Re: GPO controlled firewall incorrectly ON due to Standard instead of Domain Profile

From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 12/01/04


Date: Wed, 01 Dec 2004 10:44:10 GMT

Hi Erik,

Good information. However, there is obvious cause we can find to resolve
this issue. In addition, I would like to confirm whether you hibernate the
laptop and resume it, or turn the laptop off and on, when you connect to
the domain. I mean, if you use the laptop outside of the office, hibernate
it, connect to the office and resume the laptop, the GPO will not be
applied and the firewall will be turned on. Is this the case?

Since this issue occurs occasionally, please run RSoP (you are right that
it is equivalent to gpresult /v; however, it is a GUI tool) so we can see if
the firewall policy has been correctly applied.

In addition, please check XP's fully configured domain suffix. Firewall
Group Policy is segmented into two applications, the domain profile and the
standard profile. What determines the use of the domain profile is the
matching of the DNS primary domain suffix to the name of the AD domain for
the network connection that the Windows Firewall is assigned to. If there
is no DNS primary domain suffix (workgroup) or the DNS suffix does not
match the name of the client's current AD domain, then the standard profile
is used. This toggling effect could be what is causing your issue. If the
Windows XP Pro / Firewall client is inadvertently using a non-configured
Windows Firewall profile, then this could be how you are losing your intended
Firewall configuration.

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Erik" <umetricsdev@umetrics.com>
>References: <#WCJqni1EHA.2180@TK2MSFTNGP10.phx.gbl> <pRaY0iq1EHA.2732@cpmsftngxa10.phx.gbl>
>Subject: Re: GPO controlled firewall incorrectly ON due to Standard instead of Domain Profile
>Date: Tue, 30 Nov 2004 15:01:14 +0100
>Lines: 206
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>Message-ID: <uXzyPUu1EHA.1152@TK2MSFTNGP14.phx.gbl>
>Newsgroups: microsoft.public.windows.group_policy
>NNTP-Posting-Host: mail.umetrics.com 194.165.228.114
>Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.group_policy:10866
>X-Tomcat-NG: microsoft.public.windows.group_policy
>
>Thanks for your answer!
>
>here are some replies to your questions;
>
>1. The two DCs are in the same domain and the same AD site. But the DCs are
>at two different physical locations and subnets, connected through a
>VPN-tunnel. The latency through the tunnel is around 40ms which I think is
>pretty low, that's why they are in the same AD site.
>
>2. I'm not sure what you mean? There is no workgroup... the terms "Standard
>Profile" and "Domain Profile" I refer to are the two GPO settings available
>when configuring the Windows Firewall using a Group Policy: the Domain
>Profile is in use when the computer is in contact with the domain, and the
>Standard Profile otherwise. (Here's a quick link about this that also
>contains stuff on how Windows determines if the computer is connected to a
>domain or not - but unfortunately I don't see anything there that helps
>me...
>http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx
>
>3. The problem is that it isn't reproducible at all:
>
>Only SOMETIMES it happens that the firewall of a client is ON even though the
>computer is connected to the domain (and no particular errors in the event
>log). But most of the time everything works just as expected: the firewall
>is ON when laptops are out-of-office but OFF when they are at the office.
>
>I looked in the event log of a client that had the problem yesterday, and
>the logs look just normal: I still had the 1704 Event from SceCli indicating
>that the GPO has been applied....
>
>4. We don't have any logon/logoff or startup/shutdown script to disable, so
>this isn't the cause of the problem.
>
>About rsop:
>
>I did run "gpresults /z" (which is what you mean by "rsop"?) on my machine
>just to test and of course everything looks good here (since it works).
>
>But since I can't reproduce the problem "on demand", I can't really run it
>on a machine that has the problem right now... I will do this as soon as it
>happens again though.
>
>But I'm still hoping that some of the above information can help you
>understand what could be the cause of our intermittent problems?
>
>/ Erik
>
>
>"Rebecca Chen [MSFT]" <v-rebc@online.microsoft.com> wrote in message
>news:pRaY0iq1EHA.2732@cpmsftngxa10.phx.gbl...
>> Hi Erik,
>>
>> I am a little unclear about the paragraph and have a couple of questions
>> below:
>> "
>> We do have two DCs in our small domain (50 computers, Windows Server 2003
>> on the DCs), one of which is at another location, but the connectivity is
>> good (around 40ms ping)".
>>
>> 1. What is the relationship of the two DCs: are they in the same domain but
>> two sites, or are they in different domains?
>> 2. Where is the workgroup to implement the standard profile?
>> 3. Could you provide the detailed steps to reproduce this issue? For
>> example, if you connect the laptop to the domain, do you hibernate the
>> laptop and resume it, or turn off/turn on the machine when you connect to
>> the domain or workgroup?
>> 4. Have you applied a logon/logoff or startup/shutdown script in the
>> domain? Please temporarily remove the script and test this issue.
>>
>> According to your description, since "gpupdate /force" can refresh the GPO,
>> I believe the GPO has not been correctly applied to the problematic machine.
>>
>> I suggest you take your laptop as the test machine and use the following
>> steps to isolate this issue:
>> 1. Refer to the following KB to perform a Clean Boot and stay in clean
>> boot.
>> Q310353 How to Perform a Clean Boot in Windows XP
>> http://support.microsoft.com/support/kb/articles/q310/3/53.asp
>>
>>
>> 2. Turn off the machine and connect to the domain. What is the result?
>>
>> 3. Issue "rsop" in CMD; can you see that the GPO has been applied to the
>> machine? Save the rsop result and call it "domain".
>>
>> 4. Turn off the machine and connect to the workgroup; what is the result?
>> Issue "rsop" in CMD; has the GPO been successfully applied? Save the
>> rsop result and call it "workgroup".
>>
>> If the issue persists, please send me (v-rebc@microsoft.com) the two rsop
>> results for research. In addition, please download the MPS report tool from
>> the following link and send the result (CAB) file to me. This log file can
>> help me clarify the computer configuration.
>>
>> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SETUPPerf.EXE>
>>
>> 1. Double click this file to run it.
>> 2. After that, please go to C:\windows\MPSReports\Setup\Reports\Cab.
>> 3. Find a file named [COMPUTERNAME]_MPSReports.CAB
>> 4. Send this cab file to me at v-rebc@microsoft.com
>>
>>
>>
>> Any update, let us get in touch!
>>
>> Best regards,
>>
>> Rebecca Chen
>>
>> --------------------
>>>From: "Erik" <umetricsdev@umetrics.com>
>>>Subject: GPO controlled firewall incorrectly ON due to Standard instead of Domain Profile
>>>Date: Mon, 29 Nov 2004 16:41:35 +0100
>>>Lines: 49
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>>>X-RFC2646: Format=Flowed; Original
>>>Message-ID: <#WCJqni1EHA.2180@TK2MSFTNGP10.phx.gbl>
>>>Newsgroups: microsoft.public.windows.group_policy
>>>NNTP-Posting-Host: mail.umetrics.com 194.165.228.114
>>>Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
>>>Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.group_policy:10832
>>>X-Tomcat-NG: microsoft.public.windows.group_policy
>>>
>>>I have set up a GPO to configure the XP SP2 Windows Firewall to work
>>>differently while connected to the domain (Domain profile) and when not
>>>(Standard profile). This basically works as intended but unfortunately not
>>>always:
>>>
>>>Sometimes the firewall on a client is incorrectly ON and the profile used is
>>>"Standard" (from netsh firewall show state) when it in fact should be OFF
>>>and the profile "Domain" since the computers are connected to the domain. A
>>>reboot or "gpupdate /force" on a command prompt fixes the problem but is
>>>more of a workaround than a solution.
>>>
>>>The problem occurs only sometimes, not always. I have found nothing wrong on
>>>the clients that have the problem (same IP settings, and network connection
>>>domain name for example). Nothing in the event log. Happens to both laptops
>>>and desktops (that are always at the office).
>>>
>>>We do have two DCs in our small domain (50 computers, Windows Server 2003 on
>>>the DCs), one of which is at another location, but the connectivity is good
>>>(around 40ms ping). But still; could it be temporary connectivity problems
>>>to the other DC that are causing the GPO problems? How can I try this
>>>theory?
>>>
>>>Any other ideas how I narrow the problem down further?
>>>
>>>I have googled but all I've found is a similar post "Windows Firewall by
>>>Group Policy fails to detect domain network" from 2004-10-29 by Andy Vaya
>>>(herbwarrior@mmecpa.com) in microsoft.public.backoffice.smallbiz2000, but
>>>there were no replies there. (and I thought that posting here might be
>>>better.).
>>>
>>>/ Erik
>>
>
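As an added illustration of the profile-selection rule Rebecca describes above (the DNS primary suffix must match the AD domain name, otherwise the Standard profile is used), here is a PowerShell check that is not part of the thread and not Microsoft's code. It reads the computer's primary DNS suffix and each IP-enabled connection's DNS suffix, derives which profile the firewall should select, and compares that with the profile reported by `netsh firewall show state`; on a mismatch it saves `gpresult /v` output while the machine is still in the bad state, which is the data the thread asks for. Assumptions: it runs on an XP SP2 / Server 2003 era host that has PowerShell installed, where `netsh firewall` still exists; the WMI classes and the `Tcpip\Parameters\Domain` registry value are the standard Windows ones; the report path under `%TEMP%` is my choice.

```powershell
# Added example, not from the thread. Compares the DNS suffixes the firewall
# looks at with the AD domain name and reports whether the profile the
# firewall actually selected matches the one the post says it should select.
# Assumes XP SP2 / Server 2003 with PowerShell, where "netsh firewall" exists.

function Get-ExpectedFirewallProfile {
    param([string]$AdDomain, [string]$PrimaryDnsSuffix)
    # Per the post: no primary DNS suffix (workgroup), or a suffix that does
    # not match the AD domain name, means the Standard profile is used.
    if ([string]::IsNullOrEmpty($PrimaryDnsSuffix)) { return 'Standard' }
    if ($PrimaryDnsSuffix -ieq $AdDomain) { return 'Domain' }
    return 'Standard'
}

function Get-ActualFirewallProfile {
    # "netsh firewall show state" prints a "Profile = Domain|Standard" line.
    $output = & netsh firewall show state 2>$null
    foreach ($line in @($output)) {
        if ($line -match '^\s*Profile\s*=\s*(\w+)') { return $Matches[1] }
    }
    return 'Unknown'
}

$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning 'This computer is in a workgroup; the Standard profile always applies.'
    return
}

# Primary DNS suffix of the computer (System Properties > Computer Name > More).
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$primarySuffix = $tcpip.Domain

# Connection-specific DNS suffix of every IP-enabled adapter, for diagnosis.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $state = if ($a.DNSDomain -ieq $cs.Domain) { 'matches AD domain' } else { 'does NOT match AD domain' }
    "{0,-40} suffix='{1}' ({2})" -f $a.Description, $a.DNSDomain, $state
}

$expected = Get-ExpectedFirewallProfile -AdDomain $cs.Domain -PrimaryDnsSuffix $primarySuffix
$actual   = Get-ActualFirewallProfile

"AD domain          : $($cs.Domain)"
"Primary DNS suffix : $primarySuffix"
"Expected profile   : $expected"
"Actual profile     : $actual"

if ($expected -ne $actual) {
    # This is the symptom from the thread. Capture the policy state while the
    # machine is still in the bad state, before gpupdate or a reboot hides it.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $report = Join-Path $env:TEMP "gpresult-$stamp.txt"
    & gpresult /v | Out-File -FilePath $report
    Write-Warning "Profile mismatch: expected $expected, firewall reports $actual. gpresult /v saved to $report"
}
```

Run it from an administrative prompt on a client while it shows the symptom, so the saved `gpresult /v` reflects the faulty state rather than the state after the `gpupdate /force` workaround. On Windows Vista and later the `netsh firewall` context is gone and `netsh advfirewall show currentprofile` reports the active profile instead, so `Get-ActualFirewallProfile` would need its command and regular expression adjusted there.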


