OU GPO Corrupts 2003 Servers only??



I've got a really weird problem here and I've been beating my head
against the desk, even after engaging HP's MS support team.

Here's the setup:

DC= HP DL385 running 2003 Std x64
Member servers = mix of hardware, 2000 & 2003

I set up a GPO on the Servers OU and began moving servers into it a
while back, starting with some of the development servers, all
Win2K Std Server. No problems there.

Then I added my first 2003 server (Enterprise) to the domain and OU.
Major problems the next day when I rebooted it after being in the OU
overnight. This member server is a ML530G2. I lost all network
connectivity to it, so I brought up the remote console through the iLo
(thank god it still worked, it's 300 miles away...) Login screen showed
that services had failed, so I logged in with local admin to check it
out.

First error msg in the System eventlog was for IPSec. Said that it had
entered blocking mode:

"The IPSec driver has entered Block mode. IPSec will discard all
inbound and outbound TCP/IP network traffic that is not permitted by
boot-time IPSec Policy exemptions. User Action: To restore full
unsecured TCP/IP connectivity, disable the IPSec services, and then
restart the computer. For detailed troubleshooting information, review
the events in the Security event log."

No configuration changes ever made to IPSec. I don't even use it. I
tried disabling it and restarting but still no dice. Log also showed:

"The IPSEC Services service terminated with the following error:
The endpoint mapper database entry could not be created."

Checked the network connections to see why it wasn't talking to the rest
of the network, and the window was blank. No network connections. Device
Manager still shows the onboard NIC with no problems, but the Network
Connections window is empty.

The only way to get the server back on the network again is to remove
it from the domain. Reboot once for the domain removal and another to
refresh the local policy store after it comes back up. I can then
choose to re-add it to the domain and leave it out of the OU in question, or
just not put it on the domain again.

How can I figure out what is causing this problem with 2003 servers and
not affecting 2000 servers?

I have the HTM or XML exports of the GPO if anyone would like to see
them. I just don't want to post them here (don't know how well they
would post).

If anyone has some tips on troubleshooting this GPO problem, please let
me know!
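A diagnostic script that gathers the GPO-assigned IPsec policy state from an affected member server, added here as an example and not part of the original post; run it from the iLO console while the server is still in the OU, and again after it has been removed, then compare the two files. The registry paths, service names and the "Source eq IPSec" event filter are assumptions about Windows Server 2003 and may need adjusting.

```batch
@echo off
rem Added example: collect the IPsec policy state on a Windows Server 2003
rem member server so the GPO-delivered policy can be compared between a
rem broken state (in the OU) and a working state (removed from the OU).
rem Assumptions: registry paths, service names and the event source name
rem are as on Server 2003; verify them on your build before relying on them.
setlocal
set OUT=%SystemDrive%\ipsec-diag-%COMPUTERNAME%.txt

echo === GPOs applied to the computer (look for an IPsec policy assignment) === > "%OUT%"
gpresult /scope computer /v >> "%OUT%" 2>&1

echo. >> "%OUT%"
echo === Domain-delivered IPsec policy pointer (assumed key; absent = no GPO policy) === >> "%OUT%"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy" >> "%OUT%" 2>&1

echo. >> "%OUT%"
echo === IPsec driver operation mode (assumed value: 0=permit 1=block 3=stateful) === >> "%OUT%"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\IPSec" /v OperationMode >> "%OUT%" 2>&1

echo. >> "%OUT%"
echo === IPSEC Services (PolicyAgent) and IPsec driver state === >> "%OUT%"
sc qc PolicyAgent >> "%OUT%" 2>&1
sc query PolicyAgent >> "%OUT%" 2>&1
sc query IPSec >> "%OUT%" 2>&1

echo. >> "%OUT%"
echo === Boot-time mode and exemptions, then the assigned static policy === >> "%OUT%"
netsh ipsec dynamic show config >> "%OUT%" 2>&1
netsh ipsec static show all >> "%OUT%" 2>&1

echo. >> "%OUT%"
echo === IPSec events in the System log (assumed source name) === >> "%OUT%"
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L System /FI "Source eq IPSec" >> "%OUT%" 2>&1

echo Wrote %OUT% - diff it against the file from the working state.
endlocal
```

If the policy pointer key is present only while the machine is in the OU, the GPO is assigning an IPsec policy the 2000 servers either ignore or render differently, and the policy named there is the place to start.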
