How to access a domain server which is targeted by Group Policy set to block Inbound and Outbound connections

Hi,
I have a practice lab with two physical servers 2012 R2, one of them is Hyper-V host and one of VMs is a domain controller. I was doing some exercises with firewall rule deployment through Group Policy, so I created an outbound rule to block port 80 which
was targeted to Domain Computers. Now my other physical server has inbound and outbound connections set to block and domain controller cannot be contacted to update policy ( with rule removed ). At least that is my understanding. Maybe I messed up something
with the profiles too, because port 80 would not have blocked all outbound traffic, or?
I am new to IT so my understanding is still poor.
Best
Robert

Hi Robert,
If we block inbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
If we block outbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
If we block outbound TCP port 80, it will mean all websites will be unreachable, for TCP port 80 is for HTTP.
Regarding Windows firewall security settings, the following article can be referred to for more information.
Windows Firewall with Advanced Security Properties Page
http://technet.microsoft.com/en-us/library/cc753002.aspx
Best regards,
Frank Shen
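As an added example (not code from the thread or from Microsoft's article): a PowerShell audit for Windows Server 2012 R2 that reads the effective, GPO-merged firewall state Frank describes, so you can tell a profile default of "Block" apart from the port-80 rule and see whether the domain controller is still reachable. The DC name 'DC01.domain.local' is a placeholder.

```powershell
# Added example: audit the effective Windows Firewall state on a domain member.
# Run in an elevated PowerShell on the locked-out server (NetSecurity module, 2012 R2+).

# 1. Profile default actions from the ActiveStore, i.e. after Group Policy and local
#    policy are merged. "Block" here is exactly what Frank describes: any connection
#    without an explicit allow rule is dropped.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowLocalFirewallRules |
    Format-Table -AutoSize

# 2. The same settings from the PersistentStore (local configuration only). A value that
#    differs between the two stores was delivered by Group Policy and cannot be changed
#    locally; it has to be fixed in the GPO and then refreshed with gpupdate.
Get-NetFirewallProfile -PolicyStore PersistentStore |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. Every enabled outbound Block rule for TCP 80, with the store it came from.
#    PolicyStoreSourceType = GroupPolicy identifies a rule pushed by a GPO.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Action Block -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.RemotePort -contains '80'
    } |
    Select-Object DisplayName, Profile, PolicyStoreSource, PolicyStoreSourceType |
    Format-Table -AutoSize

# 4. Can this host still reach the domain controller on the ports gpupdate needs
#    (LDAP 389, SMB 445 for SYSVOL)? A failure here, with a profile default of Block
#    and no matching allow rule, explains why the policy never refreshes.
foreach ($port in 389, 445) {
    Test-NetConnection -ComputerName 'DC01.domain.local' -Port $port |   # placeholder DC
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```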

Similar Messages

  • How to access the SAP Server Console? Through VPN

    How to access the SAP Server Console? Through VPN
    Sudhakar

    Hi,
You need to contact your system admin as they will enable the port in your system so that you can access client servers. It should also be allowed from client side also, I mean access.
    You will connect thru weblink with user name and pw and SAP with logon details.
    Thanks
    Suresh

  • The processing of Group Policy failed because of lack of network connectivity to a domain controller

We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with secondary zone. The problem is that none of the machines in the domain are getting GPO.
    When I run a gpupdate /force from a machine, I get the following output:
    "Updating Policy...
    User Policy update has completed successfully.
    Computer policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."
    While the system event log outputs the following:
    "The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy
    has successfully processed. If you do not see a success message for several hours, then contact your administrator."
    All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other, so I don't understand how the error can be resolved.
    Here are few things I have tried:
    1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
    2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
    3. Enabled the following  two local Group policies on a test member:
    GP slow link detection
    Startup policy processing wait time
    4. Modified firewall to allow everything on both member and DC
    5. Verified DNS logs, SRV records, access to sysvol ( added authenticated users to sysvol)
    I have yet to figure out the reason for this issue. Has anyone seen anything like this before?

    1. I checked the NIC, it only has one IP, and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback IP.
    2. This is a new DC and DNS server. I don't have old records yet. I also checked the DNS event logs. No errors.
    3. I made sure the member server is pointing only to the only DC/DNS server.
    4. Here is the output from the dcdiag.... everything passed except the NetLogons part. I'm not sure what that means or how to fix it yet:
          Starting test: NetLogons
             * Warning BUILTIN\Administrators did not have the "Access this
             computer
             "*   from network" right.
             [hostname] An net use or LsaPolicy operation failed with error
             1, Incorrect function..
             ......................... hostname failed test NetLogons
    Complete output:
    > hostname
    Server:  hostname.domain.local
    Address:  X.X.X.95
    > ^C
    C:\Windows\system32>
    C:\Windows\system32>nslookup
    > set type=all
    >
    >
    >
    > _ldap._tcp.dc._msdcs.domainname
    _ldap._tcp.dc._msdcs.domain.local SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = hostname.domain.local
    hostname.domain.local      internet address = X.X.X.95
    > ^C
    C:\Windows\system32>cd ..
    C:\Windows>cd SYSVOL
    C:\Windows\SYSVOL>cd sysvol
    C:\Windows\SYSVOL\sysvol>dir
     Volume in drive C has no label.
     Volume Serial Number is F624-CDB2
     Directory of C:\Windows\SYSVOL\sysvol
    10/29/2014  08:25 PM    <DIR>          .
    10/29/2014  08:25 PM    <DIR>          ..
    10/29/2014  08:25 PM    <JUNCTION>     domain.local [C:\Windows\SYSVOL\domain]
                   0 File(s)              0 bytes
                   3 Dir(s)  63,971,037,184 bytes free
    C:\Windows\SYSVOL\sysvol>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = hostname
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\hostname
          Starting test: Connectivity
             ......................... hostname passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\hostname
          Starting test: Advertising
             ......................... hostname passed test Advertising
          Starting test: FrsEvent
             ......................... hostname passed test FrsEvent
          Starting test: DFSREvent
             ......................... hostname passed test DFSREvent
          Starting test: SysVolCheck
             ......................... hostname passed test SysVolCheck
          Starting test: KccEvent
             ......................... hostname passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... hostname passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... hostname passed test MachineAccount
          Starting test: NCSecDesc
             ......................... hostname passed test NCSecDesc
          Starting test: NetLogons
             * Warning BUILTIN\Administrators did not have the "Access this
             computer
             "*   from network" right.
             [hostname] An net use or LsaPolicy operation failed with error
             1, Incorrect function..
             ......................... hostname failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... hostname passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... hostname passed test Replications
          Starting test: RidManager
             ......................... hostname passed test RidManager
          Starting test: Services
             ......................... hostname passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 03/04/2015   18:23:06
                Event String:
                Name resolution for the name ctldl.windowsupdate.com timed out after
     none of the configured DNS servers responded.
             ......................... hostname passed test SystemLog
          Starting test: VerifyReferences
             ......................... hostname passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : emcdsm
          Starting test: CheckSDRefDom
             ......................... emcdsm passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... emcdsm passed test CrossRefValidation
       Running enterprise tests on : domain.local
          Starting test: LocatorCheck
             ......................... domain.local passed test LocatorCheck
          Starting test: Intersite
             ......................... domain.local passed test Intersite
    C:\Windows\SYSVOL\sysvol>
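As an added example (not part of the thread): a PowerShell check, run on the DC, for the two things the output above points at: the _ldap._tcp.dc._msdcs SRV record the poster queried with nslookup, and the "Access this computer from the network" right (SeNetworkLogonRight) that the NetLogons test warns BUILTIN\Administrators is missing. 'domain.local' is the placeholder domain name from the post.

```powershell
# Added example: verify the DC locator record and the SeNetworkLogonRight holders.
# Run in an elevated PowerShell on the DC (Windows Server 2012 R2 or later).
$domain = 'domain.local'   # placeholder, as in the post

# 1. The DC locator SRV record. Resolve-DnsName returns one SRV entry per DC that
#    registered itself; no entries means domain members cannot locate a DC via DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' |
    Select-Object Name, NameTarget, Port, Priority, Weight |
    Format-Table -AutoSize

# 2. secedit exports the effective local security policy to an INF file; the
#    [Privilege Rights] section lists, per right, the SIDs that hold it.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
$holders = if ($line) {
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
} else { @() }   # right not listed at all: nobody holds it

# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators, S-1-5-11 = Authenticated Users.
# Both are granted this right on domain controllers by default.
$expected = @{ '*S-1-5-32-544' = 'BUILTIN\Administrators'; '*S-1-5-11' = 'Authenticated Users' }
foreach ($sid in $expected.Keys) {
    $state = if ($holders -contains $sid) { 'present' } else { 'MISSING' }
    '{0,-25} {1}' -f $expected[$sid], $state
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

On a DC this right is normally set by the Default Domain Controllers Policy, so a MISSING result points at that GPO (or one overriding it) rather than at the local policy.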

  • How to do inbound and outbound interfacing using UTL_FILE?

    dear members,
    How can we do interfacing from a legacy system to oracle and vice versa using the UTL_FILE package. I mean how to do an INBOUND and OUTBOUND interfacing using utl_file.
    regards
    sandeep

    Hi Sandeep,
    I do not know if I got your question correct.
    Here is my understanding of it, pls correct me if I am wrong:
    You want to read from and write to the OS from inside the DB? Right?
    There are different ways to do so, depending on your Oracle version:
    1. you can use the initialization parameter UTL_FILE_DIR to specify a directory on OS where you can read from and write to through the package UTL_FILE.
    2. You can use a directory object in the DB to manage read write access to the OS. This is also usable with the package UTL_FILE as location where to read from and write to.
    => CREATE DIRECTORY my_dir AS '/home/oracle/my_directory';
    GRANT read , write ON DIRECTORY my_dir TO scott;
    SELECT * FROM dba_directories;
    You need CREATE ANY DIRECTORY system privilege for this.
    You can use directory objects also for external tables.
    With these you can read from flat files in the directory on OS with a select statement as if it were a table inside the DB.
    Does this go into the direction you were thinking of?
    Hope it helps for the first.
    Regards,
    Lutz

  • How to do an inbound and outbound interfacing using UTL_FILE ?

    dear members,
    How can we do interfacing from a legacy system to oracle and vice versa using the UTL_FILE package. I mean how to do an INBOUND and OUTBOUND interfacing using utl_file.
    regards
    sandeep

    in/
        file/
        bad/
        done/
    out/
        file/
        bad/
        done/
    I would start by ftping / putting the file in in/file/ folder, once ftp has completed move it to complete/ folder and process the file. If errors are generated move the file over to bad folder. If completed successfully move over to done folder.
    Having said that you would use UTL_FILE_DIR init parameter to set your directory.
    ALTER SYSTEM SET UTL_FILE_DIR='directory1','directory2' scope=spfile;
    Then you would use the regular utl_file packages to read / write to the files.
    UTL_FILE.FOPEN and so on.

  • How to do IDOC debugging for both inbound and outbound

    Hi
    can somebody please help me on how to debug the idoc both inbound and outbound in SAP PI.
    Regards
    Blue

    Hi,
    Yes, i have checked but did not get any satisfactory answer.
    here is the solution:
    Inbound:
    We19, Give the idoc #,
    click on the inbound functional module and select the radio button in the fore ground
    check the check box call in debug mode, this will enter in the functional module debugging.
    Outbound:
    Check BD73, give the idoc # and execute
    or
    RSNASTED program and set the breakpoint there
    is this correct, i have not tested/ checked yet.
    Regards
    Blue

  • I have a problem how can I solve it I want give permissions to groupA to edit the people picker and I want to restrict groupB to edit the people picker what is the solution boss.. in InfoPath form is it possible..

     i have  a problem how can I solve it I want give permissions to groupA to edit the people picker and I want to restrict groupB to edit the people picker what is the solution boss.. in InfoPath form is it possible..

    Hi,
    To hide/disable controls based on user group in an InfoPath form, a solution is that we can call User Profile Service to check the group of current user, then hide/disable
    specific controls by setting some rules in form.
    Here is a demo with steps in details would be helpful to you:
    http://blog.symprogress.com/2011/05/infopath-list-form-hidedisable-fields-based-on-sharepoint-group-membership/
    More information about checking if a user is a member in a SharePoint group within web InfoPath 2010 forms:
    http://www.hishamqaddomi.ca/spg/index.php/sharepoint-2010/infopath-2010/65-checking-if-a-user-is-a-member-in-a-sharepoint-group-within-web-infopath-2010-forms
    Thanks 
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows 7 64 Bit

    Users cannot access removable devices after you enable and then disable a Group Policy setting on Windows 7 64 bit machines.
    on the 32 bit machines I was able to apply this hotfix
    http://support2.microsoft.com/kb/2738898
    But it will not install on 64 bit machines. 
    Is there a hotfix for 64 bit?  If not, what is the work around?
    Thanks!
    Robert

    Select "Show hotfixes for all platforms and languages", then download x64 hotfix:
    Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

  • How to access the e-mails which are stored in different folders via Mac

    Hi guys, I am new to Mac. My problem is about the setting of Mac Mail.
    There are 8 folders with my hotmail account in order to automatically sort e-mail into folders. I only can get the e-mails of inbox folder via Mac Mail software. I am wondering how to access the other e-mails which are stored in other folders.
    Thanks a lot!

    I don't think that things have changed going from 10.5 Mail to 10.6 Mail in this regard (I need to log on to my laptop more often). So, assuming that my premise is correct, in the left hand column of the mail window, underneath your inbox, drafts, sent, trash, and junk mailboxes, there should be the descriptive name of your mail account, written in gray capital letters, with a gray triangle to the left of that name. If the gray triangle is pointing to the right, click on it so that it points downward. That will expand the account view of mailboxes on the server. You should be able to see all of the other folders.

  • How to access the apps server inside guest  from host.

    my setup is
    windows 7 - host
    OEL 5 - virtualbox guest
    i have it setup with bridged networking with static IP 192.168.1.91.
    my virtualbox guest is running oracle ebs 12. i can access from firefox inside the guest the url http://xt12:8000
    i can ping the guest ip from host .
    however when i try to open the url(http://192.168.1.91:8000) from Internet Explorer browser inside the host it do not open.
    appreciate any suggestion.
    thanks in advance.
    -Kart

    user12046749 wrote:
    however when i try to open the url(http://192.168.1.91:8000) from Internet Explorer browser inside the host it do not open.
    appreciate any suggestion.

    Check iptables inside the guest: a default Oracle Linux install has the firewall enabled, which will block inbound connections.

  • How to access the Terminal Server on a Macintosh computer

    Hi everyone,
    Actually i have a Macintosh Computer Os X v.10.8.5
    i have tried to access the Terminal Server with 2 methods:
    1) The 1st method: i tried the application: "Microsoft Remote Desktop client 2.1.1" but it doesn't work at all. It appears: "impossible to connect"
    2) The 2nd method: i downloaded the application "Microsoft Remote Desktop app 8.0.3" from itunes.
    I filled all configurations but when i tried to connect, i had a black screen with "Connecting" in the middle of my screen and nothing else happened.
    I need your help please, someone who use an access the Terminal Server on a Macintosh
    (Computer Os X v.10.8.5 or later)
    All suggestions are welcome
    Thanks a lot
    Minh VAN-TRAN
    e-mail: [email protected]

    What are you trying to remote desktop to? A Windows PC?
    Are you able to ping the computer you are trying to connect to using RDP?
    You can use the in-built network tools on OS X to Ping the target computer.
    If you cannot ping the target then this could indicate either:
    There is an incorrectly configured firewall on the target machine that isn't configured to allow incoming RDP
    You don't have network access to the target machine.
    If the target machine is Windows based Check the Remote options are as below:
    Try to configure the connection properties using the target machines IP address rather than Hostname.
    If you get just a blank screen i have seen this in the past where that is the mac struggling to resolve the target computer details but this is over a VPN to my work place, reconnecting the VPN resolves this every time though.

  • Which account should I use to set up Nokia 822 and...

    Thank you in advance for your help.  
    I recently bought the Lumia 822 and set it up under my personal outlook.com account.  I also have two Microsoft 365 Exchange accounts which I synchronized to the phone, in addition to a few gmail accounts used for different purposes.  
    I had no problem importing contacts using the Nokia data transfer from my iPhone 4, but had trouble with importing and continuing to synchronize the calendar.  With the iPhone, my calendar and contacts were continuously synchronized with Outlook 2010 on my PC via iCloud and I could add appointments either place.  With the Lumia, my calendar is not being synchronized on my macbook (using Office for Mac 2011) or iCal.  I'm wondering if the problem there is that outlook.com accounts can only be added to the Mac as pop3 accounts, rather than exchange.  Because of the inability to sync those accounts with my mac or iPad, I'm thinking I should reset my phone and use my business account as my Nokia/Microsoft account, since it is an exchange account through Microsoft 365.  Do you think that would work?  I didn't want to do that originally because my 365 account is a yearly license and expensive and I might choose not to renew one year and then be faced with losing everything I've put on my phone.  Any ideas how I should set up my phone so that it syncs with all devices the way the iPhone did?  I had an iphone weekly calendar app which allowed me to add appointments as work, home, for my son, etc.  Very helpful.  I'd like to be able to keep the same categories.
    Another problem - all of my contacts are listed under People on the phone, but most of them are not accessible in my car.  How can voice dial not access all my contacts?  Or do you think that is a car issue and I should try to import my contacts again?
    Finally, any idea where I can buy a  second battery?  The battery life is very poor (might because I have so many email accounts, but most of them are set to either check manually or every two hours), despite my having read and followed the suggestions in this forum.  
    FYI, there are so many things I love about the phone - spellcheck almost as good as the BlackBerry, a screen I can see easily, the ability to use it with gloves on, the microsd card (still, I wish it came as a 32gb phone), the replaceable battery.
    Thanks again for your help.  I'm thinking I set my phone up wrong and that I should start with scratch using one of my other accounts.  Ideally, I'd like to keep it under my outlook.com account, but not if I can't synchronize the calendar, etc.

    When it rejects your email is it telling you that a snapfish account may exist? If so you may have to go to snapfish.com, and do a forgot password with that email. After that try logging in to eprintcenter with that information.
    Jon-W
    I work on behalf of HP
    Please click “Accept as Solution ” on the post that solves your issue to help others find the solution.
    Click the KUDOS STAR on the left to say “Thanks” for helping!

  • Extreme slow login on Server 2008 R2 TS at Group Policy Preferences - Printers

    I see references to this problem everywhere, going back to 2010.  However I'm not finding any real answers.
    I have Group Policy Preferences installing printers to Terminal Server Users.  I have one policy that applies to 4 terminal servers.  One of them is a 2008 R2, the others are 2003 x64.  Only for the 2008 R2 server, after all of the printers
    show (in event viewer) as successfully loaded, there is a long hang.  I have many printers applied to me, and that results in my load time being the longest of all at about 3 minutes.  I am an administrator on the machine.  Others have the exact
    same problem, just a bit less pronounced depending on the number of printers. 
    The policy preference is set to UPDATE, so it's not loading the driver... again, the printer is already successfully applied.
    I've tried setting UAC to "Never" on the server.  No effect.  I've played with the Point and Print policy at both computer and user level, finally just setting both to disabled, but prior to that setting them to Enabled with the "do
    not show warning" on both settings.  No effect (which makes sense since that is for non-admins and I am having this problem as an admin).
    My logging pasted below shows this same thing in all cases.
    Is there an answer to this that I am just not finding?
    2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Filters passed.
    2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Adding child elements to RSOP.
    2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Set user security context.
    2013-12-06 09:11:44.289 [pid=0x388,tid=0xca0] Set system security context.
    2013-12-06 09:14:13.873 [pid=0x388,tid=0xca0] Set user security context.
    2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Set system security context.
    2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Properties handled.
    2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] RunOnce value created [SUCCEEDED(S_FALSE)]

    Hi,
    Based on your description, I want to confirm whether we have used Item-level Targeting of GPP for printer deploying.
    GP Preferences settings that use Item- Level Targeting (ILT) are not inherently harmful. However, certain kinds of Item Level Targeting queries can
    take more time to run.
    Regarding this issue, the following article can be referred to for more information and the hotfix in the article can be downloaded to fix the issue.
    You experience a long domain logon time in Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 after you deploy Group Policy preferences
    to the computer
    http://support.microsoft.com/kb/2561285/en-us
    In addition, regarding group policy and logon impact, the following article can be referred to for more information.
    Group Policy and Logon Impact
    http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx
    Best regards,
    Frank Shen

  • How to deploy 9.3.2 incremental patch (msp) over group policy

    Hello to all,
    i have deployed Reader 9.3.1 via group policy in windows (software installation package).
    It was installed on all clients successfully.
    Now that 9.3.2 msp file came out i need to distribute the new incremental patch to all hosts in the domain.
    I wanted to slipstream the 9.3.2 msp update into the 9.3.1 msi,so i tried the following command:
    msiexec /a AdbeRdr931_en_us.msi /p AdbeRdrUpd932_all_incr.msp
    I also tried msiexec /a AdbeRdr930_en_us.msi /p AdbeRdrUpd932_all_incr.msp supposing that it needs the 9.3.0 initial package to work.
    But the following error comes out in both commands:
    The upgrade patch cannot be installed by the windows installer service  because the program to be upgraded may be missing, or the upgrade patch  may update a different version of the program.  Verify that the program  to be upgraded exists on your computer and that you have the correct  upgrade patch.
    What could be wrong?
    What is the recommended way to deploy an incremental patch msp file to an already deployed earlier version?

    I used this MSIEXEC.exe command this morning VIA a GPO and installed on both 9.3.0 &
    9.3.1
    MSIEXEC.EXE /update \\xxxxxxx\xxx\adobereader932\adberdrupd932_all_incr.msp /quiet
    This must be put in the login script under the Computer system in the GPO.
    I just used Notepad and created a *.bat file, yes not good as a *.MSI but it works.

  • How To access MS SQL Server 2000 in Linux

    I have a MS SQL Server 2000 on Windows2000,
    For some special reasons, I need to write a JAVA
    Program running on Linux which can access data
    in MS SQL Server....How do I code this?

    You should be able to it, but I think you'll need to use a third party JDBC driver.
    I've used a driver from http://www.jturbo.com and another from http://www.inetsoftware.de/ , and if my memory is correct both worked quite well. You can search for other 3rd party drivers here: http://industry.java.sun.com/products/jdbc/drivers
    Good luck.
