Re: Intersite authentication problem

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: David (dmonks_at_cn4c.org.uk)
Date: 12/03/04 

Date: 3 Dec 2004 11:15:39 -0800

Thanks again, Bill.

> Are you auditing "Account logon events" and "logon events" success and
> failure? The default is "success" only!

I've just updated security logging on B to pick up most everything.
Should give me plenty of bedtime reading! So far, only successes
logged -- including logon/logoff and provilege use from user
SERVER-A$.

> Here is one important question, can you access the sysvol share on "B" from
> "A"?

SYSVOL behaves the same as other shares: I can access it provided I
offer other credentials than the standard domain administrator
account. SERVER-B\administrator works fine, for instance, as do other
accounts in the domain admins group.

> Is IPSec running on "A" or on "B" and "C" or a combination of the three?

Our VPN is implemented by our routers, so IPSec shouldn't be required
AFAICT. However, the service is running on all 3 servers. No
policies are in use, though. Not sure what the repercussions of any
of this are.

> If you can get to Sysvol share, then fixing this is not that big of a deal!
> IPSec can have configuration issues that could give you the symptoms that
> you're experiencing. Disabling IPSec for testing is very simple!

Can I sefely turn off IPSec services across the board?

> Did you happen to update the machines recently with new security patches?

Nothing new....

If you see this Friday, have a great weekend.

Regards

David

Relevant Pages

  • Re: joining a computer to a domain
    ... Just to add that it could be a security breach if ipsec negotiation policies ... are in effect to prevent non domain computers from communication with domain ... > By giving users domain account you express your trust in them. ... >> I had always been under the impression that a domain administrator ...
    (microsoft.public.windows.server.general)
  • Re: joining a computer to a domain
    ... Just to add that it could be a security breach if ipsec negotiation policies ... are in effect to prevent non domain computers from communication with domain ... > By giving users domain account you express your trust in them. ... >> I had always been under the impression that a domain administrator ...
    (microsoft.public.windows.server.active_directory)
  • Re: joining a computer to a domain
    ... Just to add that it could be a security breach if ipsec negotiation policies ... are in effect to prevent non domain computers from communication with domain ... > By giving users domain account you express your trust in them. ... >> I had always been under the impression that a domain administrator ...
    (microsoft.public.windows.server.security)
  • Re: Problem to start IPSec Service
    ... I need IPSec Sevice to use it for a L2TP IPSec VPN connection. ... IPv6 is not install on my computer. ... Could not start the IPSEC Services service on Local Computer. ... at the Event Viewer for more information? ...
    (microsoft.public.windowsxp.general)
  • Re: IPSec policy agent changed event error
    ... initialization. ... software that installed their own winsock provider. ... In the meantime if you are not using IPSec ... > IPSec Services: IPSec Services failed to initialize IKE module with error ...
    (microsoft.public.windowsxp.security_admin)