Re: IPSec policy How to remove it?

From: David Beder [MSFT] (dbeder_at_online.microsoft.com)
Date: 11/24/03

    Date: Sun, 23 Nov 2003 23:55:57 -0800

    Unfortunately, win2k gp interactions aren't as refined as in win2k3.
    There are a few things you can do to clean up the issue by deleting various
    registry keys but I'd first try the following solution.
    1) in the OU, assign the client policy
    2) on the afflicted servers, set the ipsec service to disabled
    3) join the servers to the new OU to get the new client policy applied,
    overwriting the server policy (you might want to use secedit to force a
    refresh just to make sure)
    4) set the ipsec service back to its original autostart setting
    5) unassign the client policy in the OU
    6) use secedit to force a policy refresh on the servers or just reboot them

    If this doesn't seem to work let me know and I'll walk you through some of
    the registry whacking stuff, but even then it'll probably still require
    steps 1 and 5.

    As for why the machines won't communicate to each other in the first place,
    the usual cause is that the Server policy requires kerberos as an
    authentication mechanism. For kerberos authentication, communication with
    the DC is required and you get into a circular argument.

    -- 
    David
    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Ion Marculescu" <ionm@bluewin.ch> wrote in message
    news:Ovws4AUsDHA.2060@TK2MSFTNGP10.phx.gbl...
    > I made a test today with 2 computers in an OU. I activated the IPSec "Secure
    > Server (Require Security)" policy in a GPO linked to one OU. Result: both
    > computers are unable to communicate with each other. I understand that
    > communication is impossible with domain controllers that have no IPSec policy,
    > but I cannot understand why they cannot communicate with each other. Now
    > I cannot reverse it. I removed the policy in the domain, but the 2 computers are
    > not able to communicate with the DC. I tried to modify the local policy
    > without any result. I made the computers part of a workgroup. The policy is
    > still in effect. I cannot remove this IPSec policy. I know that to reverse security
    > parameters you must make a policy with other parameters; it is not enough to
    > remove the policy. I tried to apply the "setup security" template with secedit
    > without result. How do I remove the IPSec policy? How do I restore the security
    > parameters on a computer that is now part of a workgroup, remove the IPSec
    > policy that was applied when it was part of a domain, and make this computer
    > work?
    > Some years ago I had a similar problem with a bad policy implemented in the
    > domain, and even when you configure the computer as part of a workgroup the
    > security parameters continue to apply and the computer is out of function. I
    > think that it must be possible to reset the security parameters on a
    > computer in such a situation.
    >
    >
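The local-server side of David's steps 2, 4 and 6 as an added example script, not part of the original thread. It assumes a Windows 2000 member server run as a local administrator, that the IPSEC Policy Agent service is registered under the name PolicyAgent, that the Windows 2000 `secedit /refreshpolicy` syntax is available, and that the OU moves (steps 1, 3 and 5) are done separately in Active Directory between the two phases:

```batch
@echo off
rem Added example (not from the original thread): local-server side of the
rem procedure on a Windows 2000 member server. Assumptions: the IPSEC Policy
rem Agent service is named PolicyAgent, the OU moves are done in AD by the
rem admin between phases, and Windows 2000 secedit /refreshpolicy exists.
rem Usage:  ipsec_cleanup.cmd disable   (before moving the server into the client OU)
rem         ipsec_cleanup.cmd restore   (after the client policy has been unassigned)

if /i "%1"=="disable" goto disable
if /i "%1"=="restore" goto restore
echo usage: %~nx0 disable ^| restore
exit /b 1

:disable
rem Step 2: stop the agent so the stuck server policy is no longer enforced
rem while the client policy is being applied over it.
sc config PolicyAgent start= disabled
net stop PolicyAgent
echo PolicyAgent is disabled. Move this server into the OU with the client
echo policy assigned (step 3), then force a refresh with:
echo     secedit /refreshpolicy machine_policy /enforce
goto verify

:restore
rem Step 4: return the agent to automatic start and start it again.
sc config PolicyAgent start= auto
net start PolicyAgent
rem Step 6: force a machine policy refresh instead of waiting for the
rem Group Policy interval (or rebooting).
secedit /refreshpolicy machine_policy /enforce
goto verify

:verify
rem Confirm the start type and running state match the phase just run.
sc qc PolicyAgent | findstr /i "START_TYPE"
sc query PolicyAgent | findstr /i "STATE"
exit /b 0
```

Run the `disable` phase on each afflicted server before step 3 and the `restore` phase after step 5; the final two lines show whether the service is DISABLED/STOPPED or AUTO_START/RUNNING as expected.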
    
