A Stupid Mistake


  • A Stupid Mistake

    I was running MBSA on the W2K3 domain controller in the secondary data center via Remote Desktop, and enabled the Windows Firewall to close off one of the risk items.

    Unfortunately, I did not enable the Remote Desktop passthrough, so about 5 seconds after I clicked OK, I lost the connection.

    Now, the primary DC NTDS log is full of 1865 and 1311 events, as it cannot communicate with the secondary DC.

    I've tried using PsExec to run NETSH and changing the GPO to disable the firewall, but AD objects are not being replicated between the DCs; the firewall blocks those, as well as the Admin$ share.

    Since the secondary DC is >1000 km away, does anybody know a way to disable the firewall remotely, or without needing one of the remote data center engineers to log in locally?

    Reboots are OK, but we can't disclose passwords.

  • #2
    Re: A Stupid Mistake

    Just to expand a little.

    I have enabled remote desktop in the global policy, and if I look at the Windows Firewall settings on the local domain controller, I see that the Remote Desktop is being set from the Global Policy.

    However, given the NTDS events, I have my doubts that the global policy is being replicated to the secondary domain controller, so it would never pick up the changes and enable remote desktop.

    I am also a little confused as to why Windows Firewall on a domain controller isn't configured for such things. It also fails to respond to DNS requests, which means it's blocking port 53 as well.

    The other servers at the remote site fail to authenticate with the secondary domain controller, but fortunately they use the primary domain controller as the secondary DNS server.



    • #3
      Re: A Stupid Mistake

      You could try a couple of things:

      1. If you can access the services on the machine through the Computer Management MMC you could disable and stop the Windows Firewall service. This is going to be dependent on RPC and possibly WMI not being blocked. Since you can't access the Admin$ share I'm guessing that RPC communication is blocked though.

      2. You could have one of the remote engineers reboot the server into safe mode and disable the Windows Firewall service. This will probably require you to give them the password though.

      In the end you may not have a choice but to give the local engineers the password, fix the problem, and then change the password.



      • #4
        Re: A Stupid Mistake

        You don't have ILO/DRAC or whatever in your servers which are located so far away?
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: A Stupid Mistake

          A GPO won't do it since it's a DC. Normally that is outbound traffic and a client would refresh a GPO with the firewall on. But the DC looks at itself for new GPOs and since replication is not working it doesn't receive the changes.

          You can try to RDP to another computer on the same network as the DC and go from there. Small chance some ports are open for the local network only...

          iLO would do it, but the Advanced License isn't cheap.

          Got a DSRM account? Give that to the local admin, have them reboot, F8 into DSRM and disable the firewall service. Then just change the DSRM password afterwards.



          • #6
            Re: A Stupid Mistake

            No, an advanced license isn't cheap, but neither is a plane ticket.
            Marcel



            • #7
              Re: A Stupid Mistake

              Thanks for your inputs. Never heard of ILO, but we may have DRAC since they are Dell servers. Will check.

              All remote administration efforts have so far failed. There are some ports open (Backup Exec Remote Agent, McAfee Framework, and MSMQ), but I've not been able to gain access to processes on the secondary DC using those ports.

              We have installed LAN-controllable KVM switches in our local data center, but haven't got round to doing it at the remote one unfortunately. I might be able to push that implementation forward.

              Giving the engineers the password isn't all that bad, since we change it on a monthly basis anyway, so if we can keep the primary up and running for the next 2 weeks, I'll have them disable the firewall at the end of this month.

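The lock-out described in this thread (firewall switched on over an RDP session without the Remote Desktop exception, and no way to push a GPO to a domain controller that can no longer replicate) is the textbook case for scheduling a rollback before changing a remote host's firewall. The following PowerShell script is an added example and was not posted in the thread; it assumes the `netsh firewall` syntax of Windows Server 2003 SP1 and later plus the `schtasks` tool, and the task name and rollback delay are arbitrary choices.

```powershell
# Added example (not from the thread): enable Windows Firewall on a remotely
# administered Windows Server 2003 box without locking yourself out.
# Assumes the W2K3 SP1+ "netsh firewall" context and schtasks; run from an
# elevated RDP session on the target server.

param(
    # Assumption: how long the safety net waits before undoing the change.
    [int]$RollbackMinutes = 10,
    # Assumption: arbitrary task name used to find and delete the safety net.
    [string]$TaskName = "FirewallRollback"
)

# 1. Schedule a one-shot rollback BEFORE touching the firewall. If the RDP
#    session drops, the task switches the firewall off again and the server
#    becomes reachable without anyone at the remote site.
$when = (Get-Date).AddMinutes($RollbackMinutes).ToString("HH:mm")
schtasks /create /f /sc once /st $when /tn $TaskName /ru SYSTEM `
    /tr "netsh firewall set opmode mode=DISABLE profile=ALL"

# 2. Open the exceptions the thread found missing: Remote Desktop (TCP 3389)
#    and DNS (TCP/UDP 53), which this server answers for the other hosts.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=ALL
netsh firewall set portopening protocol=UDP port=53 name="DNS (UDP)" mode=ENABLE profile=ALL
netsh firewall set portopening protocol=TCP port=53 name="DNS (TCP)" mode=ENABLE profile=ALL

# 3. Only now turn the firewall on.
netsh firewall set opmode mode=ENABLE profile=ALL

# 4. Show the resulting configuration so the exceptions can be confirmed.
netsh firewall show config

# 5. Once a fresh RDP session to this server succeeds and replication is
#    verified, cancel the safety net. Left alone, the rollback fires and
#    the firewall goes off again, which is the intended failure mode.
Write-Host "Verify RDP and replication, then run: schtasks /delete /f /tn $TaskName"
```

The scheduled rollback is the part that matters: the exceptions above cover the two services the thread identifies, but domain controller replication also needs the RPC endpoint mapper, the dynamic RPC ports, LDAP, Kerberos and SMB, none of which this script opens. Running it with the rollback in place means a mistake in the exception list costs ten minutes instead of a flight.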