Cannot add PC to Domain
I add those ports to the Checkpoint FW and add my XP as source and DC as destination, but it is still giving me this: Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt. The domain name tlv might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS. If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration. The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain tlv: The error was: "This operation returned because the timeout period expired." (error code 0x000005B4 ERROR_TIMEOUT) The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses: 10.0.0.1 Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running. For more information on how to correct this problem, click Help.
eternals81
July 4th, 2012 11:47am

those ports: 135/TCP RPC, 389/TCP/UDP LDAP, 636/TCP LDAP SSL, 3268/TCP LDAP GC, 3269/TCP LDAP GC SSL, 53/TCP/UDP DNS, 88/TCP/UDP Kerberos, 445/TCP SMB, from: http://www.petri.co.il/forums/showthread.php?t=37062 please help!
eternals81
July 4th, 2012 11:49am

Why not ask Checkpoint?
Bill
July 4th, 2012 11:54pm

Because Checkpoint does not have a good forum and they have never answered any of my questions.
eternals81
July 5th, 2012 12:10pm

Can you turn on complete logging on the Checkpoint firewall to see which packets go through the firewall and which packets are dropped? Like logging debug - I write now in "Cisco routers and ASA" language...
Matjaz
July 10th, 2012 4:26am

You mean in the monitor or track view, not in the dashboard, right??? 10x.
eternals81
July 13th, 2012 2:52am

Please, read KB832017. NetLogon needs UDP ports 137, 138 (NetBIOS), TCP ports 139, 445 and arbitrary TCP ports in the range 1024-65535 (2000, XP, 2003) or 49152-65535 (Vista, Seven, 2008). You had the error "timeout period expired" when Your PC tried to resolve the "SRV record for _ldap._tcp.dc._msdcs.tlv". This means the firewall blocked DNS traffic (from Your PC with UDP/arbitrary high port to DNS with UDP/53) and/or the reverse: from DNS with UDP/53 to Your PC with UDP arbitrary high port.
July 17th, 2012 11:37pm

Thanks for the reply, but it still does not work, only another message: Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt. DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain tlv.local: The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv.local The following domain controllers were identified by the query: dc03.tlv.local Common causes of this error include: - Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses. - Domain controllers registered in DNS are not connected to the network or are not running. For information about correcting this problem, click Help.
eternals81
July 18th, 2012 11:22am

And I did add the new ports to R70 like you told me to. (NetLogon needs UDP ports 137, 138 (NetBIOS), TCP ports 139, 445 and arbitrary TCP ports in the range 1024-65535 (2000, XP, 2003) or 49152-65535 (Vista, Seven, 2008).)
eternals81
July 18th, 2012 11:25am

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain tlv.local: The query was for the SRV record for _ldap._tcp.dc._msdcs.tlv.local The following domain controllers were identified by the query: dc03.tlv.local Common causes of this error include: - Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses. - Domain controllers registered in DNS are not connected to the network or are not running.

OK. This is good. Your PC was able to get the info about the DC (domain controller) from DNS. Now, You must enable the connection between Your PC and the computer dc03.tlv.local on Your firewall. PS. Please, check the IP address of the computer dc03.tlv.local with NSLOOKUP.EXE on Your PC.
July 19th, 2012 2:34am

By connection you mean ping (ICMP)? If so, then it is enabled. I will check the nslookup and I will let you know. 10x man.
eternals81
July 19th, 2012 11:37am

Here you go sir:
eternals81
July 19th, 2012 1:39pm

By connection you mean ping (ICMP)?

No. Ping may be permitted, but the UDP and/or TCP - no. You must check the firewall rules.
July 19th, 2012 11:14pm

Here are my rules: is something wrong with my rules?
eternals81
July 20th, 2012 2:35am

Log when I am trying to add the PC to the DC:
eternals81
July 20th, 2012 2:47am

And after a few minutes there is the same log, just with source port=1124.
eternals81
July 20th, 2012 3:00am

Is something wrong with my rules?

Yes. You permitted traffic from DMZ to DMZ and from LAN to LAN. You must permit traffic from LAN to DMZ and (probably) from DMZ to LAN in rule 2.
July 20th, 2012 7:04am

And now I did like you said and even installed the policy after the change, but it is still not working sir.
eternals81
July 20th, 2012 7:27am

Please, look at the log file of Your firewall to see which kind of traffic between Your client and Your DC is blocked by the DENY_ANY rule, then add this to the rule "Join To Domain".
July 23rd, 2012 7:51am
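
The two points made in this exchange, that the "Join To Domain" rule must permit LAN to DMZ rather than LAN to LAN and DMZ to DMZ, and that whatever DENY_ANY still drops between the client and the DC has to be added to that rule, can be checked offline with a small first-match rule simulator. This is an added example written for this thread, not Check Point code and not anything posted by the participants. The port list is taken from the posts above (the petri.co.il list, the KB832017 NetBIOS ports and one sample port from the XP/2003 RPC range 1024-65535); the zone subnets, the client address, the rule sets and the zone model itself are constructed assumptions, and 10.0.0.1 is reused from the DNS server address in the first post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services a client must reach on the DC to join the domain (ports from the thread).
# The last entry is one sample port from the XP/2003 RPC dynamic range 1024-65535.
REQUIRED_SERVICES = [
    ("DNS", "udp", 53), ("DNS", "tcp", 53),
    ("Kerberos", "udp", 88), ("Kerberos", "tcp", 88),
    ("RPC endpoint mapper", "tcp", 135),
    ("NetBIOS name", "udp", 137), ("NetBIOS datagram", "udp", 138),
    ("NetBIOS session", "tcp", 139),
    ("LDAP", "tcp", 389), ("LDAP", "udp", 389),
    ("SMB", "tcp", 445),
    ("LDAP GC", "tcp", 3268),
    ("RPC dynamic (XP/2003)", "tcp", 1124),
]

# Constructed zones (assumption); 10.0.0.1 is the DNS/DC address from the first post.
ZONES = {"LAN": ip_network("10.0.1.0/24"), "DMZ": ip_network("10.0.0.0/24")}


@dataclass
class Rule:
    name: str
    src_zone: str   # "LAN", "DMZ" or "Any"
    dst_zone: str
    services: list  # [(proto, low_port, high_port)]; proto "any" matches all
    action: str     # "accept" or "drop"


def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def rule_matches(rule, src_ip, dst_ip, proto, port):
    """Zone-based match on source, destination and service."""
    if rule.src_zone not in ("Any", zone_of(src_ip)):
        return False
    if rule.dst_zone not in ("Any", zone_of(dst_ip)):
        return False
    return any(p in ("any", proto) and lo <= port <= hi
               for p, lo, hi in rule.services)


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; nothing matching falls through to DENY_ANY."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule.name, rule.action
    return "DENY_ANY", "drop"


def blocked_services(rules, client_ip, dc_ip):
    """Which required client->DC flows are dropped, and by which rule."""
    blocked = []
    for label, proto, port in REQUIRED_SERVICES:
        rule_name, action = evaluate(rules, client_ip, dc_ip, proto, port)
        if action != "accept":
            blocked.append((label, proto, port, rule_name))
    return blocked


JOIN_FIXED = [(proto, port, port) for label, proto, port in REQUIRED_SERVICES
              if not label.startswith("RPC dynamic")]
RPC_DYNAMIC_XP = ("tcp", 1024, 65535)
DENY_ANY = Rule("DENY_ANY", "Any", "Any", [("any", 0, 65535)], "drop")

# As first posted: LAN->LAN and DMZ->DMZ, so every LAN->DMZ flow falls to DENY_ANY.
WRONG_RULES = [
    Rule("Join To Domain", "LAN", "LAN", JOIN_FIXED + [RPC_DYNAMIC_XP], "accept"),
    Rule("Join To Domain", "DMZ", "DMZ", JOIN_FIXED + [RPC_DYNAMIC_XP], "accept"),
    DENY_ANY,
]
# Direction fixed but the RPC dynamic range forgotten: only that flow is dropped,
# which is exactly what the firewall log would show against DENY_ANY.
PARTIAL_RULES = [Rule("Join To Domain", "LAN", "DMZ", JOIN_FIXED, "accept"), DENY_ANY]
# Direction and services both right.
FIXED_RULES = [Rule("Join To Domain", "LAN", "DMZ", JOIN_FIXED + [RPC_DYNAMIC_XP], "accept"),
               DENY_ANY]

if __name__ == "__main__":
    for title, rules in (("wrong", WRONG_RULES), ("partial", PARTIAL_RULES), ("fixed", FIXED_RULES)):
        blocked = blocked_services(rules, "10.0.1.50", "10.0.0.1")
        print(f"{title}: {len(blocked)} required flows dropped")
        for label, proto, port, by in blocked:
            print(f"  {label} {proto}/{port} dropped by {by}")
```

Running it reports every required flow dropped under the first rule set, only the sample RPC dynamic port under the second, and nothing under the third; the second case is the one the log-file advice is aimed at, since the dropped entry names the service that still has to be added to "Join To Domain".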

Please, look at the log file of Your firewall to see which kind of traffic between Your client and Your DC is blocked by the DENY_ANY rule, then add this to the rule "Join To Domain".

Very smart Sergey, but where can I find the log file?
eternals81
July 24th, 2012 11:47am

Yeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaassssssss, I finally made it, I finally added the PC to the domain, thank you my brother!!!!!!!!!!!!!!!!!!!!! True love!
eternals81
July 24th, 2012 12:40pm

Now all I have left is to let PCs from the LAN get to the internet, I mean WAN. And to let users from the LAN send email to the internet. Is it hard to do???
eternals81
July 24th, 2012 1:06pm

Now all I have left is to let PCs from the LAN get to the internet, I mean WAN. And to let users from the LAN send email to the internet. Is it hard to do?

Best practice is to install and set up some HTTP proxy for clients' inet access and some MTA (SMTP server) for sending e-mail. Then You can audit users' activity (track getting inet resources, control e-mail, und so waiter). Using NAT/PAT (or other kinds of address translation) is not recommended for security reasons.
July 24th, 2012 11:13pm

The SMTP server I should put in my DMZ? The HTTP proxy I should put in my LAN?
eternals81
July 25th, 2012 1:23am

The SMTP server I should put in my DMZ? The HTTP proxy I should put in my LAN?

The SMTP server and HTTP proxy should be placed in the DMZ area. Direct access from any LAN hosts to any inet hosts should be forbidden (in best practice).
July 25th, 2012 2:09am

Can I place my Edge server and Exchange server in the DMZ and use it as an email relay? But where is the HTTP proxy service placed or installed? Who will be used as the DHCP server that distributes IPs to the LAN stations??? 10x.
eternals81
July 25th, 2012 9:02am
