WinXP Pro PC cannot ping Win2003 DC after Windows Firewall configuration.

Register

Forgot Password

Site FAQ

Home > IT Answers > Microsoft Windows > WinXP Pro PC cannot ping Win2003 DC after Win...

Erin0201

210 pts.

WinXP Pro PC cannot ping Win2003 DC after Windows Firewall configuration.

Active Directory, Firewalls, Windows Server 2003, Windows XP, TCP/IP, Group Policy, Network administration, Windows firewall, XP Professional, Domain Controller

I have been fighting with this issue for 2 days and I am going crazy.

We have 2 domain controllers, 1 on-site and 1 off-site as a backup.

Last week I configured a windows firewall group policy object to open: file and printer sharing, remote access, disable remote desktop, open ICMP for the subnet, allow local port exceptions, allow local program exceptions, allow UPnP framework, enabled protect all network connections, disabled prohibit broadcast, disabled do not allow exceptions and also opened some ports for our antivirus and microsoft office programs.

Luckily this group policy was deployed on 2 test pcs and on no others.
Both of my test computers are Windows XP Pro server Pack 2 and both lost their connection with the network after I applied this policy. Attempting to remove the policy does not work since the pcs are refusing to see domain controller at all in order to get this update.

I tried to remove one of the computers from the domain so that it's group policies would revert back to local policy and remove the firewall which I thought would at least allow me to connect, but it still could not find the domain controller and was still not able to connect to the internet. I restored the settings to an earlier date and the pcs settings are back to when it was part of the domain, but I still cannot access the internet and cannot access any network resources.

My 2 pcs are connected with another pc via a small dLink 8 port 10/100 ethernet switch and then to a lattishub in our com room. I have tried connecting them directly to the wall since my 3rd pc which is not a test pc can connect just fine.

I have tried ipconfig /release and renew and it seems to be able to renew it's iP address and information without a problem, but will still not recognize the domain controller nor browse the internet.

The computer will state that it is "Offiline" from the domain controller even when it has an active connection.

I have also tried flushing the dns, registering the dns, and resetting the TCP/IP settings via netsh. I can ping the control pc that is not a test pc from each test pc and can connect via ultravnc to each test pc from my control pc. I cannot ping the domain controller or any other pcs on the network.

I can't believe configuring windows firewall to actually "open" up some ports would cause both of the pcs to not have any connection whatsoever.

None of the other computers in our network are having this problem including the other xp pro sp2 pc that is sitting at my desk and using the same link.

The network adapters are onboard ethernet adapters so I have no tried using another NIC yet. I am trying to narrow down all software causes first since I know it was specifically related to updated the group policy and taking on the firewall configurations.

Thanks for your help!
Erin

ASKED: Nov 18 2008 6:49 PM GMT

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

RELATED QUESTIONS

Dwiebesick

1740 pts.

RATE THIS ANSWER

0
Click to Vote:

Do an ipconfig/all on all 3 workstations (2 test computer and the one on your desk). Do an ipconfig/all on the DC. Are there any differences in the settings? Are the workstations DNS setting ONLY the internal DNS for your domain? From the test computer and your desk computer, can you ping 4.2.2.2 and yahoo.com? What errors are in the event logs?

Let us know
dmw

Last Answered: Nov 19 2008 4:57 PM GMT by Dwiebesick

1740 pts.

View History

RSS - Discussions Help

Discuss This Answer:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Erin0201 210 pts. | Nov 19 2008 6:07PM GMT

The only difference in the settings is on my pc it states our .com address instead of the .local address for the DNS suffix search list. But the .local address is listed on the test pcs and on the DC.
And of course DHCP is not enabled on the DC vs. all 3 workstations.

No, the workstations DNS settings are not only for the internal DC for our domain. They are for the DC and the backup DC at our corporate. They have both ip addresses listed as the DNS servers with the primary WINS server being our backup DC at corporate.

For pinging 4.2.2.2 and <a href="http://yahoo.com" title="http://yahoo. " target="_blank">yahoo.com</a> my desk pc received a timeout from both. The two test pcs received ping request timeout for the 4.2.2.2 and could not find host <a href="http://yahoo.com" title="http://yahoo. " target="_blank">yahoo.com</a>. Please check the name and try again for the <a href="http://yahoo.com" title="http://yahoo. " target="_blank">yahoo.com</a>

The event logs show errors such as:
No Domain Controller is available for domain X due to the following:
There are currently no logon servers avaialbe to service the logon request.
Make sure that the computer is connected to the network and try again. If the problem persist, please contact your domain administrator.
–
The time provider NtpClient is configured to acquire time from one or more time sources, however, none of the sources are currently accessible. No attempt to contact a source will be made for 959 minutes. NtpClient has no source of accurate time. (I have already checked to make sure that the test pcs are on the same time as the primary DC)
–
The kerberos subsytem encountered a PAC verification failure. This indicates that the PAC from the client X in realm x.LOCAL had a PAC which failed to verify or was modified. Contact your system admin.
–
(This is a new one today that I’ve noticed, but that doesn’t mean it wasn’t there yesterday. The event viewer is flooded with the antivirus trying to get updates)
The system failed to register host (A) resource records (RRs) for network adapter with settings: -( All of the settings are correct including the DNS server list and primary domain suffix x.Local.)
Sent update to server: <?>
The reason the system could nto register these RRs was because either (a) the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone for the specified DNS domain name does not accept dynamic updates.
–

Let me know if you need anything else. I am definitely at a loss here. Everything “appears” to be right which is what I can’t quite figure out and these are the only 2 pcs that are experiencing this in an environment with over 80 pcs. And it only happened after configuring windows firewall which was supposed to “open” ports not deny all communication.

Thanks so much for your help!
Erin

Erin0201 210 pts. | Nov 19 2008 8:26PM GMT

Alright, well the problem lies with our faulty switch. We have been having connection problems with this dell switch for awhile now. I will post back if anything changes, but currently all seems well since I’ve switched the connections over to the hub rather than the switch.

Thanks everyone
Erin

Technochic 40140 pts. | Nov 20 2008 4:13PM GMT

Great to know, thanks for posting your discovery!

Labnuke99 26360 pts. | Nov 20 2008 7:26PM GMT

Lots of problems can be solved at the physical or logical layers like this. Thanks for the update!

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.

All Rights Reserved, Copyright 1999-2009, TechTarget | Read our Privacy Policy | Site Map

Browse IT Answers by Topic