Besides .. if this is an interior firewall and you just opened up 1024-65535.. and chances are 0-1024 is already open... what are they good for now? What's their job now? Why does he even need them now in these deployments if the ports are open? Graphical views of malware as it streams across your network?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Egress filtering so that there's fewer ports for me to keep an eye on... those high level ports can be used for backdoors, trojans and what not... I live in California.. I have SSNs in an encrypted database... I have sucky vendors that won't support encryption... so I'm putting all the layers I can.

I don't trust my secretary that 'has' downloaded malware on her machine (she's nonadmin these days along with many others in my firm).

I have a tiny network in comparison to you guys (Joe would get claustrophobic just opening up the group policy snap-in and seeing hardly anything in there) but each workstation has XP sp2 with the firewalls enabled.. and believe you me... if some high level port is needed, I need, I want to know what the 'normal' baseline traffic is on my network.. should something change... that's a sign of a new piece of software.. or worse yet... malware, trojans, yadda yadda... and I'm having a heart attack and licking stamps on post cards informing clients of an intrusion.

These days your interior "trusted network" can't be trusted anymore. The bad guys want my desktops.. and most of my risks in my sized network are coming in from those users.. not my server.


Al Mulnick wrote:

Hmm.. I'm surprised by that Susan. :)

Anyhow, why would you lock it down? I'm curious as to what the motivation is in this particular instance to use the firewall like that? What's the gain? What risk are you mitigating? What are you controlling? As I understand this, it is not an internet-facing machine such that a firewall is there to slow the rush. This is firewalled off from other networks within the "trusted" networks (or not so trusted I suppose, since you did deploy a firewall.) I'm not sure I understand what's to be gained by doing this, so I'm curious. I'm familiar with what other companies have done this type of configuration for, but I'm interested in this particular instance.

On 6/7/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

    I think I'd be setting up a sniffer and figuring out exactly what
    is wanting what open and why.

    ...that's an awful lot of ports....and exactly where is this firewall?

    I'm with Brian.. except I would probably not use the f word.. but
    I think I'd be going "okay this is fine to keep the bosses from
    freaking out but we're getting to the bottom of this so I can
    close those suckers back up or at least only open the minimums".



    Brian Desmond wrote:

    And fwiw you have some forgiving firewall people. I would have
    told you to f off and lock it down.

    Thanks,

    Brian Desmond
    [EMAIL PROTECTED]
    c - 312.731.3132

    From: [EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
    Sent: Friday, June 02, 2006 4:30 PM
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

    Well everyone, it's fixed. It's something that even MS is a bit
    surprised at, although they say they have seen it before.
    Essentially, the last year since this forest has been deployed,
    high ports (1024-65535) have been blocked at the firewall but for
    whatever reason, everything seemed to work fine. Installing SP1
    apparently changed something, or fixed something that finally
    made it a requirement to have those high ports open.

    They opened 1024-65535 on our Checkpoint firewall and the login
    times instantly went from 4-8 minutes back down to the usual few
    seconds. It sucks to have to learn about things like this by
    killing a production environment for 4 hours and burning some
    Premier Support hours, but at least we know what to look for
    when we upgrade some of our other domains to SP1!

    Thanks to everyone for all the suggestions and help, it's always
    appreciated!

    Also, to everyone else that was experiencing this issue, I'd be
    interested to know if a firewall or router ACL blocking high
    ports is the cause of the problem for you!

------------------------------------------------------------------------

    From: [EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
    Sent: Friday, June 02, 2006 2:31 PM
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

    Nope, I can get to them from the client PCs just fine… I was able
    to drill down into all of the policies that I tried.

------------------------------------------------------------------------

    From: [EMAIL PROTECTED] On Behalf Of Al Mulnick
    Sent: Friday, June 02, 2006 1:34 PM
    To: ActiveDir@mail.activedir.org
    Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

    Any problems accessing \\domain\sysvol\domain\Policies ?

    On 6/2/06, Clay, Justin (ITS) <[EMAIL PROTECTED]> wrote:

    Hopefully the attachment comes through. The interesting part, and
    where most of the time delay is seen is here:

    USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
    USERENV(42c.2f0) 12:37:50:606 MyGetUserName:  GetUserNameEx failed with 1753.
    USERENV(42c.2f0) 12:37:50:606 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
    USERENV(42c.2f0) 12:38:54:371 MyGetUserName:  GetUserNameEx failed with 1753.
    USERENV(42c.2f0) 12:38:54:371 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
    USERENV(42c.2f0) 12:39:58:027 MyGetUserName:  GetUserNameEx failed with 1753.
    USERENV(42c.2f0) 12:39:58:027 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
    USERENV(42c.2f0) 12:41:01:573 MyGetUserName:  GetUserNameEx failed with 1753.
    USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
    USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
    USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

------------------------------------------------------------------------

    From: [EMAIL PROTECTED] On Behalf Of Al Mulnick
    Sent: Friday, June 02, 2006 12:19 PM
    To: ActiveDir@mail.activedir.org
    Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

    I think a different thread mentioned that DNS was about 90% of
    the cause of this type of behavior.  It's not the only one however.

    What keeps rebooting? The DC? Or the workstations? If the
    workstations, not only ethereal but Darren's suggestion of
    logging is a good idea.

    On 6/2/06, Za Vue <[EMAIL PROTECTED]> wrote:

    Finally..someone is also experiencing this problem. My DCs are
    Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My
    first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup
    all show no error. Nothing is reported in logs. It is not the
    firewall. I have played with NetBIOS, changing Provider Order in
    Network Neighborhood->Advanced Settings..nada.

    This week has been quiet. If someone calls again I have ethereal
    set up and ready to capture. The thing about my environment is I
    do not manage the switches or router. I don't know if someone is
    messing with something.
    -Z.V.



    Clay, Justin (ITS) wrote:

    Hello,

    Last night we upgraded our 3 Win2K3 domain controllers to SP1.
    This morning, we're getting tons and tons of calls from users who
    report that their computer sits at "Applying computer settings"
    for a good 10 minutes, then another 10 or so minutes at "Applying
    your personalized settings".

    After the upgrade we did start seeing DCOM errors in the System
    event log, which I've found many people online have experienced.
    I "fixed it" (or at least the DCOM errors went away) by granting
    Network Service the following rights:

    Local Launch
    Remote Launch
    Local Activation
    Remote Activation

    in the Launch and Activation Permissions dialog on the Security
    tab of the netman component. However, even after the DCOM errors
    have gone away, we continue to see the same results on the clients.

    Any ideas? I'm considering calling Premier Support, but I figured
    you guys would be better help than them.

    Thanks,

    Justin Clay
    ITS Enterprise Services
    Metropolitan Government of Nashville and Davidson County
    Howard School Building
    Phone: (615) 880-2573


    ITS ENTERPRISE SERVICES EMAIL NOTICE

    The information contained in this email and any attachments is
    confidential and may be subject to copyright or other
    intellectual property protection. If you are not the intended
    recipient, you are not authorized to use or disclose this
    information, and we request that you notify us by reply mail or
    telephone and delete the original message from your mail system.


--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
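As an added example that is not part of the thread: a small Python parser for the userenv.log excerpt Justin posted, which pulls out the error-1753 events, measures how long each "1/2 second" retry actually took, and flags the pattern (RPC calls timing out rather than being refused) that matches dropped dynamic high ports. The sample input is the log quoted above; the 30-second threshold in the verdict is a constructed heuristic, not anything from the thread.

```python
import re
from datetime import timedelta

# Constructed sample input: the USERENV debug lines quoted in the thread (userenv.log format).
SAMPLE_LOG = """USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName:  GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName:  GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName:  GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName:  Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName:  GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753."""
# Win32 error 1753 is EPT_S_NOT_REGISTERED ("There are no more endpoints available from
# the endpoint mapper"): TCP/135 answered, but the dynamic high port it handed back did not.
EPT_S_NOT_REGISTERED = 1753
LINE_RE = re.compile(r"USERENV\([0-9a-f.]+\)\s+(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+(\w+):\s+(.*)")
FAIL_RE = re.compile(r"failed with (?:error )?(\d+)")

def parse_userenv(text):
    """Return (time_of_day, function, message) tuples for each well-formed USERENV line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, ms, func, msg = m.groups()
            ts = timedelta(hours=int(h), minutes=int(mi), seconds=int(s), milliseconds=int(ms))
            events.append((ts, func, msg.strip()))
    return events

def diagnose(text, code=EPT_S_NOT_REGISTERED):
    """Summarise one policy cycle: occurrences of `code`, spacing of the GetUserNameEx retries,
    and wall-clock time lost.  Heuristic verdict (constructed threshold): a "1/2 second" retry
    that actually takes about a minute each time means the RPC call is timing out, not refused."""
    events = parse_userenv(text)
    failures = [(ts, msg) for ts, _, msg in events
                if (m := FAIL_RE.search(msg)) and int(m.group(1)) == code]
    retries = [ts for ts, msg in failures if msg.startswith("GetUserNameEx failed")]
    gaps = [round((b - a).total_seconds(), 3) for a, b in zip(retries, retries[1:])]
    cycle = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {
        "error_count": len(failures),
        "getusernameex_failures": len(retries),
        "retry_gaps_s": gaps,
        "cycle_seconds": round(cycle, 3),
        "consistent_with_blocked_high_ports": len(retries) >= 2 and all(g > 30 for g in gaps),
    }
```

On the quoted excerpt this reports four GetUserNameEx failures roughly 63 seconds apart and a cycle of about 254 seconds, which lines up with the 4-8 minute logons Justin describes.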