universal Serial Bus (USB) cameras. To download the latest drivers, visit the Kodak Web site at:
http://www.kodak.com/
This will be addressed in a future release.
Note
Web addresses can change, so you may be unable to connect to the Web site mentioned here.
DHCP
In the online Help for the Dynamic Host Configuration Protocol (DHCP) servers, the instructions that describe how to move a DHCP database from one server to another are incomplete. For complete instructions, see the Knowledge Base on the Microsoft Personal Online Support Web site at:
http://support.microsoft.com/support/
Autonet
On a multi-homed computer, if two or more interfaces are using an Automatic Private Internet Protocol Addressing (APIPA)-based address simultaneously, the routing behavior of the computer for any destination on the APIPA subnet is inconsistent. For more information about this Autonet issue, visit the Knowledge Base on the Microsoft Personal Online Support Web site at:
http://support.microsoft.com/support/
Change and Configuration Management (IntelliMirror)
The following section describes Windows 2000 issues related to change and configuration management.
Group Policy
It is strongly recommended that you limit the computer name used by domain controllers to 15 characters. Longer computer names may cause installation to fail for applications that are deployed by using the Software Installation snap-in to Group Policy. For more detailed information, see the Knowledge Base on the Microsoft Personal Online Support Web site at:
http://support.microsoft.com/support/
Also, to review information about a related issue, see the “Active Directory Domain Name Length Restriction” topic later in this document.
Windows Management Instrumentation
The following section describes Windows 2000 issues related to Windows Management Instrumentation (WMI).
WMI ODBC Driver
When you upgrade your computer to Windows 2000, the previous installation of the WMI open database connectivity (ODBC) driver is deleted. The Windows 2000-compatible driver for WMI ODBC is located on the Windows 2000 CD in the ValuAdd\MSFT\MGMT\WBEMODBC folder.
Security
The following sections describe issues related to Windows 2000 security features.
Certificate Services
This section describes issues related to Certificate Services in Windows 2000.
Certificate Services Setup Fails
If the name of the computer contains non-International Alphabet 5 (IA5) characters, such as non-English characters, Certificate Services Setup fails. Use only IA5 characters to name a computer. This will be addressed in a future release.
PKI Services Fail If the DNS Computer Name Is Greater than 64 Characters
If the fully qualified Domain Name System (DNS) computer name is greater than 64 characters, Public Key Infrastructure (PKI) services fail. This causes the following processes to fail:
• Enterprise Certificate Authority (CA) installation
• Domain controller and computer automatic enrollment
• Internet Protocol Security (IPSec) enrollment
Installation of Certificate Services in a Child Domain
To install Certificate Services for a child domain in the enterprise, you must be a member of the Enterprise Administrators group, which is in the parent domain.
CA Service Stops Running After a File System Upgrade from FAT to NTFS
The CA service stops running after a file system upgrade from FAT to the NTFS file system. The following message appears in the application log:
“Certificate Services did not start: Unable to initialize the database connection for *Your CA Name here*. Class not registered 0x80040154.”
As a workaround, uninstall the CA service and then re-install it using the same CA name, key pair, and database as the previous installation.
Upgrade of Subordinate CA from Windows NT 4.0 Certificate Server
After you upgrade a subordinate CA that is running Windows NT 4.0 Option Pack Certificate Server 1.0 to Windows 2000, you must perform a CA renewal operation and create a new CA certificate with the Basic Constraints field set to TRUE for the CA value. Before the SP6 release of Windows NT 4.0, the Certificate Server 1.0 product did not set the CA value to TRUE in the Basic Constraints field in the CA certificate. In SP6, if you are installing the CA for the first time, the CA value is set to TRUE in the CA certificate. In Windows 2000, if you are installing the CA for the first time or if you are performing a CA renewal operation on an existing CA, the CA value is set to TRUE in the CA certificate.
Default Security Settings
This section describes issues related to the default security settings in Windows 2000.
File and Registry Permissions Are Changed During Upgrade
The default security settings for a clean installation are also applied when you upgrade to Windows 2000. Applying the same default security settings ensures that access permissions for the registry and for Windows 2000 system directories and files are set consistently. However, if the default security settings are not sufficient after you upgrade to Windows 2000, you should reapply any custom settings that you applied before the upgrade.
Windows NT 4.0 Users May Need Power User Capabilities After Upgrade
The default security settings for a clean installation are also applied when you upgrade to Windows 2000. For more information about how these default security settings are applied, see “File and Registry Permissions Are Changed During Upgrade,” earlier in this document.
In Windows 2000, the permissions for users who do not have administrator or power user privileges are substantially more secure than in Windows NT 4.0. As a result, most non-certified legacy applications do not run successfully for typical users of Windows 2000. Therefore, after you upgrade to Windows 2000 and default security settings are applied, you may need to give power user capabilities to Windows NT 4.0 users.
When you upgrade from Windows NT 4.0 Workstation, you can provide power user capabilities automatically by adding the Interactive group to the Power Users group. Then, when Windows NT 4.0 users log on locally, they become power users on Windows 2000. Because Windows 2000 power users have the same access control permissions as Windows NT 4.0 users, these users can continue to run non-certified legacy applications after they upgrade to Windows 2000.
Notes
When you upgrade from previous versions of Windows 2000 or install Windows 2000 Server, the Interactive group is not added to the Power Users group.
Certified Windows 2000 applications run successfully for a typical user on Windows 2000. Therefore, certified applications offer the highest level of security without sacrificing application functionality.
Service Account Must Be Manually Added to the Power Users Group After Upgrade
The default security settings for a clean installation are also applied when you upgrade to Windows 2000. For more information about how these default security settings are applied, see “File and Registry Permissions Are Changed During Upgrade,” earlier in this document.
After the default security settings are applied in Windows 2000, services that previously ran under a non-administrative or non-system context on Windows NT 4.0 may no longer work properly. This occurs because Windows 2000 users have fewer permissions than Windows NT 4.0 users. Therefore, after you upgrade to Windows 2000, you must manually add the service account to the Power Users group.
High Encryption Pack—Upgrading from 128-bit Encryption on Down-Level Platforms
When you upgrade the 128-bit version of Windows 95 with Microsoft Internet Explorer 3.02 to Windows 2000, the encryption is reduced to 40-bit. As a workaround, you can install the Windows 2000 High Encryption Pack, which enables you to upgrade to 128-bit encryption.
EFS Recovery and Private Key Issues When Joining a New Windows 2000 Domain
When you upgrade a computer from Windows 95 or Windows 98 to Windows 2000, you may experience problems after joining the new domain because of issues with Encrypting File System (EFS) recovery and migrating private cryptographic keys. After you upgrade the computer, you should not use EFS until the computer actually joins the new domain. If you use EFS before your computer joins the domain, any files that you encrypt with EFS are inaccessible to your domain logon account. In addition, you should not run applications that use private cryptographic keys until the computer actually joins the new domain. If you generate and use private cryptographic keys before your computer joins the domain, these keys are unavailable to your domain logon account.
Directory Services
The following sections describe issues related to Windows 2000 directory services features.
Active Directory Domain Name Length Restriction
The fully qualified DNS name of an Active Directory domain, for example, example.microsoft.com, is restricted to 64 UCS Transformation Format 8 (UTF-8) bytes in length. This limit does not apply to computer names.
One ASCII character is equal to one UTF-8 byte in length. Non-ASCII characters, such as other Unicode characters, have a variable-length encoding that can be up to three bytes in length. To estimate the size of a name in bytes, count each ASCII character as one byte and each non-ASCII character as three bytes.
Before you deploy Active Directory, verify that all of your planned domain names do not exceed 64 UTF-8 bytes in length.
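The naming limits in these notes can be checked against planned names before deployment. The following Python code is an added example, not part of the Microsoft release notes: it applies the 64-byte UTF-8 domain name limit from this section, the 64-character computer FQDN limit and the IA5 requirement from the Certificate Services notes, and the 15-character domain controller recommendation from the Group Policy note. The function names and sample names are hypothetical; only the limits come from this document.

```python
# Added example: name checks built from the limits stated in these release notes.
# Function names and sample names are hypothetical; only the limits come from the page.

MAX_DOMAIN_UTF8_BYTES = 64   # Active Directory domain FQDN limit, in UTF-8 bytes
MAX_PKI_FQDN_CHARS = 64      # PKI services fail above this computer FQDN length
MAX_DC_NAME_CHARS = 15       # recommended limit for domain controller names


def estimated_utf8_bytes(name):
    """The page's estimate: 1 byte per ASCII character, 3 per non-ASCII character."""
    return sum(1 if ord(ch) < 128 else 3 for ch in name)


def is_ia5(name):
    """IA5 is a 7-bit character set, so every code point must be below 128."""
    return all(ord(ch) < 128 for ch in name)


def check_domain_name(domain_fqdn):
    """Return (actual_bytes, estimated_bytes, within_limit) for a planned domain."""
    actual = len(domain_fqdn.encode("utf-8"))
    return actual, estimated_utf8_bytes(domain_fqdn), actual <= MAX_DOMAIN_UTF8_BYTES


def check_computer(computer_name, domain_fqdn, is_domain_controller=False):
    """Return a list of findings for one planned computer name (empty if none)."""
    findings = []
    fqdn = computer_name + "." + domain_fqdn
    if not is_ia5(computer_name):
        findings.append("non-IA5 characters: Certificate Services Setup fails")
    if len(fqdn) > MAX_PKI_FQDN_CHARS:
        findings.append("FQDN is %d characters: PKI services fail" % len(fqdn))
    if is_domain_controller and len(computer_name) > MAX_DC_NAME_CHARS:
        findings.append("domain controller name exceeds 15 characters")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from the release notes.
    domain = "münchen.example.com"
    print(domain, check_domain_name(domain))
    for name, dc in (("dc01", True), ("build-server-frankfurt-01", True), ("büro-pc", False)):
        print(name, check_computer(name, domain, dc) or "ok")
```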
Message Queuing
This section describes issues related to the installation of Message Queuing.
Installing Message Queuing on Computers that Do Not Have MSMQ 1.0 Installed
This section describes issues related to the installation of Message Queuing on computers that do not have Microsoft Message Queue Server (MSMQ) 1.0 installed.
Administrative Permissions Required to Run Message Queuing Setup
The following permissions are required to install Message Queuing on a computer:
• When you install Message Queuing in either a workgroup or a domain environment, you must have local administrative permissions for the computer.
• If you are installing Message Queuing on a Windows 2000 domain controller, you must have permission to create the msmqSettings object that represents the computer on which you are installing Message Queuing. The msmqSettings object is located under the applicable server object. This applicable server object is located under the Servers object, which is located under the applicable site object in Active Directory Sites and Services.
Alternatively, you can have domain administrative permissions, or you can belong to the Domain Administrators group, which has this permission by default.
• If you are installing a Message Queuing server with routing enabled on a nondomain controller, you must have permission to create the applicable server object that represents the computer on which you are installing the Message Queuing server. This object is located under the Servers object, which is located under the applicable site object in Active Directory Sites and Services.
Alternatively, you can have enterprise administrative permissions, or you can belong to the Enterprise Administrators group, which has this permission by default. In addition, if, when you are prompted during Message Queuing Setup, you enter the name of a Message Queuing server that is running on a Windows 2000 domain controller in the local domain, domain administrative permissions are sufficient.