Re: IPSEC Failing (Secure Server)


From: microsoft (not_at_home.com)
Date: 11/17/04


Date: Wed, 17 Nov 2004 16:27:11 -0600

I can see why having a 'Secure Server' policy would prevent Server A from
being able to communicate with the DC. Can you tell me why it works when I
configure the client to use the Server(Request Security) Setting?

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uh$30APzEHA.260@TK2MSFTNGP11.phx.gbl...
> You must exempt domain controllers from your ipsec policy as domain
> controllers cannot use ipsec to communicate with domain members because
> they are the kerberos distribution centers. Modify your ipsec policy by
> adding a new rule to it with a permit filter action and a filter with a
> mirrored entry for all traffic for domain controllers listed by their IP
> addresses. Reboot your server after configuring the ipsec policy and use
> the ipsecmon mmc snap-in to verify that the new policy is in effect that
> exempts domain controllers. --- Steve
>
>
>
> "Aaron" <Aaron@discussions.microsoft.com> wrote in message
> news:4DEDBBBE-DA95-4CBB-9803-AFDDE7452CE2@microsoft.com...
> > Server A has local policy configured as Secure Server(Require Security).
> > Client B has local policy configured as Client(Respond Only). Both A and B
> > are members of the same W2K3 AD domain. Event log error on Server A: IKE
> > security association failed: Key Exchange Mode (Main Mode). Further down it
> > says, Failure Point: Me, Failure Reason: Failed to authenticate using
> > kerberos.
> >
> > Doing some troubleshooting, I found that if I changed the policy on Server
> > A to Server(Request Security) the communication did occur and was
> > encapsulated (verified using NetMon). I also could get this to work if,
> > leaving the policy on Server A on Secure Server, I changed the policy on
> > Client B to Server(Request Security).
> >
> >
>
>
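
The rule described in Steve's reply (a permit filter action plus a mirrored all-traffic filter per domain controller IP), written as netsh commands for Windows Server 2003. This is an added example, not part of the original posts. Assumptions: the DC addresses are constructed placeholders, the rule, filter list and filter action names are made up for illustration, and the assigned local policy is the built-in "Secure Server (Require Security)".

```batch
@echo off
rem Added example, not from the thread.
rem ASSUMPTION: 192.0.2.10 and 192.0.2.11 are placeholder DC addresses
rem (documentation range); replace them with your domain controllers.
rem ASSUMPTION: the assigned local policy is the built-in Secure Server policy.
set "POLICY=Secure Server (Require Security)"
rem Hypothetical names chosen for this example.
set "FLIST=Domain Controllers - All Traffic"
set "FACTION=Permit DC Traffic"

rem 1. Filter list that holds one entry per domain controller.
netsh ipsec static add filterlist name="%FLIST%" description="All IP traffic to and from DCs"

rem 2. One mirrored, any-protocol filter per DC IP address.
rem    mirrored=yes covers both directions (this host to DC and DC to this host).
for %%D in (192.0.2.10 192.0.2.11) do (
    netsh ipsec static add filter filterlist="%FLIST%" srcaddr=Me dstaddr=%%D protocol=ANY mirrored=yes description="DC %%D"
)

rem 3. Filter action that passes matching traffic without IKE negotiation,
rem    so Kerberos traffic to the KDC is never held behind IPsec.
netsh ipsec static add filteraction name="%FACTION%" action=permit

rem 4. Attach the filter list and the permit action to the policy as a new rule.
netsh ipsec static add rule name="Exempt Domain Controllers" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%"

rem 5. List the policy with its rules to confirm the exemption is stored.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Because the DC filters name specific addresses, they are more specific than the policy's all-IP-traffic filter and are matched first. Afterwards, reboot and check the active policy as the reply describes.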


