*** cannot connect to my internal domain ***********

  • Thread starter Thread starter Darren
  • Start date Start date
D

Darren

Hi, All
I have over 20 webservers run win2000 SP3, on my DMZ.
I recently upgraded a few of my webservers to SP4 and the latest security
patch MS03-026 and MS03-030, since then I'M now receiving a long delay when
login in especially at the logon screen " applying security setting" about 5
mins then I'm able to successfully login.
After checking the event log I saw two event errors that reoccuring every 2
hours . The first error: source Userenv Event ID 1000 "Windows cannot
establish a connection to mydomain.com with (1311)" and the 2nd error source
Userenv Event ID 1000 "Windows cannot query for the list of group policy
object.
This is happening on server that have SP4 and is on my DMZ. I have server
that are not on the DMZ with SP4 and don't receive this error.
Is this because my webserver on my DMZ are not looking to communicate
through port 1311 . Do I need to have this port open on my DMZ ?
P.S My DNS and DC's are behind my DMZ.
Thanks
-Darren
 
In
posted their thoughts said:
Hi, All
I have over 20 webservers run win2000 SP3, on my DMZ.
I recently upgraded a few of my webservers to SP4 and the latest
security patch MS03-026 and MS03-030, since then I'M now receiving a
long delay when login in especially at the logon screen " applying
security setting" about 5 mins then I'm able to successfully login.
After checking the event log I saw two event errors that reoccuring
every 2 hours . The first error: source Userenv Event ID 1000
"Windows cannot establish a connection to mydomain.com with (1311)"
and the 2nd error source Userenv Event ID 1000 "Windows cannot query
for the list of group policy object.
This is happening on server that have SP4 and is on my DMZ. I have
server that are not on the DMZ with SP4 and don't receive this error.
Is this because my webserver on my DMZ are not looking to communicate
through port 1311 . Do I need to have this port open on my DMZ ?
P.S My DNS and DC's are behind my DMZ.
Thanks
-Darren
Click to expand...

Let's see an unedited ipconfig /all from the offending server and the name
of the AD domain name as shown in ADUC.

This could be a combination of issues, basically starting with your DNS
configuration on the client machines (DCs and DNS servers are also clients
of themselves), your Primary DNS Suffix if properly set, the AD domain name
(as shown in ADUC), and the zone settings in DNS to allow updates. Firewalls
just complicate the issue. Going thru a NAT won't even work because it can't
translate RPC, LDAP or Kerberos traffic. The best suggestions is to use an
L2TP or PPTP VPN thru the firewall or a PPTP VPN thru a NAT and just open up
only the ports required by the VPN.

If you have a member server in a DMZ with a firewall (not a NAT device)
separating them, then you would need to open up quite a few ports for domain
communication, not just DNS. I believe it's around 30 ports that are needed
to be opened.:

Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

Active Directory Replication over Firewalls - Microsoft Service Providers:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

Q289241 - A List of the Windows 2000 Domain Controller Default Ports:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q289241&

154596 - Configuring RPC Dynamic Port Allocation to Work With Firewall :
http://support.microsoft.com/default.aspx?scid=kb;EN-US;154596

179442 - How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/?id=179442

http--securityadmin.info-faq.htm - Domain traffic thru a firewall:
http://securityadmin.info/faq.htm#6.10




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi, Ace
Thank you for the recommendations and step, however I'm a bit puzzle why
these error are being logged now after install MS03-030 and MS03-026 on only
servers on my DMZ. Can you confirm with me if what port are being close
after applying the security patches, I think ports 1000-5000 are being close
and this will make sense since my servers are looking to communicated with
A/D via 1311..
What do you think ?
Thanks once again
-Darren
 
In
posted their thoughts said:
Hi, Ace
Thank you for the recommendations and step, however I'm a bit puzzle
why these error are being logged now after install MS03-030 and
MS03-026 on only servers on my DMZ. Can you confirm with me if what
port are being close after applying the security patches, I think
ports 1000-5000 are being close and this will make sense since my
servers are looking to communicated with A/D via 1311..
What do you think ?
Thanks once again
-Darren
"Ace Fekay [MVP]"
Click to expand...

Those hotfixes don't close any ports. They just plug up the vulnerability in
the service.

I still think it's a configuration issue, which the Event ID 1000's lead me
to believe.

Please PLEASE, let me see:
And I can rule out configuration for you. Othewise it's tough to guess
without more info.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi, Ace
I have discovered that when I logon with a different domain account on my
webservers I'm able to login without any delay, however only a few accounts
seems to work without any delay the majority of domain accounts experiences
a delay of 1-5min when login "applying security settings" then the two
errors are being logged . The first error: source Userenv Event ID 1000
"Windows cannot establish a connection to mydomain.com with (1311)"
and the 2nd error source Userenv Event ID 1000
"Windows cannot query for the list of group policy object.
I did a dcdiag and netdiag all looks clean on my DC's
What do you think ?
I prefer send the requested info to your personal address can you send me
your address..
 
In
posted their thoughts said:
Hi, Ace
I have discovered that when I logon with a different domain account
on my webservers I'm able to login without any delay, however only a
few accounts seems to work without any delay the majority of domain
accounts experiences a delay of 1-5min when login "applying security
settings" then the two errors are being logged . The first error:
source Userenv Event ID 1000 "Windows cannot establish a connection
to mydomain.com with (1311)" and the 2nd error source Userenv Event
ID 1000 "Windows cannot query for the list of group policy object.
I did a dcdiag and netdiag all looks clean on my DC's
What do you think ?
I prefer send the requested info to your personal address can you
send me your address..
Click to expand...

No problem, send it privately:
acefekay AT hotmail.com.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
you got mail..
Thanks once again
Ace Fekay said:
In

No problem, send it privately:
acefekay AT hotmail.com.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
Click to expand...
 
Back
Top