
2000 DC can't access XP SP2 clients well sort of.......


kevins74

Technical User
Jul 26, 2002
14
US
Okay, not exactly sure where this question should be posted, so if you think it might get a better response somewhere else, please let me know.

I have a branch office in Florida with a windows 2000 DC running DNS/WINS/DHCP. The office is connected to my other offices via an IPSEC tunnel created using watchguard firewalls. Everything works great between all the DC's on the network including the Florida DC.

Here is the problem: none of the client XP SP2 systems can access any other XP SP2 system. They can all access the DC/File Server shares since it is 2000, and the 2000 Professional clients are fine. I am pretty sure it has to do with the Windows Firewall on the XP systems, but I cannot turn that off (greyed out). If I go to Network Places and search for one of the systems at the office, I get a "network path not found" or a permission issue error box. I can search for an XP system at another office and I can see and access it fine. Yes, I can access other XP systems fine at other offices. I can also Remote Desktop to a server back in Virginia and then come back to the Florida office network and access the XP systems fine.

So, the problem is just at the office. All the other sysadmins at remote offices connected via IPsec tunnels can access the XP systems at Florida just fine. All the regular users at the Florida office and I can't access any XP systems at the Florida office. The one XP SP2 system that I can access at the Florida office while I am at the Florida office doesn't have Windows Firewall running. Any ideas????

Thanks,

KevinS
 
Check with the people who set GPO's that the firewall has file and print sharing enabled within the XP firewall.
Also, get them to check what the scope is--ask them to turn the XP firewall off on a test machine and see what happens. Can you ping the other machines?
 
Elmurado,

Right now we are not specifically controlling xp firewall with group policy. It says it is being controlled, so I imagine it is an automatic thing once xp sp2 is installed. But yes, print sharing is enabled as an exception on the firewall.

On a system that doesn't have XP SP2 loaded, I can access the system fine. Also, another system on which you can shut off the firewall works fine.

I can ping every system, by name and by IP.

If I log into the DC at that location, I cannot access any of the xp sp2 systems. This is only at that location since I can access those same problem xp sp2 systems from my other office connected via ipsec tunnels.
 
So if it's not turned on by GP then you'll need to be local admin to change the settings? When you say access the machines, are we talking RDP or something similar?
You can configure the firewall on a domain-wide basis using GPO, so find out what settings you need (port/program exceptions etc.) and then roll out a GPO for it. If the firewall is on and remote is not allowed then you can't access it.
 
That is just one of the problems. It isn't turned on by GP and I can't turn it off. I am an admin and still can't turn it off. I can't even log in with a local admin account to the local system to turn it off.

By accessing the machines, I mean by going into network places (seeing all systems on domain). Even if nothing is shared on the systems except the generic printers/faxes type stuff, I can't even see that. I get error messages about the path can't be found or permission errors.

The rest of the domain is perfectly fine with the same GP settings (firewall on). For some reason this one office is not working.

Thanks,

KevinS
 
What happens if you disable it through the local policy?

What happened most likely is either it's set there... or someone used adminpak from an XP client and set that value in there... that will copy the ADM to the DC and be effective for all XP clients.

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Type gpedit.msc in Run when logged in as LOCALADMIN on the machine, then disable the firewall: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. For "Protect all network connections", set this to Disabled for both the Standard and Domain profiles and see what happens.

Otherwise try netsh firewall reset in a command prompt.
Beware, this sets everything to default.
 
Thanks to everyone that tried to help. Unfortunately I work with monkeys, and with us being spread out, what page we are all on sometimes doesn't get passed to everyone. I was told by the head guy that we are not controlling Windows Firewall with group policy. Hey, when you are told by the person that should know for sure, you normally don't question it. (Lesson 1.)

We are controlling Windows Firewall with group policy, and the person that set it up had not added the subnet 192.168.4.0/24 to the list, so when they logged in to the DC that was pushing out the domain policy, their systems wouldn't allow 4.0/24 systems to access any other systems with Windows Firewall enabled and controlled.

So, the problem has been solved. (Lesson 2.) Double-check yourself on the obvious thing even if the big monkey tells you different.
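The root cause above is a scope problem: the GPO's File and Printer Sharing exception listed the other offices' subnets but not the branch's own 192.168.4.0/24, so traffic from remote subnets was accepted while traffic from a neighbouring XP box on the same LAN was dropped. The following is an added example, not code from the thread, that evaluates a Windows-Firewall-style scope string (comma-separated "LocalSubnet", single IPs, "a.b.c.d/prefix" or "a.b.c.d/mask" entries) against a source address; the subnet values are constructed to mirror the symptom and its fix.

```python
import ipaddress

# Constructed scope as the GPO might have had it before the fix:
# remote office subnets are listed, the branch's own 192.168.4.0/24 is not.
SCOPE_BEFORE = "192.168.1.0/24,192.168.2.0/24,192.168.3.0/255.255.255.0"
# Corrected scope with the branch subnet added (the thread's fix).
SCOPE_AFTER = SCOPE_BEFORE + ",192.168.4.0/24"


def parse_scope(scope, local_ip, local_mask):
    """Expand a scope string into ip_network objects.

    'LocalSubnet' is resolved from the evaluating machine's own address
    and netmask; all other entries are parsed as given (prefix or mask).
    """
    nets = []
    for entry in scope.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.lower() == "localsubnet":
            nets.append(ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False))
        else:
            # ip_network accepts both "/24" and "/255.255.255.0" forms;
            # a bare address becomes a /32 host entry.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def scope_allows(scope, source_ip, local_ip="192.168.4.50", local_mask="255.255.255.0"):
    """True if source_ip falls inside any entry of the exception scope.

    Defaults model an XP client at the Florida branch (constructed address).
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in parse_scope(scope, local_ip, local_mask))


def diagnose(scope, sources, **kw):
    """Map each candidate source address to whether the scope admits it."""
    return {ip: scope_allows(scope, ip, **kw) for ip in sources}


if __name__ == "__main__":
    peers = ["192.168.2.5", "192.168.4.10"]  # remote-office host, same-LAN host
    print("before:", diagnose(SCOPE_BEFORE, peers))
    print("after: ", diagnose(SCOPE_AFTER, peers))
```

Running it reproduces the thread's observation: the remote-office host is admitted under both scopes, while the same-LAN host is rejected until 192.168.4.0/24 (or LocalSubnet) is added.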
 
I saw you got this solved... glad to hear it... here is a complete port listing of required ports to check against... I use this as my template for any case regarding ports, and it has been verified correct many 100s of times over.

Required ports:
1024-5000 TCP/UDP – RPC (dynamic response ports) / required for RPC to respond to communications
135 TCP – RPC (endpoint mapper) / required to open the endpoint mapper to the destination for RPC communications
389 TCP/UDP – LDAP / required to bind to a DC
3268 TCP – LDAP GC / required to bind to the GC function of a domain controller (extremely important for Exchange)
53 TCP/UDP – DNS / required for name resolution and Active Directory functionality as a whole
88 TCP/UDP – Kerberos / self explanatory
445 TCP – SMB / self explanatory
123 UDP – SNTP / required for time synchronization with a time source
ICMP / required for group policy detection, application, and MTU size detection, as well as other low level activities


Optional ports:
636 TCP – LDAP SSL / required to bind to a DC using LDAP over SSL
3269 TCP – LDAP GC SSL / required to bind to a GC using LDAP over SSL
137 UDP – NetBIOS name / self explanatory
138 UDP – NetBIOS Netlogon and Browsing / self explanatory
139 TCP – NetBIOS session / self explanatory
42 TCP – WINS replication / self explanatory
1723 TCP – PPTP / required if using PPTP VPN tunnel
IP PROTOCOL 47 (GRE) – VPN related/required for PPTP VPN tunnel as well

For more information, please see:

For Exchange considerations:

For SQL considerations:

For SMS considerations:

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 