Home > IT Answers > Microsoft Windows > WinXP Pro PC cannot ping Win2003 DC after Win...
Help

Question

Asked:
Asked By:
Nov 18 2008   6:49 PM GMT
Erin0201   130 pts.

WinXP Pro PC cannot ping Win2003 DC after Windows Firewall configuration.


Active Directory, Firewalls, Windows Server 2003, Windows XP, TCP/IP, Group Policy, Network administration, Windows firewall, XP Professional, Domain Controller

I have been fighting with this issue for 2 days and I am going crazy.

We have 2 domain controllers, 1 on-site and 1 off-site as a backup.

Last week I configured a windows firewall group policy object to open: file and printer sharing, remote access, disable remote desktop, open ICMP for the subnet, allow local port exceptions, allow local program exceptions, allow UPnP framework, enabled protect all network connections, disabled prohibit broadcast, disabled do not allow exceptions and also opened some ports for our antivirus and microsoft office programs.

Luckily this group policy was deployed on 2 test pcs and on no others.
Both of my test computers are Windows XP Pro server Pack 2 and both lost their connection with the network after I applied this policy. Attempting to remove the policy does not work since the pcs are refusing to see domain controller at all in order to get this update.

I tried to remove one of the computers from the domain so that it's group policies would revert back to local policy and remove the firewall which I thought would at least allow me to connect, but it still could not find the domain controller and was still not able to connect to the internet. I restored the settings to an earlier date and the pcs settings are back to when it was part of the domain, but I still cannot access the internet and cannot access any network resources.

My 2 pcs are connected with another pc via a small dLink 8 port 10/100 ethernet switch and then to a lattishub in our com room. I have tried connecting them directly to the wall since my 3rd pc which is not a test pc can connect just fine.

I have tried ipconfig /release and renew and it seems to be able to renew it's iP address and information without a problem, but will still not recognize the domain controller nor browse the internet.

The computer will state that it is "Offiline" from the domain controller even when it has an active connection.

I have also tried flushing the dns, registering the dns, and resetting the TCP/IP settings via netsh. I can ping the control pc that is not a test pc from each test pc and can connect via ultravnc to each test pc from my control pc. I cannot ping the domain controller or any other pcs on the network.

I can't believe configuring windows firewall to actually "open" up some ports would cause both of the pcs to not have any connection whatsoever.

None of the other computers in our network are having this problem including the other xp pro sp2 pc that is sitting at my desk and using the same link.

The network adapters are onboard ethernet adapters so I have no tried using another NIC yet. I am trying to narrow down all software causes first since I know it was specifically related to updated the group policy and taking on the firewall configurations.

Thanks for your help!
Erin

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window
Help

Answer Wiki (Improve, edit or add to this answer)

IMPROVE THIS ANSWER
View History
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
Last Answered: Nov 19 2008  4:57 PM GMT  by Dwiebesick   1465 pts.




Do an ipconfig/all on all 3 workstations (2 test computer and the one on your desk). Do an ipconfig/all on the DC. Are there any differences in the settings? Are the workstations DNS setting ONLY the internal DNS for your domain? From the test computer and your desk computer, can you ping 4.2.2.2 and yahoo.com? What errors are in the event logs?

Let us know
dmw
  • AddThis Social Bookmark Button

Browse more Questions and Answers on Microsoft Windows, Security and AS/400.

Looking for relevant Microsoft Windows Whitepapers? Visit the SearchEnterpriseDesktop.com Research Library.


RSS - Discussions Help

Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register

Erin0201   130 pts.  |   Nov 19 2008  6:07PM GMT

The only difference in the settings is on my pc it states our .com address instead of the .local address for the DNS suffix search list. But the .local address is listed on the test pcs and on the DC.
And of course DHCP is not enabled on the DC vs. all 3 workstations.

No, the workstations DNS settings are not only for the internal DC for our domain. They are for the DC and the backup DC at our corporate. They have both ip addresses listed as the DNS servers with the primary WINS server being our backup DC at corporate.

For pinging 4.2.2.2 and <a href="http://yahoo.com" title="http://yahoo. " target="_blank">yahoo.com</a> my desk pc received a timeout from both. The two test pcs received ping request timeout for the 4.2.2.2 and could not find host <a href="http://yahoo.com" title="http://yahoo. " target="_blank">yahoo.com</a>. Please check the name and try again for the <a href="http://yahoo.com" title="http://yahoo. " target="_blank">yahoo.com</a>

The event logs show errors such as:
No Domain Controller is available for domain X due to the following:
There are currently no logon servers avaialbe to service the logon request.
Make sure that the computer is connected to the network and try again. If the problem persist, please contact your domain administrator.

The time provider NtpClient is configured to acquire time from one or more time sources, however, none of the sources are currently accessible. No attempt to contact a source will be made for 959 minutes. NtpClient has no source of accurate time. (I have already checked to make sure that the test pcs are on the same time as the primary DC)

The kerberos subsytem encountered a PAC verification failure. This indicates that the PAC from the client X in realm x.LOCAL had a PAC which failed to verify or was modified. Contact your system admin.

(This is a new one today that I’ve noticed, but that doesn’t mean it wasn’t there yesterday. The event viewer is flooded with the antivirus trying to get updates)
The system failed to register host (A) resource records (RRs) for network adapter with settings: -( All of the settings are correct including the DNS server list and primary domain suffix x.Local.)
Sent update to server: <?>
The reason the system could nto register these RRs was because either (a) the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone for the specified DNS domain name does not accept dynamic updates.

Let me know if you need anything else. I am definitely at a loss here. Everything “appears” to be right which is what I can’t quite figure out and these are the only 2 pcs that are experiencing this in an environment with over 80 pcs. And it only happened after configuring windows firewall which was supposed to “open” ports not deny all communication. ;)

Thanks so much for your help!
Erin

 

Erin0201   130 pts.  |   Nov 19 2008  8:26PM GMT

Alright, well the problem lies with our faulty switch. We have been having connection problems with this dell switch for awhile now. I will post back if anything changes, but currently all seems well since I’ve switched the connections over to the hub rather than the switch.

Thanks everyone :)
Erin

 

Technochic   35525 pts.  |   Nov 20 2008  4:13PM GMT

Great to know, thanks for posting your discovery!

 

Labnuke99   21120 pts.  |   Nov 20 2008  7:26PM GMT

Lots of problems can be solved at the physical or logical layers like this. Thanks for the update!