LOL that thought has crossed my mind several times.  But the box was operating 
just fine before we joined it to the domain.. and all this behavior started 
taking place.  As soon as it came off a reboot from joining the domain, the 
Windows Firewall stopped, couldn't ping the server etc.

This client also installed a Windows 2K8 standalone server with E2K7 ready to 
deploy and they were running across the same issues.  Cannot RDP, can't ping, 
etc.  I'm not sold it's a build issue just yet.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:44 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

I think you should rebuild this box. IMHO.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:42 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Oh I'm sorry Michael, I'm assuming it cannot get out because RPC is blocked 
incoming/outgoing on the server.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:31 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

No....This error "Certificate enrollment for Local system failed to enroll for 
a DomainController certificate with request ID N/A from 
exchsrv01.teambi.com\mail.evolvent.com (The RPC server is unavailable. 
0x800706ba (WIN32: 1722))" means that you have a policy requiring the DC to 
get a certificate and it couldn't access the CA when it tried to get it.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:28 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

That is something that is in the process of being purchased.  I'm assuming 
you're wanting to import a cert to all Windows 2008 DCs, correct?

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:24 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Do you have a CA on the same side of the firewall as this new DC?

I think I'd demote this server, remove it from the domain, re-add it, and then 
repromote. Assuming you do have an available CA. Otherwise - you are going to 
need access to a CA!

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 11:13 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Here are some of the Event Log errors I'm receiving. As you can see I'm not 
getting a whole lot of anything in the Event Viewer..just access denied.

Log Name:      Application
Source:        VSS
Date:          3/18/2010 1:23:47 PM
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.domain.com
Description:
Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr 
= 0x80070005, Access is denied.
.

Log Name:      Application
Source:        Microsoft-Windows-MSDTC
Date:          3/18/2010 1:25:48 PM
Event ID:      4112
Task Category: SVC
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.domain.com
Description:
Could not start the MS DTC Transaction Manager.


Volume Shadow Copy Service error: Unexpected error calling routine 
RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 
0x80070005, Access is denied.

.

Certificate enrollment for Local system failed to enroll for a DomainController 
certificate with request ID N/A from exchsrv01.teambi.com\mail.evolvent.com 
(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


John Bowles | 301.473.2260
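
Added example, not part of the original thread: a short Python decoder for the numeric codes in the event text quoted above. It splits each HRESULT into facility and Win32 code and resolves the signed handle passed to RegOpenKeyExW to its registry hive. The function names are this example's own, and the sample strings are the descriptions from the message above.

```python
import re

# Sample input: event descriptions as quoted in the message above.
SAMPLE_EVENTS = [
    r"Volume Shadow Copy Service error: Unexpected error calling routine "
    r"RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)."
    r"  hr = 0x80070005, Access is denied.",
    "Certificate enrollment for Local system failed to enroll for a "
    "DomainController certificate with request ID N/A from "
    "exchsrv01.teambi.com\\mail.evolvent.com "
    "(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).",
]

FACILITY_WIN32 = 7  # HRESULT wraps a plain Win32 error code
# Predefined registry handles (winreg.h), keyed by unsigned 32-bit value.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Only the two Win32 codes that appear in this thread (winerror.h).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1722: "RPC_S_SERVER_UNAVAILABLE"}

def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": bool(value >> 31), "facility": facility,
            "code": code, "name": name}

def decode_hive(signed_handle):
    """Map the signed decimal handle printed in the log to a hive name."""
    return HIVES.get(signed_handle & 0xFFFFFFFF)

def triage(description):
    """Decode every HRESULT and any RegOpenKeyExW target in one description."""
    out = {"hresults": [], "registry_key": None}
    for m in re.finditer(r"0x[0-9a-fA-F]{8}", description):
        out["hresults"].append(decode_hresult(int(m.group(), 16)))
    m = re.search(r"RegOpenKeyExW\((-?\d+),([^,]+),", description)
    if m:
        hive = decode_hive(int(m.group(1))) or m.group(1)
        out["registry_key"] = f"{hive}\\{m.group(2)}"
    return out

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```
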

________________________________
From: Michael B. Smith [mich...@smithcons.com]
Sent: Friday, March 19, 2010 11:03 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
No, shouldn't be a consideration.

Have you verified your event log is clean? I truly expect you should be getting 
information about a service startup failure.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Friday, March 19, 2010 10:58 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Just to throw this out there.. The client's domain functional level shouldn't 
have a bearing on this type of behavior correct?  The forest level is Windows 
2000 and the domain is Windows 2003.

Thank you.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Friday, March 19, 2010 10:54 AM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Hi Michael,

I'm probably beating a dead horse and shouldn't... But, on both my 2008 and 
2008 R2 servers, if I stop the windows firewall service, I can no longer 
connect to them via RDP, or access file shares, or even ping them for that 
matter. I agree, 2008 and 2008 R2 are very different beasts, but they do seem 
to have that behavior in common. At least that's my experience...

Of course, the important thing is why is this happening to John and how might 
he resolve it, and on that, I'm currently stumped.

Jeff

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, March 18, 2010 4:59 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Guys, y'all need to realize that y'all are comparing apples and oranges.

Server 2008 is NOT the same as Server 2008 R2.

Server 2008 R2 should've been called Server 2010. It's way different. It's not 
like 2003 R2 which was just a bunch of additional optional functionality.

Disabling or stopping the Windows Firewall service in Server 2008 R2 is not 
supported and will cause indeterminate behavior. If you want to not use the 
firewall, you need to open the Windows Firewall application and disable the 
appropriate profile.

This is a change in behavior between 2008 and 2008 R2.

Now, in 2008 R2, if the Windows Firewall won't start, then it WILL generate an 
error in one event log or another. You need to track that down and fix it! :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

+1

Jeff, that's exactly the issue I'm having.  The Windows Firewall will not even 
start up or allow me to start it up to allow traffic to the DC.

From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 5:35 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

If I stop the Windows Firewall service on my 2008 servers, I can no longer RDP 
to it. So, what I meant by off is, the service is stopped, which is the case 
for John, whose firewall service won't start at all.

From: N Parr [mailto:npar...@mortonind.com]
Sent: Thursday, March 18, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

What?  Firewall Off = Traffic Allowed
I have the firewalls off on my 2008 server and RDP to them just fine.

________________________________
From: Jackson, Jeff [mailto:jeff.jack...@rbza.com]
Sent: Thursday, March 18, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue
The 2008 firewall is conservative. In my experience, if it's turned off, no 
traffic is allowed inbound. So, you can't RDP into because your firewall won't 
start up to allow traffic in.

Jeff

From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 1:29 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue

Outside of enabling RDP on the DC, what can be preventing me from RDP'ing into 
the server?  I have this issue with my Exchange 2K7 server as well as DC.   I 
keep getting access is denied when trying to turn on Windows Firewall on the DC.


From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Thursday, March 18, 2010 2:46 PM
To: NT System Admin Issues
Subject: RE: Installing Win2K8 Server as DC Issue



From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, March 18, 2010 2:43 PM
To: NT System Admin Issues
Subject: Re: Installing Win2K8 Server as DC Issue

>>I cannot access the server remotely

Error message?

No error message, after running DS role I am no longer able to 
connect to server via RDP


>> the windows firewall service won't start

How are you determining this?

This is determined by the service on the server 
set to automatic but doesn't show's not started

What does the eventlog say?   Etc and so on.

Event log is throwing MS DTC 
errors saying service cannot start.


>>The Windows Firewall is a pain in the arse if you ask me.

Because?

Because it's always been a pain in the arss.  :)


-ASB: http://XeeSM.com/AndrewBaker
On Thu, Mar 18, 2010 at 2:29 PM, John Bowles 
<john.bow...@wlkmmas.org> wrote:
All-

I'm trying to join a w2k8 r2 server to a windows 2003 domain.

I've run adprep /forestprep
Adprep /domainprep
Installed domain services under roles.. rebooted

Now when the server came up I cannot access the server remotely and the windows 
firewall service won't start.  Just wondering what I did wrong here?  The 
Windows Firewall is a pain in the arse if you ask me.  Any help would be 
appreciated.

Thank you,



John Bowles