K2000: USMT and Windows Firewall
I'm testing USMT from the kbox and getting the NT_STATUS_IO_TIMEOUT error when the firewall is enabled on the xp target pc. I've already allowed access to TCP ports 139 and 445 in all profiles from the kbox IP through a gpo and ran gpupdate /force, but still get the error if the firewall is enabled. No problem when the fw is disabled. Simple file sharing is off.
Is another port required?
Thanks.
Answers (4)
you can disable the firewall on the xp target. open a command prompt, do a netstart -a and note the ports inuse, start the USMT running, while it is going do another netstat -a and see what additional ports you are using by comparing to the first netstat command
Comments:
-
may also need UDP ports - SMal.tmcc 11 years ago
D'oh! on the netstat. I found tcp port 1337, plus a couple of dynamic ports opened from the kbox. 1337 appears to be the Mice and Men DNS implementation. Hmmmm.
Comments:
-
maybe the firewall is blocking the program vs the port. have logging enabled and try it and see what the logs say - SMal.tmcc 11 years ago
For XP, I found that adding the Remote Admin exception to my gpo and using the kbox IP fixed the problem. For windows 7, I saw the requirement to disable the uac setting "Run all admins in admin approval". Since that completely breaks UAC and the ability for a non-admin to use the "Run As" option, that's not going to work for us. Is there anything else I can do with the uac in a gpo short of disabling it altogether, and still get usmt to work?
Comments:
-
you can run the loadstate command as administrator.
this is from the MS point of view
http://technet.microsoft.com/en-us/library/dd883247(WS.10).aspx - SMal.tmcc 11 years ago
If you are replacing or reimaging from xp to 7 you could do this task manually. A tech visits the XP machine to be upgraded and runs the Windows Easy Transfer, during that process they also note the software and printers above the normal image on the system and also include any files not in the default locations. That mig file is then stored on our IT server. The machine is replaced or reimaged. The tech names it correctly and joins it to the domain. either get pushes or installs any extra needed software. The tech then goes to the server and double clicks on the MIG file and brings it to the new machine/image.
Comments:
-
Yup, I was just trying to save a visit to the user PC since we're spread out across several buildings.
Thanks for all the info. - tpr 11 years ago -
Our campus has 6 sites so I know what you mean, I have been remoting my away machines and doing the migration and preping the w7 box in my office with any additional software and mig file. I have then can have a student tech go swap the boxes. I have been doing in place remote upgrades on the same machine, just find someone there to put a sign on the machine and I do it all remotely. - SMal.tmcc 11 years ago