Michael-

That could definitely be the issue. I haven't seen that KB before but I guess I understand why they do that. Sorta :)

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pietrzak
Sent: Monday, November 20, 2006 9:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...

Darren,

Another sys admin here just came across this tidbit in an MS KB article. Could it be the cause of the "problem"?

Note: After promotion to being a Domain Controller the computer will restart; after this first restart, the computer will use the Windows Firewall's Domain Profile. After the first replication completes successfully and the computer is restarted, the Domain Controller will use the Windows Firewall's Standard Profile. So, to avoid problems, make the Domain and Standard profiles for Domain Controllers identical.

http://support.microsoft.com/kb/555381

Michael

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Saturday, November 18, 2006 7:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...

The algorithm that is used to determine whether to apply the standard or domain profiles is pretty simple. Basically it's, "if the DNS suffix of the current active non-PPP, non-SLIP network connection to the DC is the same as the last time that GP was applied successfully, then a domain profile is assumed". That "last time" value is found in the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\Network Name.

Usually what happens is that the DNS suffix on the active connection is set to nothing or something whacky. If you do an ipconfig /all, you will see what the current active DNS suffix is on your DC. If you're getting DNS directly from your ISP, then it may be their DNS name, like *.comcast.net. However, if not, it should be your AD domain's DNS name, which is correct. The next step is to look in the registry in the location above and see what's shown there. It should be the domain's DNS name. If not, then that could be a problem as well. You can update this NetworkName value manually, then disable and re-enable the LAN adapter on that DC, and that should force domain profile if both DNS suffixes are identical.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pietrzak
Sent: Friday, November 17, 2006 10:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...

Darren,

Wow, this is really weird. Well, on my home domain, adding in my domain to the DNS connection suffix did not make a difference. I took the following steps...

1. I was able to replicate here at home. Create a new GPO at the domain controller OU. In the standard profile, enabled the firewall, gpupdate, reboot, the firewall was on. Then I turned it off.

2. Tried to do the same with the domain profile and as expected, no joy. The firewall did not turn on when set to enabled in the domain profile.

3. In my TCP/IP settings, I added my domain suffix to both the "DNS suffix for this connection:" and "Append these DNS suffixes in order". Tried again with the GPO enabling the firewall with the domain profile and again, nothing.

Well, at least I am able to replicate it. As best as I can tell, adding the DNS suffix on my DC made no change. Did it work for you in that manner?

Thanks again,
Michael

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Fri 11/17/2006 4:04 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...

Michael-

Tell him to make sure he has a DNS connection suffix set on the DC's TCP/IP properties. I'll bet it's blank now. That will probably get him the domain profile.

The Hauppauge card is great! Thanks again. I'm using it with Vista MCE and it rocks.

-----Original Message-----
From: "Michael Pietrzak" <mpietrzak@xxxxxxxxxxxxxxxx>
To: gptalk@xxxxxxxxxxxxx
Sent: 11/17/2006 3:49 PM
Subject: [gptalk] Re: Domain controller firewall settings...

Hi Darren,

He indicates that he has a new GPO linked at the domain controllers OU. He has not modified the default domain controller GPO. In his new GPO, when he sets it for "domain profile", the settings do not take hold on the DC. But, when he sets the profile to Standard, they are applied. Not sure if he can change them locally when he states the settings are applied. I will ask now.

Thanks!
Michael

PS, how is your Hauppauge card working out?

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, November 17, 2006 3:40 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall settings...

Michael-

Normally when you deliver WF settings via Group Policy, the ability to manually change the firewall settings at the client machine is grayed out (i.e. unavailable) regardless of which profile is in effect. It sounds like you're saying that is only true if the DC is operating in domain profile mode. But, when a standard profile is detected, he is able to change them locally? Correct?

Darren

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pietrzak
Sent: Friday, November 17, 2006 2:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Domain controller firewall settings...

A co-worker of mine is trying to control his domain controllers' firewall settings via group policies. He has enabled the Server 2003 firewall and is unable to modify the DC's firewall settings when the policy is set at "domain profile". He is able to modify the firewall when it is set to standard profile. Has anyone seen anything like this before and/or can anyone confirm if this is standard?

Thanks,
Michael Pietrzak
SDSU

[truncated by sender]

***********************
You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/
************************
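A read-only diagnostic for the comparison Darren describes in his November 18 message (connection DNS suffix versus the NetworkName value under the Group Policy History key), written as an added PowerShell example; it is not code from the thread, from Microsoft, or from the KB article. It assumes NetworkName is a value directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History, takes the connection-specific suffix that ipconfig /all shows from the WMI class Win32_NetworkAdapterConfiguration (property DNSDomain), and checks every IP-enabled adapter rather than applying the non-PPP/non-SLIP exclusion from the thread. The function name is hypothetical.

```powershell
# Added example, not from the gptalk thread. Read-only: it reports the three values a DC
# admin would compare by hand and changes nothing on the machine.
function Test-WfDomainProfileState {
    [CmdletBinding()]
    param()

    # 1. The AD domain's DNS name; on a DC both suffixes below should normally equal this.
    $adDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

    # 2. Connection-specific DNS suffix of each IP-enabled adapter (what "ipconfig /all"
    #    prints as "Connection-specific DNS Suffix"). Assumption: all IP-enabled adapters
    #    are checked; PPP/SLIP connections are not filtered out here.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    # 3. The "last successful GP apply" network name recorded in the registry.
    #    Assumption: the value is named NetworkName under the History key.
    $historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $networkName = (Get-ItemProperty -Path $historyKey -Name NetworkName -ErrorAction SilentlyContinue).NetworkName

    foreach ($a in $adapters) {
        $suffix = $a.DNSDomain

        # Domain profile is expected only when the suffix is non-empty and equals the
        # recorded NetworkName (case-insensitive, as DNS names are).
        $domainExpected = (-not [string]::IsNullOrEmpty($suffix)) -and ($suffix -ieq $networkName)
        $expectedProfile = 'Standard'
        if ($domainExpected) { $expectedProfile = 'Domain' }

        [pscustomobject]@{
            Adapter             = $a.Description
            ConnectionSuffix    = $suffix
            RegistryNetworkName = $networkName
            ADDomainDnsName     = $adDomain
            SuffixMatchesDomain = ($suffix -ieq $adDomain)
            ExpectedProfile     = $expectedProfile
        }
    }
}

# Run from an elevated PowerShell session on the DC.
Test-WfDomainProfileState | Format-List
```

If ExpectedProfile comes back as Standard on an adapter whose ConnectionSuffix is empty or does not equal the AD domain name, the fix is the one the thread gives: set the connection suffix in the adapter's TCP/IP properties, correct the NetworkName value if it is wrong, then disable and re-enable the adapter so the profile is re-evaluated.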