Darren,
RPC connects
initially on 135 and then the DC tells the client to establish a new
connection on one of the free high ports. They start at 1024 and move up from
there, so if there are already 2 clients connected starting at 1024, then the
next client would be told to connect to the DC on port 1026 and so on. At
least that’s my understanding of it.
Good to know Justin.
Exactly where were higher ports blocked? At the DCs? Did MS say what
was expecting to use those higher ports? Presumably some RPC
communication?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: [email protected]
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1
Well everyone, it’s
fixed. It’s something that even MS is a bit surprised at, although they say
they have seen it before. Essentially, the last year since this forest has
been deployed, high ports (1024-65535) have been blocked at the firewall but
for whatever reason, everything seemed to work fine. Installing SP1 apparently
changed something, or fixed something that finally made it a requirement to
have those high ports open.
They opened
1024-65535 on our Check Point firewall and the login times instantly went from
4-8 minutes back down to the usual few seconds. It sucks to have to learn
about things like this by killing a production environment for 4 hours and
burning some Premier Support hours, but at least we know what to look for
when we upgrade some of our other domains to SP1!
Thanks to everyone
for all the suggestions and help, it’s always appreciated!
Also, to everyone
else that was experiencing this issue, I’d be interested to know if a firewall
or router ACL blocking high ports is the cause of the problem for
you!
Nope, I can get to
them from the client PCs just fine... I was able to drill down into all of the
policies that I tried.
On 6/2/06, Clay, Justin (ITS) <[EMAIL PROTECTED]>
wrote:
Hopefully the
attachment comes through. The interesting part, and where most of the time
delay is seen is here:
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
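The userenv.log excerpt above is the kind of thing an admin ends up eyeballing during an outage, so here is an added example (not code from the thread or from Microsoft) of pulling the useful facts out of it mechanically: a small Python parser for the `USERENV(pid.tid) hh:mm:ss:ms Function: message` line format that measures the gap between consecutive entries, tallies the Win32 error codes, and flags the pattern seen here. Error 1753 is the Win32 code EPT_S_NOT_REGISTERED ("there are no more endpoints available from the endpoint mapper"), which is exactly what a client sees when it can reach the DC on TCP 135 but not on the dynamic high port the endpoint mapper hands back, and 1722 (RPC_S_SERVER_UNAVAILABLE) is the neighbouring code worth recognising. The log text embedded below is the thread's own excerpt re-joined one entry per line; the 30-second stall threshold is an assumption chosen for this example.

```python
import re
from datetime import timedelta

# The userenv.log excerpt posted in the thread, re-joined one entry per line
# (the mail client had wrapped each entry over two or three lines).
USERENV_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""

# One userenv.log entry: USERENV(pid.tid) hh:mm:ss:ms Function: message
ENTRY_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s+(?P<msg>.*)$"
)
# Both "failed with 1753." and "failed with error 1753." occur in the excerpt.
ERROR_RE = re.compile(r"failed with (?:error )?(\d+)\.?$")

# Win32 codes that point at RPC trouble between client and DC.
WIN32_RPC_ERRORS = {
    1753: "EPT_S_NOT_REGISTERED: no endpoint available from the endpoint mapper "
          "(TCP 135 answered, but the dynamic high port it handed back is unreachable)",
    1722: "RPC_S_SERVER_UNAVAILABLE: the RPC server is unavailable",
}


def parse_userenv(text):
    """Turn userenv.log text into dicts with a timedelta timestamp and an error code (or None)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated noise
        ts = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                       seconds=int(m["s"]), milliseconds=int(m["ms"]))
        err = ERROR_RE.search(m["msg"])
        entries.append({
            "thread": f"{m['pid']}.{m['tid']}",
            "time": ts,
            "func": m["func"],
            "msg": m["msg"],
            "error": int(err.group(1)) if err else None,
        })
    return entries


def analyze(entries, stall_threshold_s=30.0):
    """Report long gaps between consecutive entries, error-code counts and a diagnosis."""
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur["time"] - prev["time"]).total_seconds()
        if gap >= stall_threshold_s:
            # Attribute the stall to the entry that ended it: that is the call that hung.
            stalls.append({"after": prev["msg"], "ends_with": cur["msg"],
                           "error": cur["error"], "seconds": round(gap, 3)})

    error_counts = {}
    for e in entries:
        if e["error"] is not None:
            error_counts[e["error"]] = error_counts.get(e["error"], 0) + 1

    elapsed = (entries[-1]["time"] - entries[0]["time"]).total_seconds() if entries else 0.0

    diagnosis = [f"{n}x error {code}: {WIN32_RPC_ERRORS[code]}"
                 for code, n in sorted(error_counts.items()) if code in WIN32_RPC_ERRORS]
    if stalls and all(s["error"] in WIN32_RPC_ERRORS for s in stalls):
        diagnosis.append(
            "every stall ends in an RPC error: confirm the DC's dynamic RPC ports "
            "(not just TCP 135) are reachable from the client through firewalls and router ACLs"
        )
    return {"entries": len(entries), "elapsed_s": elapsed,
            "error_counts": error_counts, "stalls": stalls, "diagnosis": diagnosis}


if __name__ == "__main__":
    report = analyze(parse_userenv(USERENV_LOG))
    print(f"{report['entries']} entries over {report['elapsed_s']:.3f} s")
    for s in report["stalls"]:
        print(f"  stall {s['seconds']:7.3f} s -> {s['ends_with']}")
    for line in report["diagnosis"]:
        print("  " + line)
```

Run against the excerpt it reports four stalls of roughly 63 seconds each, every one ending in a 1753, and just over four minutes from "Machine role is 2" to "Processing failed"; that matches the 4-8 minute logons described in the thread, and the "Retrying in 1/2 second" lines show the half-second is not where the time goes, the hung GetUserNameEx call is. The same parser works on a full userenv.log from a client with verbose logging turned on, which is the logging suggestion made earlier in the thread.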
I think a
different thread mentioned that DNS was about 90% of the cause of this type of
behavior. It's not the only one however.
What
keeps rebooting? The DC? Or the workstations? If the workstations, not
only Ethereal but Darren's suggestion of logging is a good idea.
On 6/2/06, Za Vue <[EMAIL PROTECTED]> wrote:
Finally... someone is also experiencing this problem. My
DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first
thought was DNS, DNS... but NetDiag, Repl, DCDiag, Nslookup all show no error.
Nothing is reported in logs. It is not firewall. I have played with NetBIOS,
changing Provider Order in Network Neighborhood->Advanced Settings... nada.
This week has been quiet. If someone calls again I have Ethereal set up
and ready to capture. The thing about my environment is I do not manage the
switches or router. I don't know if someone is messing with something.
,
Justin (ITS) wrote:
Hello,
Last night we upgraded our 3
Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of
calls from users who report that their computer sits at "Applying computer
settings" for a good 10 minutes, then another 10 or so minutes at "Applying
your personalized settings".
After the upgrade we did start
seeing DCOM errors in the System event log, which I've found many people
online have experienced. I "fixed it" (or at least the DCOM errors went away)
by granting Network Service the following rights:
Local Launch
Remote Launch
Local Activation
Remote Activation
In the Launch and Activation
Permissions dialog on the Security tab of the netman component. However, even
after the DCOM errors have gone away, we continue to see the same results on
the clients.
Any ideas? I'm considering calling
Premier Support, but I figured you guys would be better help than
them.
Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
ITS ENTERPRISE SERVICES
EMAIL NOTICE
The information contained in this email and any
attachments is confidential and may be subject to copyright or other
intellectual property protection. If you are not the intended recipient,
you are not authorized to use or disclose this information, and we
request that you notify us by reply mail or telephone and delete the
original message from your mail system.