"Robert L [MVP - Networking]" wrote:

> If all wireless computers have this issue, I don't think it is IE 7 issue. Do they receive IP addresses from DHCP? If you use WPA Enterprise, also check the IAS server. Or this link may help.
>
> Cisco: Wireless client can't ...Situation: The client tries to setup Cisco wireless 1310 bridge. The client can receive the signal but can't logon the domain. Ipconfig shows the client ...
>       www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf 
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
>   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
>   We are suddenly not able to logon to our domain(s) via wireless. This was not
>   a problem until recently.  This is a school where 1000 students share use of
>   about 500 laptops and tablet PCs so it is most common for a particular user
>   to grab a different laptops from different carts in a given day and use
>   several different laptops from the same cart throughout a school year. I
>   point this out so that you know that the common answer to our problem, which
>   is to logon via the ethernet line and cache the profile before trying to
>   connect via wireless is not acceptable nor practical.  Additionally, we had
>   no problem with this last school year. Now, three months later we are
>   basically "dead in the water" with regard to technology for students and
>   wireless access for staff. The actual message that we get is:" The system
>   cannot log you on because the domain OURDOMAIN is not available." The same
>   user account will quickly authenticate via ethernet.
>    
>   More info: This is occurring with both a new Cisco server-managed wireless
>   network in one building and the old store bought access points in our other
>   buildings. This is also occurring with newly re-imaged laptops that were used
>   successfully last year, with newly re-imaged laptops that were purchased this
>   summer and never used by anyone (except the tech who loaded the computer) and
>   new out of box laptops that have not been customized for our environment.  I
>   point this out because we were concerned that something in the imaging
>   process (RIS and WDS) might have caused this issue but since brand new Dell
>   and Gateway computers also exhibit the behavior it does not appear that the
>   imaging process caused this issue and therfore my job is safe since I am in
>   charge of images.
>
>   I should also point out that the only major change to our computers was the
>   "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and we also were
>   hammered with between 150 and 200 windows updates over the summer. I suspect
>   that one or both of these events is at least partially related to our
>   problem.
>
>   We really need help here. Any advice?
>

"k3v1nr055" wrote:
> Robert,
> 
> It appears that the Windows Firewall is part of the problem. In the past
> this did not seem to affect the initial logon.  Now it appears that the
> wireless signal is being processed after the cached credentials.  It also
> appears that the GPO that enables the Window Firewall is a factor. We had a
> domain GPO that disables the firewall when a computer is logged into our
> domain and when it powers up off the domain the firewall enables (domain
> profile and standard profile). We think that the firewall is preventing the
> initial connection with wireless and without a cached profile from a domain
> user the laptop will not come to the place where Windows boots up.
> Consequently, the users cannot ever get on. remember that these are newly
> imaged computers that were created and joined to the domain by WDS and they
> have the old policy. 
> We found a very time consuming work around. First we disabled the standard
> profile which turns off the firewall for computers that are not on the
> domain. Of course, this now means that laptops which go home have no firewall
> turned on when they are away. This is not an acceptable situation either. 
> Then we have to log into each and every laptop as the local admin. Then we
> must manually connect to the wireless network.  Next, we have to log out (not
> restart because a restart and at this time we are able to log into the domain
> and the user is able to authenticate successfully.  Additionally, the new
> unprotected gpo is pulled to the machine and therefore firewall is off no
> matter what. After we do this any user is able to connect to the domain and
> authenticate.  We tried every conceivable combination of login, reboot, etc.
> and nothing worked consistently until the firewall was disabled for all
> scenarios.  Now we have 450 laptops that we must sneaker net to, set up,
> boot, log in as Admin, log off, log in as user. restart, and test as
> different new user.  This really sucks!!!  If you can tell me how to enable
> the firewall and open it enough to allow the Zero Wireless Configuration
> service to start before authentication I would greatly appreciate it.  I am
> really tired of systems breaking because MS send patches and "upgrades" that
> wreak more havoc on our world.  In this case, something had to happen because
> this problem did not occur in June and the only difference is that we updated
> all the laptops to IE7 and applied all the approved updates that WSUS
> received.
>
> "Robert L [MVP - Networking]" wrote:
>
> > If all wireless computers have this issue, I don't think it is IE 7 issue. Do they receive IP addresses from DHCP? If you use WPA Enterprise, also check the IAS server. Or this link may help.
> >
> > Cisco: Wireless client can't ...Situation: The client tries to setup Cisco wireless 1310 bridge. The client can receive the signal but can't logon the domain. Ipconfig shows the client ...
> >       www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf 
> >
> >
> > Bob Lin, MS-MVP, MCSE & CNE
> > Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> > How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
> >   We are suddenly not able to logon to our domain(s) via wireless. This was not
> >   a problem until recently.  This is a school where 1000 students share use of
> >   about 500 laptops and tablet PCs so it is most common for a particular user
> >   to grab a different laptops from different carts in a given day and use
> >   several different laptops from the same cart throughout a school year. I
> >   point this out so that you know that the common answer to our problem, which
> >   is to logon via the ethernet line and cache the profile before trying to
> >   connect via wireless is not acceptable nor practical.  Additionally, we had
> >   no problem with this last school year. Now, three months later we are
> >   basically "dead in the water" with regard to technology for students and
> >   wireless access for staff. The actual message that we get is:" The system
> >   cannot log you on because the domain OURDOMAIN is not available." The same
> >   user account will quickly authenticate via ethernet.
> >    
> >   More info: This is occurring with both a new Cisco server-managed wireless
> >   network in one building and the old store bought access points in our other
> >   buildings. This is also occurring with newly re-imaged laptops that were used
> >   successfully last year, with newly re-imaged laptops that were purchased this
> >   summer and never used by anyone (except the tech who loaded the computer) and
> >   new out of box laptops that have not been customized for our environment.  I
> >   point this out because we were concerned that something in the imaging
> >   process (RIS and WDS) might have caused this issue but since brand new Dell
> >   and Gateway computers also exhibit the behavior it does not appear that the
> >   imaging process caused this issue and therfore my job is safe since I am in
> >   charge of images.
> >
> >   I should also point out that the only major change to our computers was the
> >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and we also were
> >   hammered with between 150 and 200 windows updates over the summer. I suspect
> >   that one or both of these events is at least partially related to our
> >   problem.
> >
> >   We really need help here. Any advice?
> >

"Pavel A." wrote:

> If you could watch the logon process with a wireless sniffer,
> it would be clear right away, which packets go to air when, and whether
> the firewall blocks something.
>
> --PA
>
>
> "k3v1nr055" wrote:
> > Robert,
> > 
> > It appears that the Windows Firewall is part of the problem. In the past
> > this did not seem to affect the initial logon.  Now it appears that the
> > wireless signal is being processed after the cached credentials.  It also
> > appears that the GPO that enables the Window Firewall is a factor. We had a
> > domain GPO that disables the firewall when a computer is logged into our
> > domain and when it powers up off the domain the firewall enables (domain
> > profile and standard profile). We think that the firewall is preventing the
> > initial connection with wireless and without a cached profile from a domain
> > user the laptop will not come to the place where Windows boots up.
> > Consequently, the users cannot ever get on. remember that these are newly
> > imaged computers that were created and joined to the domain by WDS and they
> > have the old policy. 
> > We found a very time consuming work around. First we disabled the standard
> > profile which turns off the firewall for computers that are not on the
> > domain. Of course, this now means that laptops which go home have no firewall
> > turned on when they are away. This is not an acceptable situation either. 
> > Then we have to log into each and every laptop as the local admin. Then we
> > must manually connect to the wireless network.  Next, we have to log out (not
> > restart because a restart and at this time we are able to log into the domain
> > and the user is able to authenticate successfully.  Additionally, the new
> > unprotected gpo is pulled to the machine and therefore firewall is off no
> > matter what. After we do this any user is able to connect to the domain and
> > authenticate.  We tried every conceivable combination of login, reboot, etc.
> > and nothing worked consistently until the firewall was disabled for all
> > scenarios.  Now we have 450 laptops that we must sneaker net to, set up,
> > boot, log in as Admin, log off, log in as user. restart, and test as
> > different new user.  This really sucks!!!  If you can tell me how to enable
> > the firewall and open it enough to allow the Zero Wireless Configuration
> > service to start before authentication I would greatly appreciate it.  I am
> > really tired of systems breaking because MS send patches and "upgrades" that
> > wreak more havoc on our world.  In this case, something had to happen because
> > this problem did not occur in June and the only difference is that we updated
> > all the laptops to IE7 and applied all the approved updates that WSUS
> > received.
> >
> > "Robert L [MVP - Networking]" wrote:
> >
> > > If all wireless computers have this issue, I don't think it is IE 7 issue. Do they receive IP addresses from DHCP? If you use WPA Enterprise, also check the IAS server. Or this link may help.
> > >
> > > Cisco: Wireless client can't ...Situation: The client tries to setup Cisco wireless 1310 bridge. The client can receive the signal but can't logon the domain. Ipconfig shows the client ...
> > >       www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf 
> > >
> > >
> > > Bob Lin, MS-MVP, MCSE & CNE
> > > Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> > > How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> > >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
> > >   We are suddenly not able to logon to our domain(s) via wireless. This was not
> > >   a problem until recently.  This is a school where 1000 students share use of
> > >   about 500 laptops and tablet PCs so it is most common for a particular user
> > >   to grab a different laptops from different carts in a given day and use
> > >   several different laptops from the same cart throughout a school year. I
> > >   point this out so that you know that the common answer to our problem, which
> > >   is to logon via the ethernet line and cache the profile before trying to
> > >   connect via wireless is not acceptable nor practical.  Additionally, we had
> > >   no problem with this last school year. Now, three months later we are
> > >   basically "dead in the water" with regard to technology for students and
> > >   wireless access for staff. The actual message that we get is:" The system
> > >   cannot log you on because the domain OURDOMAIN is not available." The same
> > >   user account will quickly authenticate via ethernet.
> > >    
> > >   More info: This is occurring with both a new Cisco server-managed wireless
> > >   network in one building and the old store bought access points in our other
> > >   buildings. This is also occurring with newly re-imaged laptops that were used
> > >   successfully last year, with newly re-imaged laptops that were purchased this
> > >   summer and never used by anyone (except the tech who loaded the computer) and
> > >   new out of box laptops that have not been customized for our environment.  I
> > >   point this out because we were concerned that something in the imaging
> > >   process (RIS and WDS) might have caused this issue but since brand new Dell
> > >   and Gateway computers also exhibit the behavior it does not appear that the
> > >   imaging process caused this issue and therfore my job is safe since I am in
> > >   charge of images.
> > >
> > >   I should also point out that the only major change to our computers was the
> > >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and we also were
> > >   hammered with between 150 and 200 windows updates over the summer. I suspect
> > >   that one or both of these events is at least partially related to our
> > >   problem.
> > >
> > >   We really need help here. Any advice?
> > >

"k3v1nr055" wrote:

> I have not used a wireless sniffer but if I used something like airsnort
> would I be able to watch what occurs on one of the problematic machines from
> a computer that is already up and running? If that's possible could you point
> me to some info on doing that?
>
> "Pavel A." wrote:
>
> > If you could watch the logon process with a wireless sniffer,
> > it would be clear right away, which packets go to air when, and whether
> > the firewall blocks something.
> >
> > --PA
> >
> >
> > "k3v1nr055" wrote:
> > > Robert,
> > > 
> > > It appears that the Windows Firewall is part of the problem. In the past
> > > this did not seem to affect the initial logon.  Now it appears that the
> > > wireless signal is being processed after the cached credentials.  It also
> > > appears that the GPO that enables the Window Firewall is a factor. We had a
> > > domain GPO that disables the firewall when a computer is logged into our
> > > domain and when it powers up off the domain the firewall enables (domain
> > > profile and standard profile). We think that the firewall is preventing the
> > > initial connection with wireless and without a cached profile from a domain
> > > user the laptop will not come to the place where Windows boots up.
> > > Consequently, the users cannot ever get on. remember that these are newly
> > > imaged computers that were created and joined to the domain by WDS and they
> > > have the old policy. 
> > > We found a very time consuming work around. First we disabled the standard
> > > profile which turns off the firewall for computers that are not on the
> > > domain. Of course, this now means that laptops which go home have no firewall
> > > turned on when they are away. This is not an acceptable situation either. 
> > > Then we have to log into each and every laptop as the local admin. Then we
> > > must manually connect to the wireless network.  Next, we have to log out (not
> > > restart because a restart and at this time we are able to log into the domain
> > > and the user is able to authenticate successfully.  Additionally, the new
> > > unprotected gpo is pulled to the machine and therefore firewall is off no
> > > matter what. After we do this any user is able to connect to the domain and
> > > authenticate.  We tried every conceivable combination of login, reboot, etc.
> > > and nothing worked consistently until the firewall was disabled for all
> > > scenarios.  Now we have 450 laptops that we must sneaker net to, set up,
> > > boot, log in as Admin, log off, log in as user. restart, and test as
> > > different new user.  This really sucks!!!  If you can tell me how to enable
> > > the firewall and open it enough to allow the Zero Wireless Configuration
> > > service to start before authentication I would greatly appreciate it.  I am
> > > really tired of systems breaking because MS send patches and "upgrades" that
> > > wreak more havoc on our world.  In this case, something had to happen because
> > > this problem did not occur in June and the only difference is that we updated
> > > all the laptops to IE7 and applied all the approved updates that WSUS
> > > received.
> > >
> > > "Robert L [MVP - Networking]" wrote:
> > >
> > > > If all wireless computers have this issue, I don't think it is IE 7 issue. Do they receive IP addresses from DHCP? If you use WPA Enterprise, also check the IAS server. Or this link may help.
> > > >
> > > > Cisco: Wireless client can't ...Situation: The client tries to setup Cisco wireless 1310 bridge. The client can receive the signal but can't logon the domain. Ipconfig shows the client ...
> > > >       www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf 
> > > >
> > > >
> > > > Bob Lin, MS-MVP, MCSE & CNE
> > > > Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> > > > How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> > > >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
> > > >   We are suddenly not able to logon to our domain(s) via wireless. This was not
> > > >   a problem until recently.  This is a school where 1000 students share use of
> > > >   about 500 laptops and tablet PCs so it is most common for a particular user
> > > >   to grab a different laptops from different carts in a given day and use
> > > >   several different laptops from the same cart throughout a school year. I
> > > >   point this out so that you know that the common answer to our problem, which
> > > >   is to logon via the ethernet line and cache the profile before trying to
> > > >   connect via wireless is not acceptable nor practical.  Additionally, we had
> > > >   no problem with this last school year. Now, three months later we are
> > > >   basically "dead in the water" with regard to technology for students and
> > > >   wireless access for staff. The actual message that we get is:" The system
> > > >   cannot log you on because the domain OURDOMAIN is not available." The same
> > > >   user account will quickly authenticate via ethernet.
> > > >    
> > > >   More info: This is occurring with both a new Cisco server-managed wireless
> > > >   network in one building and the old store bought access points in our other
> > > >   buildings. This is also occurring with newly re-imaged laptops that were used
> > > >   successfully last year, with newly re-imaged laptops that were purchased this
> > > >   summer and never used by anyone (except the tech who loaded the computer) and
> > > >   new out of box laptops that have not been customized for our environment.  I
> > > >   point this out because we were concerned that something in the imaging
> > > >   process (RIS and WDS) might have caused this issue but since brand new Dell
> > > >   and Gateway computers also exhibit the behavior it does not appear that the
> > > >   imaging process caused this issue and therfore my job is safe since I am in
> > > >   charge of images.
> > > >
> > > >   I should also point out that the only major change to our computers was the
> > > >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and we also were
> > > >   hammered with between 150 and 200 windows updates over the summer. I suspect
> > > >   that one or both of these events is at least partially related to our
> > > >   problem.
> > > >
> > > >   We really need help here. Any advice?
> > > >

"k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
news:2736CCAE-AC4B-40B9-951C-CA8336A8C50A@microsoft.com...
> am certain that the Windows Firewall is most responsible for this issue.
> In
> order to get our 400 laptops to be able to see a domain controller we had
> to
> turn off the standard profile firewall GPO (which exposes all laptops when
> they are outside of our perimeter....bad news). Then we had to start and
> log
> into each computer as the local admin and manually connect to the wireless
> signal. Next without we logged off the computer (we did not restart) and
> were
> able to log on with a domain account. This also pulled down the policy
> change
> which disabled the firewall. Then and only then were we able to connect to
> the wireless signal after a restart.   This did not work until the
> firewall
> was turned off in Group Policy.  Again I must state that this behavior was
> not exhibited last spring so something changed or was force to change for
> some unknown reason.  I still believe that IE7 (urgh!!!) and it's so
> called
> "improvements" are the reason. If I could have  my way I would uninstall
> this
> monster and put Firefox on every PC on our campus.
>
> "k3v1nr055" wrote:
>
>> I have not used a wireless sniffer but if I used something like airsnort
>> would I be able to watch what occurs on one of the problematic machines
>> from
>> a computer that is already up and running? If that's possible could you
>> point
>> me to some info on doing that?
>>
>> "Pavel A." wrote:
>>
>> > If you could watch the logon process with a wireless sniffer,
>> > it would be clear right away, which packets go to air when, and whether
>> > the firewall blocks something.
>> >
>> > --PA
>> >
>> >
>> > "k3v1nr055" wrote:
>> > > Robert,
>> > >
>> > > It appears that the Windows Firewall is part of the problem. In the
>> > > past
>> > > this did not seem to affect the initial logon.  Now it appears that
>> > > the
>> > > wireless signal is being processed after the cached credentials.  It
>> > > also
>> > > appears that the GPO that enables the Window Firewall is a factor. We
>> > > had a
>> > > domain GPO that disables the firewall when a computer is logged into
>> > > our
>> > > domain and when it powers up off the domain the firewall enables
>> > > (domain
>> > > profile and standard profile). We think that the firewall is
>> > > preventing the
>> > > initial connection with wireless and without a cached profile from a
>> > > domain
>> > > user the laptop will not come to the place where Windows boots up.
>> > > Consequently, the users cannot ever get on. remember that these are
>> > > newly
>> > > imaged computers that were created and joined to the domain by WDS
>> > > and they
>> > > have the old policy.
>> > > We found a very time consuming work around. First we disabled the
>> > > standard
>> > > profile which turns off the firewall for computers that are not on
>> > > the
>> > > domain. Of course, this now means that laptops which go home have no
>> > > firewall
>> > > turned on when they are away. This is not an acceptable situation
>> > > either.
>> > > Then we have to log into each and every laptop as the local admin.
>> > > Then we
>> > > must manually connect to the wireless network.  Next, we have to log
>> > > out (not
>> > > restart because a restart and at this time we are able to log into
>> > > the domain
>> > > and the user is able to authenticate successfully.  Additionally, the
>> > > new
>> > > unprotected gpo is pulled to the machine and therefore firewall is
>> > > off no
>> > > matter what. After we do this any user is able to connect to the
>> > > domain and
>> > > authenticate.  We tried every conceivable combination of login,
>> > > reboot, etc.
>> > > and nothing worked consistently until the firewall was disabled for
>> > > all
>> > > scenarios.  Now we have 450 laptops that we must sneaker net to, set
>> > > up,
>> > > boot, log in as Admin, log off, log in as user. restart, and test as
>> > > different new user.  This really sucks!!!  If you can tell me how to
>> > > enable
>> > > the firewall and open it enough to allow the Zero Wireless
>> > > Configuration
>> > > service to start before authentication I would greatly appreciate it.
>> > > I am
>> > > really tired of systems breaking because MS send patches and
>> > > "upgrades" that
>> > > wreak more havoc on our world.  In this case, something had to happen
>> > > because
>> > > this problem did not occur in June and the only difference is that we
>> > > updated
>> > > all the laptops to IE7 and applied all the approved updates that WSUS
>> > > received.
>> > >
>> > > "Robert L [MVP - Networking]" wrote:
>> > >
>> > > > If all wireless computers have this issue, I don't think it is IE 7
>> > > > issue. Do they receive IP addresses from DHCP? If you use WPA
>> > > > Enterprise, also check the IAS server. Or this link may help.
>> > > >
>> > > > Cisco: Wireless client can't ...Situation: The client tries to
>> > > > setup Cisco wireless 1310 bridge. The client can receive the signal
>> > > > but can't logon the domain. Ipconfig shows the client ...
>> > > >
>> > > > www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf
>> > > >
>> > > >
>> > > > Bob Lin, MS-MVP, MCSE & CNE
>> > > > Networking, Internet, Routing, VPN Troubleshooting on
>> > > > http://www.ChicagoTech.net
>> > > > How to Setup Windows, Network, VPN & Remote Access on
>> > > > http://www.HowToNetworking.com
>> > > >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in
>> > > > message news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
>> > > >   We are suddenly not able to logon to our domain(s) via wireless.
>> > > > This was not
>> > > >   a problem until recently.  This is a school where 1000 students
>> > > > share use of
>> > > >   about 500 laptops and tablet PCs so it is most common for a
>> > > > particular user
>> > > >   to grab a different laptops from different carts in a given day
>> > > > and use
>> > > >   several different laptops from the same cart throughout a school
>> > > > year. I
>> > > >   point this out so that you know that the common answer to our
>> > > > problem, which
>> > > >   is to logon via the ethernet line and cache the profile before
>> > > > trying to
>> > > >   connect via wireless is not acceptable nor practical.
>> > > > Additionally, we had
>> > > >   no problem with this last school year. Now, three months later we
>> > > > are
>> > > >   basically "dead in the water" with regard to technology for
>> > > > students and
>> > > >   wireless access for staff. The actual message that we get is:"
>> > > > The system
>> > > >   cannot log you on because the domain OURDOMAIN is not available."
>> > > > The same
>> > > >   user account will quickly authenticate via ethernet.
>> > > >
>> > > >   More info: This is occurring with both a new Cisco server-managed
>> > > > wireless
>> > > >   network in one building and the old store bought access points in
>> > > > our other
>> > > >   buildings. This is also occurring with newly re-imaged laptops
>> > > > that were used
>> > > >   successfully last year, with newly re-imaged laptops that were
>> > > > purchased this
>> > > >   summer and never used by anyone (except the tech who loaded the
>> > > > computer) and
>> > > >   new out of box laptops that have not been customized for our
>> > > > environment.  I
>> > > >   point this out because we were concerned that something in the
>> > > > imaging
>> > > >   process (RIS and WDS) might have caused this issue but since
>> > > > brand new Dell
>> > > >   and Gateway computers also exhibit the behavior it does not
>> > > > appear that the
>> > > >   imaging process caused this issue and therfore my job is safe
>> > > > since I am in
>> > > >   charge of images.
>> > > >
>> > > >   I should also point out that the only major change to our
>> > > > computers was the
>> > > >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and
>> > > > we also were
>> > > >   hammered with between 150 and 200 windows updates over the
>> > > > summer. I suspect
>> > > >   that one or both of these events is at least partially related to
>> > > > our
>> > > >   problem.
>> > > >
>> > > >   We really need help here. Any advice?
>> > > >

"Greg Lindsay [MSFT]" wrote:

> Hi,
>
> The fact that this happened on hundreds of laptops at about the same time
> makes me suspect a PKI issue, possibly related to certificate expiration.
> What wireless authentication method are you using?
>
> --
> Greg Lindsay [MSFT]
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
> "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
> news:2736CCAE-AC4B-40B9-951C-CA8336A8C50A@microsoft.com...
> > am certain that the Windows Firewall is most responsible for this issue.
> > In
> > order to get our 400 laptops to be able to see a domain controller we had
> > to
> > turn off the standard profile firewall GPO (which exposes all laptops when
> > they are outside of our perimeter....bad news). Then we had to start and
> > log
> > into each computer as the local admin and manually connect to the wireless
> > signal. Next without we logged off the computer (we did not restart) and
> > were
> > able to log on with a domain account. This also pulled down the policy
> > change
> > which disabled the firewall. Then and only then were we able to connect to
> > the wireless signal after a restart.   This did not work until the
> > firewall
> > was turned off in Group Policy.  Again I must state that this behavior was
> > not exhibited last spring so something changed or was force to change for
> > some unknown reason.  I still believe that IE7 (urgh!!!) and it's so
> > called
> > "improvements" are the reason. If I could have  my way I would uninstall
> > this
> > monster and put Firefox on every PC on our campus.
> >
> > "k3v1nr055" wrote:
> >
> >> I have not used a wireless sniffer but if I used something like airsnort
> >> would I be able to watch what occurs on one of the problematic machines
> >> from
> >> a computer that is already up and running? If that's possible could you
> >> point
> >> me to some info on doing that?
> >>
> >> "Pavel A." wrote:
> >>
> >> > If you could watch the logon process with a wireless sniffer,
> >> > it would be clear right away, which packets go to air when, and whether
> >> > the firewall blocks something.
> >> >
> >> > --PA
> >> >
> >> >
> >> > "k3v1nr055" wrote:
> >> > > Robert,
> >> > >
> >> > > It appears that the Windows Firewall is part of the problem. In the
> >> > > past
> >> > > this did not seem to affect the initial logon.  Now it appears that
> >> > > the
> >> > > wireless signal is being processed after the cached credentials.  It
> >> > > also
> >> > > appears that the GPO that enables the Window Firewall is a factor. We
> >> > > had a
> >> > > domain GPO that disables the firewall when a computer is logged into
> >> > > our
> >> > > domain and when it powers up off the domain the firewall enables
> >> > > (domain
> >> > > profile and standard profile). We think that the firewall is
> >> > > preventing the
> >> > > initial connection with wireless and without a cached profile from a
> >> > > domain
> >> > > user the laptop will not come to the place where Windows boots up.
> >> > > Consequently, the users cannot ever get on. remember that these are
> >> > > newly
> >> > > imaged computers that were created and joined to the domain by WDS
> >> > > and they
> >> > > have the old policy.
> >> > > We found a very time consuming work around. First we disabled the
> >> > > standard
> >> > > profile which turns off the firewall for computers that are not on
> >> > > the
> >> > > domain. Of course, this now means that laptops which go home have no
> >> > > firewall
> >> > > turned on when they are away. This is not an acceptable situation
> >> > > either.
> >> > > Then we have to log into each and every laptop as the local admin.
> >> > > Then we
> >> > > must manually connect to the wireless network.  Next, we have to log
> >> > > out (not
> >> > > restart because a restart and at this time we are able to log into
> >> > > the domain
> >> > > and the user is able to authenticate successfully.  Additionally, the
> >> > > new
> >> > > unprotected gpo is pulled to the machine and therefore firewall is
> >> > > off no
> >> > > matter what. After we do this any user is able to connect to the
> >> > > domain and
> >> > > authenticate.  We tried every conceivable combination of login,
> >> > > reboot, etc.
> >> > > and nothing worked consistently until the firewall was disabled for
> >> > > all
> >> > > scenarios.  Now we have 450 laptops that we must sneaker net to, set
> >> > > up,
> >> > > boot, log in as Admin, log off, log in as user. restart, and test as
> >> > > different new user.  This really sucks!!!  If you can tell me how to
> >> > > enable
> >> > > the firewall and open it enough to allow the Zero Wireless
> >> > > Configuration
> >> > > service to start before authentication I would greatly appreciate it.
> >> > > I am
> >> > > really tired of systems breaking because MS send patches and
> >> > > "upgrades" that
> >> > > wreak more havoc on our world.  In this case, something had to happen
> >> > > because
> >> > > this problem did not occur in June and the only difference is that we
> >> > > updated
> >> > > all the laptops to IE7 and applied all the approved updates that WSUS
> >> > > received.
> >> > >
> >> > > "Robert L [MVP - Networking]" wrote:
> >> > >
> >> > > > If all wireless computers have this issue, I don't think it is IE 7
> >> > > > issue. Do they receive IP addresses from DHCP? If you use WPA
> >> > > > Enterprise, also check the IAS server. Or this link may help.
> >> > > >
> >> > > > Cisco: Wireless client can't ...Situation: The client tries to
> >> > > > setup Cisco wireless 1310 bridge. The client can receive the signal
> >> > > > but can't logon the domain. Ipconfig shows the client ...
> >> > > >
> >> > > > www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf
> >> > > >
> >> > > >
> >> > > > Bob Lin, MS-MVP, MCSE & CNE
> >> > > > Networking, Internet, Routing, VPN Troubleshooting on
> >> > > > http://www.ChicagoTech.net
> >> > > > How to Setup Windows, Network, VPN & Remote Access on
> >> > > > http://www.HowToNetworking.com
> >> > > >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in
> >> > > > message news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
> >> > > >   We are suddenly not able to logon to our domain(s) via wireless.
> >> > > > This was not
> >> > > >   a problem until recently.  This is a school where 1000 students
> >> > > > share use of
> >> > > >   about 500 laptops and tablet PCs so it is most common for a
> >> > > > particular user
> >> > > >   to grab a different laptops from different carts in a given day
> >> > > > and use
> >> > > >   several different laptops from the same cart throughout a school
> >> > > > year. I
> >> > > >   point this out so that you know that the common answer to our
> >> > > > problem, which
> >> > > >   is to logon via the ethernet line and cache the profile before
> >> > > > trying to
> >> > > >   connect via wireless is not acceptable nor practical.
> >> > > > Additionally, we had
> >> > > >   no problem with this last school year. Now, three months later we
> >> > > > are
> >> > > >   basically "dead in the water" with regard to technology for
> >> > > > students and
> >> > > >   wireless access for staff. The actual message that we get is:"
> >> > > > The system
> >> > > >   cannot log you on because the domain OURDOMAIN is not available."
> >> > > > The same
> >> > > >   user account will quickly authenticate via ethernet.
> >> > > >
> >> > > >   More info: This is occurring with both a new Cisco server-managed
> >> > > > wireless
> >> > > >   network in one building and the old store bought access points in
> >> > > > our other
> >> > > >   buildings. This is also occurring with newly re-imaged laptops
> >> > > > that were used
> >> > > >   successfully last year, with newly re-imaged laptops that were
> >> > > > purchased this
> >> > > >   summer and never used by anyone (except the tech who loaded the
> >> > > > computer) and
> >> > > >   new out of box laptops that have not been customized for our
> >> > > > environment.  I
> >> > > >   point this out because we were concerned that something in the
> >> > > > imaging
> >> > > >   process (RIS and WDS) might have caused this issue but since
> >> > > > brand new Dell
> >> > > >   and Gateway computers also exhibit the behavior it does not
> >> > > > appear that the
> >> > > >   imaging process caused this issue and therfore my job is safe
> >> > > > since I am in
> >> > > >   charge of images.
> >> > > >
> >> > > >   I should also point out that the only major change to our
> >> > > > computers was the
> >> > > >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me) and
> >> > > > we also were
> >> > > >   hammered with between 150 and 200 windows updates over the
> >> > > > summer. I suspect
> >> > > >   that one or both of these events is at least partially related to
> >> > > > our
> >> > > >   problem.
> >> > > >
> >> > > >   We really need help here. Any advice?
> >> > > >
>
>
>

"k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
news:4FC857F0-3CB5-4AFE-82A4-F22F9D4B557A@microsoft.com...
> Right now the wireless is wide open and has been for some time.  Later
> this
> week we are having a managed Cisco system installed and we will push down
> keys and then turn on one or more security implementations.  However, it
> still seems strange that computers that have an existing domain profile
> for
> the user that is logging on would eventually connect to the network via
> wireless but if the user was logging on for the first time and the GPO
> that
> disabled the firewall had not replicated to the box then that user could
> not
> "find a domain controller".  What also puzzles me is why this began to
> occur
> since last June when school ended.  We made no changes to our setup. The
> only
> things that changed were the result of  MS updates that we push out via
> WSUS.
> We don't have time to hunt down every anomaly that occurs and these kinds
> of
> things seem to occur more and more often.  It's very frustrating.
> "Greg Lindsay [MSFT]" wrote:
>
>> Hi,
>>
>> The fact that this happened on hundreds of laptops at about the same time
>> makes me suspect a PKI issue, possibly related to certificate expiration.
>> What wireless authentication method are you using?
>>
>> --
>> Greg Lindsay [MSFT]
>>
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>>
>> "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
>> news:2736CCAE-AC4B-40B9-951C-CA8336A8C50A@microsoft.com...
>> > am certain that the Windows Firewall is most responsible for this
>> > issue.
>> > In
>> > order to get our 400 laptops to be able to see a domain controller we
>> > had
>> > to
>> > turn off the standard profile firewall GPO (which exposes all laptops
>> > when
>> > they are outside of our perimeter....bad news). Then we had to start
>> > and
>> > log
>> > into each computer as the local admin and manually connect to the
>> > wireless
>> > signal. Next without we logged off the computer (we did not restart)
>> > and
>> > were
>> > able to log on with a domain account. This also pulled down the policy
>> > change
>> > which disabled the firewall. Then and only then were we able to connect
>> > to
>> > the wireless signal after a restart.   This did not work until the
>> > firewall
>> > was turned off in Group Policy.  Again I must state that this behavior
>> > was
>> > not exhibited last spring so something changed or was force to change
>> > for
>> > some unknown reason.  I still believe that IE7 (urgh!!!) and it's so
>> > called
>> > "improvements" are the reason. If I could have  my way I would
>> > uninstall
>> > this
>> > monster and put Firefox on every PC on our campus.
>> >
>> > "k3v1nr055" wrote:
>> >
>> >> I have not used a wireless sniffer but if I used something like
>> >> airsnort
>> >> would I be able to watch what occurs on one of the problematic
>> >> machines
>> >> from
>> >> a computer that is already up and running? If that's possible could
>> >> you
>> >> point
>> >> me to some info on doing that?
>> >>
>> >> "Pavel A." wrote:
>> >>
>> >> > If you could watch the logon process with a wireless sniffer,
>> >> > it would be clear right away, which packets go to air when, and
>> >> > whether
>> >> > the firewall blocks something.
>> >> >
>> >> > --PA
>> >> >
>> >> >
>> >> > "k3v1nr055" wrote:
>> >> > > Robert,
>> >> > >
>> >> > > It appears that the Windows Firewall is part of the problem. In
>> >> > > the
>> >> > > past
>> >> > > this did not seem to affect the initial logon.  Now it appears
>> >> > > that
>> >> > > the
>> >> > > wireless signal is being processed after the cached credentials.
>> >> > > It
>> >> > > also
>> >> > > appears that the GPO that enables the Window Firewall is a factor.
>> >> > > We
>> >> > > had a
>> >> > > domain GPO that disables the firewall when a computer is logged
>> >> > > into
>> >> > > our
>> >> > > domain and when it powers up off the domain the firewall enables
>> >> > > (domain
>> >> > > profile and standard profile). We think that the firewall is
>> >> > > preventing the
>> >> > > initial connection with wireless and without a cached profile from
>> >> > > a
>> >> > > domain
>> >> > > user the laptop will not come to the place where Windows boots up.
>> >> > > Consequently, the users cannot ever get on. remember that these
>> >> > > are
>> >> > > newly
>> >> > > imaged computers that were created and joined to the domain by WDS
>> >> > > and they
>> >> > > have the old policy.
>> >> > > We found a very time consuming work around. First we disabled the
>> >> > > standard
>> >> > > profile which turns off the firewall for computers that are not on
>> >> > > the
>> >> > > domain. Of course, this now means that laptops which go home have
>> >> > > no
>> >> > > firewall
>> >> > > turned on when they are away. This is not an acceptable situation
>> >> > > either.
>> >> > > Then we have to log into each and every laptop as the local admin.
>> >> > > Then we
>> >> > > must manually connect to the wireless network.  Next, we have to
>> >> > > log
>> >> > > out (not
>> >> > > restart because a restart and at this time we are able to log into
>> >> > > the domain
>> >> > > and the user is able to authenticate successfully.  Additionally,
>> >> > > the
>> >> > > new
>> >> > > unprotected gpo is pulled to the machine and therefore firewall is
>> >> > > off no
>> >> > > matter what. After we do this any user is able to connect to the
>> >> > > domain and
>> >> > > authenticate.  We tried every conceivable combination of login,
>> >> > > reboot, etc.
>> >> > > and nothing worked consistently until the firewall was disabled
>> >> > > for
>> >> > > all
>> >> > > scenarios.  Now we have 450 laptops that we must sneaker net to,
>> >> > > set
>> >> > > up,
>> >> > > boot, log in as Admin, log off, log in as user. restart, and test
>> >> > > as
>> >> > > different new user.  This really sucks!!!  If you can tell me how
>> >> > > to
>> >> > > enable
>> >> > > the firewall and open it enough to allow the Zero Wireless
>> >> > > Configuration
>> >> > > service to start before authentication I would greatly appreciate
>> >> > > it.
>> >> > > I am
>> >> > > really tired of systems breaking because MS send patches and
>> >> > > "upgrades" that
>> >> > > wreak more havoc on our world.  In this case, something had to
>> >> > > happen
>> >> > > because
>> >> > > this problem did not occur in June and the only difference is that
>> >> > > we
>> >> > > updated
>> >> > > all the laptops to IE7 and applied all the approved updates that
>> >> > > WSUS
>> >> > > received.
>> >> > >
>> >> > > "Robert L [MVP - Networking]" wrote:
>> >> > >
>> >> > > > If all wireless computers have this issue, I don't think it is
>> >> > > > IE 7
>> >> > > > issue. Do they receive IP addresses from DHCP? If you use WPA
>> >> > > > Enterprise, also check the IAS server. Or this link may help.
>> >> > > >
>> >> > > > Cisco: Wireless client can't ...Situation: The client tries to
>> >> > > > setup Cisco wireless 1310 bridge. The client can receive the
>> >> > > > signal
>> >> > > > but can't logon the domain. Ipconfig shows the client ...
>> >> > > >
>> >> > > > www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf
>> >> > > >
>> >> > > >
>> >> > > > Bob Lin, MS-MVP, MCSE & CNE
>> >> > > > Networking, Internet, Routing, VPN Troubleshooting on
>> >> > > > http://www.ChicagoTech.net
>> >> > > > How to Setup Windows, Network, VPN & Remote Access on
>> >> > > > http://www.HowToNetworking.com
>> >> > > >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in
>> >> > > > message
>> >> > > > news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
>> >> > > >   We are suddenly not able to logon to our domain(s) via
>> >> > > > wireless.
>> >> > > > This was not
>> >> > > >   a problem until recently.  This is a school where 1000
>> >> > > > students
>> >> > > > share use of
>> >> > > >   about 500 laptops and tablet PCs so it is most common for a
>> >> > > > particular user
>> >> > > >   to grab a different laptops from different carts in a given
>> >> > > > day
>> >> > > > and use
>> >> > > >   several different laptops from the same cart throughout a
>> >> > > > school
>> >> > > > year. I
>> >> > > >   point this out so that you know that the common answer to our
>> >> > > > problem, which
>> >> > > >   is to logon via the ethernet line and cache the profile before
>> >> > > > trying to
>> >> > > >   connect via wireless is not acceptable nor practical.
>> >> > > > Additionally, we had
>> >> > > >   no problem with this last school year. Now, three months later
>> >> > > > we
>> >> > > > are
>> >> > > >   basically "dead in the water" with regard to technology for
>> >> > > > students and
>> >> > > >   wireless access for staff. The actual message that we get is:"
>> >> > > > The system
>> >> > > >   cannot log you on because the domain OURDOMAIN is not
>> >> > > > available."
>> >> > > > The same
>> >> > > >   user account will quickly authenticate via ethernet.
>> >> > > >
>> >> > > >   More info: This is occurring with both a new Cisco
>> >> > > > server-managed
>> >> > > > wireless
>> >> > > >   network in one building and the old store bought access points
>> >> > > > in
>> >> > > > our other
>> >> > > >   buildings. This is also occurring with newly re-imaged laptops
>> >> > > > that were used
>> >> > > >   successfully last year, with newly re-imaged laptops that were
>> >> > > > purchased this
>> >> > > >   summer and never used by anyone (except the tech who loaded
>> >> > > > the
>> >> > > > computer) and
>> >> > > >   new out of box laptops that have not been customized for our
>> >> > > > environment.  I
>> >> > > >   point this out because we were concerned that something in the
>> >> > > > imaging
>> >> > > >   process (RIS and WDS) might have caused this issue but since
>> >> > > > brand new Dell
>> >> > > >   and Gateway computers also exhibit the behavior it does not
>> >> > > > appear that the
>> >> > > >   imaging process caused this issue and therfore my job is safe
>> >> > > > since I am in
>> >> > > >   charge of images.
>> >> > > >
>> >> > > >   I should also point out that the only major change to our
>> >> > > > computers was the
>> >> > > >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me)
>> >> > > > and
>> >> > > > we also were
>> >> > > >   hammered with between 150 and 200 windows updates over the
>> >> > > > summer. I suspect
>> >> > > >   that one or both of these events is at least partially related
>> >> > > > to
>> >> > > > our
>> >> > > >   problem.
>> >> > > >
>> >> > > >   We really need help here. Any advice?
>> >> > > >
>>
>>
>>

"Greg Lindsay [MSFT]" wrote:

> I am sorry for all the frustration, it does sound like an extremely bad
> situation. I hope that I can help, either directly or by getting some other
> experts involved.
>
> I'd just like to double-check that you aren't using 802.1X at all. If you
> view the properties of your wireless network, and check the authentication
> tab, is the Enable IEEE 802.1x..." check box selected? If so, what is in the
> dropdown next to EAP type?
>
> I'm still thinking about why the firewall affects this. It might help to set
> the firewall to start as automatic(delayed) or make it dependent on the zero
> wireless configuration service, but that is not getting to the root cause of
> the problem.
>
> --
> Greg Lindsay [MSFT]
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
>
> "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
> news:4FC857F0-3CB5-4AFE-82A4-F22F9D4B557A@microsoft.com...
> > Right now the wireless is wide open and has been for some time.  Later
> > this
> > week we are having a managed Cisco system installed and we will push down
> > keys and then turn on one or more security implementations.  However, it
> > still seems strange that computers that have an existing domain profile
> > for
> > the user that is logging on would eventually connect to the network via
> > wireless but if the user was logging on for the first time and the GPO
> > that
> > disabled the firewall had not replicated to the box then that user could
> > not
> > "find a domain controller".  What also puzzles me is why this began to
> > occur
> > since last June when school ended.  We made no changes to our setup. The
> > only
> > things that changed were the result of  MS updates that we push out via
> > WSUS.
> > We don't have time to hunt down every anomaly that occurs and these kinds
> > of
> > things seem to occur more and more often.  It's very frustrating.
> > "Greg Lindsay [MSFT]" wrote:
> >
> >> Hi,
> >>
> >> The fact that this happened on hundreds of laptops at about the same time
> >> makes me suspect a PKI issue, possibly related to certificate expiration.
> >> What wireless authentication method are you using?
> >>
> >> --
> >> Greg Lindsay [MSFT]
> >>
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >>
> >> "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
> >> news:2736CCAE-AC4B-40B9-951C-CA8336A8C50A@microsoft.com...
> >> > am certain that the Windows Firewall is most responsible for this
> >> > issue.
> >> > In
> >> > order to get our 400 laptops to be able to see a domain controller we
> >> > had
> >> > to
> >> > turn off the standard profile firewall GPO (which exposes all laptops
> >> > when
> >> > they are outside of our perimeter....bad news). Then we had to start
> >> > and
> >> > log
> >> > into each computer as the local admin and manually connect to the
> >> > wireless
> >> > signal. Next without we logged off the computer (we did not restart)
> >> > and
> >> > were
> >> > able to log on with a domain account. This also pulled down the policy
> >> > change
> >> > which disabled the firewall. Then and only then were we able to connect
> >> > to
> >> > the wireless signal after a restart.   This did not work until the
> >> > firewall
> >> > was turned off in Group Policy.  Again I must state that this behavior
> >> > was
> >> > not exhibited last spring so something changed or was force to change
> >> > for
> >> > some unknown reason.  I still believe that IE7 (urgh!!!) and it's so
> >> > called
> >> > "improvements" are the reason. If I could have  my way I would
> >> > uninstall
> >> > this
> >> > monster and put Firefox on every PC on our campus.
> >> >
> >> > "k3v1nr055" wrote:
> >> >
> >> >> I have not used a wireless sniffer but if I used something like
> >> >> airsnort
> >> >> would I be able to watch what occurs on one of the problematic
> >> >> machines
> >> >> from
> >> >> a computer that is already up and running? If that's possible could
> >> >> you
> >> >> point
> >> >> me to some info on doing that?
> >> >>
> >> >> "Pavel A." wrote:
> >> >>
> >> >> > If you could watch the logon process with a wireless sniffer,
> >> >> > it would be clear right away, which packets go to air when, and
> >> >> > whether
> >> >> > the firewall blocks something.
> >> >> >
> >> >> > --PA
> >> >> >
> >> >> >
> >> >> > "k3v1nr055" wrote:
> >> >> > > Robert,
> >> >> > >
> >> >> > > It appears that the Windows Firewall is part of the problem. In
> >> >> > > the
> >> >> > > past
> >> >> > > this did not seem to affect the initial logon.  Now it appears
> >> >> > > that
> >> >> > > the
> >> >> > > wireless signal is being processed after the cached credentials.
> >> >> > > It
> >> >> > > also
> >> >> > > appears that the GPO that enables the Window Firewall is a factor.
> >> >> > > We
> >> >> > > had a
> >> >> > > domain GPO that disables the firewall when a computer is logged
> >> >> > > into
> >> >> > > our
> >> >> > > domain and when it powers up off the domain the firewall enables
> >> >> > > (domain
> >> >> > > profile and standard profile). We think that the firewall is
> >> >> > > preventing the
> >> >> > > initial connection with wireless and without a cached profile from
> >> >> > > a
> >> >> > > domain
> >> >> > > user the laptop will not come to the place where Windows boots up.
> >> >> > > Consequently, the users cannot ever get on. remember that these
> >> >> > > are
> >> >> > > newly
> >> >> > > imaged computers that were created and joined to the domain by WDS
> >> >> > > and they
> >> >> > > have the old policy.
> >> >> > > We found a very time consuming work around. First we disabled the
> >> >> > > standard
> >> >> > > profile which turns off the firewall for computers that are not on
> >> >> > > the
> >> >> > > domain. Of course, this now means that laptops which go home have
> >> >> > > no
> >> >> > > firewall
> >> >> > > turned on when they are away. This is not an acceptable situation
> >> >> > > either.
> >> >> > > Then we have to log into each and every laptop as the local admin.
> >> >> > > Then we
> >> >> > > must manually connect to the wireless network.  Next, we have to
> >> >> > > log
> >> >> > > out (not
> >> >> > > restart because a restart and at this time we are able to log into
> >> >> > > the domain
> >> >> > > and the user is able to authenticate successfully.  Additionally,
> >> >> > > the
> >> >> > > new
> >> >> > > unprotected gpo is pulled to the machine and therefore firewall is
> >> >> > > off no
> >> >> > > matter what. After we do this any user is able to connect to the
> >> >> > > domain and
> >> >> > > authenticate.  We tried every conceivable combination of login,
> >> >> > > reboot, etc.
> >> >> > > and nothing worked consistently until the firewall was disabled
> >> >> > > for
> >> >> > > all
> >> >> > > scenarios.  Now we have 450 laptops that we must sneaker net to,
> >> >> > > set
> >> >> > > up,
> >> >> > > boot, log in as Admin, log off, log in as user. restart, and test
> >> >> > > as
> >> >> > > different new user.  This really sucks!!!  If you can tell me how
> >> >> > > to
> >> >> > > enable
> >> >> > > the firewall and open it enough to allow the Zero Wireless
> >> >> > > Configuration
> >> >> > > service to start before authentication I would greatly appreciate
> >> >> > > it.
> >> >> > > I am
> >> >> > > really tired of systems breaking because MS send patches and
> >> >> > > "upgrades" that
> >> >> > > wreak more havoc on our world.  In this case, something had to
> >> >> > > happen
> >> >> > > because
> >> >> > > this problem did not occur in June and the only difference is that
> >> >> > > we
> >> >> > > updated
> >> >> > > all the laptops to IE7 and applied all the approved updates that
> >> >> > > WSUS
> >> >> > > received.
> >> >> > >
> >> >> > > "Robert L [MVP - Networking]" wrote:
> >> >> > >
> >> >> > > > If all wireless computers have this issue, I don't think it is
> >> >> > > > IE 7
> >> >> > > > issue. Do they receive IP addresses from DHCP? If you use WPA
> >> >> > > > Enterprise, also check the IAS server. Or this link may help.
> >> >> > > >
> >> >> > > > Cisco: Wireless client can't ...Situation: The client tries to
> >> >> > > > setup Cisco wireless 1310 bridge. The client can receive the
> >> >> > > > signal
> >> >> > > > but can't logon the domain. Ipconfig shows the client ...
> >> >> > > >
> >> >> > > > www.chicagotech.net/netforums/viewtopic.php?t=655&sid=dd42117ac381f01a447d707b0e6327bf
> >> >> > > >
> >> >> > > >
> >> >> > > > Bob Lin, MS-MVP, MCSE & CNE
> >> >> > > > Networking, Internet, Routing, VPN Troubleshooting on
> >> >> > > > http://www.ChicagoTech.net
> >> >> > > > How to Setup Windows, Network, VPN & Remote Access on
> >> >> > > > http://www.HowToNetworking.com
> >> >> > > >   "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in
> >> >> > > > message
> >> >> > > > news:29B68C0F-8DF6-41A4-A620-99D879EE94A4@microsoft.com...
> >> >> > > >   We are suddenly not able to logon to our domain(s) via
> >> >> > > > wireless.
> >> >> > > > This was not
> >> >> > > >   a problem until recently.  This is a school where 1000
> >> >> > > > students
> >> >> > > > share use of
> >> >> > > >   about 500 laptops and tablet PCs so it is most common for a
> >> >> > > > particular user
> >> >> > > >   to grab a different laptops from different carts in a given
> >> >> > > > day
> >> >> > > > and use
> >> >> > > >   several different laptops from the same cart throughout a
> >> >> > > > school
> >> >> > > > year. I
> >> >> > > >   point this out so that you know that the common answer to our
> >> >> > > > problem, which
> >> >> > > >   is to logon via the ethernet line and cache the profile before
> >> >> > > > trying to
> >> >> > > >   connect via wireless is not acceptable nor practical.
> >> >> > > > Additionally, we had
> >> >> > > >   no problem with this last school year. Now, three months later
> >> >> > > > we
> >> >> > > > are
> >> >> > > >   basically "dead in the water" with regard to technology for
> >> >> > > > students and
> >> >> > > >   wireless access for staff. The actual message that we get is:"
> >> >> > > > The system
> >> >> > > >   cannot log you on because the domain OURDOMAIN is not
> >> >> > > > available."
> >> >> > > > The same
> >> >> > > >   user account will quickly authenticate via ethernet.
> >> >> > > >
> >> >> > > >   More info: This is occurring with both a new Cisco
> >> >> > > > server-managed
> >> >> > > > wireless
> >> >> > > >   network in one building and the old store bought access points
> >> >> > > > in
> >> >> > > > our other
> >> >> > > >   buildings. This is also occurring with newly re-imaged laptops
> >> >> > > > that were used
> >> >> > > >   successfully last year, with newly re-imaged laptops that were
> >> >> > > > purchased this
> >> >> > > >   summer and never used by anyone (except the tech who loaded
> >> >> > > > the
> >> >> > > > computer) and
> >> >> > > >   new out of box laptops that have not been customized for our
> >> >> > > > environment.  I
> >> >> > > >   point this out because we were concerned that something in the
> >> >> > > > imaging
> >> >> > > >   process (RIS and WDS) might have caused this issue but since
> >> >> > > > brand new Dell
> >> >> > > >   and Gateway computers also exhibit the behavior it does not
> >> >> > > > appear that the
> >> >> > > >   imaging process caused this issue and therfore my job is safe
> >> >> > > > since I am in
> >> >> > > >   charge of images.
> >> >> > > >
> >> >> > > >   I should also point out that the only major change to our
> >> >> > > > computers was the
> >> >> > > >   "upgrade" to IE7 (ouch...actually a downgrade if you ask me)
> >> >> > > > and
> >> >> > > > we also were
> >> >> > > >   hammered with between 150 and 200 windows updates over the
> >> >> > > > summer. I suspect
> >> >> > > >   that one or both of these events is at least partially related
> >> >> > > > to
> >> >> > > > our
> >> >> > > >   problem.
> >> >> > > >
> >> >> > > >   We really need help here. Any advice?
> >> >> > > >
> >>
> >>
> >>
>
>
>

"Phillip Windell" wrote:

> "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
> news:A48D6828-F853-49DB-B9DC-392C0C622F93@microsoft.com...
> > Greg,
> > No, that box is NOT selected (since there is no encryption established at
> > this time).  The bottom line is that the only way any user can attach to
> > the
> > wireless network is after they have a profile.
>
> I do not think there is a solution.  The wireless nic drivers and the
> connection management are not active until you get "logged on to the
> desktop".  Therefore you have no connection until you are already logged on,
> thereforethere is no way for someone without a previously cached profile to
> log on with out first doing it over a wired connection.
>
> I would love for the nic manufactures to come up with a way for their
> products to work without the user first logging in (like the wired nics do),
> however keep in mind that a wireless nic can connect to anything that is
> within range while a wired nic will only connect to what it is physically
> connected to,...and I believe that is the crux of the wireless
> problem,...there is no way to control what the wireless nic does until you
> have already logged in.
>
> IMO wireless in a school or business should never be the primary means of
> connection.  The primary means should always be wired. Every desk should
> have a wired jack available.  The Wireless will be perfectly fine when they
> move from their normal desk and "roam" about the building or travel,...but
> it should always be the secondary means of connection.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

"Phillip Windell" wrote:

>
> "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
> news:9CFA765F-C788-47A1-9113-54A22B0C20E8@microsoft.com...
>
> >  Also, it is obvious that  you do not work in or around schools.
>
> No,...I work in a much much more complex, stressfull, and more technical
> environment,...while supporting the schools with my tax dollars whether I
> want to or not, while listening to them complain about not having enough
> money as they spend millions on building projects.
>
> > That seems to be part of the problem in
> > all the posted solutions on Technet.
>
> ....and it is free. You want something for nothing,..you got something for
> nothing.  More than that it was on "my dime", on my time, at work, while
> taking care of the much much more complex, stressfull, and more technical
> environment at the same time.
>
> Call MS Support Services for help.  Pay the $245 like the rest of us.
> Here's the number,...it is even toll free.
> 1-800-936-4900
>
> --
> Phillip Windell
> www.wandtv.com
>
>
>

"k3v1nr055" wrote:

> Lighten up.  I thought the reason that these news groups were created for the
> purpose of giving support.  If you don't want to help maybe don't spend your
> precious time replying. You did not offer anything that was helpful. You
> simply posted your opinion.  We pay Microsoft a lot of money to use their
> products and I think that it's not too much to ask that they don't make
> changes to the way things work without telling us how it's going to affect
> our world. Why should I have to pay for support for something that I already
> paid for. It's a joke. Anyway, there have been instances when we went the pay
> for help route and I found that the people we paid (at MS and elsewhere) were
> seldom of any help.  If spending $245 to get support for something that we
> already pay for would solve this problem I am sure my boss would spend it. He
> has been ripped off too many times. I work in a private school and we don't
> have the luxury of getting your tax dollars. We also are not able to charge
> exorbitant prices for commercial time and we cannot pass extra expenses on to
> the client as you can in the broadcast industry. For the record, I pay taxes
> and I pay tuition for my kids. I also pay extra for everything I buy because
> the cost of advertising on your TV station is added to everything I need. So
> get over it. I can appreciate that your environment is more technical. It
> should be, it's a TV station. However, all of us know about the stress that
> occurs when systems fail. and I can tell you that when 1000 users go to log
> into laptops and those laptops cannot find a domain controller, my overworked
> and understaffed co-workers and myself feel as much stress and frustration as
> anyone else in this industry.  Still, no one, including yourself, has been
> able to tell my why this problem has happened when it did not happen a few
> months ago.  You are right about something however: I paid you nothing and
> you were of no help.
>
> "Phillip Windell" wrote:
>
> >
> > "k3v1nr055" <k3v1nr***@discussions.microsoft.com> wrote in message
> > news:9CFA765F-C788-47A1-9113-54A22B0C20E8@microsoft.com...
> >
> > >  Also, it is obvious that  you do not work in or around schools.
> >
> > No,...I work in a much much more complex, stressfull, and more technical
> > environment,...while supporting the schools with my tax dollars whether I
> > want to or not, while listening to them complain about not having enough
> > money as they spend millions on building projects.
> >
> > > That seems to be part of the problem in
> > > all the posted solutions on Technet.
> >
> > ....and it is free. You want something for nothing,..you got something for
> > nothing.  More than that it was on "my dime", on my time, at work, while
> > taking care of the much much more complex, stressfull, and more technical
> > environment at the same time.
> >
> > Call MS Support Services for help.  Pay the $245 like the rest of us.
> > Here's the number,...it is even toll free.
> > 1-800-936-4900
> >
> > --
> > Phillip Windell
> > www.wandtv.com
> >
> >
> >