[gptalk] Re: Domain controller firewall setttings...

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sat, 18 Nov 2006 07:51:40 -0800

The algorithm that is used to determine whether to apply the standard or
domain profiles is pretty simple. Basically it's, "if the DNS suffix of the
current active non-PPP, non-SLIP network connection to the DC is the same as
the last time that GP was applied successfully, then a domain profile is
assumed". That "last time" value is found in the registry under
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\Network
Name. Usually what happens is that the DNS suffix on the active connection
is set to nothing or something whacky. If you do an ipconfig /all, you will
see what the current active DNS suffix is on your DC. If you're getting DNS
directly from your ISP, then it may be their DNS name, like *.comcast.net.
However, if not, it should be your AD domain's DNS name, which is correct.
The next step is to look in the registry in the location above and see
what's shown there. It should be the domain's DNS name. If not, then that
could be a problem as well. You can update this NetworkName value manually,
then disable and re-enable the LAN adapter on that DC, and that should force
domain profile if both DNS suffixes are identical.

Darren
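
The comparison described in the message above, as an added PowerShell example for checking a DC read-only (not code from the thread's authors or from Microsoft). The function name `Get-ExpectedFirewallProfile` is hypothetical, the WMI `DNSDomain` property stands in for the connection suffix shown by `ipconfig /all`, and the PPP/SLIP exclusion is not implemented.

```powershell
# Added example for Windows PowerShell; it only reads state and changes nothing.
# Registry location and the NetworkName value are the ones named in the message.
$historyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'

function Get-ExpectedFirewallProfile {
    # Hypothetical helper: applies the rule from the message to supplied values.
    param(
        [string]$LastGpNetworkName,     # NetworkName recorded at the last successful GP run
        [string[]]$ConnectionSuffixes   # connection-specific DNS suffix of each active adapter
    )
    # Blank suffixes can never match: this is the "set to nothing" case.
    $active = @($ConnectionSuffixes | Where-Object { $_ -and $_.Trim() })
    if (-not $LastGpNetworkName -or $active.Count -eq 0) { return 'Standard' }

    $wanted = $LastGpNetworkName.Trim().TrimEnd('.')
    foreach ($suffix in $active) {
        # DNS names are case-insensitive; -eq on strings ignores case in PowerShell.
        if ($suffix.Trim().TrimEnd('.') -eq $wanted) { return 'Domain' }
    }
    return 'Standard'
}

# Value written by Group Policy; $null if the value is missing.
$recorded = (Get-ItemProperty -Path $historyKey -Name NetworkName `
                -ErrorAction SilentlyContinue).NetworkName

# Assumption: every IP-enabled adapter is listed, including any dial-up or VPN
# adapter, so PPP/SLIP connections have to be discounted by hand.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$adapters | Select-Object Description,
    @{ Name = 'ConnectionSuffix';  Expression = { $_.DNSDomain } },
    @{ Name = 'LastGpNetworkName'; Expression = { $recorded } },
    @{ Name = 'ExpectedProfile'
       Expression = { Get-ExpectedFirewallProfile $recorded @($_.DNSDomain) } }
```

A row showing `Standard` on the LAN adapter of a DC means the two values differ or one is blank, which is the condition the message says to correct before expecting domain-profile firewall settings to apply.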

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Pietrzak
Sent: Friday, November 17, 2006 10:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall setttings...


Darren,

Wow, this is really weird. Well, on my home domain, adding in my domain to
the DNS connection suffix did not make a difference. I took the following
steps...

1. I was able to replicate here at home. Create a new GPO at the domain
controller OU. In the standard profile, enabled the firewall, gpupdate,
reboot, the firewall was on. Then I turned it off.
2. Tried to do the same with the domain profile and as expected, no joy. The
firewall did not turn on when set to enabled in the domain profile.

3. In my TCP\IP settings, I added my domain suffix to both the "DNS suffix
for this connection:" and "Append these DNS suffixes in order". Tried again
with the GPO enabling the firewall with the domain profile and again,
nothing.

Well, at least I am able to replicate it. As best as I can tell, adding the
DNS suffix on my DC made no change. Did it work for you in that manner?

Thanks again,

Michael

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Fri 11/17/2006 4:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall setttings...
 
Michael-
Tell him to make sure he has a DNS connection suffix set on the DC's TCP/IP
properties. I'll bet it's blank now. That will probably get him the domain
profile.

The Hauppauge card is great! Thanks again. I'm using it with Vista MCE and it
rocks.
-----Original Message-----
From: "Michael Pietrzak" <mpietrzak@xxxxxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx
Sent: 11/17/2006 3:49 PM
Subject: [gptalk] Re: Domain controller firewall setttings...

Hi Darren,
 
He indicates that he has a new GPO linked at the domain controllers OU.
He has not modified the default domain controller gpo. In his new GPO, when
he sets it for "domain profile", the settings do not take hold on the DC.
But, when he sets the profile to Standard, they are applied.
 
Not sure if he can change them locally when he states the settings are
applied. I will ask now.
 
Thanks!
 
Michael
 
ps, how is your Hauppauge card working out?

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, November 17, 2006 3:40 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall setttings...


Michael-
Normally when you deliver WF settings via Group Policy, the ability to
manually change the firewall settings at the client machine is grayed out
(i.e. unavailable) regardless of which profile is in effect. It sounds like
you're saying that is only true if the DC is operating in domain profile
mode. But, when a standard profile is detected, he is able to change them
locally? Correct? 
 
Darren

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Pietrzak
Sent: Friday, November 17, 2006 2:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Domain controller firewall setttings...


A co-worker of mine is trying to control his domain controller's firewall
settings via group policies. He has enabled the server 2003 firewall and is
unable to modify the DC's firewall settings when the policy is set at
"domain profile". He is able to modify the firewall when it is set to
standard profile.
 
Has anyone seen anything like this before and\or can anyone confirm if this
is standard?
 
Thanks,
 
Michael Pietrzak
SDSU


[truncated by sender]
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

