Une mauvaise suprise ce matin avec mes controlleurs Win2003 SP1 sur lesquels
le Firewall était montée.
J'ai configuré un certain nombre d'exceptions et réalisé des modifications.
Tout était très bien.
Hier, je passe les hotfixs de février sur le premier controlleur, ... rien à
redire. Le serveur redémarre et là quelques heures plus tard, je m'aperçois
que nombre de paquets IP sont rejetés.
Je regarde la config du Firewall et je vois que toutes mes modifications ont
disparu !
En creusant un peu, je viens de m'apercevoir que mes modifications de base
ont été rattachés au profil standard du Firewall et non du domaine. Je
précise que je fais ma configuration du Firewall manuellement et non par GPO
pour les serveurs.
et je viens de lire cette note :
Note: After promotion to being a Domain Controller the computer will
restart; after this first restart, the computer will use the Windows
Firewall's Domain Profile. After the first replication completes
successfully and the computer is restarted, the Domain Controller will use
the Windows Firewall's Standard Profile. So, to avoid problems, make the
Domain and Standard profiles for Domain Controllers identical.
J'avoue que j ai du mal à saisir de STANDARD / DOMAINE. Si quelqu'un pouvait
m'éclairer. Et existe t il un moyen de forcer l utilisation d'un profile
pour un serveur et rester sur celui ci ?.
Peut t on dupliquer un profil sur l'autre ?
Je pensais qu'un profil domaine n'était utiliser que si on l'activait via
une GPO ... ce qui n est pas le cas.
Cette action est irreversible, confirmez la suppression du commentaire ?
Signaler le commentaire
Veuillez sélectionner un problème
Nudité
Violence
Harcèlement
Fraude
Vente illégale
Discours haineux
Terrorisme
Autre
msnews.microsoft.com
Bonjour Fabrice
J'ai trouve une explication detaillee a la situation qui est la votre . Elles est decrite en anglais mais reste tout a fait comprehensible
QUESTION ======= You need to configure a Windows Firewall policy to allow "File and Print Sharing" for instance . So you want to know the different between Domain Profile and Standard Profile in this policy setting
ANSWER =========== Windows system uses the "Network Location Awareness (NLA)" service to determine if the Connection Specific DNS Suffix and the Primary DNS Suffix match. If they do then the Domain . Profile is loaded. If they do not match then the Standard Profile is loaded. Windows
Ci dessous le detail
When using the new Windows Firewall Group Policy settings, you can configure two different profiles at Computer ConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows Firewall:
Domain profile ----------------------- The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.
Standard profile -------------------------- The standard profile is the set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when an organization laptop computer is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop computer is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.
Windows system uses the "Network Location Awareness (NLA)" service to determine if the Connection Specific DNS Suffix and the Primary DNS Suffix match. If they do then the Domain Profile is loaded. If they do not match then the Standard Profile is loaded. Windows uses this network determination process during start up and when it is informed by the Network Location Awareness service that network settings on the computer have changed.
The connection-specific DNS suffix of the connection over which the last set of Group Policy updates were received is determined from its TCP/IP configuration, which is typically configured using Dynamic Host Configuration Protocol (DHCP) and the DNS Domain Name DHCP option (DHCP option number 15). You can also manually configure connection-specific DNS suffixes from the DNS tab in the advanced properties of the Internet Protocol (TCP/IP) component, available from the properties of the connection in the Network Connections folder.
To apply this behavior to Windows Firewall settings:
? If the connection-specific DNS suffix of a currently connected connection on the computer that is not PPP or SLIP-based (such as an Ethernet or 802.11 wireless network adapter) matches the value of the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistoryNetworkName registry entry, Windows Firewall uses the domain profile.
? If the connection-specific DNS suffix of a currently connected connection on the computer that is not PPP or SLIP-based does not match the value of the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistoryNetworkName registry entry, Windows Firewall uses the standard profile.
You can determine the connection-specific DNS suffixes of the currently connected connections on the computer from the display of the ipconfig command issued from a command prompt.
Une mauvaise suprise ce matin avec mes controlleurs Win2003 SP1 sur lesquels le Firewall était montée. J'ai configuré un certain nombre d'exceptions et réalisé des modifications. Tout était très bien.
Hier, je passe les hotfixs de février sur le premier controlleur, ... rien à redire. Le serveur redémarre et là quelques heures plus tard, je m'aperçois que nombre de paquets IP sont rejetés. Je regarde la config du Firewall et je vois que toutes mes modifications ont disparu !
En creusant un peu, je viens de m'apercevoir que mes modifications de base ont été rattachés au profil standard du Firewall et non du domaine. Je précise que je fais ma configuration du Firewall manuellement et non par GPO pour les serveurs.
et je viens de lire cette note : Note: After promotion to being a Domain Controller the computer will restart; after this first restart, the computer will use the Windows Firewall's Domain Profile. After the first replication completes successfully and the computer is restarted, the Domain Controller will use the Windows Firewall's Standard Profile. So, to avoid problems, make the Domain and Standard profiles for Domain Controllers identical.
J'avoue que j ai du mal à saisir de STANDARD / DOMAINE. Si quelqu'un pouvait m'éclairer. Et existe t il un moyen de forcer l utilisation d'un profile pour un serveur et rester sur celui ci ?. Peut t on dupliquer un profil sur l'autre ? Je pensais qu'un profil domaine n'était utiliser que si on l'activait via une GPO ... ce qui n est pas le cas.
Merci de votre aide fabrice
Bonjour Fabrice
J'ai trouve une explication detaillee a la situation qui est la votre .
Elles est decrite en anglais mais reste tout a fait comprehensible
QUESTION
======= You need to configure a Windows Firewall policy to allow "File and Print
Sharing" for instance .
So you want to know the different between Domain Profile and Standard
Profile in
this policy setting
ANSWER
=========== Windows system uses the "Network Location Awareness (NLA)" service to
determine if
the Connection Specific DNS Suffix and the Primary DNS Suffix match. If they
do
then the Domain . Profile is loaded. If they do not match then the Standard
Profile is loaded.
Windows
Ci dessous le detail
When using the new Windows Firewall Group Policy settings, you can configure
two
different profiles at Computer ConfigurationAdministrative
TemplatesNetworkNetwork ConnectionsWindows Firewall:
Domain profile
-----------------------
The domain profile is the set of Windows Firewall settings that are needed
when the
computer is connected to the managed network. For example, the domain
profile might
contain settings for excepted traffic for the applications and services
needed by a
managed computer in an enterprise network.
Standard profile
--------------------------
The standard profile is the set of Windows Firewall settings that are needed
when
the computer is connected to another network. A good example is when an
organization laptop computer is taken on the road and connects to the
Internet
using a public broadband or wireless Internet service provider. Because the
organization laptop computer is directly connected to the Internet, the
standard
profile should contain more restrictive settings than the domain profile.
Windows system uses the "Network Location Awareness (NLA)" service to
determine if
the Connection Specific DNS Suffix and the Primary DNS Suffix match. If they
do
then the Domain
Profile is loaded. If they do not match then the Standard Profile is loaded.
Windows uses this network determination process during start up and when it
is
informed by the Network Location Awareness service that network settings on
the
computer have changed.
The connection-specific DNS suffix of the connection over which the last set
of
Group Policy updates were received is determined from its TCP/IP
configuration,
which is typically configured using Dynamic Host Configuration Protocol
(DHCP) and
the DNS Domain Name DHCP option (DHCP option number 15). You can also
manually
configure connection-specific DNS suffixes from the DNS tab in the advanced
properties of the Internet Protocol (TCP/IP) component, available from the
properties of the connection in the Network Connections folder.
To apply this behavior to Windows Firewall settings:
? If the connection-specific DNS suffix of a currently connected connection
on the
computer that is not PPP or SLIP-based (such as an Ethernet or 802.11
wireless
network adapter) matches the value of the
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionGroup
PolicyHistoryNetworkName registry entry, Windows Firewall uses the domain
profile.
? If the connection-specific DNS suffix of a currently connected connection
on the
computer that is not PPP or SLIP-based does not match the value of the
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionGroup
PolicyHistoryNetworkName registry entry, Windows Firewall uses the
standard
profile.
You can determine the connection-specific DNS suffixes of the currently
connected
connections on the computer from the display of the ipconfig command issued
from a
command prompt.
"fabrice" <emouchet@test.com> wrote in message
news:%23$NrU2OUHHA.1016@TK2MSFTNGP04.phx.gbl...
Bonjour à tous,
Une mauvaise suprise ce matin avec mes controlleurs Win2003 SP1 sur
lesquels
le Firewall était montée.
J'ai configuré un certain nombre d'exceptions et réalisé des
modifications.
Tout était très bien.
Hier, je passe les hotfixs de février sur le premier controlleur, ... rien
à
redire. Le serveur redémarre et là quelques heures plus tard, je
m'aperçois
que nombre de paquets IP sont rejetés.
Je regarde la config du Firewall et je vois que toutes mes modifications
ont
disparu !
En creusant un peu, je viens de m'apercevoir que mes modifications de base
ont été rattachés au profil standard du Firewall et non du domaine. Je
précise que je fais ma configuration du Firewall manuellement et non par
GPO
pour les serveurs.
et je viens de lire cette note :
Note: After promotion to being a Domain Controller the computer will
restart; after this first restart, the computer will use the Windows
Firewall's Domain Profile. After the first replication completes
successfully and the computer is restarted, the Domain Controller will use
the Windows Firewall's Standard Profile. So, to avoid problems, make the
Domain and Standard profiles for Domain Controllers identical.
J'avoue que j ai du mal à saisir de STANDARD / DOMAINE. Si quelqu'un
pouvait
m'éclairer. Et existe t il un moyen de forcer l utilisation d'un profile
pour un serveur et rester sur celui ci ?.
Peut t on dupliquer un profil sur l'autre ?
Je pensais qu'un profil domaine n'était utiliser que si on l'activait via
une GPO ... ce qui n est pas le cas.
J'ai trouve une explication detaillee a la situation qui est la votre . Elles est decrite en anglais mais reste tout a fait comprehensible
QUESTION ======= You need to configure a Windows Firewall policy to allow "File and Print Sharing" for instance . So you want to know the different between Domain Profile and Standard Profile in this policy setting
ANSWER =========== Windows system uses the "Network Location Awareness (NLA)" service to determine if the Connection Specific DNS Suffix and the Primary DNS Suffix match. If they do then the Domain . Profile is loaded. If they do not match then the Standard Profile is loaded. Windows
Ci dessous le detail
When using the new Windows Firewall Group Policy settings, you can configure two different profiles at Computer ConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows Firewall:
Domain profile ----------------------- The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.
Standard profile -------------------------- The standard profile is the set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when an organization laptop computer is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop computer is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.
Windows system uses the "Network Location Awareness (NLA)" service to determine if the Connection Specific DNS Suffix and the Primary DNS Suffix match. If they do then the Domain Profile is loaded. If they do not match then the Standard Profile is loaded. Windows uses this network determination process during start up and when it is informed by the Network Location Awareness service that network settings on the computer have changed.
The connection-specific DNS suffix of the connection over which the last set of Group Policy updates were received is determined from its TCP/IP configuration, which is typically configured using Dynamic Host Configuration Protocol (DHCP) and the DNS Domain Name DHCP option (DHCP option number 15). You can also manually configure connection-specific DNS suffixes from the DNS tab in the advanced properties of the Internet Protocol (TCP/IP) component, available from the properties of the connection in the Network Connections folder.
To apply this behavior to Windows Firewall settings:
? If the connection-specific DNS suffix of a currently connected connection on the computer that is not PPP or SLIP-based (such as an Ethernet or 802.11 wireless network adapter) matches the value of the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistoryNetworkName registry entry, Windows Firewall uses the domain profile.
? If the connection-specific DNS suffix of a currently connected connection on the computer that is not PPP or SLIP-based does not match the value of the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistoryNetworkName registry entry, Windows Firewall uses the standard profile.
You can determine the connection-specific DNS suffixes of the currently connected connections on the computer from the display of the ipconfig command issued from a command prompt.
Une mauvaise suprise ce matin avec mes controlleurs Win2003 SP1 sur lesquels le Firewall était montée. J'ai configuré un certain nombre d'exceptions et réalisé des modifications. Tout était très bien.
Hier, je passe les hotfixs de février sur le premier controlleur, ... rien à redire. Le serveur redémarre et là quelques heures plus tard, je m'aperçois que nombre de paquets IP sont rejetés. Je regarde la config du Firewall et je vois que toutes mes modifications ont disparu !
En creusant un peu, je viens de m'apercevoir que mes modifications de base ont été rattachés au profil standard du Firewall et non du domaine. Je précise que je fais ma configuration du Firewall manuellement et non par GPO pour les serveurs.
et je viens de lire cette note : Note: After promotion to being a Domain Controller the computer will restart; after this first restart, the computer will use the Windows Firewall's Domain Profile. After the first replication completes successfully and the computer is restarted, the Domain Controller will use the Windows Firewall's Standard Profile. So, to avoid problems, make the Domain and Standard profiles for Domain Controllers identical.
J'avoue que j ai du mal à saisir de STANDARD / DOMAINE. Si quelqu'un pouvait m'éclairer. Et existe t il un moyen de forcer l utilisation d'un profile pour un serveur et rester sur celui ci ?. Peut t on dupliquer un profil sur l'autre ? Je pensais qu'un profil domaine n'était utiliser que si on l'activait via une GPO ... ce qui n est pas le cas.
