  1. #1


    Win 7 - DHCP/Netlogon/Firewall - Microsoft Confirm a Bug

    Hi,

    To stop anyone else having the same 'fun' as me, I thought I would share my Windows 7 problem that has resulted in many hours spent testing different DHCP servers, routers, NICS and reviewing packet logs!

    This problem seems to occur if you have all of the following:
    • Using a DHCP relay to forward DHCP requests (e.g. using VLANs and an IP helper on the router to forward DHCP requests)
    • Windows 7 clients
    • Windows Firewall Public Profile turned on (default configuration - all profiles)
    • DhcpConnForceBroadcastFlag = 0 (Default for Windows 7)


    Symptoms
    • NETLOGON event ID 5719 in system event log
      This computer was not able to set up a secure session with a domain controller in domain <DOMAIN NAME> due to the following: There are currently no logon servers available to service the logon request.
    • Group policies inconsistently applying on start-up
    • Event ID 50024 logged in the Microsoft-Windows-DHCP Client Events/Operational event log (you need to enable this event log as it's disabled by default)
      Ack Receive Timeout has happened in the Interface Id xx



    Background

    By default, Windows 7 requests that its DHCP replies be unicast responses.

    If you are using a Windows DHCP server and your client is on the same broadcast domain (not accessing the DHCP server via a DHCP relay), the DHCP server receives the request but ignores the client's request for a unicast response, and replies in a broadcast. In this situation everything works.

    The problem occurs when your client has to access the DHCP server via a DHCP relay, such as a router or switch, and the DhcpConnForceBroadcastFlag registry key is still set to the default (0). In this situation, the client sends out a broadcast requesting an IP address, the DHCP relay forwards the request to the DHCP server, the DHCP server sends the reply (ACK reply) to the relay, and the DHCP relay sends a unicast reply to the client. If the Public profile is turned on in the Windows Firewall (on by default), then the ACK reply is dropped by the firewall and is never passed to the DHCPclient.dll.



    Conclusion

    I passed my findings and research to Microsoft support and after more packet logs and deep Microsoft DHCP\Firewall traces, they have concluded it's a bug! They have now created an internal KB for this problem. This has now been passed to the developers and I am awaiting an acceptable workaround and Microsoft to release a patch.

    I will post the workaround and a link to the patch when I get more information from Microsoft.

    Hope this helps,
    Edd
    Last edited by teckedd; 19th July 2010 at 09:15 PM.
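
A quick triage for the two symptoms listed in the post above, as an added example that is not part of the original thread: it checks whether the DHCP client operational log is enabled and lists NETLOGON 5719 and DHCP 50024 events since the last boot on one timeline. The log channel name `Microsoft-Windows-Dhcp-Client/Operational` and the `NETLOGON` provider name are assumptions; the event IDs are the ones given in the post.

```powershell
# Added example, not from the thread. Run elevated on a Windows 7 client.
# Assumed names: the DHCP client log channel and the NETLOGON provider name.
$dhcpLog = 'Microsoft-Windows-Dhcp-Client/Operational'

# The DHCP operational log is disabled by default. Report its state first:
# zero 50024 events from a disabled log proves nothing.
$logInfo = Get-WinEvent -ListLog $dhcpLog
if (-not $logInfo.IsEnabled) {
    Write-Warning "$dhcpLog is disabled; enable it and reboot before trusting the counts."
}

# The thread ties the fault to start-up, so only look at events since boot.
$os   = Get-WmiObject Win32_OperatingSystem
$boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

function Get-EventsSinceBoot([string]$LogName, [int]$Id) {
    # Get-WinEvent raises an error when nothing matches; treat that as "none".
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = $boot }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$ackTimeouts = @(Get-EventsSinceBoot $dhcpLog 50024)
$netlogon    = @(Get-EventsSinceBoot 'System' 5719 |
                 Where-Object { $_.ProviderName -eq 'NETLOGON' })

"Boot time:                 $boot"
"DHCP ACK timeouts (50024): $($ackTimeouts.Count)"
"NETLOGON 5719:             $($netlogon.Count)"
if ($ackTimeouts.Count -gt 0 -and $netlogon.Count -gt 0) {
    "Both symptoms logged since boot; this matches the pattern described in the post."
}

# One timeline, so the ACK timeout can be seen preceding the NETLOGON failure.
($ackTimeouts + $netlogon) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```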


  3. #2
    spy
    Hi Edd

    I am experiencing the issues you describe in your post “Win 7 - DHCP/Netlogon/Firewall - Microsoft Confirm a Bug” and have the exact environment you describe. I find that disabling the Windows Firewall or setting the DhcpConnForceBroadcastFlag to 1 works around the issue.

    Could you give me the Microsoft internal KB number, as this would be useful when opening a support case with Microsoft? Also, have they given you any indication of when a patch will be released?

    Many Thanks,

    Simon

  4. #3

    Hi Simon,

    This issue is currently with the debug team... progress is very slow and they have not given me an expected release date. The workaround is to disable the public profile (you don't need to disable the whole firewall) or change the DhcpConnForceBroadcastFlag to 1. Setting the global broadcast flag works, but you need to delete the DhcpConnForceBroadcastFlag on each NIC, as the local one will override the global one! This would involve a script as each NIC is listed in the registry by its GUID. I personally did not want to do this as I believe increasing broadcasts is rarely a good thing and Microsoft firewall should work!

    I have requested the internal KB number and will post it when I get it.

    I hope finding this post saved you a lot of time

    Thanks

    Edd
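
The per-NIC script mentioned in the post above, sketched as an added example that is not part of the original thread and not Microsoft's fix. It reports `DhcpConnForceBroadcastFlag` for every interface GUID and can set it to 1 or delete it, which keeps the firewall's Public profile enabled. The registry path under `Tcpip\Parameters\Interfaces` and the `-Action` parameter are assumptions of this example; `-WhatIf` gives a dry run.

```powershell
# Added example, not from the thread. Writing requires an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report = read only; Set1 = force broadcast replies on every NIC;
    # Remove = delete the per-NIC value so that a global setting can apply.
    [ValidateSet('Report', 'Set1', 'Remove')]
    [string]$Action = 'Report'
)

# Assumed location of the per-interface TCP/IP settings: one subkey per NIC GUID.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$name = 'DhcpConnForceBroadcastFlag'

# Map interface GUIDs to adapter descriptions so the report is readable.
$adapters = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration | ForEach-Object {
    if ($_.SettingID) { $adapters[$_.SettingID] = $_.Description }
}

foreach ($key in Get-ChildItem -Path $base) {
    $guid   = $key.PSChildName
    $before = $key.GetValue($name)    # $null when the value is absent

    if ($Action -eq 'Set1' -and $before -ne 1 -and
        $PSCmdlet.ShouldProcess($guid, "set $name = 1")) {
        New-ItemProperty -Path $key.PSPath -Name $name -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
    if ($Action -eq 'Remove' -and $null -ne $before -and
        $PSCmdlet.ShouldProcess($guid, "remove $name")) {
        Remove-ItemProperty -Path $key.PSPath -Name $name
    }

    # Re-read the key so the report shows what is actually stored now.
    New-Object PSObject -Property @{
        Adapter = $adapters[$guid]
        Guid    = $guid
        Before  = $before
        After   = (Get-Item -Path $key.PSPath).GetValue($name)
    } | Select-Object Adapter, Guid, Before, After
}
```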

  5. #4

    Hi Simon,

    As this is with the debug team there is currently no number but if you say you are experiencing a similar problem to case number: 110070944106368 and I have been working with Kapil Thacker that should point them in the correct direction.

    Thanks
    Edd

  6. #5


    Your Help Required

    Hi,

    Microsoft have found the location of the bug, but now require a business case to fix it! If you are experiencing this problem please send me a private message with your contact details on so I can try and get Microsoft to produce a hotfix.

    Thanks for your help,
    Edd

  7. #6
    stewie
    Edd,

    I have this exact same problem on my entire campus. 2 separate domains, several Windows 7 images, deployed to students, staff and faculty. All of the machines show the same NETLOGON error in the event log. I have worked with the Networking group here to get resolution and the only other solution we have come up with aside from what you wrote above is to use a static IP instead of using DHCP. I was thinking about calling Microsoft myself to report your findings and mine but I just haven't had the time yet.

    Let me know what more you may need to support the business case to get Microsoft to create a hotfix.

    Thanks

  8. #7

    Hi Stewie,

    Thanks for your post. What problem is this causing you? I know that sounds like a stupid question but this is the information MS are asking me for. The main problem I have seen is inconsistent application of GPOs.

    Thanks
    Edd

  9. #8
    stewie
    Edd,

    So what we are currently seeing are Time-Service events and NETLOGON events flooding the event logs. I also have machines losing their domain membership due to the fact that the machine passwords after some time get out of sync because they can't talk to the DCs. I've also experienced GPO issues; the machines most affected are the public labs and classrooms where I apply quite a bit of Group Policies. Also I personally don't like having any events logged in the events database as it makes troubleshooting other anomalies difficult to resolve.

    Thanks

  10. #9

    SYNACK
    My question is why are you using the public profile inside the domain network, do you have some kind of special requirements?

  11. #10
    stewie
    Synack,

    I'm not using the Public firewall, the machines are using a Domain firewall. The problem exists with the Domain connected firewall also.
    Last edited by stewie; 2nd October 2010 at 04:48 AM. Reason: misunderstood question

  12. #11

    Hi Synack,

    We are using the domain profile but the firewall starts in the public profile until the domain controller can be contacted, it then switches to the domain profile. Hence the DHCP problem occurs in the public profile.

    Thanks
    Edd
    Last edited by teckedd; 4th October 2010 at 08:37 AM.

  13. #12

    Hi Stewie,

    It sounds like you are experiencing even more severe problems than we have seen. It would be very helpful if you created a support case with Microsoft and informed them you are experiencing a similar problem to case number: 110070944106368. I have been working with Kapil Thacker.

    If they are happy you have the same problem I would hope this would be enough of a business case.


    Thanks
    Edd

  14. #13

    SYNACK
    Quote, originally posted by teckedd:
        Hi Synack,

        We are using the domain profile but the firewall starts in the public profile until the domain controller can be contacted, it then switches to the domain profile. Hence the DHCP problem occurs in the public profile.

    Ah, that makes sense, thanks for the clarification. I think that I may have actually seen this behaviour on a couple of our latest machines with the newest Intel chipsets. They would not pick up DHCP after a reboot but it was fixed by using the latest Intel drivers. As the drivers fixed it I assumed it was their fault given the 'quality' of some Intel drivers for Windows 7 so never tried disabling the firewall. Given the presentation though it may well have been related to the same issue.

  15. #14
    spy
    Hi Edd

    Yes, the post did save me a lot of time, especially as it's very detailed!

    My colleague has logged a case with Microsoft and linked it to yours, our engineer at Microsoft will be contacting Kapil soon.

    Simon

  16. #15

    Hi Edd,

    I am also experiencing a very similar problem with Windows 7 clients. I have two 2003 SP2 DCs and one 2008 R2 DC.

    Here are the events I get on startup:

    Netlogon 5719 - This computer was unable to set up a secure session with a domain controller in domain [Domain] due to the following: There are currently no logon servers available to service the logon request.

    GroupPolicy 1055 - The processing of Group Policy failed. Windows could not resolve the computer name.

    Time-Service 129 - NtpClient was unable to set a domain peer to use as a time source because of discovery error.


    As you have mentioned above, disabling the Windows Firewall 'Public Profile' resolves the errors I am getting on startup. I haven't tried the DhcpConnForceBroadcastFlag workaround yet.

    I haven't logged a job with Microsoft yet but I plan to so it will hopefully speed up the hotfix.

    I've got one question for you. Are you experiencing these problems on wired and wireless networks?
    When I am on a wired network setting a static IP resolves the problem, but on my wireless network setting a static IP does not resolve it. I am going to look into the wireless network here to see what is causing it.

    Thanks a lot for your post, as it has saved me a lot of time troubleshooting even further!


    keatho
