Re: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1

[Za Vue]

I know almost every admin would probably say it is DNS, but if nslookup,Dcdiag,NetDiag, DC replication, GPOs all work properly or show no error one should assume DNS is working properly. No problem accessing DFS shares. If you sit down on a machine and restart the machine 3-4 times in a row, it would hang at least once. That is my problem. Yes.. I have a Portqry.exe batch file that checks the DC ports every time there is a problem. I have another Portqry script that checks other random ports that are not suppose to be opened-just to make sure the firewall is working properly.  There hasn't been a problem. I also run Sniffer Pro v.5.  However, things has been quiet this past week so I will wait and see anyone else calls in about it. -Z.V. Al Mulnick wrote: For you it just started?     Are you familiar with tools such as portqry? I know you're familiar with packet sniffers. It might be good to have a look and at least rule out the personal firewalls, the network acls, network firewalls, and the other network issues that can be introduced outside your control.   Al   On 6/3/06, Za Vue <[EMAIL PROTECTED]> wrote: This doesn't sound right. I have been running SP1 since it was released. This just started last month. -Z.V. Clay, Justin (ITS) wrote: Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.   They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds. It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premiere Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!   Thanks to everyone for all the suggestions and help, it's always appreciated!   Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!