How to access a domain server which is targeted by Group Policy set to block Inbound and Outbound connections
Hi,
I have a practice lab with two physical servers 2012 R2, one of them is Hyper-V host and one of VMs is a domain controller. I was doing some exercises with firewall rule deployment through Group Policy, so I created an outbound rule to block port 80 which was targeted to Domain Computers. Now my other physical server has inbound and outbound connections set to block and domain controller cannot be contacted to update policy (with rule removed). At least that is my understanding. Maybe I messed up something with the profiles too, because port 80 would not have blocked all outbound traffic, or?
I am new to IT so my understanding is still poor.
Best
Robert
Hi Robert,
If we block inbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
If we block outbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
If we block outbound TCP port 80, it will mean all websites will be unreachable, for TCP port 80 is for HTTP.
Regarding Windows firewall security settings, the following article can be referred to for more information.
Windows Firewall with Advanced Security Properties Page
http://technet.microsoft.com/en-us/library/cc753002.aspx
Best regards,
Frank Shen
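As an added example (not code from either poster), a PowerShell audit for the situation Robert describes: it shows the effective per-profile default actions, lists the rules Group Policy pushed (so a stray outbound block rule is visible), tests whether the domain controller is still reachable on the ports Group Policy processing needs, and then pulls policy again. The DC address is an assumption, since the thread never names the DC.

```powershell
<#
  Added example, not code from the thread. Audits a domain member whose Windows
  Firewall is controlled by Group Policy, checks whether the domain controller is
  still reachable on the ports Group Policy processing relies on, and then pulls
  policy again. Run in an elevated PowerShell session on the affected server.
  $DcAddress is an assumption: the thread never names the DC. Pass the DC's IP if
  DNS itself is being blocked, because nothing below can resolve names otherwise.
#>
param(
    [string]$DcAddress = "192.0.2.10",   # placeholder: IP or FQDN of your domain controller
    [switch]$AddRecoveryRule             # optional: add a DC-scoped local outbound allow rule
)

# 1. Effective default action per profile. "Block" for outbound means every
#    connection without an explicit allow rule is dropped, which matches the
#    symptom in the question. AllowLocalFirewallRules shows whether the GPO still
#    lets locally created rules merge in.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowLocalFirewallRules |
    Format-Table -AutoSize

# 2. Rules that Group Policy pushed, with their port filters, so the stray
#    "block TCP 80" rule and anything else targeted at Domain Computers is visible.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            GPO        = $_.PolicyStoreSource
            Direction  = $_.Direction
            Action     = $_.Action
            Enabled    = $_.Enabled
            Protocol   = $port.Protocol
            RemotePort = ($port.RemotePort -join ',')
        }
    } | Format-Table -AutoSize

# 3. TCP reachability of the DC on the well-known AD ports (constructed list).
#    DNS normally uses UDP 53, so the TCP 53 probe is only an approximation.
$checks = @(
    @{ Name = 'DNS';          Port = 53  },
    @{ Name = 'Kerberos';     Port = 88  },
    @{ Name = 'RPC mapper';   Port = 135 },
    @{ Name = 'LDAP';         Port = 389 },
    @{ Name = 'SMB (SYSVOL)'; Port = 445 }
)
$results = foreach ($c in $checks) {
    $t = Test-NetConnection -ComputerName $DcAddress -Port $c.Port `
         -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $c.Name; Port = $c.Port; Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# 4. Optional recovery: if local rules still merge (AllowLocalFirewallRules = True),
#    allow outbound traffic to the DC address only, so the corrected policy can be
#    fetched. Delete this rule once Group Policy is healthy again.
if ($AddRecoveryRule -and ($results.Reachable -contains $false)) {
    $dcIp = $DcAddress
    if (-not ($DcAddress -as [ipaddress])) {
        $dcIp = (Resolve-DnsName -Name $DcAddress -Type A -ErrorAction Stop)[0].IPAddress
    }
    New-NetFirewallRule -DisplayName 'TEMP allow outbound to DC (policy recovery)' `
        -Direction Outbound -Action Allow -RemoteAddress $dcIp -Profile Domain `
        -Enabled True | Out-Null
}

# 5. Pull computer policy again, then re-run step 1: the default outbound action
#    should now follow whatever the (corrected) GPO says.
gpupdate /target:computer /force
```

If the GPO sets AllowLocalFirewallRules to False, step 4 has no effect and the rule must be corrected on the DC side first; the audit in steps 1 to 3 still tells you which it is.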
Similar Messages
-
How to access the SAP Server Console? Through VPN
Sudhakar
Hi,
You need to contact your system admin as they will enable the port in your system so that you can access client servers. It should also be allowed from client side also, I mean access.
You will connect through weblink with user name and pw and SAP with logon details.
Thanks
Suresh -
The processing of Group Policy failed because of lack of network connectivity to a domain controller
We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with secondary zone. The problem is that none of the machines in the the domain are getting GPO.
When I run a gpupdate /force from a machine, I get the following output:
"Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."
While the system event log outputs the following:
"The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator."
All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other, so I don't understand how the error can be resolved.
Here are few things I have tried:
1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
3. Enabled the following two local Group policies on a test member:
GP slow link detection
Startup policy processing wait time
4. Modified firewall to allow everything on both member and DC
5. Verified DNS logs, SRV records, access to sysvol (added authenticated users to sysvol)
I have yet to figure out the reason for this issue. Has anyone seen anything like this before?
1. I checked the NIC, it only has one IP, and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback IP
2. This is a new DC and DNS server. I don't have old records yet. I also checked the DNS event logs. No errors
3. I made sure the member server is pointing only to the only DC/DNS server
4. Here is the output from the dcdiag.... everything passed except the NetLogons part. I'm not sure what it means or how to fix it yet:
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this computer from network" right.
[hostname] An net use or LsaPolicy operation failed with error 1, Incorrect function..
......................... hostname failed test NetLogons
Complete output:
> hostname
Server: hostname.domain.local
Address: X.X.X.95
> ^C
C:\Windows\system32>
C:\Windows\system32>nslookup
> set type=all
>
>
>
> _ldap._tcp.dc._msdcs.domainname
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = hostname.domain.local
hostname.domain.local internet address = X.X.X.95
> ^C
C:\Windows\system32>cd ..
C:\Windows>cd SYSVOL
C:\Windows\SYSVOL>cd sysvol
C:\Windows\SYSVOL\sysvol>dir
Volume in drive C has no label.
Volume Serial Number is F624-CDB2
Directory of C:\Windows\SYSVOL\sysvol
10/29/2014 08:25 PM <DIR> .
10/29/2014 08:25 PM <DIR> ..
10/29/2014 08:25 PM <JUNCTION> domain.local [C:\Windows\SYSVOL\domain]
0 File(s) 0 bytes
3 Dir(s) 63,971,037,184 bytes free
C:\Windows\SYSVOL\sysvol>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hostname
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\hostname
Starting test: Connectivity
......................... hostname passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\hostname
Starting test: Advertising
......................... hostname passed test Advertising
Starting test: FrsEvent
......................... hostname passed test FrsEvent
Starting test: DFSREvent
......................... hostname passed test DFSREvent
Starting test: SysVolCheck
......................... hostname passed test SysVolCheck
Starting test: KccEvent
......................... hostname passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... hostname passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... hostname passed test MachineAccount
Starting test: NCSecDesc
......................... hostname passed test NCSecDesc
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this computer from network" right.
[hostname] An net use or LsaPolicy operation failed with error 1, Incorrect function..
......................... hostname failed test NetLogons
Starting test: ObjectsReplicated
......................... hostname passed test ObjectsReplicated
Starting test: Replications
......................... hostname passed test Replications
Starting test: RidManager
......................... hostname passed test RidManager
Starting test: Services
......................... hostname passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/04/2015 18:23:06
Event String:
Name resolution for the name ctldl.windowsupdate.com timed out after
none of the configured DNS servers responded.
......................... hostname passed test SystemLog
Starting test: VerifyReferences
......................... hostname passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : emcdsm
Starting test: CheckSDRefDom
......................... emcdsm passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... emcdsm passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite
C:\Windows\SYSVOL\sysvol> -
How to do inbound and outbound interfacing using UTL_FILE?
dear members,
How can we do interfacing from a legacy system to oracle and vice versa using the UTL_FILE package. I mean how to do an INBOUND and OUTBOUND interfacing using utl_file.
regards
sandeep
Hi Sandeep,
I do not know if I got your question correct.
Here is my understanding of it, please correct me if I am wrong:
You want to read from and write to the OS from inside the DB? Right?
There are different ways to do so, depending on your Oracle version:
1. you can use the initialization parameter UTL_FILE_DIR to specify a directory on OS where you can read from and write to through the package UTL_FILE.
2. You can use a directory object in the DB to manage read write access to the OS. This is also usable with the package UTL_FILE as location where to read from and write to.
=> CREATE DIRECTORY my_dir AS '/home/oracle/my_directory';
GRANT read , write ON DIRECTORY my_dir TO scott;
SELECT * FROM dba_directories;
You need CREATE ANY DIRECTORY system privilege for this.
You can use directory objects also for external tables.
With these you can read from flat files in the directory on OS with a select statement as if it were a table inside the DB.
Does this go into the direction you were thinking of?
Hope it helps for the first.
Regards,
Lutz -
How to do an inbound and outbound interfacing using UTL_FILE ?
dear members,
How can we do interfacing from a legacy system to oracle and vice versa using the UTL_FILE package. I mean how to do an INBOUND and OUTBOUND interfacing using utl_file.
regards
sandeep
in/
    file/
    bad/
    done/
out/
    file/
    bad/
    done/
I would start by ftping / putting the file in the in/file/ folder, once ftp has completed move it to the complete/ folder and process the file. If errors are generated move the file over to the bad folder. If completed successfully move it over to the done folder.
Having said that you would use UTL_FILE_DIR init parameter to set your directory.
ALTER SYSTEM SET UTL_FILE_DIR='directory1','directory2' scope=spfile;
Then you would use the regular utl_file packages to read / write to the files.
UTL_FILE.FOPEN and so on. -
How to do IDOC debugging for both inbound and outbound
Hi
can somebody please help me on how to debug the idoc both inbound and outbound in SAP PI.
Regards
Blue
Hi,
Yes, I have checked but did not get any satisfactory answer.
Here is the solution:
Inbound:
WE19, give the IDoc #,
click on the inbound function module and select the radio button in the foreground,
check the check box "call in debug mode", this will enter the function module debugging.
Outbound:
Check BD73, give the IDoc # and execute
or
RSNASTED program and set the breakpoint there
Is this correct? I have not tested/checked yet.
Regards
Blue -
I have a problem, how can I solve it? I want to give permissions to groupA to edit the people picker and I want to restrict groupB from editing the people picker. What is the solution, boss? In an InfoPath form, is it possible?
Hi,
To hide/disable controls based on user group in an InfoPath form, a solution is that we can call User Profile Service to check the group of current user, then hide/disable specific controls by setting some rules in form.
Here is a demo with steps in details would be helpful to you:
http://blog.symprogress.com/2011/05/infopath-list-form-hidedisable-fields-based-on-sharepoint-group-membership/
More information about checking if a user is a member in a SharePoint group within web InfoPath 2010 forms:
http://www.hishamqaddomi.ca/spg/index.php/sharepoint-2010/infopath-2010/65-checking-if-a-user-is-a-member-in-a-sharepoint-group-within-web-infopath-2010-forms
Thanks
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected] -
Users cannot access removable devices after you enable and then disable a Group Policy setting on Windows 7 64 bit machines.
on the 32 bit machines I was able to apply this hotfix
http://support2.microsoft.com/kb/2738898
But it will not install on 64 bit machines.
Is there a hotfix for 64 bit? If not, what is the work around?
Thanks!
Robert
Select "Show hotfixes for all platforms and languages", then download x64 hotfix:
Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks. -
How to access the e-mails which are stored in different folders via Mac
Hi guys, I am new to Mac. My problem is about the setting of Mac Mail.
There are 8 folders with my hotmail account in order to automatically sort e-mail into folders. I only can get the e-mails of inbox folder via Mac Mail software. I am wondering how to access the other e-mails which are stored in other folders.
Thanks a lot!
I don't think that things have changed going from 10.5 Mail to 10.6 Mail in this regard (I need to log on to my laptop more often). So, assuming that my premise is correct, in the left hand column of the mail window, underneath your inbox, drafts, sent, trash, and junk mailboxes, there should be the descriptive name of your mail account, written in gray capital letters, with a gray triangle to the left of that name. If the gray triangle is pointing to the right, click on it so that it points downward. That will expand the account view of mailboxes on the server. You should be able to see all of the other folders.
-
How to access the apps server inside guest from host.
my setup is
windows 7 - host
OEL 5 - virtualbox guest
I have it set up with bridged networking with static IP 192.168.1.91.
My virtualbox guest is running oracle ebs 12. I can access from firefox inside the guest the url http://xt12:8000
I can ping the guest ip from host.
However when I try to open the url (http://192.168.1.91:8000) from Internet Explorer browser inside the host it does not open.
Appreciate any suggestion.
Thanks in advance.
-Kart
user12046749 wrote:
However when I try to open the url (http://192.168.1.91:8000) from Internet Explorer browser inside the host it does not open.
Appreciate any suggestion.
Check iptables inside the guest: a default Oracle Linux install has the firewall enabled, which will block inbound connections. -
How to access the Terminal Server on a Macintosh computer
Hi everyone,
Actually I have a Macintosh Computer OS X v.10.8.5
I have tried to access the Terminal Server with 2 methods:
1) The 1st method: I tried the application "Microsoft Remote Desktop client 2.1.1" but it doesn't work at all. It appears: "impossible to connect"
2) The 2nd method: I downloaded the application "Microsoft Remote Desktop app 8.0.3" from iTunes.
I filled all configurations but when I tried to connect, I had a black screen with "Connecting" in the middle of my screen and nothing else happened.
I need your help please, someone who uses an access to the Terminal Server on a Macintosh
(Computer OS X v.10.8.5 or later)
All suggestions are welcome
Thanks a lot
Minh VAN-TRAN
e-mail: [email protected]
What are you trying to remote desktop to? A Windows PC?
Are you able to ping the computer you are trying to connect to using RDP?
You can use the in-built network tools on OS X to Ping the target computer.
If you cannot ping the target then this could indicate either:
There is an incorrectly configured firewall on the target machine that isn't configured to allow incoming RDP
You don't have network access to the target machine.
If the target machine is Windows based Check the Remote options are as below:
Try to configure the connection properties using the target machines IP address rather than Hostname.
If you get just a blank screen, I have seen this in the past where that is the Mac struggling to resolve the target computer details, but this is over a VPN to my work place; reconnecting the VPN resolves this every time though. -
Which account should I use to set up Nokia 822 and...
Thank you in advance for your help.
I recently bought the Lumia 822 and set it up under my personal outlook.com account. I also have two Microsoft 365 Exchange accounts which I synchronized to the phone, in addition to a few gmail accounts used for different purposes.
I had no problem importing contacts using the Nokia data transfer from my iPhone 4, but had trouble with importing and continuing to synchronize the calendar. With the iPhone, my calendar and contacts were continuously synchronized with Outlook 2010 on my PC via iCloud and I could add appointments either place. With the Lumia, my calendar is not being synchronized on my macbook (using Office for Mac 2011) or iCal. I'm wondering if the problem there is that outlook.com accounts can only be added to the Mac as pop3 accounts, rather than exchange. Because of the inability to sync those accounts with my mac or iPad, I'm thinking I should reset my phone and use my business account as my Nokia/Microsoft account, since it is an exchange account through Microsoft 365. Do you think that would work? I didn't want to do that originally because my 365 account is a yearly license and expensive and I might choose not to renew one year and then be faced with losing everything I've put on my phone. Any ideas how I should set up my phone so that it syncs with all devices the way the iPhone did? I had an iphone weekly calendar app which allowed me to add appointments as work, home, for my son, etc. Very helpful. I'd like to be able to keep the same categories.
Another problem - all of my contacts are listed under People on the phone, but most of them are not accessible in my car. How can voice dial not access all my contacts? Or do you think that is a car issue and I should try to import my contacts again?
Finally, any idea where I can buy a second battery? The battery life is very poor (might be because I have so many email accounts, but most of them are set to either check manually or every two hours), despite my having read and followed the suggestions in this forum.
FYI, there are so many things I love about the phone - spellcheck almost as good as the BlackBerry, a screen I can see easily, the ability to use it with gloves on, the microsd card (still, I wish it came as a 32gb phone), the replaceable battery.
Thanks again for your help. I'm thinking I set my phone up wrong and that I should start from scratch using one of my other accounts. Ideally, I'd like to keep it under my outlook.com account, but not if I can't synchronize the calendar, etc.
When it rejects your email is it telling you that a snapfish account may exist? If so you may have to go to snapfish.com, and do a forgot password with that email. After that try logging in to eprintcenter with that information.
Jon-W
I work on behalf of HP
Please click “Accept as Solution ” on the post that solves your issue to help others find the solution.
Click the KUDOS STAR on the left to say “Thanks” for helping! -
Extreme slow login on Server 2008 R2 TS at Group Policy Preferences - Printers
I see references to this problem everywhere, going back to 2010. However I'm not finding any real answers.
I have Group Policy Preferences installing printers to Terminal Server Users. I have one policy that applies to 4 terminal servers. One of them is a 2008 R2, the others are 2003 x64. Only for the 2008 R2 server, after all of the printers
show (in event viewer) as successfully loaded, there is a long hang. I have many printers applied to me, and that results in my load time being the longest of all at about 3 minutes. I am an administrator on the machine. Others have the exact
same problem, just a bit less pronounced depending on the number of printers.
The policy preference is set to UPDATE, so it's not loading the driver... again, the printer is already successfully applied.
I've tried setting UAC to "Never" on the server. No effect. I've played with the Point and Print policy at both computer and user level, finally just setting both to disabled, but prior to that setting them to Enabled with the "do
not show warning" on both settings. No effect (which makes sense since that is for non-admins and I am having this problem as an admin).
My logging pasted below shows this same thing in all cases.
Is there an answer to this that I am just not finding?
2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Filters passed.
2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Adding child elements to RSOP.
2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Set user security context.
2013-12-06 09:11:44.289 [pid=0x388,tid=0xca0] Set system security context.
2013-12-06 09:14:13.873 [pid=0x388,tid=0xca0] Set user security context.
2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Set system security context.
2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Properties handled.
2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] RunOnce value created [SUCCEEDED(S_FALSE)]
Hi,
Based on your description, I want to confirm whether we have used Item-level Targeting of GPP for printer deploying.
GP Preferences settings that use Item-Level Targeting (ILT) are not inherently harmful. However, certain kinds of Item Level Targeting queries can take more time to run.
Regarding this issue, the following article can be referred to for more information and the hotfix in the article can be downloaded to fix the issue.
You experience a long domain logon time in Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
http://support.microsoft.com/kb/2561285/en-us
In addition, regarding group policy and logon impact, the following article can be referred to for more information.
Group Policy and Logon Impact
http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx
Best regards,
Frank Shen -
How to deploy 9.3.2 incremental patch (msp) over group policy
Hello to all,
I have deployed Reader 9.3.1 via group policy in windows (software installation package).
It was installed on all clients successfully.
Now that 9.3.2 msp file came out i need to distribute the new incremental patch to all hosts in the domain.
I wanted to slipstream the 9.3.2 msp update into the 9.3.1 msi,so i tried the following command:
msiexec /a AdbeRdr931_en_us.msi /p AdbeRdrUpd932_all_incr.msp
I also tried msiexec /a AdbeRdr930_en_us.msi /p AdbeRdrUpd932_all_incr.msp supposing that it needs the 9.3.0 initial package to work.
But the following error comes out in both commands:
The upgrade patch cannot be installed by the windows installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch.
What could be wrong?
What is the recommended way to deploy an incremental patch msp file to an already deployed earlier version?
I used this MSIEXEC.exe command this morning via a GPO and installed on both 9.3.0 & 9.3.1
MSIEXEC.EXE /update \\xxxxxxx\xxx\adobereader932\adberdrupd932_all_incr.msp /quiet
This must be put in the login script under the Computer system in the GPO.
I just used Notepad and created a *.bat file, yes not good as a *.MSI but it works. -
How To access MS SQL Server 2000 in Linux
I have a MS SQL Server 2000 on Windows2000,
For some special reasons, I need to write a JAVA
program running on Linux which can access data
in MS SQL Server.... How do I code????
You should be able to do it, but I think you'll need to use a third party JDBC driver.
I've used a driver from http://www.jturbo.com and another from http://www.inetsoftware.de/ , and if my memory is correct both worked quite well. You can search for other 3rd party drivers here: http://industry.java.sun.com/products/jdbc/drivers
Good luck.