[gptalk] Re: Domain controller firewall settings...

  • From: "Michael Pietrzak" <mpietrzak@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 20 Nov 2006 09:17:03 -0800

Darren,

Another sys admin here just came across this tidbit in a MS kb article.
Could it be the cause of the "problem"?

Note: After promotion to being a Domain Controller the computer will
restart; after this first restart, the computer will use the Windows
Firewall's Domain Profile.  After the first replication completes
successfully and the computer is restarted, the Domain Controller will
use the Windows Firewall's Standard Profile.  So, to avoid problems,
make the Domain and Standard profiles for Domain Controllers identical. 

http://support.microsoft.com/kb/555381

Michael

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Saturday, November 18, 2006 7:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...

The algorithm that is used to determine whether to apply the standard or
domain profiles is pretty simple. Basically it's, "if the DNS suffix of
the current active non-PPP, non-SLIP network connection to the DC is the
same as the last time that GP was applied successfully, then a domain
profile is assumed". That "last time" value is found in the registry
under HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\Network Name.
Usually what happens is that the DNS suffix on the active connection is
set to nothing or something whacky. If you do an ipconfig /all, you will
see what the current active DNS suffix is on your DC. If you're getting
DNS directly from your ISP, then it may be their DNS name, like
*.comcast.net.
However, if not, it should be your AD domain's DNS name, which is
correct.
The next step is to look in the registry in the location above and see
what's shown there. It should be the domain's DNS name. If not, then
that could be a problem as well. You can update this NetworkName value
manually, then disable and re-enable the LAN adapter on that DC, and
that should force domain profile if both DNS suffixes are identical.

Darren

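A read-only diagnostic for the comparison Darren describes above (and for his earlier suggestion in this thread to check the DC's connection-specific DNS suffix). This is an added example, not code from the thread or from Microsoft: it reads the Group Policy history value and the DNS suffix on each IP-enabled adapter and reports which Windows Firewall profile the DC would be expected to select. It assumes the registry value is named `NetworkName` (the thread writes it both as "Network Name" and "NetworkName") and that it is run on the DC itself in an elevated PowerShell session; it changes nothing.

```powershell
# Added diagnostic (not from the thread). Compares the connection-specific
# DNS suffix on the DC's IP-enabled adapters with the network name that
# Group Policy recorded at its last successful refresh. Per Darren's
# description, a match selects the Domain profile; otherwise the Standard
# profile is used.
#
# Assumptions: the value is named "NetworkName" under the History key
# (assumed spelling); run elevated on the DC. Dial-up (PPP/SLIP) adapters
# are not filtered out here, so ignore any such rows in the output.

$historyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
$valueName  = 'NetworkName'

# Network name recorded at the last successful Group Policy refresh.
$recorded = (Get-ItemProperty -Path $historyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrEmpty($recorded)) {
    Write-Warning "No '$valueName' value under $historyKey; Group Policy has not recorded a network name."
}

# The AD DNS domain the DC belongs to; the suffix is expected to equal this.
$adDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

# DNSDomain on Win32_NetworkAdapterConfiguration is what "ipconfig /all"
# shows as "Connection-specific DNS Suffix".
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

$report = foreach ($a in $adapters) {
    $suffix = $a.DNSDomain
    $suffixMatchesRecorded = (-not [string]::IsNullOrEmpty($suffix)) -and
                             (-not [string]::IsNullOrEmpty($recorded)) -and
                             ($suffix -ieq $recorded)

    $note = if ([string]::IsNullOrEmpty($suffix)) {
        'Connection suffix is blank (the case Darren describes)'
    } elseif ($suffix -ine $adDomain) {
        "Connection suffix differs from AD domain '$adDomain'"
    } elseif (-not $suffixMatchesRecorded) {
        "Recorded NetworkName '$recorded' differs from connection suffix"
    } else {
        'OK'
    }

    New-Object -TypeName PSObject -Property @{
        Adapter             = $a.Description
        ConnectionSuffix    = $suffix
        RecordedNetworkName = $recorded
        ExpectedProfile     = if ($suffixMatchesRecorded) { 'Domain' } else { 'Standard' }
        Note                = $note
    }
}

$report | Select-Object Adapter, ConnectionSuffix, RecordedNetworkName, ExpectedProfile, Note | Format-Table -AutoSize
```

Run it before and after changing the connection suffix (and after the adapter disable/re-enable Darren mentions) to confirm the two values line up; the Note column calls out the blank-suffix and wrong-suffix cases from his post so the mismatch is visible without reading ipconfig output and regedit side by side.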
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Pietrzak
Sent: Friday, November 17, 2006 10:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...


Darren,

Wow, this is really weird. Well, on my home domain, adding in my domain
to the DNS connection suffix did not make a difference. I took the
following steps...

1. I was able to replicate here at home. Create a new GPO at the domain
controller OU. In the standard profile, enabled the firewall, gpupdate,
reboot, the firewall was on. Then I turned it off.
2. Tried to do the same with the domain profile and as expected, no joy.
The firewall did not turn on when set to enabled in the domain profile.

3. In my TCP/IP settings, I added my domain suffix to both the "DNS
suffix for this connection:" and Append these DNS suffixes in order.
Tried again with the GPO enabling the firewall with the domain profile
and again, nothing.

Well, at least I am able to replicate it. As best as I can tell, adding
the DNS suffix on my DC made no change. Did it work for you in that
manner?

Thanks again,

Michael

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Fri 11/17/2006 4:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...
 
Michael-
Tell him to make sure he has a DNS connection suffix set on the DC's
TCP/IP properties. I'll bet it's blank now. That will probably get him
the domain profile.

The Hauppauge card is great! Thanks again. I'm using it with Vista MCE and
it rocks.
-----Original Message-----
From: "Michael Pietrzak" <mpietrzak@xxxxxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx
Sent: 11/17/2006 3:49 PM
Subject: [gptalk] Re: Domain controller firewall settings...

Hi Darren,
 
He indicates that he has a new GPO linked at the domain controllers OU.
He has not modified the default domain controller gpo. In his new GPO,
when he sets it for "domain profile", the settings do not take hold on
the DC.
But, when he sets the profile to Standard, they are applied.
 
Not sure if he can change them locally when he states the settings are
applied. I will ask now.
 
Thanks!
 
Michael
 
PS, how is your Hauppauge card working out?

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, November 17, 2006 3:40 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...


Michael-
Normally when you deliver WF settings via Group Policy, the ability to
manually change the firewall settings at the client machine is grayed
out (i.e. unavailable) regardless of which profile is in effect. It
sounds like you're saying that is only true if the DC is operating in
domain profile mode. But, when a standard profile is detected, he is
able to change them locally? Correct? 
 
Darren

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Pietrzak
Sent: Friday, November 17, 2006 2:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Domain controller firewall settings...


A co-worker of mine is trying to control his domain controllers' firewall
settings via group policies. He has enabled the server 2003 firewall and
is unable to modify the DC's firewall settings when the policy is set at
"domain profile". He is able to modify the firewall when it is set to
standard profile.
 
Has anyone seen anything like this before and/or can anyone confirm if
this is standard?
 
Thanks,
 
Michael Pietrzak
SDSU


[truncated by sender]
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at //www.freelists.org/archives/gptalk/
************************