Re: OU GPO Corrupts 2003 Servers only??



OK, taking what you have stated at face value, that NOWHERE in
the domain is there an IPsec policy defined and assigned that would
have impact on the Servers OU . . .
then you are looking at the effect of the default behaviors of IPsec
in W2k3, which are different from those in W2k.
In W2k3 the IPsec Policy Agent will block inbound during the boot
process, and then transition to its normal, configured state once the
boot process has completed and policy that should be in effect has
been determined.
I encountered issues similar to what you detail, with x86 W2k3
pre-Sp1 which seemed to clear once Sp1 released, and which
only happened where there was an assigned IPsec policy.
So I was seeing a similar scenario, but one quite different in cause.
It appears to me that your machine is never successfully determining
what should be the IPsec policy, per GPOs of the domain it is in,
and so it does not allow the transition out from the boottime blocking
mode into its defined runtime mode.
http://technet2.microsoft.com/windowsserver/en/library/b0b6adaa-6b38-4952-b055-14559f46e5611033.mspx
You could try using the ipsec command context in netsh to set
the exceptions allowed during the blocking phase in order to
guarantee that communications with DCs can happen, but
this should not be necessary, and also given the remoting
involved that would be a tedious process.
Hence, I would suggest raising this over in the newsgroup
microsoft.public.windows.networking.ipsec
Your solution, given that you are not using IPsec, may be in
setting via netsh in a startup script or via reg edit from GPO
on your Servers OU so that startup mode is stateful instead
of blocking. However, from what you have said, without
first resolving why your server is not exiting from blocking
mode on its initial reboots after join, these ways of setting
startup mode to stateful would be a catch-22. So again, I
would suggest posting over to the IPsec newsgroup to see
about fixing the presently observed behavior (no exit from
blocking mode).
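Added example, not part of either post: a cmd startup script for the Servers OU that does the netsh part of the suggestion above on Windows Server 2003, i.e. moves the IPsec driver's boot mode from block to stateful and records what the box had before and after. The netsh ipsec context exists only on W2K3, so the script exits early on the W2K members. The log file path and the exemption port list are my assumptions, and the bootexemptions value syntax is as I recall it, so check netsh ipsec dynamic set config /? on a 2003 box before relying on that line.

```batch
@echo off
rem Startup script (added example, not from the original posts) for a
rem Servers OU on Windows Server 2003. Runs as LocalSystem at boot.
rem Assumptions: log path below, and the DC port list in step 3.

rem Only W2K3 (NT 5.2) has the "netsh ipsec" context; bail out elsewhere.
ver | find "5.2" >nul || goto :eof

set LOG=%SystemRoot%\ipsec-bootmode.log

rem 1. Record the current boot-mode settings before touching anything,
rem    so the next iLO session has something to compare against.
echo [%DATE% %TIME%] before: >> "%LOG%"
netsh ipsec dynamic show config >> "%LOG%" 2>&1

rem 2. Stateful boot mode: unsolicited inbound is still dropped until the
rem    Policy Agent has worked out the effective policy, but outbound and
rem    the matching replies pass, so the machine can still reach a DC to
rem    read policy. Block mode (what the original poster saw) drops both.
netsh ipsec dynamic set config property=bootmode value=stateful >> "%LOG%" 2>&1
if errorlevel 1 echo [%DATE% %TIME%] set bootmode FAILED, errorlevel %ERRORLEVEL% >> "%LOG%"

rem 3. Boot-time exemptions, the "exceptions allowed during the blocking
rem    phase" from the reply. Format: protocol:srcport:dstport:direction,
rem    space separated. Assumed list: Kerberos 88, LDAP 389, RPC endpoint
rem    mapper 135 towards DCs, plus RDP 3389 inbound as an admin lifeline.
netsh ipsec dynamic set config property=bootexemptions value="tcp:0:88:outbound udp:0:88:outbound tcp:0:389:outbound tcp:0:135:outbound tcp:0:3389:inbound" >> "%LOG%" 2>&1
if errorlevel 1 echo [%DATE% %TIME%] set bootexemptions FAILED, errorlevel %ERRORLEVEL% >> "%LOG%"

rem 4. Show the result. The settings persist in the registry, so they
rem    apply from the next boot; this script does not need to run again.
echo [%DATE% %TIME%] after: >> "%LOG%"
netsh ipsec dynamic show config >> "%LOG%" 2>&1
```

This only helps once the box can actually run the startup script, which is the catch-22 the reply points out: a member that never leaves block mode never reaches the DC to pick up the script. Over the iLO console the recovery is what the event text itself says, disable the IPSEC Services service (service name PolicyAgent) and reboot; once the box is back, the script above, or the same two netsh lines typed locally, stop the next boot from starting in block mode.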

<ajohnson@xxxxxxxxxxxxxx> wrote in message
news:1144166651.727746.184070@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've got a really weird problem here and I've been beating my head
against the desk, even after engaging HP's MS support team.

Here's the setup:

DC= HP DL385 running 2003 Std x64
Member servers = mix of hardware, 2000 & 2003

I setup a GPO on the Servers OU and began moving servers into it a
while back. First starting with some of the development servers, all
Win2K Std Server. No problems there.

Then I added my first 2003 server (Enterprise) to the domain and OU.
Major problems the next day when I rebooted it after being in the OU
overnight. This member server is a ML530G2. I lost all network
connectivity to it, so I brought up the remote console through the iLo
(thank god it still worked, it's 300 miles away...) Login screen showed
that services had failed, so I logged in with local admin to check it
out.

First error msg in the System eventlog was for IPSec. Said that it had
entered blocking mode:

"The IPSec driver has entered Block mode. IPSec will discard all
inbound and outbound TCP/IP network traffic that is not permitted by
boot-time IPSec Policy exemptions. User Action: To restore full
unsecured TCP/IP connectivity, disable the IPSec services, and then
restart the computer. For detailed troubleshooting information, review
the events in the Security event log."

No configuration changes ever made to IPSec. I don't even use it. I
tried disabling it and restarting but still no dice. Log also showed:

"The IPSEC Services service terminated with the following error:
The endpoint mapper database entry could not be created."

Checked the network connections to see why it wasn't talking to the rest
of the network; the window was blank. No network connections. Device
manager still shows the onboard NIC with no problems but the network
connections window is empty.

The only way to get the server back on the network again is to remove
it from the domain. Reboot once for the domain removal and another to
refresh the local policy store after it comes back up. I can then
choose to re-add to the domain and leave out of the OU in question, or
just not put on the domain again.

How can I figure out what is causing this problem with 2003 servers and
not affecting 2000 servers?

I have the HTM or XML exports of the GPO if anyone would like to see
them. I just don't want to post them here (don't know how well they
would post).

If anyone has some tips on troubleshooting this GPO problem, please let
me know!





