Thread: Did this get resolved?

  1. #1
    Chad Ingram
    Guest

    Did this get resolved?

    So did this ever get resolved? We have the same issue in a mobile lab.



    Le wrote:

    03-Oct-07

    It is indeed the fact that the wireless does not connect until you have a
    desktop. I have this same problem.

    Some of the wireless NICs have a check box that says something like Log
    into Wireless network before domain login. I have seen this on Dells, with I
    think the Intel or Broadcom Wireless NIC.

    This WILL fix the problem, it worked for me. Although I only had 10
    computers, all Dell, and I got lucky they all had a NIC with this option.

    If the laptop does not, look for a PCMCIA card that you can add in that
    will have it and install those in all your laptops. Sorry, can't see another
    option for you, it's a Windows/NIC flaw or feature, not sure really.

    "k3v1nr055" wrote:

    Previous Posts In This Thread:

    On Thursday, August 30, 2007 10:10 AM
    k3v1nr05 wrote:

    Laptops and Tablets Cannot Logon to Domain
    We are suddenly not able to logon to our domain(s) via wireless. This was not
    a problem until recently. This is a school where 1000 students share use of
    about 500 laptops and tablet PCs so it is most common for a particular user
    to grab a different laptop from different carts in a given day and use
    several different laptops from the same cart throughout a school year. I
    point this out so that you know that the common answer to our problem, which
    is to logon via the ethernet line and cache the profile before trying to
    connect via wireless is not acceptable nor practical. Additionally, we had
    no problem with this last school year. Now, three months later we are
    basically "dead in the water" with regard to technology for students and
    wireless access for staff. The actual message that we get is: "The system
    cannot log you on because the domain OURDOMAIN is not available." The same
    user account will quickly authenticate via ethernet.

    More info: This is occurring with both a new Cisco server-managed wireless
    network in one building and the old store bought access points in our other
    buildings. This is also occurring with newly re-imaged laptops that were used
    successfully last year, with newly re-imaged laptops that were purchased this
    summer and never used by anyone (except the tech who loaded the computer) and
    new out of box laptops that have not been customized for our environment. I
    point this out because we were concerned that something in the imaging
    process (RIS and WDS) might have caused this issue but since brand new Dell
    and Gateway computers also exhibit the behavior it does not appear that the
    imaging process caused this issue and therefore my job is safe since I am in
    charge of images.

    I should also point out that the only major change to our computers was the
    "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and we also were
    hammered with between 150 and 200 windows updates over the summer. I suspect
    that one or both of these events is at least partially related to our
    problem.

    We really need help here. Any advice?

    On Thursday, August 30, 2007 10:39 PM
    Robert L [MVP - Networking] wrote:

    If all wireless computers have this issue, I don't think it is an IE 7
    issue. Do they receive IP addresses from DHCP? If you use WPA
    Enterprise, also check the IAS server. Or this link may help.

    Cisco: Wireless client can't ... Situation: The client tries to setup
    Cisco wireless 1310 bridge. The client can receive the signal but can't
    logon the domain. Ipconfig shows the client ...
    http://www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf

    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com

    On Friday, August 31, 2007 8:16 AM
    k3v1nr05 wrote:

    Robert,

    It appears that the Windows Firewall is part of the problem. In the past
    this did not seem to affect the initial logon. Now it appears that the
    wireless signal is being processed after the cached credentials. It also
    appears that the GPO that enables the Windows Firewall is a factor. We had a
    domain GPO that disables the firewall when a computer is logged into our
    domain and when it powers up off the domain the firewall enables (domain
    profile and standard profile). We think that the firewall is preventing the
    initial connection with wireless and without a cached profile from a domain
    user the laptop will not come to the place where Windows boots up.
    Consequently, the users cannot ever get on. Remember that these are newly
    imaged computers that were created and joined to the domain by WDS and they
    have the old policy.
    We found a very time consuming work around. First we disabled the standard
    profile which turns off the firewall for computers that are not on the
    domain. Of course, this now means that laptops which go home have no firewall
    turned on when they are away. This is not an acceptable situation either.
    Then we have to log into each and every laptop as the local admin. Then we
    must manually connect to the wireless network. Next, we have to log out (not
    restart because a restart and at this time we are able to log into the domain
    and the user is able to authenticate successfully. Additionally, the new
    unprotected gpo is pulled to the machine and therefore firewall is off no
    matter what. After we do this any user is able to connect to the domain and
    authenticate. We tried every conceivable combination of login, reboot, etc.
    and nothing worked consistently until the firewall was disabled for all
    scenarios. Now we have 450 laptops that we must sneaker net to, set up,
    boot, log in as Admin, log off, log in as user, restart, and test as
    different new user. This really sucks!!! If you can tell me how to enable
    the firewall and open it enough to allow the Zero Wireless Configuration
    service to start before authentication I would greatly appreciate it. I am
    really tired of systems breaking because MS sends patches and "upgrades" that
    wreak more havoc on our world. In this case, something had to happen because
    this problem did not occur in June and the only difference is that we updated
    all the laptops to IE7 and applied all the approved updates that WSUS
    received.

    "Robert L [MVP - Networking]" wrote:

    On Friday, August 31, 2007 8:44 AM
    k3v1nr05 wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    A few more points: This is clearly not a Cisco issue. We have been in touch
    with Cisco (who has checked all the wireless infrastructure) and we all agree
    that this is a Microsoft issue. This occurs with any access point that we
    test on. Also, the clients cannot get an IP address because all the
    adapters are disconnected since the wireless service does not connect to any
    network APs. The only way that works is to get on the domain by the lengthy
    process I described previously so that the computers can pull down the new
    policy with the firewall off. After this the wireless connectivity works
    properly and subsequent users can authenticate. If we knew that the Windows
    Firewall was such an issue we might have purchased a better solution for when
    users take laptops off campus (hence the term "mobile" computing). The cost
    would have been small compared to the loss of service and the time it will
    take to get our students up and running. We are like a lot of networks, I
    suspect, in that we have way too much to do even when things work correctly,
    and when issues like this occur, and this is more and more often, it really
    puts a hurt on us.

    "k3v1nr055" wrote:

    On Friday, August 31, 2007 8:54 AM
    pavel_ wrote:

    If you could watch the logon process with a wireless sniffer,
    it would be clear right away, which packets go to air when, and whether
    the firewall blocks something.

    --PA


    "k3v1nr055" wrote:

    On Friday, August 31, 2007 11:42 AM
    k3v1nr05 wrote:

    I have not used a wireless sniffer but if I used something like airsnort
    would I be able to watch what occurs on one of the problematic machines from
    a computer that is already up and running? If that's possible could you point
    me to some info on doing that?

    "Pavel A." wrote:

    On Tuesday, September 04, 2007 10:18 AM
    k3v1nr05 wrote:

    I am certain that the Windows Firewall is most responsible for this issue. In
    order to get our 400 laptops to be able to see a domain controller we had to
    turn off the standard profile firewall GPO (which exposes all laptops when
    they are outside of our perimeter....bad news). Then we had to start and log
    into each computer as the local admin and manually connect to the wireless
    signal. Next without we logged off the computer (we did not restart) and were
    able to log on with a domain account. This also pulled down the policy change
    which disabled the firewall. Then and only then were we able to connect to
    the wireless signal after a restart. This did not work until the firewall
    was turned off in Group Policy. Again I must state that this behavior was
    not exhibited last spring so something changed or was forced to change for
    some unknown reason. I still believe that IE7 (urgh!!!) and its so-called
    "improvements" are the reason. If I could have my way I would uninstall this
    monster and put Firefox on every PC on our campus.

    "k3v1nr055" wrote:

    On Tuesday, September 04, 2007 8:46 PM
    Greg Lindsay [MSFT] wrote:

    Hi,

    The fact that this happened on hundreds of laptops at about the same time
    makes me suspect a PKI issue, possibly related to certificate expiration.
    What wireless authentication method are you using?

    --
    Greg Lindsay [MSFT]

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.

    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:2736CCAE-AC4B-40B9-951C-CA8336A8C50A@microsoft.com...

    On Wednesday, September 05, 2007 8:04 AM
    k3v1nr05 wrote:

    Right now the wireless is wide open and has been for some time. Later this
    week we are having a managed Cisco system installed and we will push down
    keys and then turn on one or more security implementations. However, it
    still seems strange that computers that have an existing domain profile for
    the user that is logging on would eventually connect to the network via
    wireless but if the user was logging on for the first time and the GPO that
    disabled the firewall had not replicated to the box then that user could not
    "find a domain controller". What also puzzles me is why this began to occur
    since last June when school ended. We made no changes to our setup. The only
    things that changed were the result of MS updates that we push out via WSUS.
    We don't have time to hunt down every anomaly that occurs and these kinds of
    things seem to occur more and more often. It's very frustrating.
    "Greg Lindsay [MSFT]" wrote:

    On Thursday, September 06, 2007 6:04 PM
    Greg Lindsay [MSFT] wrote:

    I am sorry for all the frustration, it does sound like an extremely bad
    situation. I hope that I can help, either directly or by getting some other
    experts involved.

    I'd just like to double-check that you aren't using 802.1X at all. If you
    view the properties of your wireless network, and check the authentication
    tab, is the "Enable IEEE 802.1x..." check box selected? If so, what is in the
    dropdown next to EAP type?

    I'm still thinking about why the firewall affects this. It might help to set
    the firewall to start as automatic (delayed) or make it dependent on the zero
    wireless configuration service, but that is not getting to the root cause of
    the problem.

    --
    Greg Lindsay [MSFT]

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.

    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:4FC857F0-3CB5-4AFE-82A4-F22F9D4B557A@microsoft.com...

    On Friday, September 07, 2007 10:10 AM
    k3v1nr05 wrote:

    Greg,
    No, that box is NOT selected (since there is no encryption established at
    this time). The bottom line is that the only way any user can attach to the
    wireless network is after they have a profile. So either they must log on via
    the wire (not practical in a school where each user may use a different
    laptop in each class and on each day) or I must log on as local admin,
    establish a connection with wireless manually, log off, log on as a domain
    admin and verify the wireless connectivity. Then I have to test again with a
    student account. Really, this is the only way we are getting by. Having said
    this, we want to find out the root cause since we will acquire new computers
    later and/or re-image existing computers and I don't want to go through this
    again.
    Thanks,

    "Greg Lindsay [MSFT]" wrote:

    On Friday, September 07, 2007 11:29 AM
    Phillip Windell wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:A48D6828-F853-49DB-B9DC-392C0C622F93@microsoft.com...

    I do not think there is a solution. The wireless nic drivers and the
    connection management are not active until you get "logged on to the
    desktop". Therefore you have no connection until you are already logged on,
    therefore there is no way for someone without a previously cached profile to
    log on without first doing it over a wired connection.

    I would love for the nic manufacturers to come up with a way for their
    products to work without the user first logging in (like the wired nics do),
    however keep in mind that a wireless nic can connect to anything that is
    within range while a wired nic will only connect to what it is physically
    connected to,...and I believe that is the crux of the wireless
    problem,...there is no way to control what the wireless nic does until you
    have already logged in.

    IMO wireless in a school or business should never be the primary means of
    connection. The primary means should always be wired. Every desk should
    have a wired jack available. The Wireless will be perfectly fine when they
    move from their normal desk and "roam" about the building or travel,...but
    it should always be the secondary means of connection.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    On Friday, September 07, 2007 4:34 PM
    k3v1nr05 wrote:

    As I stated earlier, this was not a problem when the last school year ended
    in June. It is a new problem that must be solved. Also, it is obvious that
    you do not work in or around schools. That seems to be part of the problem in
    all the posted solutions on Technet. In a typical business setting one does
    not find the same scenario and the problem does not impact the use as much.
    This would not be a big deal if each user used only one computer all day,
    every day. In a school it is not practical to connect via wire. We have 1300
    students who share about 650 computers. About 500 of these are laptops which
    are assigned to approximately 25 carts and the rest are desktops in labs. In
    order for this to be practical in an educational environment wireless is the
    only option. We cannot mount a 24 port switch and run 24 CAT 5 cables to each
    desk. In many schools each student gets his or her own dedicated laptop and
    there are even fewer desktops. You see, it is possible for a high school
    student to use a math laptop, a science laptop, a language arts laptop, and a
    foreign language laptop in consecutive classes since that is the way we have
    assigned and configured those laptop carts. In the 5th -8th grades carts are
    assigned to the grade so that each subject area shares the same cart. In this
    situation each period of the day could have a different combination of
    students so again it's a problem that is not easily overcome.
    Really though, I would just like to know what happened that has made the
    relationship of wireless NIC, to laptop, to Domain Controller change when the
    only differences on our network are that we moved to IE7 and allowed WSUS to
    push down several hundred updates over the past three months. (Of course WSUS
    was in place a long time before this issue arose.) I really don't believe
    that we can blame NIC manufacturers when the same equipment worked perfectly
    on the first logon last spring. That's my opinion.

    "Phillip Windell" wrote:

    On Friday, September 07, 2007 5:35 PM
    Phillip Windell wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:9CFA765F-C788-47A1-9113-54A22B0C20E8@microsoft.com...


    No,...I work in a much much more complex, stressful, and more technical
    environment,...while supporting the schools with my tax dollars whether I
    want to or not, while listening to them complain about not having enough
    money as they spend millions on building projects.


    ....and it is free. You want something for nothing,..you got something for
    nothing. More than that it was on "my dime", on my time, at work, while
    taking care of the much much more complex, stressful, and more technical
    environment at the same time.

    Call MS Support Services for help. Pay the $245 like the rest of us.
    Here's the number,...it is even toll free.
    1-800-936-4900

    --
    Phillip Windell
    www.wandtv.com

    On Monday, September 10, 2007 8:40 AM
    k3v1nr05 wrote:

    Lighten up. I thought the reason that these news groups were created for the
    purpose of giving support. If you don't want to help maybe don't spend your
    precious time replying. You did not offer anything that was helpful. You
    simply posted your opinion. We pay Microsoft a lot of money to use their
    products and I think that it's not too much to ask that they don't make
    changes to the way things work without telling us how it's going to affect
    our world. Why should I have to pay for support for something that I already
    paid for. It's a joke. Anyway, there have been instances when we went the pay
    for help route and I found that the people we paid (at MS and elsewhere) were
    seldom of any help. If spending $245 to get support for something that we
    already pay for would solve this problem I am sure my boss would spend it. He
    has been ripped off too many times. I work in a private school and we don't
    have the luxury of getting your tax dollars. We also are not able to charge
    exorbitant prices for commercial time and we cannot pass extra expenses on to
    the client as you can in the broadcast industry. For the record, I pay taxes
    and I pay tuition for my kids. I also pay extra for everything I buy because
    the cost of advertising on your TV station is added to everything I need. So
    get over it. I can appreciate that your environment is more technical. It
    should be, it's a TV station. However, all of us know about the stress that
    occurs when systems fail, and I can tell you that when 1000 users go to log
    into laptops and those laptops cannot find a domain controller, my overworked
    and understaffed co-workers and myself feel as much stress and frustration as
    anyone else in this industry. Still, no one, including yourself, has been
    able to tell me why this problem has happened when it did not happen a few
    months ago. You are right about something however: I paid you nothing and
    you were of no help.

    "Phillip Windell" wrote:

    On Monday, September 10, 2007 12:15 PM
    Phillip Windell wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:18230540-71C6-4538-84F6-45FC0009345B@microsoft.com...

    Sorry, I shouldn't have got so excited. But the "...it is obvious that you
    do not work in or around schools..." didn't sit well with me.

    If you have Intel Wireless Nics in the laptops, I saw this morning when
    loading up one of our Dells they have a component for the Driver that they
    referred to as "Pre Logon Connection (PLC)". I tried to add it with my
    driver on one this morning and it said that the component wasn't found,..so
    I guess my variation of the driver didn't come with it. But maybe it is
    something that can be downloaded from Intel. I know it is not a direct and
    specific solution to your problem, but it may be worth looking into. Since
    it doesn't seem anyone else has given a specific solution I don't feel I
    have failed any worse than the rest,...and you still haven't had to pay me
    anything.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    On Monday, September 10, 2007 1:20 PM
    k3v1nr05 wrote:

    I have tested my theory on more than 50 laptops this morning and in every
    case where the Windows Firewall is on a new user cannot connect to the DC to
    authenticate. In cases where the GPO that turns off the firewall (logon via
    ethernet or from a previously loaded profile) has been applied a new user CAN
    connect to the domain controller. By the end of the day we will have touched
    each and every laptop in order to get the firewall turned off. What we need
    to know going forward is why this just began to occur and how to prevent it
    next year or whenever we reload a laptop.
    Thanks,

    "k3v1nr055" wrote:

    On Monday, September 10, 2007 1:26 PM
    k3v1nr05 wrote:

    I have verified that the only time there is a problem is when the firewall is
    on at startup. In each case where we have done the work to get the new GPO
    applied (no firewall) new users can contact the DC and the wireless
    connection works fine. It's definitely an issue with the firewall that did
    not occur until recently. We need to know how to avoid this problem in the
    future and what changed to make this behavior occur just recently.
    "k3v1nr055" wrote:

    On Monday, September 10, 2007 4:19 PM
    Phillip Windell wrote:

    The GPO for the Windows Firewall is unique,...it has double settings and is
    seen in two sections and it is the only one I know of that is like this (not
    saying there aren't some I don't know about):

    1. Standard
    2. Domain

    If the DC is "seen" at startup it uses the Domain Policy.
    If the DC is not "seen" at startup it uses the Standard Policy

    The common use of that is to configure Laptops so that when they are on the
    LAN and on the Domain the Firewall is off so that it doesn't get in the way
    of normal LAN activity (like what is happening to you),...but when they are
    started up off of the LAN away from the Domain the Firewall comes on to
    protect the machine while it is "travelling".

    This all works perfectly over wired connections,...but with wireless
    connections the connection is not activated until the User is fully logged
    in (via cached profile) and at the point the Laptop has already "chosen" the
    Standard GPO setting because the DC was not already "seen" by that point
    (its using the cached profile instead). So the Firewall is on.

    The same situation can be created with VPN Clients using Desktop machines on
    Wired connections if the User doesn't remember to check the box that says
    "log on using dialup connections" at the Ctrl-Alt-Del Prompt.

    If you go to the Firewall Settings Dialog and look under the General Tab and
    look all the way down at the bottom it will tell if it is using the Domain
    Settings or the non-Domain Settings.

    I had so much grief over this that I stopped using this technique
    altogether. I keep the Firewall turned off in both the Standard and the
    Domain section now.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:C24F39CC-9365-4BEC-B33A-2B54ADA9AD2F@microsoft.com...

    On Monday, September 10, 2007 4:36 PM
    k3v1nr05 wrote:

    Well, now our firewall settings are off for standard and for domain also.
    That is the only combination that works. What I had to do was get those
    settings to each laptop. Eventually, I might set up OUs for laptops that
    leave campus (faculty) and those that do not (student) then I could apply the
    standard profile to add a little protection while those users are out of our
    perimeter. Still, that's extra work and I still don't know why this just
    started happening when it did not occur last June.

    "k3v1nr055" wrote:

    On Monday, September 10, 2007 4:48 PM
    k3v1nr05 wrote:

    That's OK. I did want to point out that schools such as ours work under a
    completely different paradigm than businesses do. That greatly adds to our
    work load and our STRESS. For instance, in the name of academic enrichment
    and freedom, we have to create different images for each grade, department,
    subject area, etc. We have more than 40 different images to maintain. This
    current problem means that all the base images will possibly need to be
    re-created because the originals have the old, firewall on, GPO. I will have
    to test to know for sure. Users also get away with more misuse than they
    would in a business. We work in a very "forgiving" environment, and that's
    good, but things that would get you fired in a bank, or similar corporation
    are not considered a big deal here (up to a certain point) and THAT means we
    have a lot of crap troubleshooting to deal with. I don't agree with this
    necessarily but I have to live with it. If it were up to me I would have
    planned for a whole lot of wired desktops in monitored labs instead of
    laptops on carts. However, the board of trustees felt differently and we have
    about 24 laptop carts and all the obvious issues that come with them. And so
    we cannot hook everyone up via ethernet and I am sneakernetting to each and
    every laptop in my building. It's killing my other projects.
    Later,

    "Phillip Windell" wrote:

    On Monday, September 10, 2007 5:23 PM
    Phillip Windell wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:5AFCB0AA-3768-40BB-8353-122D6F405C08@microsoft.com...

    I'll try to find out more about the "Pre Logon Connection" thing that I saw
    for the Intel Nic drivers on the Laptop I was working with this morning. If
    it is something that can be downloaded and if other brands have something
    similar then it may help with the "real" profile -vs- the cached profile
    situation. But at the moment I don't know much about it, this was the first
    time I have seen the name.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    On Tuesday, September 11, 2007 9:08 AM
    k3v1nr05 wrote:

    Could there be a Group Policy setting to allow the firewall to ignore the
    preferred wireless network? I haven't found anything like that, but if
    something of the sort or perhaps a range of ports, that we could configure
    that allow that initial contact between laptop and domain controller to
    succeed, could be determined then we might be able to avoid this issue down
    the road. For now I have worked around the problem by forcing gpupdate to
    run after logging in to my pre-cached account on each laptop.

    "k3v1nr055" wrote:

    On Tuesday, September 11, 2007 10:43 AM
    Phillip Windell wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    news:7276BFD4-1C38-4C44-9D8B-3E895CC715C4@microsoft.com...

    That's not a bad idea. You can do that with a batch file that has a shortcut
    to the batch file in the "Startup" node of the Start Menu in the "All Users"
    Profile. Then it will run for everyone after they have logged in.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    On Tuesday, September 11, 2007 10:49 AM
    Phillip Windell wrote:

    Re: Laptops and Tablets Cannot Logon to Domain
    Here's an interesting link.

    http://forums.techguy.org/networking...pre-logon.html

    Maybe just letting the Windows Zero Configuration Tool is all that is
    needed.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    On Wednesday, October 03, 2007 1:13 PM
    Le wrote:

    It is indeed the fact that the wireless does not connect until you have a
    desktop. I have this same problem.

    Some of the wireless NICs have a check box that says something like Log
    into Wireless network before domain login. I have seen this on Dells, with I
    think the Intel or Broadcom Wireless NIC.

    This WILL fix the problem, it worked for me. Although I only had 10
    computers, all Dell and I got lucky they all had a NIC with this option.

    If the laptop does not, look for a PCMCIA card that you can add in that
    will have it and install those in all your laptops. Sorry, can't see another
    option for you, it's a Windows/NIC flaw or feature, not sure really.
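
The post-logon gpupdate workaround discussed in the thread, combined with a check of which firewall profile (Domain or Standard) the laptop ended up on. This is an added example, not code posted by any participant. It assumes the Windows XP SP2-era `netsh firewall show state` output, whose `Profile` line reads `Domain` or `Standard`; the log file name and location are hypothetical.

```bat
@echo off
rem Added example (not from the thread): run from a shortcut in the
rem All Users Startup folder, so it executes after the wireless link is up.
rem Assumes XP SP2-era tools: "netsh firewall" and "gpupdate".
setlocal

rem Hypothetical log location; a per-user temp folder is always writable.
set "LOG=%TEMP%\fw-profile-check.log"

rem Record which profile the firewall selected at startup.
call :GetProfile BEFORE
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% profile before refresh: %BEFORE%

rem Refresh computer policy now that a domain controller may be reachable.
>>"%LOG%" 2>&1 gpupdate /target:computer /force

rem Record the profile again so the two states can be compared later.
call :GetProfile AFTER
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% profile after refresh: %AFTER%

if /i "%AFTER%"=="Standard" (
    >>"%LOG%" echo %DATE% %TIME% WARNING: still on Standard profile after refresh
    endlocal & exit /b 1
)
endlocal & exit /b 0

:GetProfile
rem Parse the "Profile = Domain|Standard" line of "netsh firewall show state".
rem %1 is the name of the variable that receives the result.
set "%1=Unknown"
for /f "tokens=2 delims==" %%P in ('netsh firewall show state ^| findstr /b /i /c:"Profile"') do set "%1=%%P"
rem Strip the padding spaces netsh prints around the value.
call set "%1=%%%1: =%%"
goto :eof
```

Collecting these logs shows which laptops stay on the Standard profile after logon, which is the condition the thread ties to the failed domain logons.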

    "k3v1nr055" wrote:


  2. #2
    Lanwench [MVP - Exchange]
    Guest

    Re: Did this get resolved?

    Chad Ingram wrote:
    > So did this ever get resolved? We have the same issue in a mobile lab.


    If you're reading this in Egghead Cafe or any of the numerous other web
    mirrors of these newsgroups, note that you aren't looking at the current
    data on the MS news servers.

    The interface you're using doesn't quote properly, and you're replying to a
    post which is no longer on the news server, so it's unlikely that anyone
    will know what you're talking about.

    Try using a news client, such as Forte Agent, Thunderbird, or even Outlook
    Express, instead. It's a lot easier to do nearly everything that way. You
    can mark messages to be watched, filter the views so you can see replies to
    your posts easily, and search.

    The Microsoft public news server is msnews.microsoft.com and you can
    subscribe to as many groups as you like; no authentication is required.

    The following is from a post by MVP Malke ...

    -------------------------------------------------------
    Here's information on Usenet and using a newsreader:

    http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
    explanation of newsgroups
    http://michaelstevenstech.com/outlo...ssnewreader.htm
    http://rickrogers.org/setupoe.htm
    http://support.microsoft.com/defaul...wto/default.asp
    - Set Up Newsreader

    http://www.dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html
    http://aumha.org/nntp.htm - list of MS newsgroups
    microsoft.public.test.here - MS group to test if your newsreader is
    working properly
    http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
    http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
    crossposting

    Some newsreaders for Windows
    http://www.forteinc.com/agent/index.php - for Forte
    http://www.mozilla.org (Thunderbird does newsgroups)
    http://gravity.tbates.org/

    -------------------------------------


    >
    >
    >
    > Le wrote:
    >
    > It is indeed the fact that the wireless does not connect until you
    > have a desktop. I have this same problem.
    >
    > Some of the wireless NICs have a check box that says something like
    > Log into Wireless network before domain login. I have seen this on
    > Dells, with I think the Intel or Broadcom Wireless NIC.
    >
    > This WILL fix the problem, it worked for me. Although I only had 10
    > computers, all Dell and I got lucky they all had a NIC with this
    > option.
    >
    > If the laptop does not, look for a PCMCIA card that you can add
    > in that will have it and install those in all your laptops. Sorry,
    > can't see another option for you, it's a Windows/NIC flaw or feature,
    > not sure really.
    >
    > "k3v1nr055" wrote:
    >
    > Previous Posts In This Thread:
    >
    > On Thursday, August 30, 2007 10:10 AM
    > k3v1nr05 wrote:
    >
    > Laptops and Tablets Cannot Logon to Domain
    > We are suddenly not able to logon to our domain(s) via wireless. This
    > was not a problem until recently. This is a school where 1000
    > students share use of about 500 laptops and tablet PCs so it is most
    > common for a particular user
    > to grab a different laptops from different carts in a given day and
    > use several different laptops from the same cart throughout a school
    > year. I
    > point this out so that you know that the common answer to our
    > problem, which is to logon via the ethernet line and cache the
    > profile before trying to connect via wireless is not acceptable nor
    > practical. Additionally, we had
    > no problem with this last school year. Now, three months later we are
    > basically "dead in the water" with regard to technology for students
    > and wireless access for staff. The actual message that we get is:"
    > The system cannot log you on because the domain OURDOMAIN is not
    > available." The same user account will quickly authenticate via
    > ethernet.
    >
    > More info: This is occurring with both a new Cisco server-managed
    > wireless network in one building and the old store bought access
    > points in our other buildings. This is also occurring with newly
    > re-imaged laptops that were used successfully last year, with newly
    > re-imaged laptops that were purchased this summer and never used by
    > anyone (except the tech who loaded the computer) and new out of box
    > laptops that have not been customized for our environment. I point
    > this out because we were concerned that something in the imaging
    > process (RIS and WDS) might have caused this issue but since brand
    > new Dell and Gateway computers also exhibit the behavior it does not
    > appear that the imaging process caused this issue and therefore my job
    > is safe since I am in charge of images.
    >
    > I should also point out that the only major change to our computers
    > was the "upgrade" to IE7 (ouch...actually a downgrade if you ask me)
    > and we also were hammered with between 150 and 200 windows updates
    > over the summer. I suspect that one or both of these events is at
    > least partially related to our
    > problem.
    >
    > We really need help here. Any advice?
    >
    > On Thursday, August 30, 2007 10:39 PM
    > Robert L [MVP - Networking] wrote:
    >
    > If all wireless computers have this issue, I don't think it is IE 7
    > issue. Do they receive IP addresses from DHCP? If you use WPA
    > Enterprise, also check the IAS server. Or this link may help.
    >
    > Cisco: Wireless client can't ...Situation: The client tries to setup
    > Cisco wireless 1310 bridge. The client can receive the signal but
    > can't logon the domain. Ipconfig shows the client ...
    > http://www.chicagotech.net/netforums...42117ac381f01a447d707b0e6327bf
    >
    > Bob Lin, MS-MVP, MCSE & CNE
    > Networking, Internet, Routing, VPN Troubleshooting on
    > http://www.ChicagoTech.net
    > How to Setup Windows, Network, VPN & Remote Access on
    > http://www.HowToNetworking.com
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
    >
    > On Friday, August 31, 2007 8:16 AM
    > k3v1nr05 wrote:
    >
    > Robert,
    >
    > It appears that the Windows Firewall is part of the problem. In the
    > past
    > this did not seem to affect the initial logon. Now it appears that
    > the wireless signal is being processed after the cached credentials.
    > It also appears that the GPO that enables the Windows Firewall is a
    > factor. We had a domain GPO that disables the firewall when a
    > computer is logged into our domain and when it powers up off the
    > domain the firewall enables (domain profile and standard profile). We
    > think that the firewall is preventing the initial connection with
    > wireless and without a cached profile from a domain user the laptop
    > will not come to the place where Windows boots up. Consequently, the
    > users cannot ever get on. Remember that these are newly imaged
    > computers that were created and joined to the domain by WDS and they
    > have the old policy.
    > We found a very time consuming work around. First we disabled the
    > standard profile which turns off the firewall for computers that are
    > not on the
    > domain. Of course, this now means that laptops which go home have no
    > firewall turned on when they are away. This is not an acceptable
    > situation either.
    > Then we have to log into each and every laptop as the local admin.
    > Then we must manually connect to the wireless network. Next, we have
    > to log out (not restart because a restart and at this time we are
    > able to log into the domain and the user is able to authenticate
    > successfully. Additionally, the new unprotected gpo is pulled to the
    > machine and therefore firewall is off no matter what. After we do
    > this any user is able to connect to the domain and authenticate. We
    > tried every conceivable combination of login, reboot, etc. and
    > nothing worked consistently until the firewall was disabled for all
    > scenarios. Now we have 450 laptops that we must sneaker net to, set
    > up,
    > boot, log in as Admin, log off, log in as user, restart, and test as
    > different new user. This really sucks!!! If you can tell me how to
    > enable the firewall and open it enough to allow the Zero Wireless
    > Configuration service to start before authentication I would greatly
    > appreciate it. I am really tired of systems breaking because MS sends
    > patches and "upgrades" that wreak more havoc on our world. In this
    > case, something had to happen because this problem did not occur in
    > June and the only difference is that we updated all the laptops to
    > IE7 and applied all the approved updates that WSUS received.
    >
    > "Robert L [MVP - Networking]" wrote:
    >
    > On Friday, August 31, 2007 8:44 AM
    > k3v1nr05 wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > A few more points: This is clearly not a Cisco issue. We have been
    > in touch with Cisco (who has checked all the wireless infrastructure)
    > and we all agree that this is a Microsoft issue. This occurs with any
    > access point that we
    > test on. Also, the clients cannot get an IP address because all the
    > adapters are disconnected since the wireless service does not connect
    > to any network APs. The only way that works is to get on the domain
    > by the lengthy process I described previously so that the computers
    > can pull down the new policy with the firewall off. After this the
    > wireless connectivity works properly and subsequent users can
    > authenticate. If we knew that the Windows Firewall was such an issue
    > we might have purchased a better solution for when users take laptops
    > off campus (hence the term "mobile" computing). The cost would have
    > been small compared to the loss of service and the time it will take
    > to get our students up and running. We are like a lot of networks, I
    > suspect, in that we have way too much to do even when things work
    > correctly, and when issues like this occur, and this is more and more
    > often, it really puts a hurt on us.
    >
    > "k3v1nr055" wrote:
    >
    > On Friday, August 31, 2007 8:54 AM
    > pavel_ wrote:
    >
    > If you could watch the logon process with a wireless sniffer,
    > it would be clear right away, which packets go to air when, and
    > whether the firewall blocks something.
    >
    > --PA
    >
    >
    > "k3v1nr055" wrote:
    >
    > On Friday, August 31, 2007 11:42 AM
    > k3v1nr05 wrote:
    >
    > I have not used a wireless sniffer but if I used something like
    > airsnort would I be able to watch what occurs on one of the
    > problematic machines from a computer that is already up and running?
    > If that's possible could you point me to some info on doing that?
    >
    > "Pavel A." wrote:
    >
    > On Tuesday, September 04, 2007 10:18 AM
    > k3v1nr05 wrote:
    >
    > I am certain that the Windows Firewall is most responsible for this
    > issue. In order to get our 400 laptops to be able to see a domain
    > controller we had to turn off the standard profile firewall GPO
    > (which exposes all laptops when they are outside of our
    > perimeter....bad news). Then we had to start and log into each
    > computer as the local admin and manually connect to the wireless
    > signal. Next without we logged off the computer (we did not restart)
    > and were able to log on with a domain account. This also pulled down
    > the policy change which disabled the firewall. Then and only then
    > were we able to connect to
    > the wireless signal after a restart. This did not work until the
    > firewall was turned off in Group Policy. Again I must state that
    > this behavior was
    > not exhibited last spring so something changed or was forced to change
    > for some unknown reason. I still believe that IE7 (urgh!!!) and its so
    > called "improvements" are the reason. If I could have my way I would
    > uninstall this monster and put Firefox on every PC on our campus.
    >
    > "k3v1nr055" wrote:
    >
    > On Tuesday, September 04, 2007 8:46 PM
    > Greg Lindsay [MSFT] wrote:
    >
    > Hi,
    >
    > The fact that this happened on hundreds of laptops at about the same
    > time makes me suspect a PKI issue, possibly related to certificate
    > expiration.
    > What wireless authentication method are you using?
    >
    > --
    > Greg Lindsay [MSFT]
    >
    > Disclaimer: This posting is provided "AS IS" with no warranties, and
    > confers no rights.
    >
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:2736CCAE-AC4B-40B9-951C-CA8336A8C50A@microsoft.com...
    >
    > On Wednesday, September 05, 2007 8:04 AM
    > k3v1nr05 wrote:
    >
    > Right now the wireless is wide open and has been for some time.
    > Later this week we are having a managed Cisco system installed and we
    > will push down
    > keys and then turn on one or more security implementations. However,
    > it
    > still seems strange that computers that have an existing domain
    > profile for the user that is logging on would eventually connect to
    > the network via wireless but if the user was logging on for the first
    > time and the GPO that disabled the firewall had not replicated to the
    > box then that user could not "find a domain controller". What also
    > puzzles me is why this began to occur since last June when school
    > ended. We made no changes to our setup. The only things that changed
    > were the result of MS updates that we push out via WSUS. We don't
    > have time to hunt down every anomaly that occurs and these kinds of
    > things seem to occur more and more often. It's very frustrating.
    > "Greg Lindsay [MSFT]" wrote:
    >
    > On Thursday, September 06, 2007 6:04 PM
    > Greg Lindsay [MSFT] wrote:
    >
    > I am sorry for all the frustration, it does sound like an extremely
    > bad situation. I hope that I can help, either directly or by getting
    > some other experts involved.
    >
    > I'd just like to double-check that you aren't using 802.1X at all. If
    > you
    > view the properties of your wireless network, and check the
    > authentication tab, is the "Enable IEEE 802.1x..." check box selected?
    > If so, what is in the dropdown next to EAP type?
    >
    > I'm still thinking about why the firewall affects this. It might help
    > to set the firewall to start as automatic(delayed) or make it
    > dependent on the zero wireless configuration service, but that is not
    > getting to the root cause of the problem.
    >
    > --
    > Greg Lindsay [MSFT]
    >
    > Disclaimer: This posting is provided "AS IS" with no warranties, and
    > confers no rights.
    >
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:4FC857F0-3CB5-4AFE-82A4-F22F9D4B557A@microsoft.com...
    >
    > On Friday, September 07, 2007 10:10 AM
    > k3v1nr05 wrote:
    >
    > Greg,
    > No, that box is NOT selected (since there is no encryption
    > established at this time). The bottom line is that the only way any
    > user can attach to the wireless network is after they have a profile.
    > So either they must log on via the wire (not practical in a school
    > where each user may use a different laptop in each class and on each
    > day) or I must log on as local admin,
    > establish a connection with wireless manually, log off, log on as a
    > domain admin and verify the wireless connectivity. Then I have to
    > test again with a student account. Really, this is the only way we
    > are getting by. Having said this, we want to find out the root cause
    > since we will acquire new computers later and/or re-image existing
    > computers and I don't want to go through this again.
    > Thanks,
    >
    > "Greg Lindsay [MSFT]" wrote:
    >
    > On Friday, September 07, 2007 11:29 AM
    > Phillip Windell wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:A48D6828-F853-49DB-B9DC-392C0C622F93@microsoft.com...
    >
    > I do not think there is a solution. The wireless nic drivers and the
    > connection management are not active until you get "logged on to the
    > desktop". Therefore you have no connection until you are already
    > logged on, therefore there is no way for someone without a previously
    > cached profile to log on without first doing it over a wired
    > connection.
    >
    > I would love for the nic manufacturers to come up with a way for their
    > products to work without the user first logging in (like the wired
    > nics do), however keep in mind that a wireless nic can connect to
    > anything that is within range while a wired nic will only connect to
    > what it is physically connected to,...and I believe that is the crux
    > of the wireless problem,...there is no way to control what the
    > wireless nic does until you have already logged in.
    >
    > IMO wireless in a school or business should never be the primary
    > means of connection. The primary means should always be wired. Every
    > desk should have a wired jack available. The Wireless will be
    > perfectly fine when they move from their normal desk and "roam" about
    > the building or travel,...but it should always be the secondary means
    > of connection.
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    > The views expressed, are my own and not those of my employer, or
    > Microsoft,
    > or anyone else associated with me, including my cats.
    > -----------------------------------------------------
    >
    > On Friday, September 07, 2007 4:34 PM
    > k3v1nr05 wrote:
    >
    > As I stated earlier, this was not a problem when the last school year
    > ended in June. It is a new problem that must be solved. Also, it is
    > obvious that you do not work in or around schools. That seems to be
    > part of the
    > problem in all the posted solutions on Technet. In a typical business
    > setting one does not find the same scenario and the problem does not
    > impact the use as much. This would not be a big deal if each user
    > used only one computer all day, every day. In a school it is not
    > practical to connect via wire. We have 1300 students who share about
    > 650 computers. About 500 of these are laptops which are assigned to
    > approximately 25 carts and the rest are desktops in labs. In order
    > for this to be practical in an educational environment wireless is
    > the only option. We cannot mount a 24 port switch and run 24 CAT 5
    > cables to each desk. In many schools each student gets his or her own
    > dedicated laptop and there are even fewer desktops. You see, it is
    > possible for a high school student to use a math laptop, a science
    > laptop, a language arts laptop, and a foreign language laptop in
    > consecutive classes since that is the way we have assigned and
    > configured those laptop carts. In the 5th-8th grades carts are
    > assigned to the grade so that each subject area shares the same cart.
    > In this situation each period of the day could have a different
    > combination of students so again it's a problem that is not easily
    > overcome.
    > Really though, I would just like to know what happened that has made
    > the relationship of wireless NIC, to laptop, to Domain Controller
    > change when the only differences on our network are that we moved to
    > IE7 and allowed WSUS to push down several hundred updates over the
    > past three months. (Of course WSUS was in place a long time before
    > this issue arose.) I really don't believe that we can blame NIC
    > manufacturers when the same equipment worked perfectly on the first
    > logon last spring. That's my opinion.
    >
    > "Phillip Windell" wrote:
    >
    > On Friday, September 07, 2007 5:35 PM
    > Phillip Windell wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:9CFA765F-C788-47A1-9113-54A22B0C20E8@microsoft.com...
    >
    >
    > No,...I work in a much much more complex, stressful, and more
    > technical environment,...while supporting the schools with my tax
    > dollars whether I want to or not, while listening to them complain
    > about not having enough money as they spend millions on building
    > projects.
    >
    >
    > ...and it is free. You want something for nothing,..you got something
    > for nothing. More than that it was on "my dime", on my time, at
    > work, while taking care of the much much more complex, stressful,
    > and more technical environment at the same time.
    >
    > Call MS Support Services for help. Pay the $245 like the rest of us.
    > Here's the number,...it is even toll free.
    > 1-800-936-4900
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    > On Monday, September 10, 2007 8:40 AM
    > k3v1nr05 wrote:
    >
    > Lighten up. I thought the reason that these news groups were created
    > for the purpose of giving support. If you don't want to help maybe
    > don't spend your precious time replying. You did not offer anything
    > that was helpful. You simply posted your opinion. We pay Microsoft a
    > lot of money to use their products and I think that it's not too much
    > to ask that they don't make changes to the way things work without
    > telling us how it's going to affect
    > our world. Why should I have to pay for support for something that I
    > already paid for. It's a joke. Anyway, there have been instances when
    > we went the pay for help route and I found that the people we paid
    > (at MS and elsewhere) were seldom of any help. If spending $245 to
    > get support for something that we already pay for would solve this
    > problem I am sure my boss would spend it. He has been ripped off too
    > many times. I work in a private school and we don't have the luxury
    > of getting your tax dollars. We also are not able to charge
    > exorbitant prices for commercial time and we cannot pass extra
    > expenses on to the client as you can in the broadcast industry. For
    > the record, I pay taxes and I pay tuition for my kids. I also pay
    > extra for everything I buy because the cost of advertising on your TV
    > station is added to everything I need. So get over it. I can
    > appreciate that your environment is more technical. It should be,
    > it's a TV station. However, all of us know about the stress that
    > occurs when systems fail, and I can tell you that when 1000 users go
    > to log into laptops and those laptops cannot find a domain
    > controller, my overworked and understaffed co-workers and myself feel
    > as much stress and frustration as anyone else in this industry.
    > Still, no one, including yourself, has been able to tell me why this
    > problem has happened when it did not happen a few months ago. You
    > are right about something however: I paid you nothing and you were
    > of no help.
    >
    > "Phillip Windell" wrote:
    >
    > On Monday, September 10, 2007 12:15 PM
    > Phillip Windell wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:18230540-71C6-4538-84F6-45FC0009345B@microsoft.com...
    >
    > Sorry, I shouldn't have got so excited. But the "...it is obvious
    > that you do not work in or around schools..." didn't sit well with me.
    >
    > If you have Intel Wireless Nics in the laptops, I saw this morning
    > when loading up one of our Dells they have a component for the Driver
    > that they referred to as "Pre Logon Connection (PLC)". I tried to add
    > it with my driver on one this morning and it said that the component
    > wasn't found,..so I guess my variation of the driver didn't come with
    > it. But maybe it is something that can be downloaded from Intel. I
    > know it is not a direct and specific solution to your problem, but it
    > may be worth looking into. Since it doesn't seem anyone else has
    > given a specific solution I don't feel I have failed any worse than
    > the rest,...and you still haven't had to pay me anything.
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    > The views expressed, are my own and not those of my employer, or
    > Microsoft,
    > or anyone else associated with me, including my cats.
    > -----------------------------------------------------
    >
    > On Monday, September 10, 2007 1:20 PM
    > k3v1nr05 wrote:
    >
    > I have tested my theory on more than 50 laptops this morning and in
    > every case where the Windows Firewall is on a new user cannot connect
    > to the DC to authenticate. In cases where the GPO that turns off the
    > firewall (logon via ethernet or from a previously loaded profile) has
    > been applied a new user CAN connect to the domain controller. By the
    > end of the day we will have touched each and every laptop in order to
    > get the firewall turned off. What we need to know going forward is
    > why this just began to occur and how to prevent it next year or
    > whenever we reload a laptop.
    > Thanks,
    >
    > "k3v1nr055" wrote:
    >
    > On Monday, September 10, 2007 1:26 PM
    > k3v1nr05 wrote:
    >
    > I have verified that the only time there is a problem is when the
    > firewall is on at startup. In each case where we have done the work
    > to get the new GPO applied (no firewall) new users can contact the DC
    > and the wireless connection works fine. It's definitely an issue with
    > the firewall that did not occur until recently. We need to know how
    > to avoid this problem in the future and what changed to make this
    > behavior occur just recently.
    >
    > "k3v1nr055" wrote:
    >
    > On Monday, September 10, 2007 4:19 PM
    > Phillip Windell wrote:
    >
    > The GPO for the Windows Firewall is unique,...it has double settings
    > and is seen in two sections and it is the only one I know of that is
    > like this (not saying there isn't some I don't know about):
    >
    > 1. Standard
    > 2. Domain
    >
    > If the DC is "seen" at startup it uses the Domain Policy.
    > If the DC is not "seen" at startup it uses the Standard Policy
    >
    > The common use of that is to configure Laptops so that when they are
    > on the LAN and on the Domain the Firewall is off so that it doesn't
    > get in the way of normal LAN activity (like what is happening to
    > you),...but when they are started up off of the LAN away from the
    > Domain the Firewall comes on to protect the machine while it is
    > "travelling".
    >
    > This all works perfectly over wired connections,...but with wireless
    > connections the connection is not activated until the User is fully
    > logged in (via cached profile) and at the point the Laptop has already
    > "chosen" the Standard GPO setting because the DC was not already
    > "seen" by that point (it's using the cached profile instead). So the
    > Firewall is on.
    >
    > The same situation can be created with VPN Clients using Desktop
    > machines on Wired connections if the User doesn't remember to check
    > the box that says "log on using dialup connections" at the
    > Ctrl-Alt-Del Prompt.
    >
    > If you go to the Firewall Settings Dialog and look under the General
    > Tab and look all the way down at the bottom it will tell if it is
    > using the Domain Settings or the non-Domain Settings.
    >
    > I had so much grief over this that I stopped using this technique
    > altogether. I keep the Firewall turned off in both the Standard
    > and the Domain section now.
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    > The views expressed, are my own and not those of my employer, or
    > Microsoft,
    > or anyone else associated with me, including my cats.
    > -----------------------------------------------------
    >
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:C24F39CC-9365-4BEC-B33A-2B54ADA9AD2F@microsoft.com...
    >
    > On Monday, September 10, 2007 4:36 PM
    > k3v1nr05 wrote:
    >
    > Well, now our firewall settings are off for standard and for domain
    > also. That is the only combination that works. What I had to do was
    > get those settings to each laptop. Eventually, I might set up OUs for
    > laptops that leave campus (faculty) and those that do not (student)
    > then I could apply the standard profile to add a little protection
    > while those users are out of our perimeter. Still, that's extra work
    > and I still don't know why this just started happening when it did
    > not occur last June.
    >
    > "k3v1nr055" wrote:
    >
    > On Monday, September 10, 2007 4:48 PM
    > k3v1nr05 wrote:
    >
    > That's OK. I did want to point out that schools such as ours work
    > under a completely different paradigm than businesses do. That
    > greatly adds to our work load and our STRESS. For instance, in the
    > name of academic enrichment
    > and freedom, we have to create different images for each grade,
    > department, subject area, etc. We have more than 40 different images
    > to maintain. This current problem means that all the base images will
    > possibly need to be re-created because the originals have the old,
    > firewall on, GPO. I will have to test to know for sure. Users also
    > get away with more misuse than they would in a business. We work in
    > a very "forgiving" environment, and that's good, but things that
    > would get you fired in a bank, or similar corporation are not
    > considered a big deal here (up to a certain point) and THAT means we
    > have a lot of crap troubleshooting to deal with. I don't agree with
    > this necessarily but I have to live with it. If it were up to me I
    > would have planned for a whole lot of wired desktops in monitored
    > labs instead of
    > laptops on carts. However, the board of trustees felt differently and
    > we have about 24 laptop carts and all the obvious issues that come
    > with them. And so we cannot hook everyone up via ethernet and I am
    > sneakernetting to each and every laptop in my building. It's killing
    > my other projects.
    > Later,
    >
    > "Phillip Windell" wrote:
    >
    > On Monday, September 10, 2007 5:23 PM
    > Phillip Windell wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:5AFCB0AA-3768-40BB-8353-122D6F405C08@microsoft.com...
    >
    > I'll try to find out more about the "Pre Logon Connection" thing that
    > I saw for the Intel Nic drivers on the Laptop I was working with this
    > morning. If it is something that can be downloaded and if other
    > brands have something similar then it may help with the "real"
    > profile -vs- the cached profile situation. But at the moment I don't
    > know much about it, this was the first time I have seen the name.
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    > The views expressed, are my own and not those of my employer, or
    > Microsoft,
    > or anyone else associated with me, including my cats.
    > -----------------------------------------------------
    >
    > On Tuesday, September 11, 2007 9:08 AM
    > k3v1nr05 wrote:
    >
    > Could there be a Group Policy setting to allow the firewall to
    > ignore the preferred wireless network? I haven't found anything like
    > that, but if something of the sort or perhaps a range of ports, that
    > we could configure that allow that initial contact between laptop and
    > domain controller to succeed, could be determined then we might be
    > able to avoid this issue down the road. For now I have worked around
    > the problem by forcing gpupdate to run after logging in to my
    > pre-cached account on each laptop.
    >
    > "k3v1nr055" wrote:
    >
    > On Tuesday, September 11, 2007 10:43 AM
    > Phillip Windell wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > "k3v1nr055" <k3v1nr055@discussions.microsoft.com> wrote in message
    > news:7276BFD4-1C38-4C44-9D8B-3E895CC715C4@microsoft.com...
    >
    > That's not a bad idea. You can do that with a batch file that has a
    > shortcut to the batch file in the "Startup" node of the Start Menu in
    > the "All Users" Profile. Then it will run for everyone after they
    > have logged in.
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    > The views expressed, are my own and not those of my employer, or
    > Microsoft,
    > or anyone else associated with me, including my cats.
    > -----------------------------------------------------
    >
    > On Tuesday, September 11, 2007 10:49 AM
    > Phillip Windell wrote:
    >
    > Re: Laptops and Tablets Cannot Logon to Domain
    > Here's an interesting link.
    >
    > http://forums.techguy.org/networking...pre-logon.html
    >
    > Maybe just letting the Windows Zero Configuration Tool is all that is
    > needed.




