Cannot add PC to Domain
I added those ports to the Checkpoint FW and added my XP as source and DC as destination, but it is still giving me this:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
The domain name tlv might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain tlv:
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.0.0.1
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
For more information on how to correct this problem, click Help.
eternals81
July 4th, 2012 11:47am
Those ports:
135/TCP RPC
389/TCP/UDP LDAP
636/TCP LDAP SSL
3268/TCP LDAP GC
3269/TCP LDAP GC SSL
53/TCP/UDP DNS
88/TCP/UDP Kerberos
445/TCP SMB
from: http://www.petri.co.il/forums/showthread.php?t=37062
please help!
eternals81
July 4th, 2012 11:49am
Why not ask Checkpoint?
Bill
July 4th, 2012 11:54pm
Because Checkpoint does not have a good forum, and they have never answered any of my questions.
eternals81
July 5th, 2012 12:10pm
Can you turn on complete logging on the Checkpoint firewall to see which packets go through the firewall and which packets are dropped?
Like logging debug - I am writing now in "Cisco routers and ASA" language...
Matjaz
July 10th, 2012 4:26am
You mean in the Monitor or Track view, not in the Dashboard, right?
10x.
eternals81
July 13th, 2012 2:52am
Please read KB832017. NetLogon needs UDP ports 137, 138 (NetBIOS), TCP ports 139, 445 and arbitrary TCP ports in the range 1024-65535 (2000, XP, 2003) or 49152-65535 (Vista, Seven, 2008).
You had the error "timeout period expired" when your PC tried to resolve the "SRV record for
_ldap._tcp.dc._msdcs.tlv". This means the firewall blocked DNS traffic (from your PC with an arbitrary high UDP port to DNS with UDP/53) and/or the reverse: from DNS with UDP/53 to your PC with an arbitrary high UDP port.
July 17th, 2012 11:37pm
Thanks for the reply, but it still does not work, just with another message:
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain tlv.local:
The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv.local
The following domain controllers were identified by the query:
dc03.tlv.local
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
For information about correcting this problem, click Help.
eternals81
July 18th, 2012 11:22am
And I did add the new ports to R70 as you told me to.
(NetLogon needs UDP ports 137, 138 (NetBIOS), TCP ports 139, 445 and arbitrary TCP ports in the range 1024-65535 (2000, XP, 2003) or 49152-65535 (Vista, Seven, 2008).)
eternals81
July 18th, 2012 11:25am
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain tlv.local:
The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv.local
The following domain controllers were identified by the query:
dc03.tlv.local
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
OK. This is good. Your PC was able to get the info about the DC (domain controller) from DNS. Now you must enable the connection between your PC and the computer dc03.tlv.local on your firewall.
PS. Please check the IP address of the computer dc03.tlv.local with NSLOOKUP.EXE on your PC.
July 19th, 2012 2:34am
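The two error messages in this thread are the two outcomes of the DC Locator DNS step: first the SRV query for `_ldap._tcp.dc._msdcs.<domain>` timed out, then it succeeded and returned dc03.tlv.local but the join still failed, which is why the reply above asks for an nslookup of that host. The following is an added example, not code from the thread or from Microsoft: it builds the SRV query a member sends, and parses a server reply that is constructed in the script itself (no network is used). The DC address 10.0.1.3, the TTLs and the transaction id are assumptions.

```python
"""Offline demonstration of the DC Locator DNS step the error message describes:
ask DNS for the SRV record _ldap._tcp.dc._msdcs.<domain>, then resolve the
returned host (dc03.tlv.local) to an address.

Added example, not code from the thread. The DNS server reply is constructed
here (no network is used); the DC address 10.0.1.3 and the TTLs are assumptions.
"""
import struct

SRV, A, IN = 33, 1, 1
DC_LOCATOR_NAME = "_ldap._tcp.dc._msdcs.tlv.local"


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """The query a domain member sends: header (RD set, 1 question) + QNAME/SRV/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 14-bit offset of the rest of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Walk header, question and all resource records; keep SRV and A data."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    result = {"txid": txid, "rcode": flags & 0xF, "srv": [], "a": {}}
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            result["srv"].append({"target": target, "port": port, "priority": prio, "weight": weight})
        elif rtype == A:
            result["a"][owner] = ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return result


def build_response(query_name, targets, glue, txid=0x1234):
    """Constructed server reply: one SRV answer per target, plus optional A glue records."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(targets), 0, len(glue))
    msg += encode_name(query_name) + struct.pack("!HH", SRV, IN)
    for prio, weight, port, target in targets:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata  # owner = pointer to QNAME
    for host, ip in glue.items():
        msg += encode_name(host) + struct.pack("!HHIH", A, IN, 3600, 4) + bytes(int(x) for x in ip.split("."))
    return msg


def locate_dc(response):
    """Mimic the two DC Locator outcomes seen in the thread: no SRV at all, or an SRV
    answer without a usable A record for the named controller."""
    p = parse_response(response)
    if p["rcode"] != 0 or not p["srv"]:
        return {"status": "srv-lookup-failed", "dcs": []}
    dcs = [(r["target"], r["port"], p["a"].get(r["target"]))
           for r in sorted(p["srv"], key=lambda r: (r["priority"], -r["weight"]))]
    status = "ok" if all(ip for _, _, ip in dcs) else "srv-ok-missing-a"
    return {"status": status, "dcs": dcs}


if __name__ == "__main__":
    print("query :", build_srv_query(DC_LOCATOR_NAME).hex())
    good = build_response(DC_LOCATOR_NAME, [(0, 100, 389, "dc03.tlv.local")], {"dc03.tlv.local": "10.0.1.3"})
    print("with glue    :", locate_dc(good))
    no_glue = build_response(DC_LOCATOR_NAME, [(0, 100, 389, "dc03.tlv.local")], {})
    print("without glue :", locate_dc(no_glue))   # the client must now resolve dc03.tlv.local itself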
By connection you mean ping (ICMP)? If so, then it is enabled. I will check the nslookup and I will let you know.
10x man.
eternals81
July 19th, 2012 11:37am
Here you go, sir:
eternals81
July 19th, 2012 1:39pm
By connection you mean ping(icmp)?
No. Ping may be permitted, but the UDP and/or TCP may not be. You must check the firewall rules.
July 19th, 2012 11:14pm
Here are my rules:
Is something wrong with my rules?
eternals81
July 20th, 2012 2:35am
Log when I am trying to add the PC to the DC:
eternals81
July 20th, 2012 2:47am
And after a few minutes there is the same log, just with source port=1124.
eternals81
July 20th, 2012 3:00am
Is something wrong with my rules?
Yes. You permitted traffic from DMZ to DMZ and from LAN to LAN. You must permit traffic from LAN to DMZ and (probably) from DMZ to LAN in rule 2.
July 20th, 2012 7:04am
And now I did as you said and even installed the policy after the change, but it is still not working, sir.
eternals81
July 20th, 2012 7:27am
Please look in the log file of your firewall for which kind of traffic between your client and your DC is blocked by the DENY_ANY rule, then add this to the rule "Join To Domain".
July 23rd, 2012 7:51am
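The advice above, read the drops by the cleanup rule and turn them into entries for the "Join To Domain" rule, is mechanical enough to script. The following is an added example, not code from the thread or from Check Point: the log lines are constructed to resemble a SmartView Tracker export, and the field names (rule, src, dst, proto, s_port, service), the client 10.0.0.50 on the LAN and the DC 10.0.1.3 in the DMZ are all assumptions. The port table is the thread's own list plus the NetBIOS and RPC dynamic ranges quoted from KB832017; the client OS matters because an XP client uses 1024-65535 while Vista and later use 49152-65535, so a drop on TCP/1025 is expected RPC traffic for XP but something to investigate for a newer client. Flows are matched in either direction, since the reply above notes the DMZ-to-LAN direction may be needed too.

```python
"""Work out which services a domain join still needs from a Checkpoint-style drop log.

Added example, not from the thread. SAMPLE_LOG is constructed to resemble a
SmartView Tracker export; the field names and the hosts (client 10.0.0.50 on
the LAN, dc03.tlv.local at 10.0.1.3 in the DMZ) are assumptions.
"""
import re

SAMPLE_LOG = """\
20Jul2012 2:47:12 accept rule=1 src=10.0.0.50 dst=10.0.1.3 proto=icmp service=echo-request
20Jul2012 2:47:13 accept rule=2 src=10.0.0.50 dst=10.0.1.3 proto=udp s_port=1031 service=53
20Jul2012 2:47:13 drop rule=DENY_ANY src=10.0.0.50 dst=10.0.1.3 proto=udp s_port=1032 service=88
20Jul2012 2:47:14 drop rule=DENY_ANY src=10.0.0.50 dst=10.0.1.3 proto=tcp s_port=1124 service=445
20Jul2012 2:47:14 drop rule=DENY_ANY src=10.0.0.50 dst=10.0.1.3 proto=tcp s_port=1125 service=135
20Jul2012 2:47:15 drop rule=DENY_ANY src=10.0.0.50 dst=10.0.1.3 proto=tcp s_port=1126 service=1025
20Jul2012 2:47:15 drop rule=DENY_ANY src=10.0.0.50 dst=10.0.1.3 proto=udp s_port=137 service=137
20Jul2012 2:47:16 drop rule=DENY_ANY src=10.0.0.50 dst=10.0.1.3 proto=tcp s_port=1127 service=389
20Jul2012 2:47:20 drop rule=DENY_ANY src=10.0.0.77 dst=10.0.1.3 proto=tcp s_port=2200 service=445
20Jul2012 2:47:21 drop rule=3 src=10.0.0.50 dst=10.0.1.3 proto=tcp s_port=1128 service=23
"""

# Fixed ports from the thread's list (petri.co.il) and KB832017, keyed by (proto, port).
AD_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session", ("tcp", 445): "SMB",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 636): "LDAP SSL",
    ("tcp", 3268): "LDAP GC", ("tcp", 3269): "LDAP GC SSL",
}
# RPC dynamic TCP range depends on the client OS (KB832017).
RPC_DYNAMIC = {"xp": (1024, 65535), "vista": (49152, 65535)}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """One dict per line: the action is the third whitespace token, the rest is key=value."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {"action": line.split()[2]}
        rec.update(FIELD_RE.findall(line))
        records.append(rec)
    return records


def classify(proto, port, client_os="xp"):
    """Name the AD service behind a destination port as (proto, port-or-range, name), or None."""
    if (proto, port) in AD_PORTS:
        return (proto, str(port), AD_PORTS[(proto, port)])
    lo, hi = RPC_DYNAMIC[client_os]
    if proto == "tcp" and lo <= port <= hi:
        return (proto, f"{lo}-{hi}", "RPC dynamic (NetLogon etc.)")
    return None


def blocked_by_cleanup(records, client, dc, deny_rule="DENY_ANY"):
    """Flows between client and DC, in either direction, dropped by the cleanup rule."""
    return [r for r in records
            if r["action"] == "drop" and r.get("rule") == deny_rule
            and {r["src"], r["dst"]} == {client, dc}]


def missing_services(records, client, dc, client_os="xp", deny_rule="DENY_ANY"):
    """Distinct services to add to the 'Join To Domain' rule, plus drops that are not AD ports."""
    needed, unknown = {}, []
    for r in blocked_by_cleanup(records, client, dc, deny_rule):
        svc = classify(r["proto"], int(r["service"]), client_os) if r["proto"] in ("tcp", "udp") else None
        if svc is None:
            unknown.append(r)        # not an AD port for this OS: investigate, do not blindly permit
        else:
            needed[svc] = True
    return list(needed), unknown


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    needed, unknown = missing_services(recs, "10.0.0.50", "10.0.1.3", client_os="xp")
    for proto, port, name in needed:
        print(f"add to 'Join To Domain': {proto}/{port:<12} {name}")
    for r in unknown:
        print("drop on a non-AD port, investigate:", r)
```

Run it as-is and it lists the six services the constructed drops call for (Kerberos, SMB, RPC endpoint mapper, RPC dynamic 1024-65535, NetBIOS name service, LDAP); run `missing_services(..., client_os="vista")` and the TCP/1025 drop moves to the investigate list instead of being folded into the RPC range.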
Please look in the log file of your firewall for which kind of traffic between your client and your DC is blocked by the DENY_ANY rule, then add this to the rule "Join To Domain".
Very smart, Sergey, but where can I find the log file?
eternals81
July 24th, 2012 11:47am
Yeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaassssssss, I finally made it, I finally added the PC to the domain, thank you my brother!!!!!!!!!!!!!!!!!!!!! True love!
eternals81
July 24th, 2012 12:40pm
Now all I have left is to let PCs from the LAN get to the internet, I mean the WAN. And to let users from the LAN send email to the internet. Is it hard to do???
eternals81
July 24th, 2012 1:06pm
Now all I have left is to let PCs from the LAN get to the internet, I mean the WAN. And to let users from the LAN send email to the internet. Is it hard to do?
Best practice is to install and set up an HTTP proxy for clients' internet access and an MTA (SMTP server) for sending e-mail. Then you can audit users' activity (track internet resource access, control e-mail, and so on).
Using NAT/PAT (or other kinds of address translation) is not recommended for security reasons.
July 24th, 2012 11:13pm
Should I put the SMTP server in my DMZ? Should I put the HTTP proxy in my LAN?
eternals81
July 25th, 2012 1:23am
Should I put the SMTP server in my DMZ? Should I put the HTTP proxy in my LAN?
The SMTP server and the HTTP proxy should be placed in the DMZ area. Direct access from any LAN host to any internet host should be forbidden (as best practice).
July 25th, 2012 2:09am
Can I place my Edge server and Exchange server in the DMZ and use it as an email relay? But where is the HTTP proxy service placed or installed? Who will be used as the DHCP server that distributes IPs to the LAN stations???
10x.
eternals81
July 25th, 2012 9:02am