RE: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

2005-09-06 Thread Joe Pochedley
Thanks for both the links.  I had seen the first one, but not the
second.

While they answered the question I had, they didn't explain why the
firewall is still enabled when it shouldn't be.  The slow link threshold
isn't an issue (set it down to 200kbps quite some time ago, and confirmed
with GPRESULT with the last applied time).  The DNS suffix on the client
matches the DNS suffix in the last-received Group Policy update DNS
name, so it appears the client thinks it's on a trusted network (or at
least it should).

Still plugging away.


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

2005-09-06 Thread Jeff Salisbury
The domain mode is determined by the DNS suffix of your active network 
connections. This article has information on troubleshooting the XP SP2 
firewall:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx
And it links to this article which describes the algorithm for determining if 
the domain mode is in effect (look in the How Network Determination Works 
section):
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

Hope that helps!
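To make the network determination rule concrete, here is a small model of it as an added example (constructed here, not Microsoft code and not from the linked articles). The adapter data is made up, and the rule it encodes, that every connected adapter's connection-specific DNS suffix must equal the DNS name recorded by the last Group Policy update or the standard profile wins, is my reading of the Cable Guy column; the VPN case shows why a WAN client with an ISP suffix on its physical NIC ends up on the standard profile.

```python
"""Model of XP SP2 Windows Firewall network determination (domain vs standard
profile). Constructed example: adapter data is made up, and the "every connected
adapter must match" rule is my reading of the linked Cable Guy column."""
from dataclasses import dataclass


@dataclass
class Connection:
    name: str
    connected: bool
    dns_suffix: str  # connection-specific DNS suffix, "" if none assigned


def select_profile(connections, last_gpo_dns_name):
    """Return (profile, reasons): profile is 'domain' or 'standard'."""
    target = last_gpo_dns_name.lower().rstrip(".")
    active = [c for c in connections if c.connected]
    if not target:
        return "standard", ["no Group Policy update recorded, nothing to match"]
    if not active:
        return "standard", ["no connected adapters"]
    # One mismatching adapter is enough to drop to the standard profile.
    mismatched = [c for c in active
                  if c.dns_suffix.lower().rstrip(".") != target]
    if mismatched:
        return "standard", [f"{c.name}: suffix '{c.dns_suffix or '(none)'}'"
                            f" != '{target}'" for c in mismatched]
    return "domain", [f"all {len(active)} connected adapter(s) carry '{target}'"]


# Constructed scenarios (hypothetical names and suffixes).
LAN_ONLY = [Connection("Local Area Connection", True, "corp.example.com")]
VPN_OVER_DSL = [Connection("Local Area Connection", True, "home.isp.example"),
                Connection("VPN Connection", True, "corp.example.com")]
NO_SUFFIX_YET = [Connection("Local Area Connection", True, "")]

if __name__ == "__main__":
    cases = (("LAN only", LAN_ONLY), ("VPN over DSL", VPN_OVER_DSL),
             ("adapter up, no suffix", NO_SUFFIX_YET))
    for label, conns in cases:
        profile, why = select_profile(conns, "corp.example.com")
        print(f"{label}: {profile} profile; {'; '.join(why)}")
```

Comparing each adapter's suffix (ipconfig /all) against the domain name this way is the check to run on an affected machine before looking at slow-link detection.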



Re: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

2005-09-06 Thread Mark Parris
It's probably to do with applying GPOs over slow links; the trouble is the speed
is measured as the speed of the NIC, not the speed of the link, unless you dial
up from the PC directly. I have had great fun with this and VPNs over ADSL and
dial up.


[ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

2005-09-06 Thread Joe Pochedley
 
I've done some googling and searched the MS site a bit, but cannot find
an answer...  The question I have is this:  How does an XP computer
determine whether it's connected to the domain in order to decide which
firewall policy (standard or domain) to enforce?

The reason I ask is this:  I see this most often with machines that come
in over the WAN, though I've seen it a few times on machines on our
local LAN too.  A machine will start up and the firewall will be
enabled.  Normally that would be expected as that is the default
behavior of the XP firewall.

However, I do have a GPO that turns off the firewall for the domain
profile.  If I do a GPRESULT on these machines, the GPO is applied, yet
the firewall is still on.  If I do a "netsh fi show state" the current
active profile is the standard profile, and the Firewall GPO that I have
set displays as the Group Policy Version (so I know the machine has the
settings).

My only guess is that, for some reason when these machines start, they
don't realize they're on the domain, but I can't explain why.  Latency
for the remote sites is about 60 to 100 ms and there are no DCs at many
of the small (2-4 people) remote sites.  If it were only remote sites,
then I might be convinced that the latency was an issue.  But as I
mentioned, I've seen it happen to machines on our LAN too.

Any insights or other things to check would be much appreciated.

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 