I don't think it's SCW anymore. Admittedly I haven't used SCW but I am aware of it. If policies were applied, the change logs will be in %windir%\security\msscw\ChangeConfigurationLogs. If I understand correctly, port 445 must be open because your file shares and the like are accessible. According to GPO help docs that means ICMP is also allowed by the server.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions."

When you say you can't ping from the main office, are you talking of workstations/servers that belong to the same subnet of the DC they are pinging?

I assume you did a trace to see ICMP coming into the server and whether it's leaving the server.

I'm curious now as to what's happening.


On 7/29/06, HBooGz <[EMAIL PROTECTED]> wrote:
I applied no post SP1 fixes, but I would imagine it's worth a try.

Do you guys want to hear something even more mind-boggling?

I can ping the server from workstations outside the main office!!!

I've remotely connected to workstations at our IPSEC VPNs to test login times and email access, and pinged the problematic server just fine!!!



By incoming connections I mean services that somehow are not defined to the server. I run a repadmin /replsum from another DC and it shows no errors. I run a dcdiag /s:problemserver with no problem. So it means that directory service traffic is allowed, but when I try to Dameware (TCP port 6129) to the machine it times out, and when I try to ping the box I get nothing from the main office!

I checked the IPSEC Domain and Standard profile and made sure no IPSEC policies were applied.

If it's the SCW -- how do I look at it?

Could it some way be my Checkpoint firewall at the local site? How in the world can it accept ICMP from other workstations (Win2k Pro) at my remote VPN sites?

On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> wrote:

Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx .


Kurt Falde

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Saturday, July 29, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 In-Place Upgrade bug ?


Morning to all -

I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence:

The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly.

Outbound traffic and ICMP work fine; inbound ICMP returns a time out.


Windows 2000 SP4 DC in-place upgrade to Windows 2003 SP1, then upgrade to R2.
Connections to and from the box were fine on 2003 SP1.
Downgraded NIC drivers to match the other R2 DC on identical server hardware/model.
Installed new NIC drivers and PROSet.
Upgraded to R2.
Rebooted and noticed a ton of errors with services hanging upon boot.
Checked connection to the box from workstations and servers, but all requests timed out.
I made sure ICF was disabled.
I disabled IPSEC and entered a DWORD value for ProhibitIpSec - nothing.
I then enabled ICF and configured exceptions - explicitly allowing ICMP, and still nothing.
Reset the TCP/IP stack and Winsock using netsh, nothing.
Server has two NICs, one of which is disabled. Changed binding order so the active one is on top -- nothing.
Reinstalled the binaries of Windows 2003 SP1 and upgraded to R2 again -- nothing.

I'm at a loss for ideas and sure could use the vast resources the contributors of this group may have or know of.



