The sites are logically separated with firewalls, not physically separated
by any great distance. All six domain controllers are located in two
buildings only a few hundred yards from each other and connected via a
robust network. All are behind corporate firewalls, BUT as an educational
environment we have a great deal of non-desirable network traffic within the
corporate firewall. We use the Windows Firewall to open ports to our systems
in order to block the unknown traffic. The domain controllers sync over
IPSEC.

In our secure area the Windows Firewall is off, but in two other network
segments the Windows Firewall has come in helpful at times, so I need to
leave it on, but I just don't get why it's listed as Non-Domain settings.

(sorry if this is a double post, I wanted my reply public and it appears to
have been private.)


On Wed, Mar 18, 2009 at 12:38 PM, Terry Jezewski <
[email protected]> wrote:

> One of our new clients had this issue and since their sites are behind
> Sonic WALL firewalls, we turned off the WFW. Are your sites connected via
> VPN or point to point?
> ------------------------------
>
> *  From: *Stephen Wimberly [[email protected]]
> *  Sent: *03/18/2009 12:00 PM AST
> *  To: *"Active Directory Admin Issues" <
> [email protected]>
> *  Subject: *Windows Firewall is using your non-domain settings... On a
> Domain Controller???
>
> I have six domain controllers, two in each of three AD sites.  Two are
> Windows Server 2008 and four are Windows Server 2003 R2.
>
> My 2003 DCs are all displaying "Windows Firewall is using your non-domain
> settings" and I would much rather they use the domain settings.  My 2008 DCs
> show domain settings.
>
> I've pored over the following articles:
> Best practice for DNS Settings on Windows 2000 and 2003 Domain Controllers:
> http://support.microsoft.com/default.aspx/kb/825036
> Cable guy reports how it's decided upon:
> http://technet.microsoft.com/en-us/library/bb878049.aspx
>
> I found that NLA Service must start up automatic to get going quick enough,
> so that's done.  I've also found that sync errors could cause an issue with
> the NLA.
>
> Last resort was to demote a DC pull it from the domain and then add it back
> to the domain and dcpromo it back to a DC.  Just after doing that, the DC
> showed domain settings, but after just one restart it went back to
> non-domain settings.
>
> Has anyone seen this before, and better yet, know something that might kick
> it back into gear???
>
> Thanks!
>
> ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
>     ~    ~

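The thread turns on three facts about a DC: whether the NLA service is running and set to Automatic, which network category NLA assigned the DC's adapter, and whether the DC's DNS client points at a DC (KB 825036). The script below is an added diagnostic, not code from either poster; it assumes a modern Windows Server with PowerShell 5.1 and the NetConnection, NetSecurity and DnsClient modules (the thread's 2003/2008 hosts predate these cmdlets).

```powershell
# Added diagnostic for the "Windows Firewall is using your non-domain settings" symptom on a DC.
# Assumes Windows Server 2012+ / PowerShell 5.1; run elevated on the DC itself.

# 1. NLA (NlaSvc) must be running and Automatic. If it starts late, the firewall can settle on
#    the non-domain profile at boot before the domain can be verified.
$nla = Get-CimInstance Win32_Service -Filter "Name='NlaSvc'"
[pscustomobject]@{
    Check     = 'NlaSvc'
    State     = $nla.State
    StartMode = $nla.StartMode            # Win32_Service reports 'Auto', 'Manual' or 'Disabled'
    Ok        = ($nla.State -eq 'Running' -and $nla.StartMode -eq 'Auto')
}
# Remediation if StartMode is not Auto (uncomment to apply):
# Set-Service -Name NlaSvc -StartupType Automatic

# 2. Network category per adapter. A DC's own adapter should be DomainAuthenticated;
#    Public or Private means NLA could not confirm the domain, so non-domain firewall rules apply.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 3. Which firewall profiles are enabled and their default inbound action, so you know what
#    actually blocks traffic when the host falls to the non-domain profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# 4. DNS client settings. Per KB 825036 a DC should resolve via itself or a partner DC; a DC that
#    asks an outside resolver at boot cannot locate the domain and ends up in a non-domain profile.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

If NLA is Automatic and DNS points at a DC but the category is still wrong after a reboot, compare the boot-time System event log entries for NlaSvc and Netlogon to see which one came up first.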