GPResult looks 'normal'. It shows the three policies it's assigned and none others.
I created a firewall rule, a domain firewall rule; when I assign it, the domain controller shows it in the list of applied computer policies, but also lists it in the filtered list. When I pulled one domain controller from the domain and put it back, the domain firewall policy applied, but after one restart it was filtered and the WFW started using the non-domain settings, so I assume it was filtered because the server feels it is not authenticating against the domain.

On Thu, Mar 19, 2009 at 12:23 PM, Cameron <[email protected]> wrote:

> Try to run GPResult on one of the ones that is not working.
>
> *From:* Stephen Wimberly [mailto:[email protected]]
> *Sent:* March-19-09 7:50 AM
> *To:* Active Directory Admin Issues
> *Subject:* Re: Re: Windows Firewall is using your non-domain settings... On a Domain Controller???
>
> I'm still trying to verify that the few policies we have as original 'default' policies were not altered. (verify _everything_) Where I don't believe the Default policies have been altered, I'm not "the only cook in the kitchen" and I'm having a hard time finding a document that spells out the original settings. I may have to set up a new domain on an old server and see what happens! ;)
>
> I've never applied policies to the domain controllers via GPO, we are really just starting to think about doing that. So the only GPO objects the domain controllers get are:
>
> Default Domain Policy (_shouldn't_ be altered from original install)
> Default Domain Controllers Policy (_shouldn't_ be altered from original install)
> Our WSUS policy (which points them to our WSUS server and sets the WSUS group)
>
> That's it, fairly straightforward. We try to run a fairly standard MS shop in case we ever need their help on something. I don't see anything in these policies that would have any effect on the network location awareness.
>
> I should mention we are a single forest single domain environment. (Keep It Simple S...)
>
> Thanks again!
> -Stephen
>
> On Wed, Mar 18, 2009 at 12:57 PM, Terry Jezewski <[email protected]> wrote:
>
> Hmm mm..
>
> I'd check the gpo on the sites and also the dc container first.
> Let me think further on this. Got to love campus networks
>
> Terry
> ------------------------------
>
> *From:* riversidekid
> *Sent:* 03/18/2009 04:51 PM GMT
> *To:* Terry Jezewski
> *Subject:* Re: Re: Windows Firewall is using your non-domain settings... On a Domain Controller???
>
> The sites are logically separated with firewalls, not physically separated by any great distance. All six domain controllers are located in two buildings only a few hundred yards from each other and connected via a robust network. All are behind corporate firewalls, BUT as an educational environment we have a great deal of non-desirable network traffic within the corporate firewall. We use the Windows Firewall to open ports to our systems in order to block the unknown traffic. The domain controllers sync over IPSEC.
>
> In our secure area the Windows Firewall is off, but in two other network segments the windows firewall has come in helpful at times, so I need to leave it on but I just don't get why it's listed as Non-Domain settings.
>
> On Mar 18, 2009 12:38pm, Terry Jezewski <[email protected]> wrote:
>
> > One of our new clients had this issue and since their sites are behind SonicWALL firewalls, we turned off the WFW. Are your sites connected via VPN or point to point?
> >
> > From: Stephen Wimberly [[email protected]]
> > Sent: 03/18/2009 12:00 PM AST
> > To: "Active Directory Admin Issues" [email protected]
> > Subject: Windows Firewall is using your non-domain settings... On a Domain Controller???
> >
> > I have six domain controllers, two in each of three AD sites. Two are Windows Server 2008 and four are Windows Server 2003 R2.
> >
> > My 2003 DCs are all displaying "Windows Firewall is using your non-domain settings" and I would much rather they use the domain settings. My 2008 DCs show domain settings.
> >
> > I've pored over the following articles:
> >
> > Best practice for DNS Settings on Windows 2000 and 2003 Domain Controllers: http://support.microsoft.com/default.aspx/kb/825036
> >
> > Cable guy reports how it's decided upon: http://technet.microsoft.com/en-us/library/bb878049.aspx
> >
> > I found that NLA Service must start up automatic to get going quick enough, so that's done. I've also found that sync errors could cause an issue with the NLA.
> >
> > Last resort was to demote a DC, pull it from the domain and then add it back to the domain and dcpromo it back to a DC. Just after doing that, the DC showed domain settings, but after just one restart it went back to non-domain settings.
> >
> > Has anyone seen this before, and better yet, know something that might kick it back into gear???
> >
> > Thanks!

~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
