Win2003 Servers hidden from Network Browse list when using IPSec

Posted by ericchri_FND98 on September 12, 2006, 3:39 pm
My Active Directory domain is set up in such a way that the computers
on the domain are supposed to use IPSec communication with each other
(currently Authentication only, we may move to Encryption once I have
more issues tested and working). To do so we created a new OU into
which we move all our member computers, and group policy forces
computers in that OU to use IPSec. The two domain controllers remain
in the Domain Controllers OU, and are exempted completely from IPSec,
as is required. The Domain controllers also run DNS for our domain,
and one of them (nominally the backup) acts as the WINS server for our
domain.

All of my WinXP workstation boxes which have been added to the OU
requiring IPSec have functioned just fine. They communicate using
IPSec where they are supposed to, and all show up in the Network
Browse List. My Windows 2003 Servers (member servers, not domain
controllers), however, are all invisible to the Network Browse list.
They are registered properly in both DNS and WINS. I can enumerate
resources from those servers with a command such as "net view
\\servername" and map drives and printers and the like, ping them by
name, etc... Everything except for being able to go out to My Network
Places, and browse out to them through the Microsoft Network.

If I do a "Browstat Status " from any of my Windows XP systems, I get
everything returning properly as it should be. From my Windows 2003
Servers, the results of the browstat status indicate they are unable to
determine the Master Browser, even though all these systems,
workstations or servers, are essentially configured identically as far
as network properties, domain, OU, etc... I have manually configured
all my Windows Servers to not attempt to act as the Master Browser
for the segment (IsDomainMaster registry setting), excepting the PDC,
and only the other domain controller among my servers has the
MaintainServerList registry setting enabled.

At this point I'm kinda stumped, I've dug around on the internet quite
a bit trying to find what might cause the servers to act differently
than the XP workstations, but to no avail.


Posted by Roger Abell [MVP] on September 12, 2006, 10:41 pm
You may be better off posting this to a networking newsgroup, as it is
pretty much a networking issue.
You did not state what filter rules are in use in the IPsec defs, so I just
assume all protocols/ports are allowed both ways if the SA binding can
be established for the AH packeting you are requiring.
I cannot off hand think of what differences in the defaults for IPsec in
W2k3 vs XP and w2k (and there are some) could be causing what you
report, and given that the 2k3 are successfully registering in WINS it is
opaque what is happening.
Let me recap . . .
The W2k3 are getting their names into WINS
The browselist on XP are showing everything except the W2k3
When on a W2k3 you do have a browse list ? (i.e. someone is
successfully responding to their broadcast for a list?)

Here is an experiment, especially if your answer to the last one
is that no, they do not have a browselist.
Put an XP on the segment of the W2k3.

I am wondering, did you previously, before using IPsec, have
your servers restricted as to being master browsers??

Here is the thrust of the "put an XP on the segment" experiment.

You are allowing a Domain Master Browser to exist.
The browselist on a browsing machine is served to it by a Master
Browser. The Domain Master Browser collects and merges the
segmentwise lists from the Master Browser, adds domain info it
gets by reference to Wins / external domains, and then the Domain
Master Browser redistributes this to the Master Browsers.
So, either you do not have a Master Browser on the W2k3 segment
feeding into the Domain Master Browser, or your W2k3 are not
answering its broadcasts when it forms its segment list.

Posted by ericchri_FND98 on September 14, 2006, 10:42 am
> So, either you do not have a Master Browser on the W2k3 segment
> feeding into the Domain Master Browser, or your W2k3 are not
> answering its broadcasts when it forms its segment list.
>
>
>

Well, I have the answer now. Essentially you were correct. A
colleague I also posed this problem to directed me to the following
Microsoft article.

http://support.microsoft.com/default.aspx?scid=kb;en-us;811832

Essentially, WinXP workstations exempt broadcast and multicast traffic
from IPSec filtering, but the Win2003 servers do not. Changing the
NoDefaultExempt registry setting as referred to in this article from 3
to 1 on my servers allows them to respond to a broadcast by the Master
Browser presumably, so they now appear in the browse list.
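The registry change described in this post, as an added PowerShell example that is not from the thread or from the Microsoft article; it assumes it is run elevated on the Windows Server 2003 member server, and that the value names and meanings are those of KB 811832 (a missing value is treated as the Server 2003 default of 3):

```powershell
# Added example: audit the IPsec default-exemption setting from KB 811832
# and, if needed, set it to 1 so browser broadcasts pass unfiltered while
# Kerberos and RSVP stay under the IPsec policy.
# Assumption: elevated session on a Windows Server 2003 member server.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$name = 'NoDefaultExempt'

# Meaning of each value as documented in KB 811832.
$meaning = @{
    0 = 'multicast, broadcast, RSVP, Kerberos and ISAKMP exempt (Win2000/XP default)'
    1 = 'multicast and broadcast exempt; Kerberos and RSVP are filtered'
    2 = 'Kerberos and RSVP exempt; multicast and broadcast are filtered'
    3 = 'only ISAKMP (IKE) exempt; everything else filtered (Server 2003 default)'
}

function Get-NoDefaultExempt {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    # Assumption: when the value is absent, Server 2003 behaves as if it were 3.
    if ($null -eq $item) { return 3 }
    return [int]$item.$name
}

$current = Get-NoDefaultExempt
Write-Host ("NoDefaultExempt = {0}: {1}" -f $current, $meaning[$current])

if ($current -ne 1) {
    # Value 1 is the setting the poster used: broadcast/multicast become
    # exempt again (so the Master Browser's datagrams get answered) without
    # re-exempting Kerberos and RSVP from the IPsec policy.
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    Write-Host 'Set NoDefaultExempt to 1; restart the IPSEC Services service or reboot to apply.'
}
```

Note the trade-off: with value 1 the server's broadcast and multicast traffic is no longer covered by the IPsec policy at all, so review what else on the segment relies on those datagrams before rolling it out.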


Posted by Roger Abell [MVP] on September 14, 2006, 11:07 am
You know, they really do have a KB for just about everything
if one can only find them ;-(
Good your environment is now whole.
