XP SP2 Firewall with GPO in Domain



Hi All,

I am trying to turn the firewall off on all my domain PCs. Basically I
have set the domain profile to turn this off; however, randomly PCs will run
with the "Standard Profile".

I know the profile checks the DNS suffix and compares it with:-


I have run out of ideas. I am about to set the Standard profile to turn
the firewall off also, but this will cause a problem when staff take laptops

The environment is a fully switched Cisco network, 1 VLAN, all PCs on the
same subnet, 3 domain controllers running W2K3 SP1, PCs are all WinXP SP2
fully updated. All Domain Controllers are Global Catalogs.

Could it be something to do with turning labs of PCs on all at once?
i.e. is there a limit of how many requests a domain controller can handle at
any given time?







Steven L Umbach

It would not have anything to do with turning off the computers all at one
time as Group Policy is not refreshed at shutdown/logoff. There seems to be
some debate on exactly what the computer does check to see if it uses
standard or domain profile but it is related to accessing a domain
controller at startup. Also if any of the computers are using wireless
network adapters to connect to the domain that can cause problems as often
the wireless adapter will not initialize fast enough to contact a domain
controller at startup.

What I would do is to verify that all the computers are configured correctly
for DNS in that they point only to domain controllers as their preferred DNS
server and NEVER an ISP DNS server in the list as shown by Ipconfig /all. I
would also look in the logs on the problem computers to see if any userenv
errors/warnings are recorded or anything else that would indicate a problem
contacting a domain controller. Run the support tool netdiag on a problem
workstation and your domain controllers to see if any problems are found
with DNS, dc discovery, trust/secure channel, etc. Then run dcdiag and
gpotool on your domain controllers and check their logs via Event Viewer for
any related problems. Gpotool is great in reporting problems with Group
Policy replicating properly. Also run rsop.msc on a couple of the problem
domain computers to see exactly what is reported as Group Policy settings
for the settings in question and the winning GPO. Offhand I am not sure if
rsop.msc reports as much as gpresult [try selecting computer
configuration/properties for rsop.msc results] which will also show the last
time Group Policy was applied for the computer and from which domain
controller. --- Steve
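
The DNS check recommended in the reply above, as an added example that is not part of the original thread: it parses `ipconfig /all` output saved from a workstation and lists every DNS server, per adapter, that is not a domain controller. The domain controller addresses and the sample output are constructed assumptions.

```python
import re

# Assumption for this example: the DNS addresses of the three domain controllers.
DC_DNS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}

# Constructed `ipconfig /all` output from a hypothetical XP SP2 workstation.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : 03 March 2008 08:15:02

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : corp.example
        DNS Servers . . . . . . . . . . . : 10.0.0.11
"""

# "Key . . . : value" lines; the value may itself contain colons (lease times).
KV = re.compile(r"^\s+([A-Za-z][^:]*?)[\s.]*:\s?(.*)$")

def parse_dns_servers(text):
    """Return {adapter section name: [DNS server addresses]}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            name = line.strip().rstrip(":")
            current = adapters.setdefault(name, []) if "adapter" in name else None
            last_key = None
        elif current is not None:
            match = KV.match(line)
            if match:
                last_key, value = match.group(1), match.group(2).strip()
                if last_key == "DNS Servers" and value:
                    current.append(value)
            elif last_key == "DNS Servers":  # further servers sit on continuation lines
                current.append(line.strip())
    return adapters

def non_dc_dns(text, dc_dns=DC_DNS):
    """List (adapter, server) pairs whose DNS server is not a domain controller."""
    return [(name, server) for name, servers in parse_dns_servers(text).items()
            for server in servers if server not in dc_dns]
```

Running `non_dc_dns` over output collected from each problem workstation shows which adapters still list a resolver other than a domain controller, including secondary servers that appear only on continuation lines.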
