[gptalk] Re: Domain controller firewall setttings...

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 20 Nov 2006 09:31:02 -0800

Michael-

That could definitely be the issue. I haven't seen that KB before but I
guess I understand why they do that. Sorta J

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Pietrzak
Sent: Monday, November 20, 2006 9:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain controller firewall setttings...

 

Darren,

 

Another sys admin here just came across this tidbit in a MS kb article.

Could it be the cause of the "problem"?

 

Note: After promotion to being a Domain Controller the computer will

restart; after this first restart, the computer will use the Windows

Firewall's Domain Profile.  After the first replication completes

successfully and the computer is restarted, the Domain Controller will

use the Windows Firewall's Standard Profile.  So, to avoid problems,

make the Domain and Standard profiles for Domain Controllers identical. 

 

http://support.microsoft.com/kb/555381

 

Michael

 

-----Original Message-----

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]

On Behalf Of Darren Mar-Elia

Sent: Saturday, November 18, 2006 7:52 AM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: Domain controller firewall setttings...

 

The algorithm that is used to determine whether to apply the standard or

domain profiles is pretty simple. Basically its, "if the DNS suffix of

the current active non-PPP,non-SLIP network connection to the DC is the

same as the last time that GP was applied successfully, then a domain

profile is assumed". That "last time" value is found in the registry

under HKLM\Software\Microsoft\Windows\CurrentVersion\Group

Policy\History\Network Name. Usually what happens is that the DNS suffix

on the active connection is set to nothing or something whacky. If you

do an ipconfig /all, you will see what the current active DNS suffix is

on your DC. If you're getting DNS directly from your ISP, then it may be

their DNS name, like *.comcast.net.

However, if not, it should be your AD domain's DNS name, which is

correct.

The next step is to look in the registry in the location above and see

what's shown there. It should be the domain's DNS name. If not, then

that could be a problem as well. You can update this NetworkName value

manually, then disable and re-enable the LAN adapter on that DC, and

that should force domain profile if both DNS suffixes are identical.

 

Darren

 

-----Original Message-----

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]

On Behalf Of Michael Pietrzak

Sent: Friday, November 17, 2006 10:27 PM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: Domain controller firewall setttings...

 

 

Darren,

 

Wow, this is really wierd. Well, on my home domain, adding in my domain

to the DNS connection suffix did not make a difference. I took the

following steps...

 

1. I was able to replicate here at home. Create a new GPO at the domain

controller OU. In the standard profile, enabled the firewall, gpudpate,

reboot, the firewall was on. Then I turned it off.

2. Tried to do the same with the domain profile and as expected, no joy.

The firewall did not turn on when set to enabled in the domain profile.

 

3. In my TCP\IP settings, I added my domain suffix to both the "DNS

suffix for this connection:" and Append these DNS suffixes in order.

Tried again with the GPO enabling the firewall with the domain profile

and again, nothing.

 

Well, at least I am able to replicate it. As best as I can tell, adding

the DNS suffix on my DC made no change. Did it work for you in that

manner?

 

Thanks again,

 

Michael

 

-----Original Message-----

From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia

Sent: Fri 11/17/2006 4:04 PM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: Domain controller firewall setttings...

 

Michael-

Tell him to make sure he has a DNS connection suffix set on the DC's

TCP/IP properties. I'll bet its blank now. That will probably get him

the domain profile.

 

The Hauppage card is great! Thanks again. I'm using it wth Vista MCE and

it rocks.

-----Original Message-----

From: "Michael Pietrzak" <mpietrzak@xxxxxxxxxxxxxxxx>

To: gptalk@xxxxxxxxxxxxx

Sent: 11/17/2006 3:49 PM

Subject: [gptalk] Re: Domain controller firewall setttings...

 

HI Darren,

 

He indicates that he has a new GPO liked at the domain controllers OU.

He has not modified the default domain controller gpo. In his new GPO,

when he sets it for "domain profile", the settings do not take hold on

the DC.

But, when he sets the profile to Standard, they are applied.

 

Not sure if he can change them locally when he states the settings are

applied. I will ask now.

 

Thanks!

 

Michael

 

ps, how is your happaugue card working out?

 

________________________________

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]

On Behalf Of Darren Mar-Elia

Sent: Friday, November 17, 2006 3:40 PM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: Domain controller firewall setttings...

 

 

Michael-

Normally when you deliver WF settings via Group Policy, the ability to

manually change the firewall settings at the client machine is grayed

out (i.e. unavailable) regardless of which profile is in effect. It

sounds like you're saying that is only true if the DC is operating in

domain profile mode. But, when a standard profile is detected, he is

able to change them locally? Correct? 

 

Darren

 

________________________________

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]

On Behalf Of Michael Pietrzak

Sent: Friday, November 17, 2006 2:19 PM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Domain controller firewall setttings...

 

 

A co-worker of mine is trying to control his domain controllers firewall

settings via group policies. He has enabled the server 2003 firewall and

is unable to modify the DC's firewall settings when the policy is set at

"domain profile". He is able to modify the firewall when it is set to

standard profile.

 

Has anyone seen anything like this before and\or can anyone confirm if

this is standard?

 

Thanks,

 

Michael Pietrzak

SDSU

 

 

[truncated by sender]

***********************

You can unsubscribe from gptalk by sending email to

gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR

by logging into the freelists.org Web interface. Archives for the list

are available at http://www.freelists.org/archives/gptalk/

************************

 

 

***********************

You can unsubscribe from gptalk by sending email to

gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR

by logging into the freelists.org Web interface. Archives for the list

are available at http://www.freelists.org/archives/gptalk/

************************

***********************

You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/

************************

Other related posts: