RE: [ActiveDir] R2 In-Place Upgrade bug ?

[Kurt Falde]

Is this on a separate network segment then your other boxes that you’re utilizing to ping it?  If not I would say make sure you put a laptop into a switch port that you are positive is in the same vlan as this server and start doing some testing there to ping the server.  Have you taken a network trace on the server side to see if you see any of these connections getting to the server however the response not getting back to the originator?   Kurt Falde From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Sunday, July 30, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ?   anywhere i can possibly look ? i'm running out of options and i have a long week ahead with microsoft PSS and Dell. On 7/29/06, HBooGz < [EMAIL PROTECTED]> wrote: back to square one i presume ?   On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED] > wrote: I think you are right.. I remember now they sucked in that fix to a later security bulletin. HBooGz wrote: > Thank you. > > So it looks like i should get the hotfix related to this article: > > http://support.microsoft.com/kb/898060 but it says in that article > that the download supplied is superceeded by the hotfix i applied > already : Security update 913446 (security bulletin MS06-007) > supersedes this update (898060). > > so which hotfixes do i really need ? > > what's the mystery is why can the clients and servers outside the > subnet connecting via VPN ping this server by name and IP succesfully. > > > > On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* > <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED] >> wrote: > >     The trick here is go to the bulletin and check the caveats section >     http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx > >     Which links to.... >     http://support.microsoft.com/kb/893066 > >     Which points to... > >     Network connectivity between clients and servers may not work >     after you >     install security update MS05-019. For more information, click the >     following article number to view the article in the Microsoft >     Knowledge >     Base: >     898060 </kb/898060/> ( http://support.microsoft.com/kb/898060/) >     Installing security update MS05-019 or Windows Server 2003 Service >     Pack >     1 may cause network connectivity between clients and servers to fail >     •       For more information, click the following article number >     to view the >     article in the Microsoft Knowledge Base: >     898542 </kb/898542/> ( http://support.microsoft.com/kb/898542/) Windows >     Server 2003 systems using IPsec tunnel-mode functionality may >     experience >     problems after you install the original version of 893066 > > > >     HBooGz wrote: >     > I applied the related to article ending with MS06-007.mspx >     > < >     http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> . >     > >     > do you happen to have the hotfix for the other article ? >     > >     > >     > >     > On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED] >     <mailto: [EMAIL PROTECTED]> >     > <mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>> wrote: >     > >     >     I would definitely get the tcpip.sys hotfixes applied as this >     >     sounds very symptomatic of ms05-019 issues. >     > >     >     Kurt Falde >     >     Sent from my Windows Mobile Phone >     > >     > >     >     -----Original Message----- >     >     From: "HBooGz"< [EMAIL PROTECTED] <mailto: [EMAIL PROTECTED]> >     <mailto:[EMAIL PROTECTED] <mailto: [EMAIL PROTECTED]>>> >     >     Sent: 7/29/06 10:58:58 AM >     >     To: " ActiveDir@mail.activedir.org >     <mailto: ActiveDir@mail.activedir.org> >     >     <mailto:ActiveDir@mail.activedir.org >     <mailto:ActiveDir@mail.activedir.org >>"<ActiveDir@mail.activedir.org >     <mailto: ActiveDir@mail.activedir.org> >     >     <mailto: ActiveDir@mail.activedir.org >     <mailto: ActiveDir@mail.activedir.org>>> >     >     Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? >     > >     >     I applied no post sp-1 fixes, but i would imagine it's worth >     a try. >     > >     >     do you guys want to hear something even more mind-boggling ? >     > >     >     i can ping the server from workstations outside the main >     office!!! >     > >     >     i've remotely connected to workstations at our IPSEC vpns to >     test >     >     login >     >     times and email access,a nd pinged the problematic server >     just fine!!! >     > >     >     arghhh >     > >     >     Matheesha: >     > >     >     Incoming connections i mean services that somehow are not >     defined >     >     to the >     >     server. I run a repadmin /replsum from another dc and it >     shows no >     >     errors. i >     >     run a dcdiag /s:problemserver with no problem. so it means that >     >     directory >     >     service traffic is allowed, but when i try to Dameware ( tcp >     port >     >     6129) to >     >     the machine it times out, when i try to the ping the box i get >     >     nothing from >     >     the main office! >     > >     >     i checked the IPSEC domain and Standard profile and made >     sure no IPSEC >     >     polocies were applied. >     > >     >     if it's the SCW -- how do i look at it ? >     > >     >     could it someway be my checkpoint firewall at the local site >     ? how >     >     in the >     >     world can it accept icmp from other workstations ( win2k >     pro) at >     >     my remote >     >     vpn sites ? >     > >     > >     > >     > >     > >     >     On 7/29/06, Kurt Falde < [EMAIL PROTECTED] >     <mailto:[EMAIL PROTECTED]> >     >     <mailto: [EMAIL PROTECTED] >     <mailto: [EMAIL PROTECTED]>>> wrote: >     >     > >     >     >  Did you apply the post SP1 security hotfixes? I know >     there are >     >     a couple >     >     > of updates for tcpip.sys which fix issues which will cause AD >     >     repl issues >     >     > from a couple times in the field. Check out >     >     > http://support.microsoft.com/kb/898060 or for the latest >     tcpip.sys >     >     > >     http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . >     >     > >     >     > >     >     > >     >     > *Kurt Falde* >     >     >   ------------------------------ >     >     > >     >     > *From:* [EMAIL PROTECTED] >     <mailto: [EMAIL PROTECTED]> >     >     <mailto: [EMAIL PROTECTED] >     <mailto: [EMAIL PROTECTED]>> [mailto: >     >     > [EMAIL PROTECTED] >     <mailto: [EMAIL PROTECTED] > >     >     <mailto: [EMAIL PROTECTED] >     <mailto: [EMAIL PROTECTED] >>] *On Behalf Of *HBooGz >     >     > *Sent:* Saturday, July 29, 2006 5:39 AM >     >     > *To:* ActiveDir@mail.activedir.org >     <mailto: ActiveDir@mail.activedir.org> >     >     <mailto: ActiveDir@mail.activedir.org >     <mailto: ActiveDir@mail.activedir.org>> >     >     > *Subject:* [ActiveDir] R2 In-Place Upgrade bug ? >     >     > >     >     > >     >     > >     >     > Morning to all - >     >     > >     >     > I just spent the last 6 hours with dell gold software support >     >     team trying >     >     > to figure out the following occurrence: >     >     > >     >     > The upgraded R2 DC does not accept incoming connections, >     but it >     >     appears it >     >     > accepts certain connections. Particularly those related to >     directory >     >     > services. e.g . telnet *server ip* 389 from the mail server >     >     works. \\*serverip >     >     > or servername *brings up the shared printers and folders >     perfectly. >     >     > >     >     > outbound traffic and icmp works fine, inbound icmp returns a >     >     time out. >     >     > >     >     > scenario: >     >     > >     >     > Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then >     >     upgrade to >     >     > R2. >     >     > connections to and from box were fine on 2003 sp1. >     >     > downgraded NIC drivers to match other r2 DC on identical >     server >     >     > hardware/model >     >     > installed new nic drivers and proset >     >     > upgraded to R2. >     >     > rebooted and noticed a ton of errors with services hanging >     upon >     >     boot. >     >     > checked connection to the box from workstations and >     servers, but >     >     all >     >     > requests timed out. >     >     > i made sure ICF was disabled. >     >     > i disabled IPSEC and entered dword value for ProhibitIpSec >     - nothing >     >     > i then enabled ICF configured exceptions - explicitly allowing >     >     ICMP, and >     >     > still nothing. >     >     > reset the TCP/ip stack and winsock using netsh, nothing >     >     > servers has two nics, one of which is disabled. changed >     binding >     >     order so >     >     > active is on top -- nothing >     >     > reinstalled the binaries of windows 2003 sp1 and upgraded >     to r2 >     >     again -- >     >     > nothing. >     >     > >     >     > i'm at a lost of ideas and sure could use to vast >     resources the >     >     > contributors of this group may have or know of. >     >     > >     >     > Thanks, >     >     > >     >     > >     >     > >     >     > >     >     > >     >     > -- >     >     > HBooGz:\> >     >     > >     > >     > >     > >     >     -- >     >     HBooGz:\> >     >     List info   : http://www.activedir.org/List.aspx >     >     List FAQ    : http://www.activedir.org/ListFAQ.aspx >     >     List archive: http://www.activedir.org/ml/threads.aspx >     > >     > >     > >     > >     > -- >     > HBooGz:\> >     List info   : http://www.activedir.org/List.aspx >     List FAQ    : http://www.activedir.org/ListFAQ.aspx >     List archive: http://www.activedir.org/ml/threads.aspx > > > > > -- > HBooGz:\> List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx -- HBooGz:\> -- HBooGz:\>