Successful DB2 NETLOGON in LAB (Sniffer on LAB HUB)

Transcription

1 Troubleshooting Analysis for Windows 2000 Active Directory Authentication Problem Overview Servers DB1 & DB2 are configured with clustering (DB1 is active and DB2 is backup). The PDC (server NT9) is connected to a different subnet, which is separated by two firewalls. The DB server clustering services depend on Active Directory Authentication. When the servers cannot authenticate, the clustering service cannot start. To initially start the clustering services on the DB servers, the work-around is to connect to the DB server via terminal services and to manually map a network drive from the DB server to the PDC server using a domain USERID. Once the drive is mapped, the clustering service can be successfully started and then the network drive map can be disconnected. Once the cluster service is up and running it continues to work fine even if the Active Directory authentication fails (until the clustering service has to be restarted again). Connectivity for the Production Environment DB1 backend ----> client-fw1 ----> utilfw2 ----> NT9 Connectivity for the LAB Environment DB2 backend ----> NT9 Source Trace Files Trace file "Filter for NT09 IP (Mar31pm-apr01am).cap" was obtained with port monitor configured for the DB1 server and shows all traffic between the production servers DB1 & NT9 from :01 to :13. Trace file " lab capture 02 DB2 communicating with NT9 ok.cap " shows all traffic on the LAB segment hub, including traffic between replica servers DB2 & NT9. Observations?? Switches and firewalls are not logging any drops between NT9 and the DB servers.?? Both DB servers are logging NETLOGON system authentication errors because they do not receive the responses to their RPC NETLOGON request packets submitted to TCP port 1026 on NT9 (NETLOGON UUID = abcd-ef cffb).?? The NETLOGON request packets seen in the LAB appear identical to those sent on the production network.?? DB1 can successfully communicate with the Directory Replication Interface via the same port 1026 on NT9 (NTDS UUID = e b06-11d1-ab04-00c04fc2dcd2).?? The NETLOGON response packets are being intercepted and RESET by utilfw2.?? utilfw2 runs Firewall-1 software on a Nokia platform. Revised on 14/05/2003 by Daniel Cayer Page 1 of 9

2 No. Time Successful DB2 NETLOGON in LAB (Sniffer on LAB HUB) NOTE: DB server and PDC are on the same local subnet. The traffic in the production network is identical to that in the LAB until the NETLOGON request, which is successfully acknowledged and answered in the LAB. This trace files contains all traffic from both servers since they were powered on. 1 Search for Domain Controller 1.1 DNS query for DC SRC DST Pro Info :27:51 DB2 NT9 DNS Standard query SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.cwh- OTTAWA.COM 1.2 DNS response: DC found :27:51 NT9 DB2 DNS Standard query response SRV cwh-ott-nt-009.cwh-ottawa.com 2 Determine if DC is closest one available 2.1 LDAP search request for matching host name, domain name, SID & GUID :27:51 DB2 NT9 LDAP MsgId=1 MsgType=Search Request 2.2 Successful LDAP response :27:51 NT9 DB2 LDAP MsgId=1 MsgType=Search Entry 3 Establishment of secured channel between DB2 & DC (NT09) 3.1 PORTMAPPER (EPM) request via RPC for Active Directory Logon :27:51 DB2 NT9 TCP 1103 > 135 [SYN] Seq= Ack=0 Win=16384 Len= :27:51 NT9 DB2 TCP 135 > 1103 [SYN, ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 TCP 1103 > 135 [ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 DCERPC Bind: call_id: 1 UUID: EPM :27:51 NT9 DB2 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: :27:51 DB2 NT9 EPM Map request 3.2 PORTMAPPER response (port = 1026) :27:51 NT9 DB2 EPM Map reply :27:51 DB2 NT9 TCP 1103 > 135 [FIN, ACK] Seq= Ack= Win=17132 Len=0 3.3 NETLOGON request :27:51 DB2 NT9 TCP 1104 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :27:51 NT9 DB2 TCP 1026 > 1104 [SYN, ACK] Seq= Ack= Win=17520 Len= :27:51 NT9 DB2 TCP 135 > 1103 [ACK] Seq= Ack= Win=17292 Len= :27:51 NT9 DB2 TCP 135 > 1103 [FIN, ACK] Seq= Ack= Win=17292 Len= :27:51 DB2 NT9 TCP 1104 > 1026 [ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON :27:51 DB2 NT9 TCP 1103 > 135 [ACK] Seq= Ack= Win=17132 Len=0 3.4 NETLOGON request acknowledgement :27:51 NT9 DB2 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: NETLOGON server challenge request :27:51 DB2 NT9 RPC_NETLOGON ServerReqChallenge request, REBIZX-DB2 3.6 NETLOGON server challenge response :27:51 NT9 DB2 RPC_NETLOGON ServerReqChallenge reply 3.7 NETLOGON server authentication request :27:51 DB2 NT9 RPC_NETLOGON ServerAuthenticate3 request 3.8 NETLOGON server authentication response :27:51 NT9 DB2 RPC_NETLOGON ServerAuthenticate3 reply 3.9 New NETLOGON connection for Domain Info lookup :27:51 DB2 NT9 TCP 1105 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :27:51 NT9 DB2 TCP 1026 > 1105 [SYN, ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 TCP 1105 > 1026 [ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 DCERPC Bind: call_id: 3 UUID: RPC_NETLOGON :27:51 NT9 DB2 DCERPC Bind_ack: call_id: 3 accept max_xmit: 5840 max_recv: :27:51 DB2 NT9 RPC_NETLOGON NetrLogonGetDomainInfo request Revised on 14/05/2003 by Daniel Cayer Page 2 of 9

3 3.10 Domain Info response (encrypted payload) :27:51 NT9 DB2 RPC_NETLOGON NetrLogonGetDomainInfo reply 3.11 Establish SMB connection, authenticate with Kerberos, etc :27:51 DB2 NT9 ICMP Echo (ping) request :27:51 NT9 DB2 ICMP Echo (ping) reply :27:51 DB2 NT9 TCP 1106 > 445 [SYN] Seq= Ack=0 Win=16384 Len= :27:51 NT9 DB2 TCP 445 > 1106 [SYN, ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 TCP 1106 > 445 [ACK] Seq= Ack= Win=17520 Len= :27:51 DB2 NT9 ICMP Echo (ping) request :27:51 NT9 DB2 ICMP Echo (ping) reply :27:51 DB2 NT9 SMB Negotiate Protocol Request :27:51 NT9 DB2 SMB Negotiate Protocol Response :27:51 DB2 NT9 KRB5 AS-REQ :27:51 NT9 DB2 KRB5 KRB-ERROR :27:51 DB2 NT9 KRB5 AS-REQ :27:51 NT9 DB2 KRB5 AS-REP :27:51 DB2 NT9 KRB5 TGS-REQ :27:51 NT9 DB2 KRB5 TGS-REP :27:51 DB2 NT9 KRB5 TGS-REQ :27:51 NT9 DB2 KRB5 TGS-REP :27:51 DB2 NT9 SMB Session Setup AndX Request[Unreassembled Packet] :27:51 DB2 NT9 NBSS NBSS Continuation Message :27:51 NT9 DB2 TCP 445 > 1106 [ACK] Seq= Ack= Win=17520 Len= :27:51 NT9 DB2 SMB Session Setup AndX Response, Error: STATUS_MORE_PROCESSING_REQUIRED :27:51 DB2 NT9 SMB Session Setup AndX Request[Unreassembled Packet] :27:51 DB2 NT9 NBSS NBSS Continuation Message :27:51 NT9 DB2 TCP 445 > 1106 [ACK] Seq= Ack= Win=17520 Len= :27:51 NT9 DB2 SMB Session Setup AndX Response :27:51 DB2 NT9 SMB Tree Connect AndX Request,Path: \\CWH-OTT-NT-009.CWH-OTTAWA.COM\IPC$ :27:51 NT9 DB2 SMB Tree Connect AndX Response :27:51 DB2 NT9 SMB NT Create AndX Request, Path: \lsarpc :27:51 NT9 DB2 SMB NT Create AndX Response, FID: 0x :27:51 DB2 NT9 DCERPC Bind: call_id: 1 UUID: LSA :27:51 NT9 DB2 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: :27:51 DB2 NT9 LSA OpenPolicy2 request, \\cwh-ott-nt-009.cwh-ottawa.com :27:51 NT9 DB2 SMB Write AndX Response, FID: 0x4000, 140 bytes :27:51 DB2 NT9 SMB Read AndX Request, FID: 0x4000, 1024 bytes at offset :27:51 NT9 DB2 LSA OpenPolicy2 reply :27:51 DB2 NT9 SMB NT Create AndX Request, Path: \lsarpc :27:51 NT9 DB2 SMB NT Create AndX Response, FID: 0x :27:51 DB2 NT9 DCERPC Bind: call_id: 2 UUID: LSA :27:51 NT9 DB2 DCERPC Bind_ack: call_id: 2 accept max_xmit: 4280 max_recv: :27:51 DB2 NT9 LSA QueryInfoPolicy request, Primary Domain Information :27:51 NT9 DB2 SMB Write AndX Response, FID: 0x4001, 96 bytes :27:51 DB2 NT9 SMB Read AndX Request, FID: 0x4001, 1024 bytes at offset :27:51 NT9 DB2 LSA QueryInfoPolicy reply :27:51 DB2 NT9 LSA QueryInfoPolicy request, Account Domain Information :27:51 NT9 DB2 SMB Write AndX Response, FID: 0x4001, 96 bytes :27:51 DB2 NT9 SMB Read AndX Request, FID: 0x4001, 1024 bytes at offset :27:51 NT9 DB2 LSA QueryInfoPolicy reply :27:51 DB2 NT9 LSA LookupSIDs2 request :27:51 NT9 DB2 SMB Write AndX Response, FID: 0x4001, 240 bytes :27:51 DB2 NT9 SMB Read AndX Request, FID: 0x4001, 1024 bytes at offset :27:51 NT9 DB2 LSA LookupSIDs2 reply :27:51 DB2 NT9 LSA Close request :27:51 NT9 DB2 SMB Write AndX Response, FID: 0x4001, 96 bytes :27:51 DB2 NT9 SMB Read AndX Request, FID: 0x4001, 1024 bytes at offset :27:51 NT9 DB2 LSA Close reply :27:51 DB2 NT9 SMB Close Request, FID: 0x :27:51 NT9 DB2 SMB Close Response :27:51 DB2 NT9 SMB Close Request, FID: 0x :27:51 NT9 DB2 SMB Close Response :27:51 DB2 NT9 TCP 1105 > 1026 [ACK] Seq= Ack= Win=16752 Len= :27:51 DB2 NT9 TCP 1104 > 1026 [ACK] Seq= Ack= Win=17380 Len= :27:51 DB2 NT9 TCP 1106 > 445 [ACK] Seq= Ack= Win=16066 Len=0 Revised on 14/05/2003 by Daniel Cayer Page 3 of 9

4 No. Time Failed DB1 NETLOGON on Production LAN (Sniffer next to DB1) 1 Search for Domain Controller SRC DST Proto Info :14:24 DB1 NT09 DNS Standard query SRV _ldap._tcp.pdc._msdcs.rebizx-db :14:24 NT09 DB1 DNS Standard query response, No such name :14:26 DB1 NT09 DNS Standard query SRV _ldap._tcp.default-first-site- Name._sites.dc._msdcs.rebizx-db :14:26 NT09 DB1 DNS Standard query response, No such name :14:26 DB1 NT09 DNS Standard query SRV _ldap._tcp.dc._msdcs.rebizx-db :14:26 NT09 DB1 DNS Standard query response, No such name :17:22 DB1 NT09 DNS Standard query SRV _ldap._tcp.default-first-site- Name._sites.dc._msdcs.CWH-OTTAWA.COM :17:22 NT09 DB1 DNS Standard query response SRV cwh-ott-nt-009.cwh-ottawa.com 2 Determine if DC is closest one available :17:22 DB1 NT09 LDAP MsgId=3743 MsgType=Search Request :17:22 NT09 DB1 LDAP MsgId=3743 MsgType=Search Entry 3 Establishment of secured channel between DB1 & DC (NT09) 3.1 PORTMAPPER (EPM) request via RPC for Active Directory Logon :17:22 DB1 NT09 TCP 1673 > epmap [SYN] Seq= Ack=0 Win=16384 Len= :17:22 NT09 DB1 TCP epmap > 1673 [SYN, ACK] Seq= Ack= Win=17520 Len= :17:22 DB1 NT09 TCP 1673 > epmap [ACK] Seq= Ack= Win=17520 Len= :17:22 DB1 NT09 DCERPC Bind: call_id: 1 UUID: EPM :17:22 NT09 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: :17:22 DB1 NT09 EPM Map request 3.2 PORTMAPPER response (port = 1026) :17:22 NT09 DB1 EPM Map reply :17:22 DB1 NT09 TCP 1673 > epmap [FIN, ACK] Seq= Ack= Win=17308 Len= :17:22 DB1 NT09 TCP 1674 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :17:22 NT09 DB1 TCP epmap > 1673 [ACK] Seq= Ack= Win=17292 Len= :17:22 NT09 DB1 TCP epmap > 1673 [FIN, ACK] Seq= Ack= Win=17292 Len= :17:22 DB1 NT09 TCP 1673 > epmap [ACK] Seq= Ack= Win=17308 Len=0 3.3 NETLOGON request :17:22 NT09 DB1 TCP 1026 > 1674 [SYN, ACK] Seq= Ack= Win=17520 Len= :17:22 DB1 NT09 TCP 1674 > 1026 [ACK] Seq= Ack= Win=17520 Len= :17:22 DB1 NT09 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON Retransmission of NETLOGON request (3-second timeoute) :17:26 DB1 NT09 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON NETLOGON error (NT09 reset of the TCP connection) :17:26 NT09 DB1 TCP 1026 > 1674 [RST] Seq= Ack= Win=0 Len= RETRY NETLOGON (2nd attempt, from a different source port) :17:26 DB1 NT09 TCP 1675 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :17:26 NT09 DB1 TCP 1026 > 1675 [SYN, ACK] Seq= Ack= Win=17520 Len= :17:26 DB1 NT09 TCP 1675 > 1026 [ACK] Seq= Ack= Win=17520 Len= :17:26 DB1 NT09 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON Retransmission of NETLOGON request (3-second timeoute) :17:29 DB1 NT09 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON NETLOGON error (NT09 reset of the TCP connection) :17:29 NT09 DB1 TCP 1026 > 1675 [RST] Seq= Ack= Win=0 Len=0 Revised on 14/05/2003 by Daniel Cayer Page 4 of 9

5 NOTE: Other successful TCP connections are seen on NT09 port 1026 for another UUID: No. Time SRC DST Proto Info :25:57 DB1 NT09 TCP 3927 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :25:57 NT09 DB1 TCP 1026 > 3927 [SYN, ACK] Seq= Ack= Win=17520 Len= :25:57 DB1 NT09 TCP 3927 > 1026 [ACK] Seq= Ack= Win=17520 Len= :25:57 DB1 NT09 DCERPC Bind: call_id: 1 UUID: e b06-11d1-ab04-00c04fc2dcd2 ver :25:57 DB1 NT09 TCP 3927 > 1026 [PSH,ACK] Seq= Ack= Win=17520 Len= :25:57 NT09 DB1 TCP 1026 > 3927 [ACK] Seq= Ack= Win=17520 Len= :25:57 NT09 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: :25:57 DB1 NT09 DCERPC Alter_context: call_id: 1 UUID: e b06-11d1-ab04-00c04fc2dcd2 ver :25:57 NT09 DB1 DCERPC Alter_context_resp: call_id: 1 accept max_xmit: 5840 max_recv: :25:57 DB1 NT09 DCERPC Request: call_id: 1 opnum: 0 ctx_id: :25:57 NT09 DB1 DCERPC Response: call_id: 1 ctx_id: :25:57 DB1 NT09 DCERPC Request: call_id: 2 opnum: 12 ctx_id: :25:57 NT09 DB1 DCERPC Response: call_id: 2 ctx_id: :25:57 DB1 NT09 DCERPC Request: call_id: 3 opnum: 12 ctx_id: :25:57 NT09 DB1 DCERPC Response: call_id: 3 ctx_id: :25:57 DB1 NT09 DCERPC Request: call_id: 4 opnum: 1 ctx_id: :25:57 NT09 DB1 DCERPC Response: call_id: 4 ctx_id: :25:57 DB1 NT09 TCP 3927 > 1026 [FIN, ACK] Seq= Ack= Win=16337 Len= :25:57 NT09 DB1 TCP 1026 > 3927 [ACK] Seq= Ack= Win=16683 Len= :25:57 NT09 DB1 TCP 1026 > 3927 [FIN, ACK] Seq= Ack= Win=16683 Len= :25:57 DB1 NT09 TCP 3927 > 1026 [ACK] Seq= Ack= Win=16337 Len=0 Kerberos Errors From DB1 to NT9 (Sniffer next to DB1) Trace file " DB1 kereberos failed to NT9.cap " shows that DB1 is using the wrong name to authenticate with Kerberos. In fact DB1 uses LDAP1's IP address instead of its own FQDN!!! These Kerberos errors are occurring at a regular 40-minute interval. NOTE: Sniffer does not decode Kerberos Use Ethereal instead! Frame 5 (1373 bytes on wire, 1373 bytes captured) Arrival Time: Mar 28, :02: Ethernet II, Src: 00:02:a5:6b:8d:96, Dst: 00:00:5e:00:01:04 Internet Protocol, Src Addr: ( ), Dst Addr: ( ) User Datagram Protocol, Src Port: 2729 (2729), Dst Port: 88 (88) Kerberos Version: 5 MSG Type: TGS-REQ Pre-Authentication Type: PA-TGS-REQ Value: 6E A A Request Options: Realm: CWH-OTTAWA.COM Server Name: HOST Type: Service and Instance Name: HOST Name: End Time: :48:05 (Z) Random Number: Encryption Types Type: rc4-hmac This should be a qualified domain such as "cwh-ott- nt-009.cwh- OTTAWA.COM"!!! Revised on 14/05/2003 by Daniel Cayer Page 5 of 9

6 Type: Unknown encryption type 0xff7b Type: Unknown encryption type 0x80 Type: des-cbc-md5 Type: des-cbc-crc Type: rc4-hmac-exp Type: Unknown encryption type 0xff79 Frame 6 (150 bytes on wire, 150 bytes captured) Arrival Time: Mar 28, :02: Ethernet II, Src: 00:a0:8e:32:ba:53, Dst: 00:02:a5:6b:8d:96 Internet Protocol, Src Addr: ( ), Dst Addr: ( ) User Datagram Protocol, Src Port: 88 (88), Dst Port: 2729 (2729) Kerberos Version: 5 MSG Type: KRB-ERROR stime: :01:20 (Z) susec: Error Code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN realm: CWH-OTTAWA.COM sname: krbtgt Type: Service and Instance Name: krbtgt Name: CWH-OTTAWA.COM Failed NETLOGON on Production LAN (Sniffer next to NT9) NOTE: Span a port on switch connected to NT9 for the Sniffer. Trace file shows NETLOGON request from DB1 is reaching NT9 and NT9 is acknowledging!!! No. Time SRC DST Pro Info :17:54 DB1 NT9 TCP 1280 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :17:54 NT9 DB1 TCP 1026 > 1280 [SYN, ACK] Seq= Ack= Win=17520 Len= :17:54 DB1 NT9 TCP 1280 > 1026 [ACK] Seq= Ack= Win=17520 Len= :17:54 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON :17:54 NT9 DB1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: :17:54 DB1 NT9 TCP 1280 > 1026 [RST] Seq= Ack=0 Win=0 Len= :17:58 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON :17:58 NT9 DB1 TCP 1026 > 1280 [RST] Seq= Ack= Win=0 Len=0 Where are these packets dropped and who is sending the RST on behalf of the DB servers??? obtain trace file from segment between 2 firewalls Failed NETLOGON on Production LAN (Trace from utilfw2 interface facing the other firewall) Packet 7906 above (NETLOGON response) is intercepted by utilfw2 and packet 7907 is originated from this same utilfw2 because both packets do not show up on the other side of this firewall: No. Time SRC DST Pro Info :45:00 DB1 NT9 TCP 4447 > 1026 [SYN] Seq= Ack=0 Win=16384 Len= :45:00 NT9 DB1 TCP 1026 > 4447 [SYN, ACK] Seq= Ack= Win=17520 Len=0 Revised on 14/05/2003 by Daniel Cayer Page 6 of 9

7 :45:00 DB1 NT9 TCP 4447 > 1026 [ACK] Seq= Ack= Win=17520 Len= :45:00 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON :45:03 DB1 NT9 DCERPC Bind: call_id: 1 UUID: RPC_NETLOGON :45:03 NT9 DB1 TCP 1026 > 4447 [RST] Seq= Ack= Win=0 Len=0 Revised on 14/05/2003 by Daniel Cayer Page 7 of 9

8 Questions 1. Is there any way to determine the correctness of the NETLOGON requests from DB1 (i.e.: is DB1 attempting to logon to NT09 correctly)? ANSWER: YES! The packets in the LAB are identical! 2. Is there any way to determine why NT09 does not even acknowledge these NETLOGON requests at the TCP layer? ANSWER: YES! NT09 DOES acknowledge the packets. The firewall is intercepting and dropping the response, which includes the TCP ACK!!! 3. Is NT09 supposed to be listening on port 1026 for both NETLOGON and NTDS UUIDs (e b06-11d1-ab04-00c04fc2dcd2 & abcd-ef cffb)? ANSWER: YES! This is a normal behavior for Win2K. 4. Are the Kerberos errors the cause of the NETLOGON failures? ANSWER: NO! NETLOGON fails because of the firewall. 5. What is the root cause of the Kerberos errors? 6. What are the dependencies between Kerberos and Active Directory Authentication? Suggestions 1. Fix Firewall 2. Fix Kerberos problem (Windows patch???) Microsoft Knowledge Base Articles: Troubleshooting Common Active Directory Setup Issues in Windows How to Enable Diagnostic Event Logging for Active Directory Services Using Uppercase Letters for Kerberos Realm Names HOW TO: Enable Kerberos Event Logging Kerberos Support on Windows 2000-Based Server Clusters XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls A Missing Service Principal Name May Prevent Domain Controllers from Replicating Revised on 14/05/2003 by Daniel Cayer Page 8 of 9

9 Conclusion Once we were able to identify the failed NETLOGON requests in the trace files (corresponding to the NETLOGON errors on the DB servers), we then moved the Sniffer next to the PDC server and confirmed that the NETLOGON requests were indeed being answered. Additional traces from the firewalls allowed us to determine that the NETLOGON responses from the PDC were being blocked by the utilfw2 firewall. Upon reception of the NETLOGON response packet from NT9, utilfw2 would immediately send back a TCP RST to NT9. A support call was made to the firewall vendor (Check-Point) who confirmed that they did not support Microsoft Active Directory on this version of the firewall-1 software (version 4.x). Their recommendation was to upgrade the firewall software to a more recent version. Lessons Learned?? How Windows 2000 Active Directory Authentication works?? What Windows 2000 Active Directory Authentication looks like "on-the-wire". Revised on 14/05/2003 by Daniel Cayer Page 9 of 9