Darren,
RPC connects initially on 135 and then the DC tells the client to establish a new connection on one of the free high ports. They start at 1024 and move up from there, so if there are already 2 clients connected starting at 1024, then the next client would be told to connect to the DC on port 1026 and so on. At least that’s my understanding of it.
Good to know Justin. Exactly where were higher ports blocked? At the DCs? Did MS say what was expecting to use those higher ports? Presumably some RPC communication?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: [email protected]
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1
Well everyone, it’s fixed. It’s something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.
They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds. It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!
Thanks to everyone for all the suggestions and help, it’s always appreciated!
Also, to everyone else that was experiencing this issue, I’d be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!
Nope, I can get to them from the client PCs just fine…I was able to drill down into all of the policies that I tried.
On 6/2/06, Clay, Justin (ITS) <[EMAIL PROTECTED]> wrote:
Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however.
What keeps rebooting? The DC? Or the workstations? If the workstations, not only ethereal but Darren's suggestion of logging is a good idea.
On 6/2/06, Za Vue <[EMAIL PROTECTED]> wrote:
Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have played with NetBIOS, changing Provider Order in Network Neighborhood->Advanced Settings..nada.
This week has been quiet. If someone calls again I have ethereal set up and ready to capture. The thing about my environment is I do not manage the switches or router. I don't know if someone is messing with something.
, Justin (ITS) wrote:
Hello,
Last night we upgraded our 3 Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of calls from users who report that their computer sits at "Applying computer settings" for a good 10 minutes, then another 10 or so minutes at "Applying your personalized settings".
After the upgrade we did start seeing DCOM errors in the System event log, which I've found many people online have experienced. I "fixed it" (or at least the DCOM errors went away) by granting Network Service the following rights:
Local Launch
Remote Launch
Local Activation
Remote Activation
In the Launch and Activation Permissions dialog on the Security tab of the netman component. However, even after the DCOM errors have gone away, we continue to see the same results on the clients.
Any ideas? I'm considering calling Premier Support, but I figured you guys would be better help than them.
Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
|
ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is
confidential and may be subject to copyright or other intellectual
property protection. If you are not the intended recipient, you are not
authorized to use or disclose this information, and we request that you
notify us by reply mail or telephone and delete the original message
from your mail system.
|
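Added example (not part of the original thread or of any Microsoft tooling): a Python sketch that reads USERENV debug log lines like the excerpt Justin posted, measures the silence before each entry on the same thread, and reports the entries that follow a long stall together with the error code they carry. The sample lines are copied from the thread; the function names and the 30-second threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta
# Lines copied from the USERENV excerpt quoted in the thread.
SAMPLE_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""

LINE_RE = re.compile(r"^USERENV\((?P<thread>[0-9a-f]+\.[0-9a-f]+)\)\s+"
                     r"(?P<ts>\d\d:\d\d:\d\d:\d{3})\s+(?P<func>\w+):\s+(?P<msg>.*)$")
ERR_RE = re.compile(r"with (?:error )?(\d+)")
# 1753 is the RPC status EPT_S_NOT_REGISTERED (no more endpoints available
# from the endpoint mapper).
RPC_ERRORS = {1753: "EPT_S_NOT_REGISTERED"}

def parse(text):
    """Yield (thread, time, function, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["thread"], datetime.strptime(m["ts"], "%H:%M:%S:%f"),
                   m["func"], m["msg"])

def find_stalls(text, threshold=timedelta(seconds=30)):
    """Return log entries that appear only after a long silence on their thread."""
    last, stalls = {}, []
    for thread, ts, func, msg in parse(text):
        # The log carries no date, so wrap negative gaps across midnight.
        gap = (ts - last.get(thread, ts)) % timedelta(days=1)
        if gap >= threshold:
            err = ERR_RE.search(msg)
            code = int(err.group(1)) if err else None
            stalls.append({"at": ts.strftime("%H:%M:%S"), "func": func,
                           "gap_s": gap.total_seconds(), "error": code,
                           "name": RPC_ERRORS.get(code)})
        last[thread] = ts
    return stalls

if __name__ == "__main__":
    print(*find_stalls(SAMPLE_LOG), sep="\n")
```

On the excerpt from the thread this reports four stalls of roughly 63 seconds each, every one ending in a GetUserNameEx failure with 1753, which accounts for the whole four-minute delay in that policy cycle.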