Windows Tip Sheet
Here's what you can do if your WinXP clients and Win2003 domain controller aren't cooperating.
I had a client who was struggling with a weird issue: WinXP clients were attempting
to authenticate to a Win2003 SP1 domain controller and weren’t able to
do so. In fact, the XP clients had just been joined to the domain and couldn’t
even connect to the Internet any longer. Very weird -- join the domain, stop
being a network client? I struggled, too, until I ran across this
Seems that the domain has an IPSec policy, which had somehow -- as the tip
suggests -- gotten corrupted. Since the policy was corrupted, the Win2003 machine
couldn’t tell what traffic was allowed and what traffic wasn’t,
so it took the safe route and just discarded all traffic that wasn’t permitted
by the highly restrictive boot-time policy exemptions. Whoops.
The fix is apparently to fix some registry stuff from the command-line:
REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\
REG ADD HKLM\System\CurrentControlSet\Services\IPSEC /V Start
/T REG_DWORD /F /D 1
regsvr32 -s polstore.dll
When the policy file couldn’t be read properly, IPSec defaulted to “Block”
mode, which blocks pretty much all traffic except DHCP, which the computer would
need to start up. By deleting the local policy, reconfiguring the IPSec service,
and re-registering the policy store (which recreates the default local policy),
you clear up the issue. You can read more about “Block” mode here.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.