"Windows cannot obtain the domain controller name..."

[mollyking]

We are running an AD domain with 2 windows 2003 servers as domain controllers/DNS servers. I'm trying to put an ip filter in place so that I don't have to allow all ports on the workstations through to the DC's. I've allowed 135 tcp & udp, 53 tcp & udp, 88 tcp & udp, 389 tcp & udp, 445 tcp & udp, 123 tcp & udp, 464 tcp, 3268 tcp, 137 tcp & udp, 138 udp, 42 tcp and 139 tcp. The problem is the workstations are getting error ID 1054, Source: Userenv "Windows cannot obtain the domain controller name for your computer network." What other access do the workstations need to sucessfully log into the domain controller? By the way - everything works without the filter.

Thanks!!!!

 

[ReddLefty]

Here is a KB with all the W2K ports. It might not be W2K3, but this list should be a start to check with:

http://support.microsoft.com/default.aspx?scid=kb;en-us;179442&Product=win2000

"In space, nobody can hear you click..."

 

[mollyking]

Thanks for the thought. Though I didn't list them all in the original question, I have allowed all these ports.

 

[mollyking]

This is what I did to fix it. My original ip filter rules were set up as follows: From source <the test subnet> to Destination <My ip address> 'permit' protocol <TCP> From Any Port To this port <53>. I did this for all the ports I listed in the original question. Everything started working fine when I added rules as followed: From source <My ip address> to Destination <the test subnet> 'permit' protocol <TCP> From Any port To this port <53>. I did this for ports 53 tcp and udp, 389 tcp, 139 tcp and 445 tcp. Since all the original rules (and the new ones) are 'mirrored,' I guess I don't understand what Mirrored means.

 

[diciccone]

concerning the event 1054 see Q326152