I think your Norton ISFE is blocking ports AD needs and also blocking
NetBEUI over TCP/IP.
Port 1042 is very possibly a correct Windows port if you are using IP over
Token Ring, or if your Kerberos keys are incompatible.

Port 389 is LDAP (Lightweight Directory Access Protocol), used by AD (Active
Directory).
See
http://support.microsoft.com/default.aspx?scid=%2fsearch%2fviewDoc.aspx%3fdocID%3dKC.Q266657%26dialogID%3d2991630%26iterationID%3d1%26sessionID%3danonymous%7c2667341
from the Knowledge Base. It's also Q266657.

I know this sounds blasé, but I'd not worry about the Bla Trojan at the
moment, since your system isn't up enough to communicate anyway. I think the
port 1042 errors are systemic of a problem with Active Directory and your
ability to find other machines on the network, not the Bla Trojan.

First step, record the event errors.
Second step, turn off the Norton (safe mode boot, stop the thing from
running, reboot).
Third, see what errors you have now. Compare to previous logs.
Fourth, start searching TechNet for the event IDs and error messages. Fix
all you can.
Fifth, post the event errors and IDs of those you cannot fix and we'll see
if some of us who've seen more errors than we care to admit can shed some
light.

Hint: I've seen many problems related to time-skewed servers and badly
created DNS settings that sound like what you have too. Just as a
troubleshooting procedure, you can stop the Windows Time service (disable)
to stop all the w32time errors, if you are seeing them. They would be caused
by DNS problems finding the NTP server.

We need more data.

D. Weiss
MCSE/CCNA/SSP2


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 25, 2002 1:34 AM
To: [EMAIL PROTECTED]
Subject: W2K Kerberos Ports


Hi,

I use W2K Client and now also W2K Server. In addition I have Norton
Internet Security Family Edition installed, just to test whether it is
suitable for untrained users. The W2K Server is new, just out of the box;
my client has been hardened a bit before for the NT Server.

When I now log in to the W2K Server (before we had NT4), it takes a really
long time to connect. An alert window from Norton pops up and asks me
whether I want to block or enable the outbound TCP connection from Winlogon
to ldap (389) on the server. Whatever I do, the client crashes with a short
blue screen and a dump.

Checking the Norton log also reveals that before the outbound TCP to 389 I
get an inbound UDP from Server, Kerberos to Client, 1042. And wherever I
look, port 1042 always comes up in connection with Trojan Bla.

Is port 1042 a regular port that Kerberos accesses?
Did Bla just hijack this port?
Could it be that the program Kerberos is not using this port on the server,
but another program is using the port normally associated with Kerberos?

I get numerous other error messages in the Event Log as well, like NetBT
cannot connect, userenv cannot be located, GPO cannot be accessed.
I guess this mail would be too long to describe them all here.

Any idea where I can get a detailed description of the W2K Kerberos and
other implementations, like ldap or epmap?


Best Regards,
Andreas
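
The port question in the thread above can be examined from the firewall log itself by looking at which side of each record holds the well-known port: Kerberos listens on 88, so in "inbound UDP, Kerberos to client 1042" the number 1042 is the client-side port. The following is an added example, not part of the original messages; the record layout, the sample entries, local port 1043 and remote port 3127 are constructed, and it assumes the Windows 2000 default dynamic client port range of 1025-5000.

```python
from typing import NamedTuple

# Well-known server ports for the services named in the thread.
AD_SERVICE_PORTS = {88: "kerberos", 135: "epmap", 389: "ldap"}
# Assumption: Windows 2000 default dynamic (client-side) port range.
EPHEMERAL = range(1025, 5001)


class Record(NamedTuple):
    direction: str    # "in" or "out", from the client firewall's point of view
    proto: str        # "tcp" or "udp"
    local_port: int   # port on the client
    remote_port: int  # port on the server


def classify(records):
    """Label each record; an inbound packet is a reply if it reverses a logged request."""
    seen_requests = set()
    labels = []
    for rec in records:
        flow = (rec.proto, rec.local_port, rec.remote_port)
        service = AD_SERVICE_PORTS.get(rec.remote_port)
        if rec.direction == "out":
            seen_requests.add(flow)
            labels.append(f"request to {service}" if service else "other outbound")
        elif flow in seen_requests:
            labels.append(f"reply from {service or 'remote'}")
        elif service and rec.local_port in EPHEMERAL:
            # Sender is a known service port, receiver is a dynamic client port.
            labels.append(f"probable reply from {service} (request not logged)")
        else:
            labels.append("unsolicited inbound: check what listens on the local port")
    return labels


# Constructed sample, modelled on the sequence described in the question.
SAMPLE = [
    Record("in", "udp", 1042, 88),     # server Kerberos -> client 1042
    Record("out", "tcp", 1043, 389),   # Winlogon -> ldap on the server
    Record("in", "tcp", 1043, 389),    # ldap answer on the same flow
    Record("in", "tcp", 1042, 3127),   # remote dynamic port -> local 1042
]

if __name__ == "__main__":
    for rec, label in zip(SAMPLE, classify(SAMPLE)):
        print(rec, "->", label)
```

Only the last constructed record, where nothing on the remote side is a known service port, is the pattern that calls for checking which local process is bound to 1042.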


