Stability and reliability update for Windows 7 and Windows Server 2008 R2.

Having just blogged about a Windows Server 2008 R2 and Windows 7 Application compatibility update, I discover additional updates for stability and reliability. These updates do not appear to be cumulative.

This one is dated April 2010 and I assume these updates are the Windows Server and client equivalent of the Exchange Rollup updates.

Issues resolved:

  • Windows Explorer crashes and then restarts when you access a third-party Control Panel item.
  • You cannot connect to an instance of SQL Server Analysis Services from an application in Windows 7 or in Windows Server 2008 R2 after you install Office Live Add-in 1.4 or Windows Live ID Sign-in Assistant 6.5.
  • Windows Explorer may stop responding for 30 seconds when a file or a directory is created or renamed after certain applications are installed.
  • The Welcome screen may be displayed for 30 seconds when you try to log on to a computer if you set the desktop background to a solid color.
  • You are not warned when you delete more than 1000 files at the same time. Then, the files are deleted permanently and are not moved to the Recycle Bin.

    This one is dated January 2010

    Issues resolved:

    • Keyboard function keys or keyboard shortcuts, such as mute or calculator, may not work correctly.

    • The notification icon for an application may be moved or lost when the executable application is updated.

    • On a computer that is running Windows 7, you configure the Screen Saver Settings to display the logon screen on resume. Additionally, you configure the computer to go to sleep. However, the computer may not go to sleep after the screen saver starts. Instead, a black screen is displayed. This problem causes the operating system to stop responding. You must restart the computer by holding down the power button.

    This one is dated October 2009

    Issues resolved:

    • When you view a PDF file that was created by using a 2007 Microsoft Office system document, the PDF file is displayed on the screen correctly. However, when the document is printed, some characters are missing. This problem occurs in fonts such as Calibri, Cambria, Courier New, or Gabriola in which character combinations such as “fi,” “ti,” “fl,” and other combinations are frequently presented as ligatures.

    • In certain scenarios, an Emergency Alert System (EAS) message does not automatically tune to the appropriate channel in Windows Media Center.

    • You connect a secondary monitor to a computer that is running Windows 7. When the computer resumes from hibernation, a black screen is displayed.

    • In certain scenarios, the Windows 7 Customer Experience Improvement Program (CEIP) diagnostic information settings are configured incorrectly for Windows Explorer. Only those users who are enrolled in the Windows 7 CEIP will be affected by this part of the update. This update limits the diagnostic information that can be collected by the CEIP.
    • You put an x86-based computer that does not have Physical Address Extension (PAE) enabled into hibernation. However, the computer does not enter hibernation correctly. When you try to resume the computer from hibernation, a black screen is displayed. This issue does not affect x64-based or Itanium-based computers, or computers that have the Data Execution Prevention (DEP) feature enabled.

    • A problem in Windows 7 affects the playback of certain media files in Windows Media Player when Windows Media Player is started from Windows Internet Explorer. Only those users whose media associations were changed incorrectly will be affected by this part of the update.

    • On a computer that is running Windows 7, you use Internet Explorer to open the certificate enrollment Web page and to install an end entity certificate. However, the installation fails. This issue occurs if the certificate chain for the new certificate cannot be built, or if the root certification authority (CA) has not first been installed in the Trusted Roots on the computer.

    This is an issue that I have come across and I thought it worth sharing.

    There is a hotfix available for Windows 7 and Windows Server 2008 R2 for the dsget utility.

    When the dsget user command is executed with the two switches -memberof and -expand, the output is incorrect. Only group information is expected to be returned, but both group and user information is displayed.

    Syntax: dsget user -memberof -expand

    KB Article

    Hotfix – Download

    A couple of weeks ago, there was a discussion around the fact that Microsoft now has hardcoded LDAP limits for Active Directory. This may not directly affect you in a Windows 2003 forest, but if you changed your LDAP policies to make a poorly written application work in Windows Server 2003, then in Windows Server 2008 and 2008 R2 you may have to modify the application rather than Active Directory, which might not be that simple.

    Further information:

    Hardcoded LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller. These limits overwrite the LDAP policy setting when the policy value should be higher.

    LDAP setting        Maximum value (hardcoded)
    MaxReceiveBuffer    20971520
    MaxPageSize         20000
    MaxQueryDuration    1200
    MaxTempTableSize    100000
    MaxValRange         5000


    Full KB Article:

    Windows Server 2008 R2 or Windows Server 2008 domain controller returns only 5000 attributes in a LDAP response
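
An added example (not from the KB article or the original post): a pre-upgrade check that takes LDAP policy values in the `Name=Value` form stored in a query policy's lDAPAdminLimits attribute and reports which ones a Windows Server 2008 or 2008 R2 domain controller would override with the hardcoded maximums listed above. The function names and the sample policy values are constructed for illustration.

```python
# Hardcoded maximums from the table above (Windows Server 2008 / 2008 R2).
HARDCODED_MAX = {
    "MaxReceiveBuffer": 20971520,
    "MaxPageSize": 20000,
    "MaxQueryDuration": 1200,
    "MaxTempTableSize": 100000,
    "MaxValRange": 5000,
}

def parse_admin_limits(values):
    """Parse 'Name=Value' strings into {name: int}; reject malformed entries."""
    limits = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value.isdigit():
            raise ValueError(f"malformed LDAP policy entry: {raw!r}")
        limits[name] = int(value)
    return limits

def effective_limits(configured):
    """Return {name: (configured, effective, overridden)} for every policy."""
    report = {}
    for name, value in configured.items():
        cap = HARDCODED_MAX.get(name)  # None: no hardcoded maximum listed
        effective = value if cap is None else min(value, cap)
        report[name] = (value, effective, effective != value)
    return report

def overridden_policies(values):
    """Names of policies whose configured value the DC will not honour."""
    report = effective_limits(parse_admin_limits(values))
    return sorted(n for n, (_, _, clamped) in report.items() if clamped)

# Constructed sample: a policy that was raised for a legacy application.
SAMPLE_POLICY = [
    "MaxPageSize=50000",
    "MaxValRange=10000",
    "MaxQueryDuration=120",
    "MaxTempTableSize=100000",
    "MaxReceiveBuffer=10485760",
    "MaxConnIdleTime=900",
]

if __name__ == "__main__":
    for name, (cfg, eff, clamped) in effective_limits(parse_admin_limits(SAMPLE_POLICY)).items():
        print(f"{name:18} configured={cfg:<9} effective={eff:<9} {'OVERRIDDEN' if clamped else 'ok'}")
```

Any policy reported as overridden marks an application that relied on the raised value and will need to page or range its queries instead.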

    In the companies that I work with, Active Directory and firewalls are often said in the same sentence. This KB article discusses the essential network ports, protocols and services that are used by Windows client and server operating systems, server-based programs and their subcomponents in the Windows server system.

    I have found this document to be invaluable when it comes to making Active Directory and other Windows components such as DFS-N and DFS-R work through a firewall.

    One of the reasons that I am adding this post is that this KB article is constantly evolving, and in the past six weeks alone I have seen 4 versions.

    30th March 2010 Version: 42.0
    9th April 2010 Version: 43.0
    23rd April 2010 Version: 44.0


    Active Directory environments configured to use Network Address Translation (NAT) appear to be a support scenario with multiple configurations, some supported and some unsupported. Detailed below is the information I have collated so far.

    Active Directory over NAT – KB 978772

    The Microsoft statement regarding Active Directory over NAT is:

    Active Directory over NAT has not been tested by Microsoft.
    We do not recommend Active Directory over NAT.
    Support for issues related to Active Directory over NAT will be very limited and will reach the bounds of commercially reasonable efforts very quickly.

    If you are tasked with configuring a network with NAT and you plan to run any Microsoft Server solution (including Active Directory) across the NAT, please contact Microsoft customer technical support using your preferred approach.

    Description of support boundaries for Active Directory over NAT

    Associated Articles

    Tim Springston – DCs and Network Address Translation

    Microsoft Online Dedicated Service Descriptions and Service Level Agreements

    Microsoft Online Services does not support the implementation of network address translation (NAT) technology between the customer and Microsoft domain controllers. Implementing NAT systems requires a highly specific configuration that is dependent on the networking products used. Even if successfully deployed, NAT systems and devices pose operational risks. They require that customers change their NAT configuration when Microsoft modifies its domain controller deployments. Without NAT reconfiguration, Microsoft authentication to the Customer Forest can fail.

    Download the agreements

    There will be a Critical (as the vulnerability allows remote code execution) out-of-band security patch for Internet Explorer 6 and 7 later today.

    Executive Summary

    Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

    Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

    The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

    At this time, we are aware of targeted attacks attempting to use this vulnerability. We (Microsoft) will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

    Microsoft Security Advisory (981374):
    Vulnerability in Internet Explorer Could Allow Remote Code Execution

    Microsoft Security Bulletin Advance Notification for March 2010: