Tuesday, October 4, 2011

Cannot connect to any computer except DC

Problem: In a Windows 7 / Server 2008 R2 domain, the only network traffic (ping etc.) that could pass was from each client computer to the domain controller. No client computer could reach any other client, and even the domain controller could not initiate a connection to a client computer.

Reason: In the Server 2008 R2 Active Directory domain, a Group Policy Object (GPO) linked to the organizational unit (OU) had been created to disable the local clients' firewall service and allow all network traffic (acceptable from a security point of view, since the network was completely disconnected from anything outside). When the policy was applied, the firewall service was indeed not started, but the idea backfired: all traffic was blocked except connections from client computers to the DC.

Solution: The Firewall service was re-enabled in the GPO:
Policies - Windows Settings - Security Settings - System Services - Windows Firewall - Startup type = Automatic
Instead, the firewall was switched off for the domain profile (the profile that is active while a domain-joined computer is connected to its domain network):
Policies - Windows Settings - Security Settings - Windows Firewall with Advanced Security - Domain Profile Settings - Firewall state = Off
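To confirm that a client actually ends up in the state the two GPO settings above are meant to produce (firewall service Automatic and running, domain profile switched off), the following PowerShell check can be run on a domain member after the policy refresh. It is an added example, not part of the original post; it assumes an elevated PowerShell 2.0 prompt on Windows 7 / Server 2008 R2, the standard service name MpsSvc for the Windows Firewall service, and a hypothetical peer host name CLIENT02 for the connectivity test.

```powershell
# Added example (not from the original post): verify the intended end state on a
# Windows 7 / Server 2008 R2 domain member after the GPO has been applied.
# Assumptions: elevated PowerShell 2.0, firewall service name MpsSvc, peer CLIENT02 (hypothetical).

# Pull the current computer policy before checking anything.
gpupdate /target:computer /force | Out-Null

# 1. The Windows Firewall service itself must stay enabled (Startup type = Automatic) and running.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"
"Windows Firewall service: StartMode={0} State={1}" -f $svc.StartMode, $svc.State
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    Write-Warning "MpsSvc is not Automatic/Running - the GPO still disables the service (System Services setting)."
}

# 2. Only the domain profile should be switched off, not the service.
$dp = netsh advfirewall show domainprofile
$stateLine = $dp | Where-Object { $_ -match '^State\s+' }
$stateLine
if ($stateLine -match 'OFF') {
    "Domain profile firewall state is OFF, as intended by the GPO."
} else {
    Write-Warning "Domain profile is still ON - check 'Windows Firewall with Advanced Security' in the GPO."
}

# 3. Show which profile is active right now; a domain member on its domain network should report Domain.
netsh advfirewall show currentprofile | Where-Object { $_ -match 'Profile Settings' }

# 4. Client-to-client reachability, the symptom the post describes (True = ICMP echo answered).
Test-Connection -ComputerName CLIENT02 -Count 2 -Quiet
```

Steps 1 and 2 map one-to-one onto the two GPO settings: step 1 fails while the old "disable the service" setting is still in effect, step 2 fails if the Domain Profile state was not set to Off. Step 4 is the practical test that distinguishes the broken state (only the DC answers) from the fixed one.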

It seems absolutely illogical to me that switching off the firewall service would block most network traffic. Maybe some special case in my domain caused it - nevertheless, there was no doubt that my changes were the solution to my problem - even proven by the fact that reversing them would lead to reintroducing the problem.