[26936] in resnet
Re: Windows 7/2008 not connecting to network...
daemon@ATHENA.MIT.EDU (Adeel Siddiqui)
Tue Oct 25 23:03:02 2011
Message-ID: <023b01cc938a$99310bc0$cb932340$@edu>
Date: Tue, 25 Oct 2011 21:54:35 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Adeel Siddiqui <asiddiqui@usao.edu>
To: RESNET-L@listserv.nd.edu
Much thanks to all who replied. Especially to Adam Brock who confirmed my
original prognosis and provided further insight.
After a lot of trial and error, I believe I have established that the issue
was definitely to do with group policy settings. I've currently got an
indefinite solution in place to stop the issue from happening again to any
new Windows 7/2008 computers added to the domain...but I don't have a
solution to push a network-wide fix for already affected machines. There
are a lot of random pieces to this puzzle that originally seemed irrelevant;
but if it helps anyone else, here's the prognosis:
1. We are using Windows 2000 domain controllers on our campus. For the
past several weeks, we have been in the process of slowly replacing them
with Windows 2008 domain controllers. The data transfer process for
migrating the Active Directory database required updating the Active
Directory schema to the newest version (47, I believe). Only then could the
adprep commands be run which would eventually allow data migration to the
new Windows 2008 DCs. As a by-product, the schema update activated some
latent features from the client-side group policy preferences on Windows
2003/7/2008 computers (only the computers that were on the domain). That is
my best educated guess because otherwise no changes were made to any
group policy settings.
2. As I had mentioned in my earlier email, we use little to
practically no group policy features on our domain. But nonetheless, we
still have had the default domain group policy on the W2K domain controllers
actively propagating itself to all authenticated domain clients (with all
settings un-configured). I found out that Windows 2000 domain controllers
don't have GP management ability for the BFE (Base Filtering Engine) service
which is a key networking service used on all Windows OS's since Win2k3 (so
Windows XP computers on the domain were not at all affected).
3. The BFE service controls RPC, DCOM, DPS, DHCP, RDP and the Windows
ICS/Firewall services. The lack of management for BFE from the Win2k group
policy management server caused the affected machines to not have a way to
authenticate registry permissions for the Windows Firewall local/network
service accounts (MpsSvc) on those services (on the affected computers). The
MpsSvc account needs full control on those registry entries to allow them to
start when the computer is authenticated to the domain at logon.
Subsequently, because this registry permission setting was missing on the
Win2k DCs, it was also removed from all the Windows 2003/7/2008 computers on
the domain. This article from Microsoft describes the issue:
http://support.microsoft.com/kb/943996 (the article is for Windows Vista,
but it applies to any Windows OS released after Windows XP). Manually
reapplying the permissions only worked briefly to restore full networking
services until the GP was next refreshed on the affected machines.
4. At this point, it became a catch-22 to fix the issue. There's no
way to apply the required registry permissions through group policy from the
Win2k domain controllers. And manually applying the registry permissions
(very tediously on several Windows 7 computers) would revert as soon as the
GP was refreshed across the domain or on the affected computers at logon.
5. I finally just decided to block GP inheritance on all the OUs in
AD, and de-link the domain policy as well as disable the GPO altogether.
Nothing else was affected from this action since we don't use any active GP
settings on our domain anyway. So this will stop any future added Windows 7
computers (added to the domain) from being affected. But it will not fix any
past affected computers. On those we will just have to manually re-apply the
necessary registry permissions.
6. A permanent solution to this would be to completely remove the old
Windows 2000 domain controllers from the equation, and continue with the
migration to the new Windows 2008 servers. That is still in the works, but
there are so many of these gotchas along the way that I'm treading very very
lightly (I don't want to spend another few weeks figuring out the cause for
some esoteric issue we'll face along the way).
If anyone else has any other insight, feel free to contribute.
regards,
Adeel Siddiqui
Network Administrator <http://www.usao.edu/staff/adeel-siddiqui>
Information, Research and Network Services
University <http://www.usao.edu/> of Science and Arts of Oklahoma
Chickasha, OK 73018
(405) 574-1319
asiddiqui@usao.edu
_____
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Brock,
Adam
Sent: Wednesday, October 12, 2011 9:22 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: Windows 7/2008 not connecting to network...
To rule out a group policy issue, I'd create a new OU and block inheritance
of all other policies. Then create the computer account there and join the
machine to the domain. If the issue still crops up, you know it's not group
policy. If it doesn't, start linking GPOs one by one.
You might want to compare rights on the BFE and Windows Firewall services
using SC. If it's a rights issue (and it sounds like it might be), that can
give you an idea of what permissions are being altered. On one occasion I
made some typos modifying the permissions for a service, and it caused all
sorts of wonky behavior.
sc sdshow bfe
sc sdshow mpssvc
From: Adeel Siddiqui [mailto:asiddiqui@usao.edu]
Sent: Wednesday, October 12, 2011 2:50 PM
To: Resnet Forum
Subject: Windows 7/2008 not connecting to network...
We have a strange issue going on our campus that's causing our Windows 7
computers and Windows 2008 servers to completely lose network connectivity.
This is only happening to computers that are connected to the domain.
The issue seems to have started a few weeks ago after the last round of
Windows Updates were installed on those computers. As a result, the Windows
Firewall services and its dependency services all got turned off on those
computers and can't be re-enabled either. Also, RDP access to those
computers won't work either. I suspected a group policy of some sort might
be the cause but we use little to no group policy administration on our
campus at all. Upon further investigation, we found that there seems to be
some cause to this due to some registry permissions that seemed to have
changed after the aforementioned Windows Updates were installed. I have a
feeling that the problem lies with how the computers are authenticating to
the domain, but can't confirm that prognosis.
I've tried everything to fix this issue from changing group policy settings,
to removing/re-adding the computers to the domain. Nothing seems to have
worked permanently or at least completely. We have managed to do some on the
spot MacGyvering to fix the issue (i.e. manually applying administrative
permissions to certain keys in the registry on those computers as suggested
by a few online articles) but they are temporary band-aids at best.
Has anyone else run into this? Any permanent fixes/solutions that you can
suggest?
regards,
Adeel Siddiqui
Network Administrator <http://www.usao.edu/staff/adeel-siddiqui>
Information, Research and Network Services
University <http://www.usao.edu/> of Science and Arts of Oklahoma
Chickasha, OK 73018
(405) 574-1319
asiddiqui@usao.edu
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
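
The comparison suggested in the thread (running `sc sdshow bfe` and `sc sdshow mpssvc` on a working and an affected machine) can be done mechanically. The following is an added example, not part of the original messages: it parses the DACL of two captured SDDL strings and reports which service rights each trustee lost or gained. The two SDDL strings are constructed samples, not the real descriptors of BFE or MpsSvc, and the function names are hypothetical.

```python
import re

# Access-right codes as they apply to service objects (sc sdshow output).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive", "SU": "Service logon", "AU": "Authenticated Users",
    "LS": "Local Service", "NS": "Network Service", "WD": "Everyone",
}
ACE_TYPES = {"A": "allow", "D": "deny"}

# Constructed sample captures (assumption: one healthy, one affected machine).
BASELINE_SDDL = """
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
"""
SUSPECT_SDDL = """
D:(A;;CCLCSWLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)
"""


def parse_dacl(sddl):
    """Map (ace_type, trustee) -> set of right codes for the D: section."""
    text = "".join(sddl.split())  # sc.exe pads and may wrap its output
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", text)
    if not match:
        raise ValueError("no DACL (D:) section found")
    dacl = {}
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            codes = {rights.lower()}  # numeric mask, compared as-is
        elif len(rights) % 2:
            # A typo in a hand-edited descriptor usually shows up here.
            raise ValueError(f"odd-length rights string in ACE: ({body})")
        else:
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        dacl.setdefault((ace_type, trustee), set()).update(codes)
    return dacl


def diff_dacl(baseline, suspect):
    """List (ace_type, trustee, missing, added) where the two DACLs differ."""
    base, sus = parse_dacl(baseline), parse_dacl(suspect)
    findings = []
    for key in sorted(set(base) | set(sus)):
        missing = base.get(key, set()) - sus.get(key, set())
        added = sus.get(key, set()) - base.get(key, set())
        if missing or added:
            findings.append((key[0], key[1], sorted(missing), sorted(added)))
    return findings


def explain(findings):
    """Render findings as one readable line per changed ACE."""
    lines = []
    for ace_type, trustee, missing, added in findings:
        who = f"{TRUSTEES.get(trustee, 'unknown trustee')} ({trustee})"
        kind = ACE_TYPES.get(ace_type, ace_type)
        for label, codes in (("missing", missing), ("added", added)):
            if codes:
                names = ", ".join(SERVICE_RIGHTS.get(c, c) for c in codes)
                lines.append(f"{kind} ACE for {who}: {label} {names}")
    return lines


if __name__ == "__main__":
    for line in explain(diff_dacl(BASELINE_SDDL, SUSPECT_SDDL)):
        print(line)
```

To use it on real machines, redirect the output of each `sc sdshow` command to a file on both hosts and pass the file contents in place of the sample strings.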