Win2003 Servers hidden from Network Browse list when using IPSec



My Active Directory domain is set up in such a way that the computers
on the domain are supposed to use IPSec communication with each other
(currently Authentication only, we may move to Encryption once I have
more issues tested and working). To do so we created a new OU into
which we move all our member computers, and group policy forces
computers in that OU to use IPSec. The two domain controllers remain
in the Domain Controllers OU, and are exempted completely from IPSec,
as is required. The Domain controllers also run DNS for our domain,
and one of them (nominally the backup) acts as the WINS server for our
domain.

All of my WinXP workstation boxes which have been added to the OU
requiring IPSec have functioned just fine. They communicate using
IPSec where they are supposed to, and all show up in the Network
Browse List. My Windows 2003 Servers (member servers, not domain
controllers), however, are all invisible to the Network Browse list.
They are registered properly in both DNS and WINS. I can enumerate
resources from those servers with a command such as "net view
\\servername" and map drives and printers and the like, ping them by
name, etc... Everything except for being able to go out to My Network
Places, and browse out to them through the Microsoft Network.

If I do a "Browstat Status" from any of my Windows XP systems, I get
everything returning properly as it should be. From my Windows 2003
Servers, the results of the browstat status indicate they are unable to
determine the Master Browser, even though all these systems,
workstations or servers, are essentially configured identically as far
as network properties, domain, OU, etc... I have manually configured
all my Windows Servers to not attempt to act as the Master Browser
for the segment (IsDomainMaster registry setting), excepting the PDC,
and only the other domain controller among my servers has the
MaintainServerList registry setting enabled.

At this point I'm kinda stumped, I've dug around on the internet quite
a bit trying to find what might cause the servers to act differently
than the XP workstations, but to no avail.
