Firewall Service Cannot Start When Not Connected to Domain

We have a Vista Ultimate installation with all service packs installed.
Both the local security policy and the domain policy after joining a domain
have the reserved accounts NETWORK SERVICE and LOCAL SERVICE configured to
start as a service. If we disconnect the notebook from the domain and
restart it, the Windows Firewall service refuses to start. All attempts to
manage the firewall fail because the service reports it has not started.
If you manually attempt to start the firewall service it fails.

As soon as we put the notebook back on the domain network and reboot it
works.

Does anyone have any insight on why this happens and how we can get the
firewall to start? Any sequence that effectively prevents the firewall
from starting strikes me as a pretty serious misfeature. The notebook is
often used to configure devices by cross connecting straight to the device,
so we cannot count on being on the domain network, but clearly we want a
working firewall at all times.

--
W

Hi
When it is Off the domain what are you trying to connect to?
Who ever controls the Domain Polices has to configure the computer to
function in a none domain environment when needed.
Jack (MS, MVP-Networking).

"W" <persistentone@spamarrest.com> wrote in message
news:y-OdnS6burgm5JrWnZ2dnUVZ_vSdnZ2d@giganews.com...
> We have a Vista Ultimate installation with all service packs installed.
> Both the local security policy and the domain policy after joining a
> domain have the reserved accounts NETWORK SERVICE and LOCAL SERVICE
> configured to start as a service. If we disconnect the notebook from
> the domain and restart it, the Windows Firewall service refuses to start.
> All attempts to manage the firewall fail because the service reports it
> has not started. If you manually attempt to start the firewall service it
> fails.
>
> As soon as we put the notebook back on the domain network and reboot it
> works.
>
> Does anyone have any insight on why this happens and how we can get the
> firewall to start? Any sequence that effectively prevents the firewall
> from starting strikes me as a pretty serious misfeature. The notebook
> is often used to configure devices by cross connecting straight to the
> device, so we cannot count on being on the domain network, but clearly we
> want a working firewall at all times.
>
> --
> W
>

"Jack [MVP-Networking]" <jack@discussiongroup.com> wrote in message
news:erFE50xaKHA.428@TK2MSFTNGP06.phx.gbl...
> Hi
> When it is Off the domain what are you trying to connect to?
> Who ever controls the Domain Polices has to configure the computer to
> function in a none domain environment when needed.
> Jack (MS, MVP-Networking).

What I am saying is that when the computer is off the domain, the firewall
service is *refusing to startup at all*. That cannot be a feature, can
it?


--
W

> "W" <persistentone@spamarrest.com> wrote in message
> news:y-OdnS6burgm5JrWnZ2dnUVZ_vSdnZ2d@giganews.com...
>> We have a Vista Ultimate installation with all service packs installed.
>> Both the local security policy and the domain policy after joining a
>> domain have the reserved accounts NETWORK SERVICE and LOCAL SERVICE
>> configured to start as a service. If we disconnect the notebook from
>> the domain and restart it, the Windows Firewall service refuses to start.
>> All attempts to manage the firewall fail because the service reports it
>> has not started. If you manually attempt to start the firewall service it
>> fails.
>>
>> As soon as we put the notebook back on the domain network and reboot it
>> works.
>>
>> Does anyone have any insight on why this happens and how we can get the
>> firewall to start? Any sequence that effectively prevents the firewall
>> from starting strikes me as a pretty serious misfeature. The notebook
>> is often used to configure devices by cross connecting straight to the
>> device, so we cannot count on being on the domain network, but clearly we
>> want a working firewall at all times.

Hi
No it is not a feature.
Just being of the Domain just not mean that the computer is automatically
re-configured itself for regular Peer-to-Peer network.
Who ever configures the domain has to take a look to make sure that the
right open configuration is available.
Jack (MS, MVP-Networking).

"W" <persistentone@spamarrest.com> wrote in message
news:TsKdnQ3I1cmJtJbWnZ2dnUVZ_uydnZ2d@giganews.com ...
> "Jack [MVP-Networking]" <jack@discussiongroup.com> wrote in message
> news:erFE50xaKHA.428@TK2MSFTNGP06.phx.gbl...
>> Hi
>> When it is Off the domain what are you trying to connect to?
>> Who ever controls the Domain Polices has to configure the computer to
>> function in a none domain environment when needed.
>> Jack (MS, MVP-Networking).
>
> What I am saying is that when the computer is off the domain, the firewall
> service is *refusing to startup at all*. That cannot be a feature, can
> it?
>
>
> --
> W
>
>> "W" <persistentone@spamarrest.com> wrote in message
>> news:y-OdnS6burgm5JrWnZ2dnUVZ_vSdnZ2d@giganews.com...
>>> We have a Vista Ultimate installation with all service packs installed.
>>> Both the local security policy and the domain policy after joining a
>>> domain have the reserved accounts NETWORK SERVICE and LOCAL SERVICE
>>> configured to start as a service. If we disconnect the notebook
>>> from the domain and restart it, the Windows Firewall service refuses to
>>> start. All attempts to manage the firewall fail because the service
>>> reports it has not started. If you manually attempt to start the
>>> firewall service it fails.
>>>
>>> As soon as we put the notebook back on the domain network and reboot it
>>> works.
>>>
>>> Does anyone have any insight on why this happens and how we can get the
>>> firewall to start? Any sequence that effectively prevents the
>>> firewall from starting strikes me as a pretty serious misfeature.
>>> The notebook is often used to configure devices by cross connecting
>>> straight to the device, so we cannot count on being on the domain
>>> network, but clearly we want a working firewall at all times.
>
>

"Jack [MVP-Networking]" <jack@discussiongroup.com> wrote in message
news:OYKC3QLbKHA.5156@TK2MSFTNGP05.phx.gbl...
> No it is not a feature.
> Just being of the Domain just not mean that the computer is automatically
> re-configured itself for regular Peer-to-Peer network.
> Who ever configures the domain has to take a look to make sure that the
> right open configuration is available.

I think we may be talking different points. Distinguish two cases:

Case A: Disconnect from the domain and start the computer. After
firewall starts, it has a different configuration than the one in the
domain.

Case B: Disconnect from the domain and start the computer. Firewall
refuses to start at all. Attempts to manually start the firewall *service*
fail. There is no issue about the firewall's configuration because the
firewall cannot even be started.

I am describing Case B. This isn't an issue of how we configured the
firewall rules in or out of the domain. This is a Windows service startup
issue. The firewall service cannot even be started.

--
W


> "W" <persistentone@spamarrest.com> wrote in message
> news:TsKdnQ3I1cmJtJbWnZ2dnUVZ_uydnZ2d@giganews.com ...
>> "Jack [MVP-Networking]" <jack@discussiongroup.com> wrote in message
>> news:erFE50xaKHA.428@TK2MSFTNGP06.phx.gbl...
>>> Hi
>>> When it is Off the domain what are you trying to connect to?
>>> Who ever controls the Domain Polices has to configure the computer to
>>> function in a none domain environment when needed.
>>> Jack (MS, MVP-Networking).
>>
>> What I am saying is that when the computer is off the domain, the
>> firewall service is *refusing to startup at all*. That cannot be a
>> feature, can it?
>>
>>
>> --
>> W
>>
>>> "W" <persistentone@spamarrest.com> wrote in message
>>> news:y-OdnS6burgm5JrWnZ2dnUVZ_vSdnZ2d@giganews.com...
>>>> We have a Vista Ultimate installation with all service packs installed.
>>>> Both the local security policy and the domain policy after joining a
>>>> domain have the reserved accounts NETWORK SERVICE and LOCAL SERVICE
>>>> configured to start as a service. If we disconnect the notebook
>>>> from the domain and restart it, the Windows Firewall service refuses to
>>>> start. All attempts to manage the firewall fail because the service
>>>> reports it has not started. If you manually attempt to start the
>>>> firewall service it fails.
>>>>
>>>> As soon as we put the notebook back on the domain network and reboot it
>>>> works.
>>>>
>>>> Does anyone have any insight on why this happens and how we can get the
>>>> firewall to start? Any sequence that effectively prevents the
>>>> firewall from starting strikes me as a pretty serious misfeature. The
>>>> notebook is often used to configure devices by cross connecting
>>>> straight to the device, so we cannot count on being on the domain
>>>> network, but clearly we want a working firewall at all times.