Re: Slow client logon
- From: "Sean M. Loftus" <sean(remove me)@loftus.org>
- Date: Sun, 3 Apr 2005 21:19:24 -0400
DNS, Replication etc. is all configured properly and working as it should.
This paragraph pulled from Q179442 sounds exactly like the problem we are
experiencing AND they block ICMP on the entire network. I failed to mention
in the earlier posting that we get group policy processing aborted errors as
well, so this sounds like it could be at least part of our issue along with
Q154596 for allocating random ports.
---------------------------
"For Active Directory to function correctly through a firewall, the Internet
Control Message Protocol (ICMP) protocol must be allowed through the
firewall from the clients to the domain controllers so that the clients can
receive Group Policy information. ICMP is used to determine whether the link
is a slow link or a fast link. ICMP is a legitimate protocol that Active
Directory uses for Group Policy detection and for Maximum Transfer Unit
(MTU) detection.
If you want to minimize ICMP traffic, you can use the following sample
firewall rule:
<any> ICMP -> DC IP addr = allow"
---------------------------
Sean
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23xL3qeJOFHA.3716@xxxxxxxxxxxxxxxxxxxxxxx
> Probably a problem with RPC endpoint mapper. See the link below on how to
> configure for dynamic RPC and check your firewall logs for dropped
> traffic. You will probably see dropped packets in the 1025 - 1030
> range. --- Steve
>
> http://support.microsoft.com/kb/154596/ --- RPC and firewalls
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B179442
>
> "Sean M. Loftus" <sean(remove me)@loftus.org> wrote in message
> news:e7Ds3WHOFHA.1732@xxxxxxxxxxxxxxxxxxxxxxx
>> We have an upgraded Windows NT 4 domain to 2003 with a firewall between
>> the clients and the DC. We have opened ports 53, 389, 3268, 88, 445, 135,
>> 137, 138, 139. We have a mix of desktop clients from 98 to XP. Clients
>> appear to authenticate properly at the logon box but hang at the loading
>> profile box just before the desktop shows up. There are no roaming or
>> mandatory profiles in use and this happens regardless of whether the
>> user has an existing profile on the machine or it's a new user logging
>> onto it for the first time. All network links and speeds are more than
>> adequate for the logon process. We have eliminated the possibility that
>> personal firewalls etc are an issue.
>>
>> I have a feeling we are missing some high order port numbers or something
>> like that in the firewall rule set for client specific logon, but I don't
>> recall ever having to do that before for client logon.
>>
>> Any help will be greatly appreciated, I have to get this corrected Monday
>> morning ASAP...
>>
>> --
>> Sean M. Loftus
>> Enterprise Architect
>> Loftus Consulting, Inc.
>> www.LoftusConsulting.com
>>
>> sean(removeme)@loftus.org
>>
>
>
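Added example, not part of the original thread: a small Python triage of firewall drop records between clients and the DC, separating the two causes discussed above (blocked ICMP per Q179442 and dynamic RPC ports per Q154596). The log layout, the IP addresses and the rule that any unopened TCP port at or above 1025 counts as dynamic RPC are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports the original post lists as already opened between clients and the DC.
OPENED_PORTS = {53, 88, 135, 137, 138, 139, 389, 445, 3268}

# Constructed sample log; the "ACTION PROTO src[:port] -> dst[:port]" layout is hypothetical.
SAMPLE_LOG = """\
DROP ICMP 10.1.20.15 -> 10.1.1.5
DROP TCP 10.1.20.15:3412 -> 10.1.1.5:1026
ALLOW TCP 10.1.20.15:3413 -> 10.1.1.5:445
DROP TCP 10.1.20.31:2210 -> 10.1.1.5:1029
DROP UDP 10.1.20.31:1044 -> 10.1.1.9:123
DROP ICMP 10.1.20.31 -> 10.1.1.5
DROP TCP 10.1.20.40:4000 -> 10.1.1.5:389
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def classify_drops(log_text, dc_ip):
    """Group dropped client-to-DC packets by likely cause.

    Returns {cause: (packet_count, sorted_client_ips)}.
    """
    counts, clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DROP" or m["dst"] != dc_ip:
            continue  # unparsable, permitted, or not addressed to the DC
        dport = int(m["dport"]) if m["dport"] else None
        if m["proto"] == "ICMP":
            cause = "icmp"         # slow-link / MTU detection traffic (Q179442)
        elif dport in OPENED_PORTS:
            cause = "opened_port"  # a rule should exist, yet traffic is dropped
        elif m["proto"] == "TCP" and dport is not None and dport >= 1025:
            cause = "rpc_dynamic"  # assumption: unopened high TCP port = dynamic RPC (Q154596)
        else:
            cause = "other"
        counts[cause] += 1
        clients[cause].add(m["src"])
    return {c: (n, sorted(clients[c])) for c, n in counts.items()}

if __name__ == "__main__":
    for cause, (n, srcs) in classify_drops(SAMPLE_LOG, "10.1.1.5").items():
        print(f"{cause}: {n} dropped from {', '.join(srcs)}")
```

A non-empty `opened_port` bucket points at a rule that is not matching as intended rather than at a missing port.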