RE: [ActiveDir] R2 In-Place Upgrade bug ?
Check your antivirus software to make sure it doesn't include some sort of pseudo-firewall feature. Also make sure the built-in firewall isn't enabled. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGzSent: Monday, July 31, 2006 1:15 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] R2 In-Place Upgrade bug ? Kurt -I've put several machines into the same switch and fabric of switches. all devices are on the same vlan, the default vlan. Not one machine on the same subnet can ping this box. i even switched ports and staticlly added its mac address to the switch. i ran a trace on the server and noticed that it was receiving an ECHO request from the server to the testing machine, but it didn't send a response to the box.the only time the server sent a response was when it initiatied a ping. The problem server can communicate to all other hosts. there are no problems with replication. i have succesfully ran repadmin /replsum and repadmin /showreps numerous times.ive applied the following hotfix ( even though the server does respond to ping from vpn sites ) http://support.microsoft.com/kb/899657/under the advice of the dell engineer, i've even tried this:http://support.microsoft.com/default.aspx?scid=kb;en-us;325356but couldn't becuase it was hosting DNS,DHCP,WINS and print services for unix and tcpip wont uninstall until those services are not present. On 7/30/06, Kurt Falde <[EMAIL PROTECTED]> wrote: Is this on a separate network segment then your other boxes that you're utilizing to ping it? If not I would say make sure you put a laptop into a switch port that you are positive is in the same vlan as this server and start doing some testing there to ping the server. Have you taken a network trace on the server side to see if you see any of these connections getting to the server however the response not getting back to the originator? Kurt Falde From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGzSent: Sunday, July 30, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? anywhere i can possibly look ?i'm running out of options and i have a long week ahead with microsoft PSS and Dell. On 7/29/06, HBooGz < [EMAIL PROTECTED]> wrote: back to square one i presume ? On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED] > wrote: I think you are right.. I remember now they sucked in that fix to alater security bulletin.HBooGz wrote:> Thank you.>> So it looks like i should get the hotfix related to this article:>> http://support.microsoft.com/kb/898060 but it says in that article> that the download supplied is superceeded by the hotfix i applied> already : Security update 913446 (security bulletin MS06-007)> supersedes this update (898060).>> so which hotfixes do i really need ?>> what's the mystery is why can the clients and servers outside the> subnet connecting via VPN ping this server by name and IP succesfully.>>>> On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*> <[EMAIL PROTECTED] [EMAIL PROTECTED] >> wrote:>> The trick here is go to the bulletin and check the caveats section> http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx >> Which links to> http://support.microsoft.com/kb/893066>> Which points to...>> Network connectivity between clients and servers may not work > after you> install security update MS05-019. For more information, click the> following article number to view the article in the Microsoft> Knowledge> Base:> 898060 ( http://support.microsoft.com/kb/898060/)> Installing security update MS05-019 or Windows Server 2003 Service > Pack> 1 may cause network connectivity between clients and servers to fail > • For more information, click the following article number> to view the> article in the Microsoft Knowledge Base:> 898542 ( http://support.microsoft.com/kb/898542/) Windows> Server 2003 systems using IPsec tunnel-mode functionality may> experience> problems after you install the original version of 893066>>>> HBooGz wrote:> > I applied the related to article ending with MS06-007.mspx> > <> http://www.microsoft.com/t
Re: [ActiveDir] R2 In-Place Upgrade bug ?
Kurt -I've put several machines into the same switch and fabric of switches. all devices are on the same vlan, the default vlan. Not one machine on the same subnet can ping this box. i even switched ports and staticlly added its mac address to the switch. i ran a trace on the server and noticed that it was receiving an ECHO request from the server to the testing machine, but it didn't send a response to the box.the only time the server sent a response was when it initiatied a ping. The problem server can communicate to all other hosts. there are no problems with replication. i have succesfully ran repadmin /replsum and repadmin /showreps numerous times.ive applied the following hotfix ( even though the server does respond to ping from vpn sites ) http://support.microsoft.com/kb/899657/under the advice of the dell engineer, i've even tried this: http://support.microsoft.com/default.aspx?scid=kb;en-us;325356but couldn't becuase it was hosting DNS,DHCP,WINS and print services for unix and tcpip wont uninstall until those services are not present. On 7/30/06, Kurt Falde <[EMAIL PROTECTED]> wrote: Is this on a separate network segment then your other boxes that you're utilizing to ping it? If not I would say make sure you put a laptop into a switch port that you are positive is in the same vlan as this server and start doing some testing there to ping the server. Have you taken a network trace on the server side to see if you see any of these connections getting to the server however the response not getting back to the originator? Kurt Falde From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGz Sent: Sunday, July 30, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? anywhere i can possibly look ? i'm running out of options and i have a long week ahead with microsoft PSS and Dell. On 7/29/06, HBooGz < [EMAIL PROTECTED]> wrote: back to square one i presume ? On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED] > wrote: I think you are right.. I remember now they sucked in that fix to a later security bulletin. HBooGz wrote: > Thank you. > > So it looks like i should get the hotfix related to this article: > > http://support.microsoft.com/kb/898060 but it says in that article > that the download supplied is superceeded by the hotfix i applied > already : Security update 913446 (security bulletin MS06-007) > supersedes this update (898060). > > so which hotfixes do i really need ? > > what's the mystery is why can the clients and servers outside the > subnet connecting via VPN ping this server by name and IP succesfully. > > > > On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* > <[EMAIL PROTECTED] [EMAIL PROTECTED] >> wrote: > > The trick here is go to the bulletin and check the caveats section > http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx > > Which links to > http://support.microsoft.com/kb/893066 > > Which points to... > > Network connectivity between clients and servers may not work > after you > install security update MS05-019. For more information, click the > following article number to view the article in the Microsoft > Knowledge > Base: > 898060 ( http://support.microsoft.com/kb/898060/) > Installing security update MS05-019 or Windows Server 2003 Service > Pack > 1 may cause network connectivity between clients and servers to fail > • For more information, click the following article number > to view the > article in the Microsoft Knowledge Base: > 898542 ( http://support.microsoft.com/kb/898542/) Windows > Server 2003 systems using IPsec tunnel-mode functionality may > experience > problems after you install the original version of 893066 > > > > HBooGz wrote: > > I applied the related to article ending with MS06-007.mspx > > < > http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx > . > > > > do you happen to have the hotfix for the other article ? > > > > > > > > On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED] > [EMAIL PROTECTED]> > > [EMAIL PROTECTED] [EMAIL PROTECTED]>>> wrote: > > > > I would definitely get the tcpip.sys hotfixes applied as this > > sounds very symptomatic of ms05-019 issues. > > > > Kurt Falde > > Sent from my Windows Mobile Phone > > > > > > -Original Message- > > From: "HBooGz"< [EMAIL PROTECT
RE: [ActiveDir] R2 In-Place Upgrade bug ?
Is this on a separate network segment then your other boxes that you’re utilizing to ping it? If not I would say make sure you put a laptop into a switch port that you are positive is in the same vlan as this server and start doing some testing there to ping the server. Have you taken a network trace on the server side to see if you see any of these connections getting to the server however the response not getting back to the originator? Kurt Falde From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Sunday, July 30, 2006 6:36 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? anywhere i can possibly look ? i'm running out of options and i have a long week ahead with microsoft PSS and Dell. On 7/29/06, HBooGz < [EMAIL PROTECTED]> wrote: back to square one i presume ? On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED] > wrote: I think you are right.. I remember now they sucked in that fix to a later security bulletin. HBooGz wrote: > Thank you. > > So it looks like i should get the hotfix related to this article: > > http://support.microsoft.com/kb/898060 but it says in that article > that the download supplied is superceeded by the hotfix i applied > already : Security update 913446 (security bulletin MS06-007) > supersedes this update (898060). > > so which hotfixes do i really need ? > > what's the mystery is why can the clients and servers outside the > subnet connecting via VPN ping this server by name and IP succesfully. > > > > On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* > <[EMAIL PROTECTED] [EMAIL PROTECTED] >> wrote: > > The trick here is go to the bulletin and check the caveats section > http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx > > Which links to > http://support.microsoft.com/kb/893066 > > Which points to... > > Network connectivity between clients and servers may not work > after you > install security update MS05-019. For more information, click the > following article number to view the article in the Microsoft > Knowledge > Base: > 898060 ( http://support.microsoft.com/kb/898060/) > Installing security update MS05-019 or Windows Server 2003 Service > Pack > 1 may cause network connectivity between clients and servers to fail > • For more information, click the following article number > to view the > article in the Microsoft Knowledge Base: > 898542 ( http://support.microsoft.com/kb/898542/) Windows > Server 2003 systems using IPsec tunnel-mode functionality may > experience > problems after you install the original version of 893066 > > > > HBooGz wrote: > > I applied the related to article ending with MS06-007.mspx > > < > http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> . > > > > do you happen to have the hotfix for the other article ? > > > > > > > > On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED] > [EMAIL PROTECTED]> > > [EMAIL PROTECTED] [EMAIL PROTECTED]>>> wrote: > > > > I would definitely get the tcpip.sys hotfixes applied as this > > sounds very symptomatic of ms05-019 issues. > > > > Kurt Falde > > Sent from my Windows Mobile Phone > > > > > > -Original Message- > > From: "HBooGz"< [EMAIL PROTECTED] [EMAIL PROTECTED]> > [EMAIL PROTECTED] [EMAIL PROTECTED]>>> > > Sent: 7/29/06 10:58:58 AM > > To: " ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org> > > ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org >>"<ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org> > > ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org>>> > > Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? > > > > I applied no post sp-1 fixes, but i would imagine it's worth > a try. > > > > do you guys want to hear something even more mind-boggling ? > > > > i can ping the server from workstations outside the main > office!!! > > > > i've remotely connected to workstations at our IPSEC vpns to > test > > login > > times and email access,a nd pinged the problematic server > just fine!!! > > > > arghhh >
Re: [ActiveDir] R2 In-Place Upgrade bug ?
anywhere i can possibly look ?i'm running out of options and i have a long week ahead with microsoft PSS and Dell.On 7/29/06, HBooGz < [EMAIL PROTECTED]> wrote:back to square one i presume ? On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] < [EMAIL PROTECTED] > wrote:I think you are right.. I remember now they sucked in that fix to a later security bulletin.HBooGz wrote:> Thank you.>> So it looks like i should get the hotfix related to this article:>> http://support.microsoft.com/kb/898060 but it says in that article> that the download supplied is superceeded by the hotfix i applied> already : Security update 913446 (security bulletin MS06-007)> supersedes this update (898060). >> so which hotfixes do i really need ?>> what's the mystery is why can the clients and servers outside the> subnet connecting via VPN ping this server by name and IP succesfully.> >>> On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*> <[EMAIL PROTECTED] [EMAIL PROTECTED] >> wrote:>> The trick here is go to the bulletin and check the caveats section> http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx >> Which links to> http://support.microsoft.com/kb/893066 >> Which points to...>> Network connectivity between clients and servers may not work > after you> install security update MS05-019. For more information, click the> following article number to view the article in the Microsoft> Knowledge> Base:> 898060 ( http://support.microsoft.com/kb/898060/)> Installing security update MS05-019 or Windows Server 2003 Service > Pack> 1 may cause network connectivity between clients and servers to fail > • For more information, click the following article number> to view the> article in the Microsoft Knowledge Base:> 898542 ( http://support.microsoft.com/kb/898542/) Windows> Server 2003 systems using IPsec tunnel-mode functionality may> experience> problems after you install the original version of 893066 >>>> HBooGz wrote:> > I applied the related to article ending with MS06-007.mspx> > <> http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> .> >> > do you happen to have the hotfix for the other article ?> >> >> > > > On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED]> [EMAIL PROTECTED]>> > [EMAIL PROTECTED] [EMAIL PROTECTED]>>> wrote:> >> > I would definitely get the tcpip.sys hotfixes applied as this> > sounds very symptomatic of ms05-019 issues. > >> > Kurt Falde> > Sent from my Windows Mobile Phone> >> >> > -Original Message-> > From: "HBooGz"< [EMAIL PROTECTED] [EMAIL PROTECTED]>> [EMAIL PROTECTED] [EMAIL PROTECTED]>>>> > Sent: 7/29/06 10:58:58 AM> > To: " ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>> > ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org >>"<ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>> > ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>>>> > Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? > >> > I applied no post sp-1 fixes, but i would imagine it's worth> a try.> >> > do you guys want to hear something even more mind-boggling ? > >> > i can ping the server from workstations outside the main> office!!!> >> > i've remotely connected to workstations at our IPSEC vpns to> test > > login> > times and email access,a nd pinged the problematic server> just fine!!!> >> > arghhh> >> > Matheesha: > >> > Incoming connections i mean services that somehow are not> defined> > to the> > server. I run a repadmin /replsum from another dc and it > shows no> > errors. i> > run a dcdiag /s:problemserver with no problem. so it means that> > directory> > service traffic is allowed, but when i try to Dameware ( tcp > port> > 6129) to> > the machine it times out, when i try to the ping the box i get> > nothing from> > the main office!> > > > i checked the IPSEC domain and Standard profile and made> sure no IPSEC
Re: [ActiveDir] R2 In-Place Upgrade bug ?
back to square one i presume ?On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED] > wrote:I think you are right.. I remember now they sucked in that fix to a later security bulletin.HBooGz wrote:> Thank you.>> So it looks like i should get the hotfix related to this article:>> http://support.microsoft.com/kb/898060 but it says in that article> that the download supplied is superceeded by the hotfix i applied> already : Security update 913446 (security bulletin MS06-007)> supersedes this update (898060). >> so which hotfixes do i really need ?>> what's the mystery is why can the clients and servers outside the> subnet connecting via VPN ping this server by name and IP succesfully.> >>> On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*> <[EMAIL PROTECTED] [EMAIL PROTECTED] >> wrote:>> The trick here is go to the bulletin and check the caveats section> http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx >> Which links to> http://support.microsoft.com/kb/893066>> Which points to...>> Network connectivity between clients and servers may not work > after you> install security update MS05-019. For more information, click the> following article number to view the article in the Microsoft> Knowledge> Base:> 898060 ( http://support.microsoft.com/kb/898060/)> Installing security update MS05-019 or Windows Server 2003 Service> Pack> 1 may cause network connectivity between clients and servers to fail > • For more information, click the following article number> to view the> article in the Microsoft Knowledge Base:> 898542 ( http://support.microsoft.com/kb/898542/) Windows> Server 2003 systems using IPsec tunnel-mode functionality may> experience> problems after you install the original version of 893066 >>>> HBooGz wrote:> > I applied the related to article ending with MS06-007.mspx> > <> http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> .> >> > do you happen to have the hotfix for the other article ?> >> >> >> > On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED]> [EMAIL PROTECTED]>> > [EMAIL PROTECTED] [EMAIL PROTECTED]>>> wrote:> >> > I would definitely get the tcpip.sys hotfixes applied as this> > sounds very symptomatic of ms05-019 issues. > >> > Kurt Falde> > Sent from my Windows Mobile Phone> >> >> > -Original Message-> > From: "HBooGz"< [EMAIL PROTECTED] [EMAIL PROTECTED]>> [EMAIL PROTECTED] [EMAIL PROTECTED]>>>> > Sent: 7/29/06 10:58:58 AM> > To: " ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>> > ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org >>"<ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>> > ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>>>> > Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? > >> > I applied no post sp-1 fixes, but i would imagine it's worth> a try.> >> > do you guys want to hear something even more mind-boggling ? > >> > i can ping the server from workstations outside the main> office!!!> >> > i've remotely connected to workstations at our IPSEC vpns to> test > > login> > times and email access,a nd pinged the problematic server> just fine!!!> >> > arghhh> >> > Matheesha: > >> > Incoming connections i mean services that somehow are not> defined> > to the> > server. I run a repadmin /replsum from another dc and it > shows no> > errors. i> > run a dcdiag /s:problemserver with no problem. so it means that> > directory> > service traffic is allowed, but when i try to Dameware ( tcp > port> > 6129) to> > the machine it times out, when i try to the ping the box i get> > nothing from> > the main office!> > > > i checked the IPSEC domain and Standard profile and made> sure no IPSEC> > polocies were applied.> >> > if it's the SCW -- how do i look at it ? > >> > could it someway be my checkpoint firewall at the local sit
Re: [ActiveDir] R2 In-Place Upgrade bug ?
I think you are right.. I remember now they sucked in that fix to a later security bulletin. HBooGz wrote: Thank you. So it looks like i should get the hotfix related to this article: http://support.microsoft.com/kb/898060 but it says in that article that the download supplied is superceeded by the hotfix i applied already : Security update 913446 (security bulletin MS06-007) supersedes this update (898060). so which hotfixes do i really need ? what's the mystery is why can the clients and servers outside the subnet connecting via VPN ping this server by name and IP succesfully. On 7/29/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: The trick here is go to the bulletin and check the caveats section http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx Which links to http://support.microsoft.com/kb/893066 Which points to... Network connectivity between clients and servers may not work after you install security update MS05-019. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898060 ( http://support.microsoft.com/kb/898060/) Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail • For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898542 (http://support.microsoft.com/kb/898542/) Windows Server 2003 systems using IPsec tunnel-mode functionality may experience problems after you install the original version of 893066 HBooGz wrote: > I applied the related to article ending with MS06-007.mspx > < http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> . > > do you happen to have the hotfix for the other article ? > > > > On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > <mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>> wrote: > > I would definitely get the tcpip.sys hotfixes applied as this > sounds very symptomatic of ms05-019 issues. > > Kurt Falde > Sent from my Windows Mobile Phone > > > -Original Message- > From: "HBooGz"<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>> > Sent: 7/29/06 10:58:58 AM > To: " ActiveDir@mail.activedir.org <mailto:ActiveDir@mail.activedir.org> > <mailto:ActiveDir@mail.activedir.org <mailto:ActiveDir@mail.activedir.org>>"mailto:ActiveDir@mail.activedir.org> > mailto:ActiveDir@mail.activedir.org>>> > Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? > > I applied no post sp-1 fixes, but i would imagine it's worth a try. > > do you guys want to hear something even more mind-boggling ? > > i can ping the server from workstations outside the main office!!! > > i've remotely connected to workstations at our IPSEC vpns to test > login > times and email access,a nd pinged the problematic server just fine!!! > > arghhh > > Matheesha: > > Incoming connections i mean services that somehow are not defined > to the > server. I run a repadmin /replsum from another dc and it shows no > errors. i > run a dcdiag /s:problemserver with no problem. so it means that > directory > service traffic is allowed, but when i try to Dameware ( tcp port > 6129) to > the machine it times out, when i try to the ping the box i get > nothing from > the main office! > > i checked the IPSEC domain and Standard profile and made sure no IPSEC > polocies were applied. > > if it's the SCW -- how do i look at it ? > > could it someway be my checkpoint firewall at the local site ? how > in the > world can it accept icmp from other workstations ( win2k pro) at > my remote > vpn sites ? > > > > > > On 7/29/06, Kurt Falde < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > mailto:[EMAIL PROTECTED]>>> wrote: > > > > Did you apply the post SP1 security hotfixes? I know there are > a couple
Re: [ActiveDir] R2 In-Place Upgrade bug ?
Thank you.So it looks like i should get the hotfix related to this article:http://support.microsoft.com/kb/898060 but it says in that article that the download supplied is superceeded by the hotfix i applied already : Security update 913446 (security bulletin MS06-007) supersedes this update (898060). so which hotfixes do i really need ?what's the mystery is why can the clients and servers outside the subnet connecting via VPN ping this server by name and IP succesfully. On 7/29/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote: The trick here is go to the bulletin and check the caveats sectionhttp://www.microsoft.com/technet/security/bulletin/MS05-019.mspx Which links tohttp://support.microsoft.com/kb/893066Which points to...Network connectivity between clients and servers may not work after you install security update MS05-019. For more information, click thefollowing article number to view the article in the Microsoft KnowledgeBase:898060 ( http://support.microsoft.com/kb/898060/)Installing security update MS05-019 or Windows Server 2003 Service Pack1 may cause network connectivity between clients and servers to fail• For more information, click the following article number to view the article in the Microsoft Knowledge Base:898542 (http://support.microsoft.com/kb/898542/) WindowsServer 2003 systems using IPsec tunnel-mode functionality may experience problems after you install the original version of 893066HBooGz wrote:> I applied the related to article ending with MS06-007.mspx> < http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> .>> do you happen to have the hotfix for the other article ?>>>> On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED]> [EMAIL PROTECTED]>> wrote:>> I would definitely get the tcpip.sys hotfixes applied as this> sounds very symptomatic of ms05-019 issues. >> Kurt Falde> Sent from my Windows Mobile Phone>>> -Original Message-> From: "HBooGz"<[EMAIL PROTECTED] [EMAIL PROTECTED]>>> Sent: 7/29/06 10:58:58 AM> To: " ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org>"<ActiveDir@mail.activedir.org> ActiveDir@mail.activedir.org>>> Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ?>> I applied no post sp-1 fixes, but i would imagine it's worth a try.>> do you guys want to hear something even more mind-boggling ? >> i can ping the server from workstations outside the main office!!!>> i've remotely connected to workstations at our IPSEC vpns to test> login> times and email access,a nd pinged the problematic server just fine!!! >> arghhh>> Matheesha:>> Incoming connections i mean services that somehow are not defined> to the> server. I run a repadmin /replsum from another dc and it shows no > errors. i> run a dcdiag /s:problemserver with no problem. so it means that> directory> service traffic is allowed, but when i try to Dameware ( tcp port> 6129) to > the machine it times out, when i try to the ping the box i get> nothing from> the main office!>> i checked the IPSEC domain and Standard profile and made sure no IPSEC> polocies were applied. >> if it's the SCW -- how do i look at it ?>> could it someway be my checkpoint firewall at the local site ? how> in the> world can it accept icmp from other workstations ( win2k pro) at > my remote> vpn sites ?>>>>>> On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> [EMAIL PROTECTED]>> wrote:> >> > Did you apply the post SP1 security hotfixes? I know there are> a couple> > of updates for tcpip.sys which fix issues which will cause AD > repl issues> > from a couple times in the field. Check out> > http://support.microsoft.com/kb/898060 or for the latest tcpip.sys > > http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx .> >> >> >> > *Kurt Falde* > > --> >> > *From:* [EMAIL PROTECTED]> [EMAIL PROTECTED]> [mailto:> > [EMAIL PROTECTED]> [EMAIL PROTECTED]>] *On Behalf Of *HBooGz> > *Sent:* Saturday, July 29, 2006 5:39 AM> > *To:* ActiveDir@mail.activedir.org > ActiveDir@mail.activedir.org>> > *Subject:* [ActiveDir] R2 In-Place Upgrade bug ?> >> >> > > > Morning to all -> >> > I just spent the last 6 hours with dell gold software support> team trying> > to figure out the following occurrence:> > >
Re: [ActiveDir] R2 In-Place Upgrade bug ?
The trick here is go to the bulletin and check the caveats section http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx Which links to http://support.microsoft.com/kb/893066 Which points to... Network connectivity between clients and servers may not work after you install security update MS05-019. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898060 (http://support.microsoft.com/kb/898060/) Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail • For more information, click the following article number to view the article in the Microsoft Knowledge Base: 898542 (http://support.microsoft.com/kb/898542/) Windows Server 2003 systems using IPsec tunnel-mode functionality may experience problems after you install the original version of 893066 HBooGz wrote: I applied the related to article ending with MS06-007.mspx <http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx> . do you happen to have the hotfix for the other article ? On 7/29/06, *Kurt Falde* < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: I would definitely get the tcpip.sys hotfixes applied as this sounds very symptomatic of ms05-019 issues. Kurt Falde Sent from my Windows Mobile Phone -Original Message- From: "HBooGz"<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> Sent: 7/29/06 10:58:58 AM To: " ActiveDir@mail.activedir.org <mailto:ActiveDir@mail.activedir.org>"mailto:ActiveDir@mail.activedir.org>> Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post sp-1 fixes, but i would imagine it's worth a try. do you guys want to hear something even more mind-boggling ? i can ping the server from workstations outside the main office!!! i've remotely connected to workstations at our IPSEC vpns to test login times and email access,a nd pinged the problematic server just fine!!! arghhh Matheesha: Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. i run a dcdiag /s:problemserver with no problem. so it means that directory service traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing from the main office! i checked the IPSEC domain and Standard profile and made sure no IPSEC polocies were applied. if it's the SCW -- how do i look at it ? could it someway be my checkpoint firewall at the local site ? how in the world can it accept icmp from other workstations ( win2k pro) at my remote vpn sites ? On 7/29/06, Kurt Falde < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: > > Did you apply the post SP1 security hotfixes? I know there are a couple > of updates for tcpip.sys which fix issues which will cause AD repl issues > from a couple times in the field. Check out > http://support.microsoft.com/kb/898060 or for the latest tcpip.sys > http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . > > > > *Kurt Falde* > -- > > *From:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> [mailto: > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>] *On Behalf Of *HBooGz > *Sent:* Saturday, July 29, 2006 5:39 AM > *To:* ActiveDir@mail.activedir.org <mailto:ActiveDir@mail.activedir.org> > *Subject:* [ActiveDir] R2 In-Place Upgrade bug ? > > > > Morning to all - > > I just spent the last 6 hours with dell gold software support team trying > to figure out the following occurrence: > > The upgraded R2 DC does not accept incoming connections, but it appears it > accepts certain connections. Particularly those related to directory > services. e.g. telnet *server ip* 389 from the mail server works. \\*serverip > or servername *brings up the shared printers and folders perfectly. > > outbound traffic and icmp works fine, inbound icmp returns a time out. > > scenario: > > Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to > R2. > connections to and from box were fine on 2003 sp1. > downgraded NIC drivers to match other r2 DC on identical server > hardware/model > installed new nic drivers and proset > upgraded to R2. > rebooted and noticed a ton of errors with services hanging upon boot. > checked connection t
Re: [ActiveDir] R2 In-Place Upgrade bug ?
Kurt -I applied the later of the tcpip.sys updates ( the one availble to download) and it updated the tcpip.sys file with a newer timestamp than what the other article would have given it -- is it even worth it ? at this point, i wouldn't be surprised.Thanks guys, i think we're almost there..On 7/29/06, HBooGz <[EMAIL PROTECTED] > wrote:I applied the related to article ending with MS06-007.mspx .do you happen to have the hotfix for the other article ?On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> wrote:I would definitely get the tcpip.sys hotfixes applied as this sounds very symptomatic of ms05-019 issues. Kurt FaldeSent from my Windows Mobile Phone-Original Message-From: "HBooGz"< [EMAIL PROTECTED]>Sent: 7/29/06 10:58:58 AMTo: " ActiveDir@mail.activedir.org"< ActiveDir@mail.activedir.org>Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post sp-1 fixes, but i would imagine it's worth a try.do you guys want to hear something even more mind-boggling ?i can ping the server from workstations outside the main office!!! i've remotely connected to workstations at our IPSEC vpns to test logintimes and email access,a nd pinged the problematic server just fine!!!arghhhMatheesha:Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. irun a dcdiag /s:problemserver with no problem. so it means that directoryservice traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing fromthe main office!i checked the IPSEC domain and Standard profile and made sure no IPSECpolocies were applied.if it's the SCW -- how do i look at it ? could it someway be my checkpoint firewall at the local site ? how in theworld can it accept icmp from other workstations ( win2k pro) at my remotevpn sites ?On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> wrote:>> Did you apply the post SP1 security hotfixes? I know there are a couple > of updates for tcpip.sys which fix issues which will cause AD repl issues > from a couple times in the field. Check out> http://support.microsoft.com/kb/898060 or for the latest tcpip.sys> http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx .>>>> *Kurt Falde*> -->> *From:* [EMAIL PROTECTED] [mailto:> [EMAIL PROTECTED]] *On Behalf Of *HBooGz > *Sent:* Saturday, July 29, 2006 5:39 AM > *To:* ActiveDir@mail.activedir.org> *Subject:* [ActiveDir] R2 In-Place Upgrade bug ? >>>> Morning to all ->> I just spent the last 6 hours with dell gold software support team trying > to figure out the following occurrence:>> The upgraded R2 DC does not accept incoming connections, but it appears it> accepts certain connections. Particularly those related to directory > services. e.g. telnet *server ip* 389 from the mail server works. \\*serverip> or servername *brings up the shared printers and folders perfectly.>> outbound traffic and icmp works fine, inbound icmp returns a time out. >> scenario:>> Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to> R2.> connections to and from box were fine on 2003 sp1.> downgraded NIC drivers to match other r2 DC on identical server > hardware/model> installed new nic drivers and proset> upgraded to R2.> rebooted and noticed a ton of errors with services hanging upon boot.> checked connection to the box from workstations and servers, but all > requests timed out.> i made sure ICF was disabled.> i disabled IPSEC and entered dword value for ProhibitIpSec - nothing> i then enabled ICF configured exceptions - explicitly allowing ICMP, and > still nothing.> reset the TCP/ip stack and winsock using netsh, nothing> servers has two nics, one of which is disabled. changed binding order so> active is on top -- nothing> reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- > nothing.>> i'm at a lost of ideas and sure could use to vast resources the> contributors of this group may have or know of.>> Thanks,>>>>> > --> HBooGz:\>>--HBooGz:\>List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx -- HBooGz:\> -- HBooGz:\>
RE: [ActiveDir] R2 In-Place Upgrade bug ?
http://support.microsoft.com/kb/898060 > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde > Sent: Saturday, July 29, 2006 5:19 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? > > I would definitely get the tcpip.sys hotfixes applied as this > sounds very symptomatic of ms05-019 issues. > > Kurt Falde > Sent from my Windows Mobile Phone > > > -Original Message- > From: "HBooGz"<[EMAIL PROTECTED]> > Sent: 7/29/06 10:58:58 AM > To: "ActiveDir@mail.activedir.org" > Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? > > I applied no post sp-1 fixes, but i would imagine it's worth a try. > > do you guys want to hear something even more mind-boggling ? > > i can ping the server from workstations outside the main office!!! > > i've remotely connected to workstations at our IPSEC vpns to > test login times and email access,a nd pinged the problematic > server just fine!!! > > arghhh > > Matheesha: > > Incoming connections i mean services that somehow are not > defined to the server. I run a repadmin /replsum from another > dc and it shows no errors. i run a dcdiag /s:problemserver > with no problem. so it means that directory service traffic > is allowed, but when i try to Dameware ( tcp port 6129) to > the machine it times out, when i try to the ping the box i > get nothing from the main office! > > i checked the IPSEC domain and Standard profile and made sure > no IPSEC polocies were applied. > > if it's the SCW -- how do i look at it ? > > could it someway be my checkpoint firewall at the local site > ? how in the world can it accept icmp from other workstations > ( win2k pro) at my remote vpn sites ? > > > > > > On 7/29/06, Kurt Falde <[EMAIL PROTECTED]> wrote: > > > > Did you apply the post SP1 security hotfixes? I know there are a > > couple of updates for tcpip.sys which fix issues which will > cause AD > > repl issues from a couple times in the field. Check out > > http://support.microsoft.com/kb/898060 or for the latest tcpip.sys > > http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . > > > > > > > > *Kurt Falde* > > -- > > > > *From:* [EMAIL PROTECTED] [mailto: > > [EMAIL PROTECTED] *On Behalf Of *HBooGz > > *Sent:* Saturday, July 29, 2006 5:39 AM > > *To:* ActiveDir@mail.activedir.org > > *Subject:* [ActiveDir] R2 In-Place Upgrade bug ? > > > > > > > > Morning to all - > > > > I just spent the last 6 hours with dell gold software support team > > trying to figure out the following occurrence: > > > > The upgraded R2 DC does not accept incoming connections, but it > > appears it accepts certain connections. Particularly those > related to > > directory services. e.g. telnet *server ip* 389 from the > mail server > > works. \\*serverip or servername *brings up the shared > printers and folders perfectly. > > > > outbound traffic and icmp works fine, inbound icmp returns > a time out. > > > > scenario: > > > > Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 > then upgrade > > to R2. > > connections to and from box were fine on 2003 sp1. > > downgraded NIC drivers to match other r2 DC on identical server > > hardware/model installed new nic drivers and proset upgraded to R2. > > rebooted and noticed a ton of errors with services hanging > upon boot. > > checked connection to the box from workstations and > servers, but all > > requests timed out. > > i made sure ICF was disabled. > > i disabled IPSEC and entered dword value for ProhibitIpSec > - nothing i > > then enabled ICF configured exceptions - explicitly > allowing ICMP, and > > still nothing. > > reset the TCP/ip stack and winsock using netsh, nothing servers has > > two nics, one of which is disabled. changed binding order > so active is > > on top -- nothing reinstalled the binaries of windows 2003 sp1 and > > upgraded to r2 again -- nothing. > > > > i'm at a lost of ideas and sure could use to vast resources the > > contributors of this group may have or know of. > > > > Thanks, > > > > > > > > > > > > -- > > HBooGz:\> > > > > > > -- > HBooGz:\> > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] R2 In-Place Upgrade bug ?
I applied the related to article ending with MS06-007.mspx .do you happen to have the hotfix for the other article ?On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> wrote:I would definitely get the tcpip.sys hotfixes applied as this sounds very symptomatic of ms05-019 issues. Kurt FaldeSent from my Windows Mobile Phone-Original Message-From: "HBooGz"<[EMAIL PROTECTED]>Sent: 7/29/06 10:58:58 AMTo: " ActiveDir@mail.activedir.org"<ActiveDir@mail.activedir.org>Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post sp-1 fixes, but i would imagine it's worth a try.do you guys want to hear something even more mind-boggling ?i can ping the server from workstations outside the main office!!! i've remotely connected to workstations at our IPSEC vpns to test logintimes and email access,a nd pinged the problematic server just fine!!!arghhhMatheesha:Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. irun a dcdiag /s:problemserver with no problem. so it means that directoryservice traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing fromthe main office!i checked the IPSEC domain and Standard profile and made sure no IPSECpolocies were applied.if it's the SCW -- how do i look at it ? could it someway be my checkpoint firewall at the local site ? how in theworld can it accept icmp from other workstations ( win2k pro) at my remotevpn sites ?On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> wrote:>> Did you apply the post SP1 security hotfixes? I know there are a couple> of updates for tcpip.sys which fix issues which will cause AD repl issues > from a couple times in the field. Check out> http://support.microsoft.com/kb/898060 or for the latest tcpip.sys> http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx .>>>> *Kurt Falde*> -->> *From:* [EMAIL PROTECTED] [mailto:> [EMAIL PROTECTED]] *On Behalf Of *HBooGz> *Sent:* Saturday, July 29, 2006 5:39 AM > *To:* ActiveDir@mail.activedir.org> *Subject:* [ActiveDir] R2 In-Place Upgrade bug ?>>>> Morning to all ->> I just spent the last 6 hours with dell gold software support team trying > to figure out the following occurrence:>> The upgraded R2 DC does not accept incoming connections, but it appears it> accepts certain connections. Particularly those related to directory> services. e.g. telnet *server ip* 389 from the mail server works. \\*serverip> or servername *brings up the shared printers and folders perfectly.>> outbound traffic and icmp works fine, inbound icmp returns a time out. >> scenario:>> Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to> R2.> connections to and from box were fine on 2003 sp1.> downgraded NIC drivers to match other r2 DC on identical server > hardware/model> installed new nic drivers and proset> upgraded to R2.> rebooted and noticed a ton of errors with services hanging upon boot.> checked connection to the box from workstations and servers, but all > requests timed out.> i made sure ICF was disabled.> i disabled IPSEC and entered dword value for ProhibitIpSec - nothing> i then enabled ICF configured exceptions - explicitly allowing ICMP, and > still nothing.> reset the TCP/ip stack and winsock using netsh, nothing> servers has two nics, one of which is disabled. changed binding order so> active is on top -- nothing> reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- > nothing.>> i'm at a lost of ideas and sure could use to vast resources the> contributors of this group may have or know of.>> Thanks,>>>>> > --> HBooGz:\>>--HBooGz:\>List info : http://www.activedir.org/List.aspxList FAQ: http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx-- HBooGz:\>
Re: [ActiveDir] R2 In-Place Upgrade bug ?
I would definitely get the tcpip.sys hotfixes applied as this sounds very symptomatic of ms05-019 issues. Kurt Falde Sent from my Windows Mobile Phone -Original Message- From: "HBooGz"<[EMAIL PROTECTED]> Sent: 7/29/06 10:58:58 AM To: "ActiveDir@mail.activedir.org" Subject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post sp-1 fixes, but i would imagine it's worth a try. do you guys want to hear something even more mind-boggling ? i can ping the server from workstations outside the main office!!! i've remotely connected to workstations at our IPSEC vpns to test login times and email access,a nd pinged the problematic server just fine!!! arghhh Matheesha: Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. i run a dcdiag /s:problemserver with no problem. so it means that directory service traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing from the main office! i checked the IPSEC domain and Standard profile and made sure no IPSEC polocies were applied. if it's the SCW -- how do i look at it ? could it someway be my checkpoint firewall at the local site ? how in the world can it accept icmp from other workstations ( win2k pro) at my remote vpn sites ? On 7/29/06, Kurt Falde <[EMAIL PROTECTED]> wrote: > > Did you apply the post SP1 security hotfixes? I know there are a couple > of updates for tcpip.sys which fix issues which will cause AD repl issues > from a couple times in the field. Check out > http://support.microsoft.com/kb/898060 or for the latest tcpip.sys > http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . > > > > *Kurt Falde* > -- > > *From:* [EMAIL PROTECTED] [mailto: > [EMAIL PROTECTED] *On Behalf Of *HBooGz > *Sent:* Saturday, July 29, 2006 5:39 AM > *To:* ActiveDir@mail.activedir.org > *Subject:* [ActiveDir] R2 In-Place Upgrade bug ? > > > > Morning to all - > > I just spent the last 6 hours with dell gold software support team trying > to figure out the following occurrence: > > The upgraded R2 DC does not accept incoming connections, but it appears it > accepts certain connections. Particularly those related to directory > services. e.g. telnet *server ip* 389 from the mail server works. \\*serverip > or servername *brings up the shared printers and folders perfectly. > > outbound traffic and icmp works fine, inbound icmp returns a time out. > > scenario: > > Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to > R2. > connections to and from box were fine on 2003 sp1. > downgraded NIC drivers to match other r2 DC on identical server > hardware/model > installed new nic drivers and proset > upgraded to R2. > rebooted and noticed a ton of errors with services hanging upon boot. > checked connection to the box from workstations and servers, but all > requests timed out. > i made sure ICF was disabled. > i disabled IPSEC and entered dword value for ProhibitIpSec - nothing > i then enabled ICF configured exceptions - explicitly allowing ICMP, and > still nothing. > reset the TCP/ip stack and winsock using netsh, nothing > servers has two nics, one of which is disabled. changed binding order so > active is on top -- nothing > reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- > nothing. > > i'm at a lost of ideas and sure could use to vast resources the > contributors of this group may have or know of. > > Thanks, > > > > > > -- > HBooGz:\> > -- HBooGz:\> List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] R2 In-Place Upgrade bug ?
Laura --I'm running through the SCW and am not sure at which point do you want me to look at that determines if something is off. As i run through the SCW, i imagine the View needs to be set on Installed Options, which gives me an idea as to what is on the machine. It runs through the security config databse and then i have an option to View Configuration Database. Once i view that, there are almost every possible microsoft app avaible for the server. I go to the Windows firewall application and it omes up with a status of Installed, enabled -- this is defintely off because the service is disabled and is not applied to any adapters ? PS. I didn't have a rollback file to proceed.Then there is the role-based config wizardSecurity config wizard Where i have the option to uncheck the Windows firewalli have the options to skip the windows firewall and registry settings and audit policy, which effectively disables them on the machine And then the changed services , which has a lot of services listed and ones that it can disable -- in particular: Intersite messaging and RPC locator ( unnecessary on a dc ? )how should i proceed? On 7/29/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote: One amendment- even if you omit the /? and just type "scwcmd" at the command line, it will give you the syntax info. Oh, and I never answered your other question- IPsecmon was a command-line tool in 2000, but in Win2K3, it's an MMC snap-in, so just create an MMC and add the IP Security Monitor snap-in. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGzSent: Saturday, July 29, 2006 2:01 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] R2 In-Place Upgrade bug ? Thanks Laura:I've never implemented IPSEC polices on my network, either in windoows 2000 nor here in windows 2003.so, you're saying to try to run the SCW to determine if a security policy is installed ? if not create one then roll-it back ? where can i find the ipsec monitor ?UPDATE* -- i've enabled to the windows firewall just to see what can be done with regard to icmp.i've used the netsh command to add a custom port that DAMEWARE remote uses. netsh firewall add portopening TCP 6129 dameware.once i added that, i was able to dameware into the box ( which i wasn't able to do previously)i then adjust the ICMP setting to allow ALL icmp.netsh firewall set icmpsetting ALL enableand allowed incomingnetsh firewall set icmpsetting 8 enableC:\>netsh firewall show icmpsettingICMP configuration for Standard profile:Mode Type Description ---Enable 2 Allow outbound packet too bigEnable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quench Enable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router requestEnable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problem Enable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestICMP configuration for Local Area Connection 7:Mode Type Description--- Enable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quenchEnable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router request Enable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problemEnable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestthen - i disabled netsh opmode and enable's the exceptions on all the interfaces. I disabled the ICF service in the services console and restarted the machine. this is the output of the opmode syntax. C:\>netsh firewall show opmodeDomain profile configuration:---Operational mode = DisableException mode = Enable Standard profile configuration:---Operational mode = DisableException mode = EnableLocal Area Connection 7 firewall configuration: ---Operational mode = DisableLocal Area Connection 8 firewall configuration:--- Operational mode = DisableThis is my config: Looks like i might want to disable the ICF using the domain profile in gpo, since it looks enabled ?C:\>netsh firewall show configDomain profile configuration:
RE: [ActiveDir] R2 In-Place Upgrade bug ?
One amendment- even if you omit the /? and just type "scwcmd" at the command line, it will give you the syntax info. Oh, and I never answered your other question- IPsecmon was a command-line tool in 2000, but in Win2K3, it's an MMC snap-in, so just create an MMC and add the IP Security Monitor snap-in. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGzSent: Saturday, July 29, 2006 2:01 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] R2 In-Place Upgrade bug ? Thanks Laura:I've never implemented IPSEC polices on my network, either in windoows 2000 nor here in windows 2003.so, you're saying to try to run the SCW to determine if a security policy is installed ? if not create one then roll-it back ? where can i find the ipsec monitor ?UPDATE* -- i've enabled to the windows firewall just to see what can be done with regard to icmp.i've used the netsh command to add a custom port that DAMEWARE remote uses. netsh firewall add portopening TCP 6129 dameware.once i added that, i was able to dameware into the box ( which i wasn't able to do previously)i then adjust the ICMP setting to allow ALL icmp.netsh firewall set icmpsetting ALL enableand allowed incomingnetsh firewall set icmpsetting 8 enableC:\>netsh firewall show icmpsettingICMP configuration for Standard profile:Mode Type Description ---Enable 2 Allow outbound packet too bigEnable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quench Enable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router requestEnable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problem Enable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestICMP configuration for Local Area Connection 7:Mode Type Description--- Enable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quenchEnable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router request Enable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problemEnable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestthen - i disabled netsh opmode and enable's the exceptions on all the interfaces. I disabled the ICF service in the services console and restarted the machine. this is the output of the opmode syntax. C:\>netsh firewall show opmodeDomain profile configuration:---Operational mode = DisableException mode = Enable Standard profile configuration:---Operational mode = DisableException mode = EnableLocal Area Connection 7 firewall configuration: ---Operational mode = DisableLocal Area Connection 8 firewall configuration:--- Operational mode = DisableThis is my config: Looks like i might want to disable the ICF using the domain profile in gpo, since it looks enabled ?C:\>netsh firewall show configDomain profile configuration:---Operational mode = DisableException mode = EnableMulticast/broadcast response mode = Enable Notification mode = EnableService configuration for Domain profile:Mode Customized Name---Enable No File and Printer Sharing Port configuration for Domain profile:Port Protocol Mode Name---139 TCP Enable NetBIOS Session Service445 TCP Enable SMB over TCP 137 UDP Enable NetBIOS Name Service138 UDP Enable NetBIOS Datagram ServiceStandard profile configuration:---Operational mode = Disable Exception mode = EnableMulticast/broadcast response mode = EnableNotification mode = EnableService configuration for Standard profile:Mode Customized Name---Enable No File and Printer
RE: [ActiveDir] R2 In-Place Upgrade bug ?
No, I'm saying to run SCW first with the "rollback a previously applied policy" radio button selected to see if there was even one applied. Then, if there wasn't one applied, start the wizard over and begin the process of creating a new policy, but don't complete it. When you work through the wizard, it will actually show you all of the existing settings in place on the server. If nothing looks "off" at that point, then just cancel the wizard. If, however, you find that something is messed up, you may choose to either fix it manually or to actually create an SCW policy to fix it at that point. In fact, the SCW lets you take a policy you create and import it as a GPO, so if you wanted to be able to reproduce the settings, you could. The tool to do this is scwcmd; just type scwcmd /? at a command prompt and you'll get the options list. As far as whether or not this is a bug in the TCP/IP stack, I'll withhold judgement pending further testing. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGzSent: Saturday, July 29, 2006 2:01 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] R2 In-Place Upgrade bug ? Thanks Laura:I've never implemented IPSEC polices on my network, either in windoows 2000 nor here in windows 2003.so, you're saying to try to run the SCW to determine if a security policy is installed ? if not create one then roll-it back ? where can i find the ipsec monitor ?UPDATE* -- i've enabled to the windows firewall just to see what can be done with regard to icmp.i've used the netsh command to add a custom port that DAMEWARE remote uses. netsh firewall add portopening TCP 6129 dameware.once i added that, i was able to dameware into the box ( which i wasn't able to do previously)i then adjust the ICMP setting to allow ALL icmp.netsh firewall set icmpsetting ALL enableand allowed incomingnetsh firewall set icmpsetting 8 enableC:\>netsh firewall show icmpsettingICMP configuration for Standard profile:Mode Type Description ---Enable 2 Allow outbound packet too bigEnable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quench Enable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router requestEnable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problem Enable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestICMP configuration for Local Area Connection 7:Mode Type Description--- Enable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quenchEnable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router request Enable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problemEnable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestthen - i disabled netsh opmode and enable's the exceptions on all the interfaces. I disabled the ICF service in the services console and restarted the machine. this is the output of the opmode syntax. C:\>netsh firewall show opmodeDomain profile configuration:---Operational mode = DisableException mode = Enable Standard profile configuration:---Operational mode = DisableException mode = EnableLocal Area Connection 7 firewall configuration: ---Operational mode = DisableLocal Area Connection 8 firewall configuration:--- Operational mode = DisableThis is my config: Looks like i might want to disable the ICF using the domain profile in gpo, since it looks enabled ?C:\>netsh firewall show configDomain profile configuration:---Operational mode = DisableException mode = EnableMulticast/broadcast response mode = Enable Notification mode = EnableService configuration for Domain profile:Mode Customized Name---Enable No File and Printer Sharing Port configuration for Domain profile:Port Protocol Mode Name
Re: [ActiveDir] R2 In-Place Upgrade bug ?
w outbound parameter problemEnable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestLog configuration:--- File location = C:\WINNT\pfirewall.logMax file size = 4096 KBDropped packets = EnableConnections = DisableLocal Area Connection 7 firewall configuration:--- Operational mode = DisablePort configuration for Local Area Connection 7:Port Protocol Mode Name---3389 TCP Enable Remote Desktop ICMP configuration for Local Area Connection 7:Mode Type Description---Enable 3 Allow outbound destination unreachableEnable 4 Allow outbound source quench Enable 5 Allow redirectEnable 8 Allow inbound echo requestEnable 9 Allow inbound router requestEnable 11 Allow outbound time exceededEnable 12 Allow outbound parameter problem Enable 13 Allow inbound timestamp requestEnable 17 Allow inbound mask requestLocal Area Connection 8 firewall configuration:--- Operational mode = DisableThis is increasingly looking like a bug in the tcpip stack --what do you think laura ? activedir group ? On 7/29/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote: Two quick questions- 1. Are you positive there are no IPsec policies applied to this machine? 2. Are you also positive that the machines from which you've been testing *also* have no IPsec policies in place? I can't think of a reason why this problem would surface only after you'd upgraded to R2, but it might not hurt to take a look with the IP security monitor just in case. As far as how to check whether or not it's a problem with the Security Configuration Wizard (which was introduced in Win2K3 SP1 and hasn't gone anywhere since it's quite new), you can read the log files as Matheesha mentioned, or you can run SCW against the server and it will allow you to rollback a previously applied policy (if applicable). If you try to rollback a policy and none was ever applied, it will tell you on about the third page of the wizard. You could then start over and select the option to create a new policy, which would show you the current configuration of the machine as part of the process of making the policy. If you're not sure where to find SCW, go to Add/Remove Programs, Add Windows Components to add or remove it, and when it's installed, it shows up in your Administrative Tools folder. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGzSent: Saturday, July 29, 2006 10:54 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post sp-1 fixes, but i would imagine it's worth a try.do you guys want to hear something even more mind-boggling ?i can ping the server from workstations outside the main office!!!i've remotely connected to workstations at our IPSEC vpns to test login times and email access,a nd pinged the problematic server just fine!!! arghhhMatheesha:Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. i run a dcdiag /s:problemserver with no problem. so it means that directory service traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing from the main office! i checked the IPSEC domain and Standard profile and made sure no IPSEC polocies were applied. if it's the SCW -- how do i look at it ?could it someway be my checkpoint firewall at the local site ? how in the world can it accept icmp from other workstations ( win2k pro) at my remote vpn sites ? On 7/29/06, Kurt Falde <[EMAIL PROTECTED]> wrote: Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . Kurt Falde From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGzSent: Saturday, July 29, 2006 5:39 AMTo: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 In-Place Upgrade bug ? Morning to all -I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence:The upgraded R2 DC does not accept incomin
RE: [ActiveDir] R2 In-Place Upgrade bug ?
Two quick questions- 1. Are you positive there are no IPsec policies applied to this machine? 2. Are you also positive that the machines from which you've been testing *also* have no IPsec policies in place? I can't think of a reason why this problem would surface only after you'd upgraded to R2, but it might not hurt to take a look with the IP security monitor just in case. As far as how to check whether or not it's a problem with the Security Configuration Wizard (which was introduced in Win2K3 SP1 and hasn't gone anywhere since it's quite new), you can read the log files as Matheesha mentioned, or you can run SCW against the server and it will allow you to rollback a previously applied policy (if applicable). If you try to rollback a policy and none was ever applied, it will tell you on about the third page of the wizard. You could then start over and select the option to create a new policy, which would show you the current configuration of the machine as part of the process of making the policy. If you're not sure where to find SCW, go to Add/Remove Programs, Add Windows Components to add or remove it, and when it's installed, it shows up in your Administrative Tools folder. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGzSent: Saturday, July 29, 2006 10:54 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] R2 In-Place Upgrade bug ? I applied no post sp-1 fixes, but i would imagine it's worth a try.do you guys want to hear something even more mind-boggling ?i can ping the server from workstations outside the main office!!!i've remotely connected to workstations at our IPSEC vpns to test login times and email access,a nd pinged the problematic server just fine!!! arghhhMatheesha:Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. i run a dcdiag /s:problemserver with no problem. so it means that directory service traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing from the main office! i checked the IPSEC domain and Standard profile and made sure no IPSEC polocies were applied. if it's the SCW -- how do i look at it ?could it someway be my checkpoint firewall at the local site ? how in the world can it accept icmp from other workstations ( win2k pro) at my remote vpn sites ? On 7/29/06, Kurt Falde <[EMAIL PROTECTED]> wrote: Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . Kurt Falde From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGzSent: Saturday, July 29, 2006 5:39 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] R2 In-Place Upgrade bug ? Morning to all -I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence:The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly.outbound traffic and icmp works fine, inbound icmp returns a time out.scenario:Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to R2.connections to and from box were fine on 2003 sp1. downgraded NIC drivers to match other r2 DC on identical server hardware/modelinstalled new nic drivers and prosetupgraded to R2.rebooted and noticed a ton of errors with services hanging upon boot.checked connection to the box from workstations and servers, but all requests timed out. i made sure ICF was disabled.i disabled IPSEC and entered dword value for ProhibitIpSec - nothingi then enabled ICF configured exceptions - explicitly allowing ICMP, and still nothing.reset the TCP/ip stack and winsock using netsh, nothing servers has two nics, one of which is disabled. changed binding order so active is on top -- nothingreinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- nothing.i'm at a lost of ideas and sure could use to vast resources the contributors of this group may have or know of. Thanks,-- HBooGz:\> -- HBooGz:\>
Re: [ActiveDir] R2 In-Place Upgrade bug ?
I dont think its SCW anymore. Admittedly I havent used SCW but I am aware of it. If policies were applied, the change logs will be in %windir%\security\msscw\ChangeConfigurationLogs. if I understand correctly, Port 445 must be open because your file shares and the like are accessible. According to GPO help docs that means ICMP is also allowed by the server. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions." When you say you cant ping from the main office, are you talking of workstations/servers that belong to the same subnet of the DC they are pinging?I assume you did a trace to see ICMP coming into the server and whether its leaving the server. I'm curious now as to whats happening. M@On 7/29/06, HBooGz <[EMAIL PROTECTED]> wrote: I applied no post sp-1 fixes, but i would imagine it's worth a try.do you guys want to hear something even more mind-boggling ? i can ping the server from workstations outside the main office!!!i've remotely connected to workstations at our IPSEC vpns to test login times and email access,a nd pinged the problematic server just fine!!! arghhhMatheesha:Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. i run a dcdiag /s:problemserver with no problem. so it means that directory service traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing from the main office! i checked the IPSEC domain and Standard profile and made sure no IPSEC polocies were applied. if it's the SCW -- how do i look at it ?could it someway be my checkpoint firewall at the local site ? how in the world can it accept icmp from other workstations ( win2k pro) at my remote vpn sites ? On 7/29/06, Kurt Falde < [EMAIL PROTECTED]> wrote: Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . Kurt Falde From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGz Sent: Saturday, July 29, 2006 5:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 In-Place Upgrade bug ? Morning to all - I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence: The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly. outbound traffic and icmp works fine, inbound icmp returns a time out. scenario: Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to R2. connections to and from box were fine on 2003 sp1. downgraded NIC drivers to match other r2 DC on identical server hardware/model installed new nic drivers and proset upgraded to R2. rebooted and noticed a ton of errors with services hanging upon boot. checked connection to the box from workstations and servers, but all requests timed out. i made sure ICF was disabled. i disabled IPSEC and entered dword value for ProhibitIpSec - nothing i then enabled ICF configured exceptions - explicitly allowing ICMP, and still nothing. reset the TCP/ip stack and winsock using netsh, nothing servers has two nics, one of which is disabled. changed binding order so active is on top -- nothing reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- nothing. i'm at a lost of ideas and sure could use to vast resources the contributors of this group may have or know of. Thanks, -- HBooGz:\> -- HBooGz:\>
Re: [ActiveDir] R2 In-Place Upgrade bug ?
I applied no post sp-1 fixes, but i would imagine it's worth a try.do you guys want to hear something even more mind-boggling ?i can ping the server from workstations outside the main office!!!i've remotely connected to workstations at our IPSEC vpns to test login times and email access,a nd pinged the problematic server just fine!!! arghhhMatheesha:Incoming connections i mean services that somehow are not defined to the server. I run a repadmin /replsum from another dc and it shows no errors. i run a dcdiag /s:problemserver with no problem. so it means that directory service traffic is allowed, but when i try to Dameware ( tcp port 6129) to the machine it times out, when i try to the ping the box i get nothing from the main office! i checked the IPSEC domain and Standard profile and made sure no IPSEC polocies were applied. if it's the SCW -- how do i look at it ?could it someway be my checkpoint firewall at the local site ? how in the world can it accept icmp from other workstations ( win2k pro) at my remote vpn sites ? On 7/29/06, Kurt Falde <[EMAIL PROTECTED]> wrote: Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . Kurt Falde From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of HBooGz Sent: Saturday, July 29, 2006 5:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 In-Place Upgrade bug ? Morning to all - I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence: The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly. outbound traffic and icmp works fine, inbound icmp returns a time out. scenario: Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to R2. connections to and from box were fine on 2003 sp1. downgraded NIC drivers to match other r2 DC on identical server hardware/model installed new nic drivers and proset upgraded to R2. rebooted and noticed a ton of errors with services hanging upon boot. checked connection to the box from workstations and servers, but all requests timed out. i made sure ICF was disabled. i disabled IPSEC and entered dword value for ProhibitIpSec - nothing i then enabled ICF configured exceptions - explicitly allowing ICMP, and still nothing. reset the TCP/ip stack and winsock using netsh, nothing servers has two nics, one of which is disabled. changed binding order so active is on top -- nothing reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- nothing. i'm at a lost of ideas and sure could use to vast resources the contributors of this group may have or know of. Thanks, -- HBooGz:\> -- HBooGz:\>
RE: [ActiveDir] R2 In-Place Upgrade bug ?
Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx . Kurt Falde From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz Sent: Saturday, July 29, 2006 5:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 In-Place Upgrade bug ? Morning to all - I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence: The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly. outbound traffic and icmp works fine, inbound icmp returns a time out. scenario: Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to R2. connections to and from box were fine on 2003 sp1. downgraded NIC drivers to match other r2 DC on identical server hardware/model installed new nic drivers and proset upgraded to R2. rebooted and noticed a ton of errors with services hanging upon boot. checked connection to the box from workstations and servers, but all requests timed out. i made sure ICF was disabled. i disabled IPSEC and entered dword value for ProhibitIpSec - nothing i then enabled ICF configured exceptions - explicitly allowing ICMP, and still nothing. reset the TCP/ip stack and winsock using netsh, nothing servers has two nics, one of which is disabled. changed binding order so active is on top -- nothing reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- nothing. i'm at a lost of ideas and sure could use to vast resources the contributors of this group may have or know of. Thanks, -- HBooGz:\>
Re: [ActiveDir] R2 In-Place Upgrade bug ?
So it works while its W2k3-SP1 but then breaks once upgraded to R2?What did you mean by incoming connections? Did you just mean ICMP? or actual connections like to certain services? Are the other DCs allowing incoming ICMP echo requests and allowing replies out? Are they also W2K3 -SP1? I assume there is no other firewall software from thirdparty AV or anything else installed.Just an idea. Is it worth checking the rsop.msc for Computer Configuration/Administrative Templates/Network/Network Connections/WIndows Firewall/Domain Profile and Standard Profile /Allow ICMP exceptions? Sounds to me like a security configuration wizard was run on it.I'd wait for someone more knowledgeable to say something if I were you ;-) Still, it doesnt hurt to check.CheersM@ On 7/29/06, HBooGz <[EMAIL PROTECTED]> wrote: Morning to all -I just spent the last 6 hours with dell gold software support team trying to figure out the following occurrence:The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections. Particularly those related to directory services. e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly. outbound traffic and icmp works fine, inbound icmp returns a time out.scenario:Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to R2.connections to and from box were fine on 2003 sp1. downgraded NIC drivers to match other r2 DC on identical server hardware/modelinstalled new nic drivers and prosetupgraded to R2.rebooted and noticed a ton of errors with services hanging upon boot.checked connection to the box from workstations and servers, but all requests timed out. i made sure ICF was disabled.i disabled IPSEC and entered dword value for ProhibitIpSec - nothingi then enabled ICF configured exceptions - explicitly allowing ICMP, and still nothing.reset the TCP/ip stack and winsock using netsh, nothing servers has two nics, one of which is disabled. changed binding order so active is on top -- nothingreinstalled the binaries of windows 2003 sp1 and upgraded to r2 again -- nothing.i'm at a lost of ideas and sure could use to vast resources the contributors of this group may have or know of. Thanks,-- HBooGz:\>