How to restrict the lookup of isolated names to external trusted domains in Windows Server

Article translations Article translations
Article ID: 818024 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Expand all | Collapse all

On This Page

Summary

By default, when the LookupAccountName function or the LsaLookupNames function resolves isolated names to security identifiers (SIDs) in Windows Server, a remote procedure call (RPC) is made to domain controllers on external trusted domains. (An isolated name is an ambiguous, non-domain-qualified user account.) In situations in which the primary domain has many external trust relationships with other domains or in which many lookups are performed at the same time, performance may decrease. You may see increased memory usage and increased CPU usage on the domain controller.

The LookupAccountName function and the LsaLookupNames function can also be called by scripts or tools that edit security settings. There, account names must be mapped to SIDs. Examples of tools that you can use to edit security settings are Cacls.exe, Xcacls.exe, icacls, Dsacls.exe, and Subinacl.exe. 

This article describes how to edit the registry to control whether the lookup of isolated names is performed in external trusted domains in Windows Server.

More information

The lookup functions accept names that use the following formats:
  • NetBIOSDomainName\AccountName
  • DnsDomainName\AccountName
  • (UPN) AccountName@DnsDomainName
  • (Isolated) AccountName
For the first three name formats in the list, the lookup functions can directly target a domain controller on the appropriate domain because these name formats contain the domain that is authoritative for the security principal.

The fourth name format, (Isolated) AccountName, is ambiguous. The lookup functions must systematically try to resolve the name to an SID by making an RPC to every trusted domain. For environments where many external trusts exist, this operation may require a serial enumeration of the trusted domains that involves making an RPC to a domain controller on each domain. In this scenario, performance decreases as the number of trusted domains increases.

If a script or a program tries to resolve an isolated name, performance may be slow. For example, this problem may occur if the script or the program is configured to run at logon time. The problem may also occur if the script or the program runs on many clients at the same time. In environments with many external trusted domains that use such programs, you may want to disable the lookup and resolution of isolated names to SIDs for external trusted domains.

Edit the registry to disable (or enable) the lookup of isolated names in external trusted domains

Important If you are running Windows 2000 Server, you have to first install the hotfix that is described in the "Windows 2000 Server hotfix information" section later in this article before you can use this procedure.

To edit the registry to control whether lookup of isolated names is performed in external trusted domains, create the following registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevel
  • If this entry does not exist, or if the value is set to 0, lookup for isolated names is performed across external trusted domains.
  • If this registry entry is set to 1, lookup for isolated names is not performed across external trusted domains.
By default, lookup for isolated names is performed across external trusted domains, and the
LsaLookupRestrictIsolatedNameLevel
entry is not present in the registry.

To create the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevel
registry entry and to disable or to enable the lookup of isolated names in external trusted domains, follow these steps.

Note Create this registry entry only on domain controllers.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate, and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type LsaLookupRestrictIsolatedNameLevel, and then press ENTER.
  6. On the Edit menu, click Modify.
  7. Do one of the following, depending on your situation:
    • To disable the lookup of isolated names in external trusted domains, type 1 in the Value data box.
    • To enable the lookup of isolated names in external trusted domains, type 0 in the Value data box.
  8. Click OK, and then quit Registry Editor.

Windows 2000 Server hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

This hotfix requires Microsoft Windows 2000 Service Pack 3 (SP3).

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Date         Time   Version        Size     File name 
--------------------------------------------------------
25-Sep-2003  12:11  5.0.2195.6824  124,688  Adsldp.dll 
25-Sep-2003  12:11  5.0.2195.6824  132,368  Adsldpc.dll 
25-Sep-2003  12:11  5.0.2195.6824  63,760   Adsmsext.dll 
25-Sep-2003  12:11  5.0.2195.6824  381,712  Advapi32.dll 
25-Sep-2003  12:11  5.0.2195.6824  69,904   Browser.dll 
25-Sep-2003  12:11  5.0.2195.6824  136,464  Dnsapi.dll 
25-Sep-2003  12:11  5.0.2195.6824  96,016   Dnsrslvr.dll 
25-Sep-2003  12:11  5.0.2195.6824  47,376   Eventlog.dll 
25-Sep-2003  12:11  5.0.2195.6824  148,240  Kdcsvc.dll 
20-Sep-2003  15:32  5.0.2195.6824  205,584  Kerberos.dll 
20-Sep-2003  15:32  5.0.2195.6824  71,888   Ksecdd.sys 
25-Sep-2003  08:58  5.0.2195.6826  510,224  Lsasrv.dll 
25-Sep-2003  08:58  5.0.2195.6826  33,552   Lsass.exe 
20-Sep-2003  15:32  5.0.2195.6824  109,840  Msv1_0.dll 
25-Sep-2003  12:11  5.0.2195.6824  307,984  Netapi32.dll 
25-Sep-2003  12:11  5.0.2195.6824  361,232  Netlogon.dll 
25-Sep-2003  12:11  5.0.2195.6826  931,600  Ntdsa.dll 
25-Sep-2003  12:11  5.0.2195.6824  392,464  Samsrv.dll 
25-Sep-2003  12:11  5.0.2195.6824  113,936  Scecli.dll 
25-Sep-2003  12:11  5.0.2195.6824  259,856  Scesrv.dll 
25-Sep-2003  12:11  5.0.2195.6824  48,912   W32time.dll 
20-Sep-2003  15:32  5.0.2195.6824  57,104   W32tm.exe 
25-Sep-2003  12:11  5.0.2195.6824  126,224  Wldap32.dll

Properties

Article ID: 818024 - Last Review: January 8, 2014 - Revision: 10.0
Applies to
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Server 2003 Service Pack 2
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows Server 2012 Datacenter
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 R2 Standard
Keywords: 
kbautohotfix kbhotfixserver kbqfe kbwin2000presp5fix kbhowto KB818024

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com