WinXP Pro PC cannot ping Win2003 DC after Windows Firewall configuration.

Tags: Active Directory, Domain Controller, Firewalls, Group Policy, Network administration, TCP/IP, Windows firewall, Windows Server 2003, Windows XP, XP Professional
I have been fighting with this issue for 2 days and I am going crazy. We have 2 domain controllers, 1 on-site and 1 off-site as a backup. Last week I configured a Windows Firewall group policy object to open: file and printer sharing, remote access, disable remote desktop, open ICMP for the subnet, allow local port exceptions, allow local program exceptions, allow UPnP framework, enabled protect all network connections, disabled prohibit broadcast, disabled do not allow exceptions, and also opened some ports for our antivirus and Microsoft Office programs. Luckily this group policy was deployed on 2 test PCs and on no others. Both of my test computers are Windows XP Pro Service Pack 2 and both lost their connection with the network after I applied this policy.

Attempting to remove the policy does not work since the PCs are refusing to see the domain controller at all in order to get this update. I tried to remove one of the computers from the domain so that its group policies would revert back to local policy and remove the firewall, which I thought would at least allow me to connect, but it still could not find the domain controller and was still not able to connect to the internet. I restored the settings to an earlier date and the PC's settings are back to when it was part of the domain, but I still cannot access the internet and cannot access any network resources.

My 2 PCs are connected with another PC via a small D-Link 8 port 10/100 ethernet switch and then to a LattisHub in our com room. I have tried connecting them directly to the wall since my 3rd PC, which is not a test PC, can connect just fine. I have tried ipconfig /release and /renew and it seems to be able to renew its IP address and information without a problem, but will still not recognize the domain controller nor browse the internet. The computer will state that it is "Offline" from the domain controller even when it has an active connection.

I have also tried flushing the DNS, registering the DNS, and resetting the TCP/IP settings via netsh. I can ping the control PC that is not a test PC from each test PC and can connect via UltraVNC to each test PC from my control PC. I cannot ping the domain controller or any other PCs on the network. I can't believe configuring Windows Firewall to actually "open" up some ports would cause both of the PCs to not have any connection whatsoever. None of the other computers in our network are having this problem, including the other XP Pro SP2 PC that is sitting at my desk and using the same link. The network adapters are onboard ethernet adapters so I have not tried using another NIC yet. I am trying to narrow down all software causes first since I know it was specifically related to updating the group policy and taking on the firewall configurations. Thanks for your help! Erin

Answer Wiki


Do an ipconfig /all on all 3 workstations (2 test computers and the one on your desk). Do an ipconfig /all on the DC. Are there any differences in the settings? Are the workstations' DNS settings ONLY the internal DNS for your domain? From the test computer and your desk computer, can you ping 4.2.2.2 and yahoo.com? What errors are in the event logs?

Let us know
dmw
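The answer above asks for an ipconfig /all comparison across the three workstations and the DC, with particular attention to whether the workstations resolve only through the domain's internal DNS. The script below is an added example, not code from the question, the answer, or TechTarget: it parses captured ipconfig /all text in the Windows XP / Server 2003 layout, diffs the client-side fields against the DC's values and flags any DNS server that is not in a set you declare as internal. The host names, addresses, the example.local and example.com suffixes and the 203.0.113.53 resolver are all constructed for the example.

```python
import re

# Constructed `ipconfig /all` captures in the Windows XP / Server 2003 layout.
# Every host name and address below is made up for this example; DC1 is the
# reference that the workstations are compared against.
IPCONFIG_SAMPLES = {
    "DC1": """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : example.local
   DNS Suffix Search List. . . . . . : example.local
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.5
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
                                       192.168.20.5
   Primary WINS Server . . . . . . . : 192.168.20.5
""",
    # Test PC: same client settings as the DC; only DHCP differs (expected).
    "WKS-TEST1": """\
   Primary Dns Suffix  . . . . . . . : example.local
   DNS Suffix Search List. . . . . . : example.local
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
                                       192.168.20.5
   Primary WINS Server . . . . . . . : 192.168.20.5
""",
    # Desk PC: the suffix search list points at the .com name, not .local.
    "WKS-DESK": """\
   Primary Dns Suffix  . . . . . . . : example.local
   DNS Suffix Search List. . . . . . : example.com
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
                                       192.168.20.5
   Primary WINS Server . . . . . . . : 192.168.20.5
""",
    # Second test PC: an external resolver has crept into the DNS list.
    "WKS-TEST2": """\
   Primary Dns Suffix  . . . . . . . : example.local
   DNS Suffix Search List. . . . . . : example.local
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 192.168.20.5
""",
}

# Resolvers that are allowed on a domain member: the on-site DC and the
# off-site backup DC (constructed addresses).
INTERNAL_DNS = {"192.168.10.5", "192.168.20.5"}

# Fields that should match the DC on every workstation. DHCP Enabled, Host
# Name and IP Address legitimately differ per host and are left out.
COMPARED_FIELDS = ("Primary Dns Suffix", "DNS Suffix Search List",
                   "Default Gateway", "DNS Servers", "Primary WINS Server")

# "Label . . . . : value" lines; the label stops before the dot leaders.
LABEL_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {label: [values]} for one host's ipconfig /all output.
    Indented lines without a colon continue the previous label's value list
    (this is how multiple DNS servers are printed)."""
    settings, current = {}, None
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            current, value = m.group(1), m.group(2).strip()
            settings.setdefault(current, [])
            if value:
                settings[current].append(value)
        elif current and line.startswith(" ") and line.strip():
            settings[current].append(line.strip())
    return settings


def compare_to_dc(captures, dc_name, internal_dns):
    """Diff each workstation's client settings against the DC's and flag any
    DNS server outside internal_dns. Returns {host: [finding, ...]}."""
    dc = parse_ipconfig(captures[dc_name])
    findings = {}
    for host, text in captures.items():
        if host == dc_name:
            continue
        cfg, notes = parse_ipconfig(text), []
        for field in COMPARED_FIELDS:
            if cfg.get(field, []) != dc.get(field, []):
                notes.append(f"{field} differs from {dc_name}: "
                             f"{cfg.get(field, [])} vs {dc.get(field, [])}")
        for server in cfg.get("DNS Servers", []):
            if server not in internal_dns:
                notes.append(f"DNS server {server} is not an internal DNS "
                             f"server for the domain")
        findings[host] = notes
    return findings


if __name__ == "__main__":
    for host, notes in compare_to_dc(IPCONFIG_SAMPLES, "DC1", INTERNAL_DNS).items():
        print(host, "OK" if not notes else "")
        for note in notes:
            print("    " + note)
```

To use it on real machines, save `ipconfig /all > hostname.txt` on each workstation and the DC and load those files into the dictionary in place of the constructed samples. The ping tests and the event log review that the answer also asks for still have to be done by hand; this only takes the eyeballing out of the configuration comparison.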

Discuss This Question: 4  Replies

 
  • erin0201
    The only difference in the settings is on my PC it states our .com address instead of the .local address for the DNS suffix search list. But the .local address is listed on the test PCs and on the DC. And of course DHCP is not enabled on the DC vs. all 3 workstations. No, the workstations' DNS settings are not only for the internal DC for our domain. They are for the DC and the backup DC at our corporate. They have both IP addresses listed as the DNS servers with the primary WINS server being our backup DC at corporate. For pinging 4.2.2.2 and yahoo.com my desk PC received a timeout from both. The two test PCs received ping request timeout for the 4.2.2.2 and "could not find host yahoo.com. Please check the name and try again" for the yahoo.com.

    The event logs show errors such as:

    -- No Domain Controller is available for domain X due to the following: There are currently no logon servers available to service the logon request. Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

    -- The time provider NtpClient is configured to acquire time from one or more time sources, however, none of the sources are currently accessible. No attempt to contact a source will be made for 959 minutes. NtpClient has no source of accurate time. (I have already checked to make sure that the test PCs are on the same time as the primary DC)

    -- The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client X in realm x.LOCAL had a PAC which failed to verify or was modified. Contact your system admin. (This is a new one today that I've noticed, but that doesn't mean it wasn't there yesterday. The event viewer is flooded with the antivirus trying to get updates)

    -- The system failed to register host (A) resource records (RRs) for network adapter with settings: (All of the settings are correct including the DNS server list and primary domain suffix x.Local.) Sent update to server: <?> The reason the system could not register these RRs was because either (a) the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone for the specified DNS domain name does not accept dynamic updates.

    Let me know if you need anything else. I am definitely at a loss here. Everything "appears" to be right which is what I can't quite figure out and these are the only 2 PCs that are experiencing this in an environment with over 80 PCs. And it only happened after configuring Windows Firewall which was supposed to "open" ports not deny all communication. ;) Thanks so much for your help! Erin
  • erin0201
    Alright, well the problem lies with our faulty switch. We have been having connection problems with this Dell switch for a while now. I will post back if anything changes, but currently all seems well since I've switched the connections over to the hub rather than the switch. Thanks everyone :) Erin
  • Technochic
    Great to know, thanks for posting your discovery!
  • Labnuke99
    Lots of problems can be solved at the physical or logical layers like this. Thanks for the update!
