[26843] in resnet
Re: Windows 7/2008 not connecting to network...
daemon@ATHENA.MIT.EDU (Brock, Adam)
Wed Oct 12 22:26:04 2011
Message-ID: <C8B574F684FD134B924E723867DF15EC037ACFEF05@FS1.baylor.edu>
Date: Wed, 12 Oct 2011 21:21:58 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Brock, Adam" <Adam_Brock@baylor.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <CANtPpk5psMzJKJtbB1TucDiRMVAPh8CiTpwi82YXzJdUwMypWw@mail.gmail.com>
To rule out a group policy issue, I'd create a new OU and block inheritance of all other policies. Then create the computer account there and join the machine to the domain. If the issue still crops up, you know it's not group policy. If it doesn't, start linking GPOs one by one.

You might want to compare rights on the BFE and Windows Firewall services using sc. If it's a rights issue (and it sounds like it might be), that can give you an idea of what permissions are being altered. On one occasion I made some typos modifying the permissions for a service, and it caused all sorts of wonky behavior.

sc sdshow bfe
sc sdshow mpssvc

From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Mike King
Sent: Wednesday, October 12, 2011 4:56 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: [RESNET-L] Windows 7/2008 not connecting to network...
I've also had "Issues" with Cisco ASA's and Server 2008 being in the same subnet.

Short answer,
Cisco ASA's have a "feature" called proxy arp, where if a device is misconfigured with the wrong gateway, the ASA will still respond, and mimic the wrong address, so your clients can connect to the network.

Server 2008/Windows 7 use proxy arp to detect ip address conflicts. This causes them to completely freak out.

On a sad note, when you have an address conflict, it does not show a popup like XP used to. It will just show a different (usually APIPA address) as "Preferred" in the ipconfig /all

Mike

On Wed, Oct 12, 2011 at 3:49 PM, Adeel Siddiqui <asiddiqui@usao.edu> wrote:

We have a strange issue going on our campus that's causing our Windows 7 computers and Windows 2008 servers to completely lose network connectivity.

This is only happening to computers that are connected to the domain.

The issue seems to have started a few weeks ago after the last round of Windows Updates were installed on those computers. As a result, the Windows Firewall services and its dependency services all got turned off on those computers and can't be re-enabled either. Also, RDP access to those computers won't work either. I suspected a group policy of some sort might be the cause but we use little to no group policy administration on our campus at all. Upon further investigation, we found that there seems to be some cause to this due to some registry permissions that seemed to have changed after the aforementioned Windows Updates were installed. I have a feeling that the problem lies with how the computers are authenticating to the domain, but can't confirm that prognosis.

I've tried everything to fix this issue from changing group policy settings, to removing/re-adding the computers to the domain. Nothing seems to have worked permanently or at least completely. We have managed to do some on the spot MacGyvering to fix the issue (i.e. manually applying administrative permissions to certain keys in the registry on those computers as suggested by a few online articles) but they are temporary band-aids at best.

Has anyone else run into this? Any permanent fixes/solutions that you can suggest?

regards,
Adeel Siddiqui
Network Administrator <http://www.usao.edu/staff/adeel-siddiqui>
Information, Research and Network Services
University of Science and Arts of Oklahoma <http://www.usao.edu/>
Chickasha, OK 73018
(405) 574-1319
asiddiqui@usao.edu
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
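
The service-rights comparison suggested in Adam Brock's reply, as an added example that is not part of the original thread: it decodes the DACL from two `sc sdshow` outputs (one from a working machine, one from a failing one) and lists which service rights each trustee lost or gained. The function names are hypothetical and the two SDDL strings are constructed samples, not the real BFE or MpsSvc descriptors.

```python
import re

# SDDL two-letter rights as they apply to service objects, plus generic rights.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}

def parse_dacl(sddl):
    """Return {(ace_type, trustee): set of right names} for the DACL of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    acl = {}
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE (%s): expected 6 fields" % body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            names = {rights}  # raw hex access mask, left undecoded
        elif len(rights) % 2:
            raise ValueError("malformed rights %r in ACE (%s)" % (rights, body))
        else:
            # Codes not in the table are kept with a "?" prefix so a typo shows in the diff.
            names = {SERVICE_RIGHTS.get(c, "?" + c) for c in re.findall("..", rights)}
        acl.setdefault((ace_type, trustee), set()).update(names)
    return acl

def diff_dacl(good_sddl, bad_sddl):
    """Return (ace_type, trustee, lost, gained) tuples, working machine vs. failing one."""
    good, bad = parse_dacl(good_sddl), parse_dacl(bad_sddl)
    changes = []
    for key in sorted(set(good) | set(bad)):
        g, b = good.get(key, set()), bad.get(key, set())
        if g != b:
            changes.append((key[0], key[1], sorted(g - b), sorted(b - g)))
    return changes

# Constructed sample descriptors, not captured from a real host.
GOOD = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
BAD = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)"

if __name__ == "__main__":
    for ace_type, trustee, lost, gained in diff_dacl(GOOD, BAD):
        print(ace_type, trustee, "lost:", lost, "gained:", gained)
```

Paste the single-line output of `sc sdshow bfe` (or `mpssvc`) from each machine in place of `GOOD` and `BAD`; a trustee that disappears entirely shows up with all of its rights in the lost column.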