Windows Tip Sheet

Compatibility Issues

Here's what you can do if your WinXP clients and Win2003 domain controller aren't cooperating.

I had a client who was struggling with a weird issue: WinXP clients were attempting to authenticate to a Win2003 SP1 domain controller and weren’t able to do so. In fact, the XP clients had just been joined to the domain and couldn’t even connect to the Internet any longer. Very weird -- join the domain, stop being a network client? I struggled, too, until I ran across this tip.

It turned out the affected machines had an IPsec policy that had somehow -- as the tip suggests -- become corrupted. When the IPsec driver can't read its policy store, it has no way to tell which traffic is permitted, so it takes the safe route: it stays in its restrictive computer-startup mode and discards everything except the few boot-time exemptions (DHCP by default). Whoops.

The fix is to reset the local IPsec policy store from a command prompt, run as an administrator on each affected machine:

REM Delete the (corrupt) local IPsec policy store
REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /F

REM Reset the IPSEC driver service to its default start type (1 = System start)
REG ADD HKLM\System\CurrentControlSet\Services\IPSEC /V Start /T REG_DWORD /F /D 1

REM Re-register the policy store DLL, which recreates the default local policy
regsvr32 -s polstore.dll

When the policy store can't be read properly, IPsec defaults to "Block" mode, which blocks pretty much all traffic except DHCP, which the computer needs in order to start up on the network. By deleting the local policy, resetting the IPSEC driver's start type to System (the 1 in the REG ADD line), and re-registering polstore.dll (which recreates the default local policy), you clear up the issue. Reboot afterwards: the driver's start type is read at boot, so the repair isn't complete until the machine restarts. Note that this only rebuilds the local store; an IPsec policy assigned by the domain is re-applied from Group Policy on the next refresh, so if that policy is itself the problem it has to be fixed in the GPO. You can read more about "Block" mode here.
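The following PowerShell script is an added example, not code from the original tip or from Microsoft. It inspects the three things the repair above changes (the IPSEC driver's start type, the local policy store key, and the Policy Agent service), reports whether they match the healthy default, and with -Repair applies the same three steps. It assumes PowerShell 2.0 or later on XP SP2 / Server 2003 SP1 running as an administrator; the registry paths and values are the ones the tip uses, and the netsh ipsec dynamic show config call (which prints boot mode and boot-time exemptions on those systems) is an assumption about what is available on the box.

```powershell
# Added example, not from the original article. Run as an administrator.
# Inspects the state the article's REG DELETE / REG ADD / regsvr32 steps
# change, and applies the same repair when -Repair is given.
param([switch]$Repair)

$DriverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
$SystemStart = 1   # Start type 1 = System start, the IPSEC driver's default

function Get-IpsecPolicyStoreState {
    # Snapshot of the driver start type, the local store key, and the agent.
    # This cannot detect a corrupt-but-present store; the only reliable symptom
    # of corruption is the block-mode behaviour the article describes.
    $start = $null
    if (Test-Path $DriverKey) {
        $start = (Get-ItemProperty -Path $DriverKey -Name Start -ErrorAction SilentlyContinue).Start
    }
    $agent  = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
    $status = 'NotFound'
    if ($agent) { $status = [string]$agent.Status }
    New-Object PSObject -Property @{
        DriverStartType    = $start
        LocalPolicyPresent = (Test-Path $PolicyKey)
        PolicyAgentStatus  = $status
    }
}

function Test-IpsecPolicyStoreHealthy {
    param($State = (Get-IpsecPolicyStoreState))
    # Healthy default: driver at System start, local store present, agent running
    ($State.DriverStartType -eq $SystemStart) -and
    $State.LocalPolicyPresent -and
    ($State.PolicyAgentStatus -eq 'Running')
}

function Repair-IpsecPolicyStore {
    # Same three steps as the article's commands, in the same order
    if (Test-Path $PolicyKey) {
        Remove-Item -Path $PolicyKey -Recurse -Force        # REG DELETE ...\Policy\Local /F
    }
    New-ItemProperty -Path $DriverKey -Name Start -PropertyType DWord `
        -Value $SystemStart -Force | Out-Null               # REG ADD ... /V Start /T REG_DWORD /D 1
    # regsvr32 is a GUI-subsystem binary, so wait for it explicitly to get its exit code
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList '/s polstore.dll' -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 polstore.dll failed with exit code $($proc.ExitCode)"
    }
}

$before = Get-IpsecPolicyStoreState
$before | Format-List DriverStartType, LocalPolicyPresent, PolicyAgentStatus
# Assumed available on XP SP2 / 2003 SP1: shows boot mode and boot-time exemptions
netsh ipsec dynamic show config

if ($Repair) {
    Repair-IpsecPolicyStore
    # The driver start type is read at boot, so the fix is only complete after a restart.
    Write-Warning 'Repair applied. Reboot so the IPSEC driver and Policy Agent start with the rebuilt store.'
} elseif (-not (Test-IpsecPolicyStoreHealthy $before)) {
    Write-Warning 'IPsec policy store state does not match the healthy default; rerun with -Repair to apply the fix.'
} else {
    Write-Host 'IPsec policy store state matches the healthy default.'
}
```

Run it once without arguments to record the state before touching anything (the Format-List output is worth pasting into the ticket), then with -Repair. Because the check can only confirm the repair's pre- and post-conditions, not detect corruption inside an existing store, a machine that shows "healthy" but still drops everything except DHCP is exactly the case the article's fix is for.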

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

