RE: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1

[Brian Desmond]

Probably some ports were open on the firewalls so crapshoot if you hit them – network traceor tcpdump on the nokia’s would have revelealed this straight away…   Thanks, Brian Desmond [EMAIL PROTECTED]   c - 312.731.3132   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Saturday, June 03, 2006 3:00 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1   Yeah, you would want to assume that DNS was ok in that situation.  Network would be more of a suspect given those symtpoms. Possibly even at the nic level, but could be anywhere else as well.   The thing to do, (I'm sure I'm not telling you anything new, but rather thinking out loud) is to find the commonality of the problem occurence.  Every 3-4 times you reboot is not a very good problem definition to work with as it's not repeatable in the sense that you can make a change and see the results. It's every 3-4 times.  That's odd. Almost sounds like a port mismatch at the switch or discarded packets somewhere vs. a client/server issue. But, doing the due dilligence is still needed right?   Al   On 6/3/06, Za Vue <[EMAIL PROTECTED]> wrote: I know almost every admin would probably say it is DNS, but if nslookup,Dcdiag,NetDiag, DC replication, GPOs all work properly or show no error one should assume DNS is working properly. No problem accessing DFS shares. If you sit down on a machine and restart the machine 3-4 times in a row, it would hang at least once. That is my problem. Yes.. I have a Portqry.exe batch file that checks the DC ports every time there is a problem. I have another Portqry script that checks other random ports that are not suppose to be opened-just to make sure the firewall is working properly.  There hasn't been a problem. I also run Sniffer Pro v.5.  However, things has been quiet this past week so I will wait and see anyone else calls in about it.   -Z.V. Al Mulnick wrote: For you it just started?     Are you familiar with tools such as portqry? I know you're familiar with packet sniffers. It might be good to have a look and at least rule out the personal firewalls, the network acls, network firewalls, and the other network issues that can be introduced outside your control.   Al   On 6/3/06, Za Vue <[EMAIL PROTECTED]> wrote: This doesn't sound right. I have been running SP1 since it was released. This just started last month. -Z.V. Clay, Justin (ITS) wrote: Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.   They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds. It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premiere Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!   Thanks to everyone for all the suggestions and help, it's always appreciated!   Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!