You have a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2. When this computer is a member of a child domain, the computer cannot identify the network. This may cause the firewall on the computer to be set to the public profile.

When you run a Lightweight Directory Access Protocol (LDAP) query against a Windows Server 2008-based domain controller, you obtain a partial attribute list. However, if you run the same LDAP query against a Windows Server 2003-based domain controller, you obtain a full attribute list.

Note: You can run this query from the domain controller or from a client computer that is running Windows Vista or Windows Server 2008.

The user account that you use to run the LDAP query has the following properties:

• The account is a member of the built-in Administrators group.
• The account is not the built-in administrator account.
• The account is a member of the Domain Admins group.
• The discretionary access control list (DACL) of the user object contains full control permission for the Administrators group.
• The effective permissions of the object that you query against shows that the user has full control permission.

After you enable the credential roaming feature for a domain, the size of the Ntds.dit file becomes larger on one or more domain controllers that are running Windows Server 2003 or Windows Server 2008.

This problem may cause unexpected errors on the affected domain controllers. Domain administrators must monitor and maintain the Active Directory database to prevent possible errors.

To monitor this problem, you must set the logging level of Internal Processing events to 4 in Active Directory diagnostic event logging.

For more information about how to set the logging level, click the following article number to view the article in the Microsoft Knowledge Base:

314980 How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server

If the size of the Ntds.dit file grows abnormally after you set the logging level, the following event is logged in the Directory Service event log:

Event Type: Error Event Source: NTDS General Event Category: Internal Processing Event ID: 1481 Date: <Date> Time: <Time> User: <user name> Computer: <computer name> Description: Internal error: The operation on the object failed. Additional Data Error value: 1 00002083: AtrErr: DSID-0315115A, #1: 0: 00002083: DSID-0315115A, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90765 (msPKIDPAPIMasterKeys):len 1072

Consider the following scenario:

• You use the Group Policy Management MMC snap-in to define and configure some policies in a domain.
• You do either of the following:
  • You export some group policies, and then you import them into the current domain or into a new one.
  • You copy some group policies, and then you paste them into the current domain or into a new one.

In this scenario, the importing or the pasting action reports a “successful” result. However, some random group policies are missing after the importing or pasting action is finsihed.

For example, you define a wired network policy in a domain, and then you export it. You then import the policy into a new domain. After the importing process finishes, the defined wired network policy is missing in the new domain.

Consider the following scenario:

• In the Active Directory domain environment, you create the Predefined Windows Firewall outgoing and incoming rules for File and Printer Sharing and Network Discovery.
• You select Allow the connection for the Firewall outgoing and incoming rules.
• The Firewall rules are applied to the client computer.

In this scenario, you encounter the following issues on a client computer that is running Windows Vista or Windows Server 2008:

Issue 1
In Network and Sharing Center, you see that Network discovery and File sharing are turned off.

Issue 2
When you click View computers and devices, you do not see any computers in Network Explorer. Additionally, you receive the following message in the information bar of Network Explorer:

Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change…

When you logon or logoff from your domain with a newly built Windows Vista SP1 computer, you experience delays of about 5-10 minutes. This problem appears after you have joined the computer to an Active Directory domain.

You have a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer that is a member of a domain. When you disconnect from the network, you may experience a delay of 12 to 14 seconds before you can access the network again.

Notes:

• This issue usually occurs when the computer switches between a network that deploys Network Access Protection (NAP) enforcement and another network.
• This issue does not occur on a computer that is running the release version of Windows Vista or on a computer that is not a domain member.

In a Windows 2008-based domain that is using the Active Directory directory service, you enable a client computer to use smart card authentication to log on to the domain. However, when you try to log on to the domain from a Windows Vista-based or a Windows Server 2008-based client computer, the logon process may fail, and you may receive the following error message:

No valid certificates found
Check that the card is inserted

This issue occurs if the smart card certificate does not contain Microsoft Extended Key Usage (EKU).

Considering the following scenario:

• On a Windows Vista-based or Windows Server 2008-based computer, you are running a client application that must connect to a server application. For example, you are running a Microsoft SQL Server client, a Microsoft Internet Security and Acceleration (ISA) Server client, or a Microsoft Office Excel client.
• The computer that hosts the client application is in a workgroup or in a different domain from the domain that hosts the server application.
• On the client computer, you have stored the domain credentials in Credential Manager.
  Note: You can use the Stored User Names and Passwords feature in Control Panel to store credentials.

In this case, the client application that has to obtain domain credentials from Credential Manager cannot connect to the server application in the domain.

For example, assume that you store the domain credentials of an authenticated user in Domain A on a Windows Vista-based computer. This computer is in a workgroup. In this example, when you open SQL Server Management Studio, and you try to connect to a SQL Server installation in Domain A, you receive an error message that resembles the following:

The user is not associated with a trusted SQL Server Connection

Note: This issue does not occur on a Windows XP Service Pack 2 (SP2)-based computer.

Environment
Novell Client for Vista 1.0.0

Situation
The Vista workstation name had been changed previously. The Novell client for Vista had been installed, and upon first login, an error message is displayed: “The Domain name is not correct”