Thanks Laura:

I've never implemented IPsec policies on my network, neither in Windows 2000 nor here in Windows 2003.

So, you're saying to try to run the SCW to determine if a security policy is installed? If not, create one, then roll it back?

Where can I find the IPsec monitor?


UPDATE: I've enabled the Windows Firewall just to see what can be done with regard to ICMP.

I've used the netsh command to add a custom port that DameWare remote uses:

netsh firewall add portopening TCP 6129 dameware

Once I added that, I was able to DameWare into the box (which I wasn't able to do previously).

I then adjusted the ICMP setting to allow ALL ICMP:

netsh firewall set icmpsetting ALL enable

and allowed incoming:

netsh firewall set icmpsetting 8 enable

C:\>netsh firewall show icmpsetting

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big
Enable   3     Allow outbound destination unreachable
Enable   4     Allow outbound source quench
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Enable   11    Allow outbound time exceeded
Enable   12    Allow outbound parameter problem
Enable   13    Allow inbound timestamp request
Enable   17    Allow inbound mask request

ICMP configuration for Local Area Connection 7:
Mode     Type  Description
-------------------------------------------------------------------
Enable   3     Allow outbound destination unreachable
Enable   4     Allow outbound source quench
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Enable   11    Allow outbound time exceeded
Enable   12    Allow outbound parameter problem
Enable   13    Allow inbound timestamp request
Enable   17    Allow inbound mask request

Then I disabled the netsh opmode and enabled the exceptions on all the interfaces. I disabled the ICF service in the services console and restarted the machine. This is the output of the opmode syntax:

C:\>netsh firewall show opmode

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Local Area Connection 7 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable

Local Area Connection 8 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable

This is my config. Looks like I might want to disable the ICF using the domain profile in GPO, since it looks enabled?

C:\>netsh firewall show config

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
6129   TCP       Enable   dameware
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big
Enable   3     Allow outbound destination unreachable
Enable   4     Allow outbound source quench
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Enable   11    Allow outbound time exceeded
Enable   12    Allow outbound parameter problem
Enable   13    Allow inbound timestamp request
Enable   17    Allow inbound mask request

Log configuration:
-------------------------------------------------------------------
File location   = C:\WINNT\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Enable
Connections     = Disable

Local Area Connection 7 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable

Port configuration for Local Area Connection 7:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

ICMP configuration for Local Area Connection 7:
Mode     Type  Description
-------------------------------------------------------------------
Enable   3     Allow outbound destination unreachable
Enable   4     Allow outbound source quench
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Enable   11    Allow outbound time exceeded
Enable   12    Allow outbound parameter problem
Enable   13    Allow inbound timestamp request
Enable   17    Allow inbound mask request

Local Area Connection 8 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable


This is increasingly looking like a bug in the TCP/IP stack.

What do you think, Laura? ActiveDir group?





On 7/29/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Two quick questions-
1. Are you positive there are no IPsec policies applied to this machine?
2. Are you also positive that the machines from which you've been testing *also* have no IPsec policies in place?
 
I can't think of a reason why this problem would surface only after you'd upgraded to R2, but it might not hurt to take a look with the IP security monitor just in case.
 
As far as how to check whether or not it's a problem with the Security Configuration Wizard (which was introduced in Win2K3 SP1 and hasn't gone anywhere since it's quite new), you can read the log files as Matheesha mentioned, or you can run SCW against the server and it will allow you to rollback a previously applied policy (if applicable). If you try to rollback a policy and none was ever applied, it will tell you on about the third page of the wizard. You could then start over and select the option to create a new policy, which would show you the current configuration of the machine as part of the process of making the policy. If you're not sure where to find SCW, go to Add/Remove Programs, Add Windows Components to add or remove it, and when it's installed, it shows up in your Administrative Tools folder.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Saturday, July 29, 2006 10:54 AM
Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ?

I applied no post-SP1 fixes, but I would imagine it's worth a try.

Do you guys want to hear something even more mind-boggling?

I can ping the server from workstations outside the main office!!!

I've remotely connected to workstations at our IPsec VPNs to test login times and email access, and pinged the problematic server just fine!!!

arghhh

Matheesha:

By incoming connections I mean services that somehow are not defined to the server. I ran a repadmin /replsum from another DC and it shows no errors. I ran a dcdiag /s:problemserver with no problem. So it means that directory service traffic is allowed, but when I try to DameWare (TCP port 6129) to the machine it times out, and when I try to ping the box I get nothing from the main office!

I checked the IPsec Domain and Standard profile and made sure no IPsec policies were applied.

If it's the SCW, how do I look at it?

Could it somehow be my Check Point firewall at the local site? How in the world can it accept ICMP from other workstations (Win2K Pro) at my remote VPN sites?





On 7/29/06, Kurt Falde <[EMAIL PROTECTED]> wrote:

Did you apply the post-SP1 security hotfixes? I know from a couple of times in the field that there are a couple of updates for tcpip.sys which fix issues that will cause AD replication problems. Check out http://support.microsoft.com/kb/898060 or, for the latest tcpip.sys, http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx.

 

Kurt Falde


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Saturday, July 29, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 In-Place Upgrade bug ?

 

Morning to all -

I just spent the last 6 hours with the Dell Gold software support team trying to figure out the following occurrence:

The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections, particularly those related to directory services. E.g. telnet <server ip> 389 from the mail server works. \\serverip or \\servername brings up the shared printers and folders perfectly.

Outbound traffic and ICMP work fine; inbound ICMP returns a timeout.

Scenario:

Windows 2000 SP4 DC in-place upgraded to Windows 2003 SP1, then upgraded to R2.
Connections to and from the box were fine on 2003 SP1.
Downgraded NIC drivers to match the other R2 DC on identical server hardware/model.
Installed new NIC drivers and PROSet.
Upgraded to R2.
Rebooted and noticed a ton of errors with services hanging upon boot.
Checked connections to the box from workstations and servers, but all requests timed out.
I made sure ICF was disabled.
I disabled IPsec and entered the DWORD value for ProhibitIpSec - nothing.
I then enabled ICF and configured exceptions, explicitly allowing ICMP, and still nothing.
Reset the TCP/IP stack and Winsock using netsh - nothing.
Server has two NICs, one of which is disabled. Changed the binding order so the active one is on top - nothing.
Reinstalled the binaries of Windows 2003 SP1 and upgraded to R2 again - nothing.

I'm at a loss for ideas and sure could use the vast resources the contributors of this group may have or know of.

Thanks,





--
HBooGz:\>




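As an added example (not part of the thread, and not code posted by anyone in it), here is a small Python parser for the text that netsh firewall show config prints, which is the only per-profile view the Windows Server 2003 SP1 firewall gives from the command line. It reads each profile or interface scope into settings, port exceptions and ICMP exceptions, reports port exceptions that exist in one profile but not the other, and tells you whether a scope's Operational mode is actually Enable (with it at Disable, as in every scope in the output above, nothing is filtered and none of the exceptions is being applied in either direction). The sample input is a constructed excerpt modelled on the posted output, trimmed to the lines that matter, and the parser assumes the column layout exactly as posted.

```python
"""Parse 'netsh firewall show config' output and compare per-profile exceptions."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the output posted in the thread above,
# trimmed to the parts needed to show the per-profile asymmetry.
SAMPLE_OUTPUT = """\
Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
6129   TCP       Enable   dameware
139    TCP       Enable   NetBIOS Session Service

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   3     Allow outbound destination unreachable
Enable   8     Allow inbound echo request

Local Area Connection 7 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable

Port configuration for Local Area Connection 7:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop
"""

_PROFILE_HDR = re.compile(r"^(Domain|Standard) profile configuration:$")
_IFACE_HDR = re.compile(r"^(.+) firewall configuration:$")
_TABLE_HDR = re.compile(r"^(Port|ICMP|Service) configuration for (.+):$")
_SETTING = re.compile(r"^(\S.*?)\s*=\s*(.*)$")
_PORT_ROW = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+)$")
_ICMP_ROW = re.compile(r"^(Enable|Disable)\s+(\d+)\s+(.+)$")


def parse_netsh_firewall_config(text):
    """Return {scope: {"settings", "ports", "icmp"}}; scope is a profile or interface."""
    cfg = defaultdict(lambda: {"settings": {}, "ports": {}, "icmp": {}})
    scope, table = None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("---"):
            continue
        if m := _PROFILE_HDR.match(line):
            scope, table = f"{m.group(1)} profile", "settings"
        elif m := _IFACE_HDR.match(line):
            scope, table = m.group(1), "settings"
        elif m := _TABLE_HDR.match(line):
            scope, table = m.group(2), m.group(1).lower()
        elif line == "Log configuration:":
            scope, table = None, None          # log settings are not per scope
        elif scope is None:
            continue
        elif table == "settings" and (m := _SETTING.match(line)):
            cfg[scope]["settings"][m.group(1)] = m.group(2)
        elif table == "port" and (m := _PORT_ROW.match(line)):
            cfg[scope]["ports"][(int(m.group(1)), m.group(2))] = {
                "mode": m.group(3), "name": m.group(4).strip()}
        elif table == "icmp" and (m := _ICMP_ROW.match(line)):
            cfg[scope]["icmp"][int(m.group(2))] = {
                "mode": m.group(1), "desc": m.group(3).strip()}
        # column-header rows and service tables fall through and are ignored
    return dict(cfg)


def firewall_enforcing(cfg, scope):
    """With Operational mode = Disable nothing is filtered, so exceptions are moot."""
    return cfg.get(scope, {}).get("settings", {}).get("Operational mode") == "Enable"


def enabled_ports(cfg, scope):
    return {k for k, v in cfg.get(scope, {"ports": {}})["ports"].items()
            if v["mode"] == "Enable"}


def port_exception_diffs(cfg, a="Domain profile", b="Standard profile"):
    """Port exceptions present in one profile but missing from the other. Only one
    profile is active at a time, so a one-profile exception silently stops applying."""
    pa, pb = enabled_ports(cfg, a), enabled_ports(cfg, b)
    return {"only_in_a": sorted(pa - pb), "only_in_b": sorted(pb - pa)}


def inbound_icmp_allowed(cfg, scope):
    """ICMP types with an enabled exception whose description says inbound."""
    return sorted(t for t, v in cfg.get(scope, {"icmp": {}})["icmp"].items()
                  if v["mode"] == "Enable" and "inbound" in v["desc"])


if __name__ == "__main__":
    cfg = parse_netsh_firewall_config(SAMPLE_OUTPUT)
    print(port_exception_diffs(cfg), inbound_icmp_allowed(cfg, "Standard profile"))
```

On the sample it reports 6129/TCP as present only in the Standard profile. netsh firewall add portopening takes an optional profile= argument (CURRENT, DOMAIN, STANDARD or ALL; the default is CURRENT), so an exception that has to survive the switch between the Domain profile (selected when the machine can reach its domain) and the Standard profile should be added with profile=ALL, and the result checked with show config rather than assumed.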
