Accessing Windows 2000 Server Remote Registry

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Not sure if this is related to GPO but I am unable to access the registry,
browse via network neighborhood, etc. to a Windows 2000 member server from
another Windows NT 4 member server. I cannot do this from any of my NT 4
member servers. Both are logged in as the domain admin. Any thoughts are
appreciated.

--
netwerktek
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

It might be a name resolution problem. Try connecting via the computers IP
address instead of name to see if that helps and verify that you can ping
the computer from the source computer. Since you are still using wins, make
sure that W2K server is also a wins client. Do you get any error messages
when you try to connect?? The link below explains problems that can arise
from incompatible security settings [security options in security policy
such as Local Security Policy] on a W2K computer. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look at
Examples of Compatibility Problems particularly for anonymous access and
digitally sign communications.

"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> Not sure if this is related to GPO but I am unable to access the registry,
> browse via network neighborhood, etc. to a Windows 2000 member server from
> another Windows NT 4 member server. I cannot do this from any of my NT 4
> member servers. Both are logged in as the domain admin. Any thoughts are
> appreciated.
>
> --
> netwerktek
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I can resolve the name fine. It is accessing it when I run into issues.
Access Denied is the message I get. I have looked at the article you
suggested but so far none of the settings are relevant or have made a
differnce if I changed them. I can get to the same NT server from the W2K
server but not the other way around. Strange and frustrating.

"Steven L Umbach" wrote:

> It might be a name resolution problem. Try connecting via the computers IP
> address instead of name to see if that helps and verify that you can ping
> the computer from the source computer. Since you are still using wins, make
> sure that W2K server is also a wins client. Do you get any error messages
> when you try to connect?? The link below explains problems that can arise
> from incompatible security settings [security options in security policy
> such as Local Security Policy] on a W2K computer. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look at
> Examples of Compatibility Problems particularly for anonymous access and
> digitally sign communications.
>
> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> > Not sure if this is related to GPO but I am unable to access the registry,
> > browse via network neighborhood, etc. to a Windows 2000 member server from
> > another Windows NT 4 member server. I cannot do this from any of my NT 4
> > member servers. Both are logged in as the domain admin. Any thoughts are
> > appreciated.
> >
> > --
> > netwerktek
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hmm. Can you access the W2K servers in question from another W2K computer??
Do you have at least service pack 4 installed on the NT and W2K servers? Try
enabling audting of logon events in the local security policy of one of the
W2K servers you are trying to access to see if any logon failures are
recorded in the security log that may be helpful. --- Steve


"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
> I can resolve the name fine. It is accessing it when I run into issues.
> Access Denied is the message I get. I have looked at the article you
> suggested but so far none of the settings are relevant or have made a
> differnce if I changed them. I can get to the same NT server from the W2K
> server but not the other way around. Strange and frustrating.
>
> "Steven L Umbach" wrote:
>
> > It might be a name resolution problem. Try connecting via the computers
IP
> > address instead of name to see if that helps and verify that you can
ping
> > the computer from the source computer. Since you are still using wins,
make
> > sure that W2K server is also a wins client. Do you get any error
messages
> > when you try to connect?? The link below explains problems that can
arise
> > from incompatible security settings [security options in security policy
> > such as Local Security Policy] on a W2K computer. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
at
> > Examples of Compatibility Problems particularly for anonymous access and
> > digitally sign communications.
> >
> > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> > > Not sure if this is related to GPO but I am unable to access the
registry,
> > > browse via network neighborhood, etc. to a Windows 2000 member server
from
> > > another Windows NT 4 member server. I cannot do this from any of my NT
4
> > > member servers. Both are logged in as the domain admin. Any thoughts
are
> > > appreciated.
> > >
> > > --
> > > netwerktek
> >
> >
> >
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Yes from W2K to W2K no problem. All W2K have SP4 and all NT4 have SP6a. Will
take a look at auditing and let you know.

"Steven L Umbach" wrote:

> Hmm. Can you access the W2K servers in question from another W2K computer??
> Do you have at least service pack 4 installed on the NT and W2K servers? Try
> enabling audting of logon events in the local security policy of one of the
> W2K servers you are trying to access to see if any logon failures are
> recorded in the security log that may be helpful. --- Steve
>
>
> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
> > I can resolve the name fine. It is accessing it when I run into issues.
> > Access Denied is the message I get. I have looked at the article you
> > suggested but so far none of the settings are relevant or have made a
> > differnce if I changed them. I can get to the same NT server from the W2K
> > server but not the other way around. Strange and frustrating.
> >
> > "Steven L Umbach" wrote:
> >
> > > It might be a name resolution problem. Try connecting via the computers
> IP
> > > address instead of name to see if that helps and verify that you can
> ping
> > > the computer from the source computer. Since you are still using wins,
> make
> > > sure that W2K server is also a wins client. Do you get any error
> messages
> > > when you try to connect?? The link below explains problems that can
> arise
> > > from incompatible security settings [security options in security policy
> > > such as Local Security Policy] on a W2K computer. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
> at
> > > Examples of Compatibility Problems particularly for anonymous access and
> > > digitally sign communications.
> > >
> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> > > > Not sure if this is related to GPO but I am unable to access the
> registry,
> > > > browse via network neighborhood, etc. to a Windows 2000 member server
> from
> > > > another Windows NT 4 member server. I cannot do this from any of my NT
> 4
> > > > member servers. Both are logged in as the domain admin. Any thoughts
> are
> > > > appreciated.
> > > >
> > > > --
> > > > netwerktek
> > >
> > >
> > >
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

No events in the security log. Arrgh!

"Steven L Umbach" wrote:

> Hmm. Can you access the W2K servers in question from another W2K computer??
> Do you have at least service pack 4 installed on the NT and W2K servers? Try
> enabling audting of logon events in the local security policy of one of the
> W2K servers you are trying to access to see if any logon failures are
> recorded in the security log that may be helpful. --- Steve
>
>
> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
> > I can resolve the name fine. It is accessing it when I run into issues.
> > Access Denied is the message I get. I have looked at the article you
> > suggested but so far none of the settings are relevant or have made a
> > differnce if I changed them. I can get to the same NT server from the W2K
> > server but not the other way around. Strange and frustrating.
> >
> > "Steven L Umbach" wrote:
> >
> > > It might be a name resolution problem. Try connecting via the computers
> IP
> > > address instead of name to see if that helps and verify that you can
> ping
> > > the computer from the source computer. Since you are still using wins,
> make
> > > sure that W2K server is also a wins client. Do you get any error
> messages
> > > when you try to connect?? The link below explains problems that can
> arise
> > > from incompatible security settings [security options in security policy
> > > such as Local Security Policy] on a W2K computer. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
> at
> > > Examples of Compatibility Problems particularly for anonymous access and
> > > digitally sign communications.
> > >
> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> > > > Not sure if this is related to GPO but I am unable to access the
> registry,
> > > > browse via network neighborhood, etc. to a Windows 2000 member server
> from
> > > > another Windows NT 4 member server. I cannot do this from any of my NT
> 4
> > > > member servers. Both are logged in as the domain admin. Any thoughts
> are
> > > > appreciated.
> > > >
> > > > --
> > > > netwerktek
> > >
> > >
> > >
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

This sounds like it could be a failure in negotiating the security
protocol to use, in the signing requirements for schannel, or such.
Is this a problem access all uplevel machines from NT4 or only
accessing some of them? I am guessing only some of them,
and this is a setting in the local security policy of the member,
rather than some setting(s) being applied domain-wide from GPO.
Take a look at a couple settings first on the inaccessible W2k:
do not have set: require strong Windows 2000 session key
change to when possible if set to always: the digitally sign and
the digitally encrypt communications settings (2 sets of policies)
for the W2k's server behaviors

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>I can resolve the name fine. It is accessing it when I run into issues.
> Access Denied is the message I get. I have looked at the article you
> suggested but so far none of the settings are relevant or have made a
> differnce if I changed them. I can get to the same NT server from the W2K
> server but not the other way around. Strange and frustrating.
>
> "Steven L Umbach" wrote:
>
>> It might be a name resolution problem. Try connecting via the computers
>> IP
>> address instead of name to see if that helps and verify that you can ping
>> the computer from the source computer. Since you are still using wins,
>> make
>> sure that W2K server is also a wins client. Do you get any error messages
>> when you try to connect?? The link below explains problems that can arise
>> from incompatible security settings [security options in security policy
>> such as Local Security Policy] on a W2K computer. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
>> at
>> Examples of Compatibility Problems particularly for anonymous access and
>> digitally sign communications.
>>
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > Not sure if this is related to GPO but I am unable to access the
>> > registry,
>> > browse via network neighborhood, etc. to a Windows 2000 member server
>> > from
>> > another Windows NT 4 member server. I cannot do this from any of my NT
>> > 4
>> > member servers. Both are logged in as the domain admin. Any thoughts
>> > are
>> > appreciated.
>> >
>> > --
>> > netwerktek
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

On the inaccessible W2K Member Server, Locally all digitally signed policies
are disabled with "Digitally sign server comm (when possible)" being enabled
via GPO. Also all of the Secure Channel policies are disabled both locally
and via GPO. Still no go.

"Roger Abell [MVP]" wrote:

> This sounds like it could be a failure in negotiating the security
> protocol to use, in the signing requirements for schannel, or such.
> Is this a problem access all uplevel machines from NT4 or only
> accessing some of them? I am guessing only some of them,
> and this is a setting in the local security policy of the member,
> rather than some setting(s) being applied domain-wide from GPO.
> Take a look at a couple settings first on the inaccessible W2k:
> do not have set: require strong Windows 2000 session key
> change to when possible if set to always: the digitally sign and
> the digitally encrypt communications settings (2 sets of policies)
> for the W2k's server behaviors
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
> >I can resolve the name fine. It is accessing it when I run into issues.
> > Access Denied is the message I get. I have looked at the article you
> > suggested but so far none of the settings are relevant or have made a
> > differnce if I changed them. I can get to the same NT server from the W2K
> > server but not the other way around. Strange and frustrating.
> >
> > "Steven L Umbach" wrote:
> >
> >> It might be a name resolution problem. Try connecting via the computers
> >> IP
> >> address instead of name to see if that helps and verify that you can ping
> >> the computer from the source computer. Since you are still using wins,
> >> make
> >> sure that W2K server is also a wins client. Do you get any error messages
> >> when you try to connect?? The link below explains problems that can arise
> >> from incompatible security settings [security options in security policy
> >> such as Local Security Policy] on a W2K computer. --- Steve
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look
> >> at
> >> Examples of Compatibility Problems particularly for anonymous access and
> >> digitally sign communications.
> >>
> >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> >> > Not sure if this is related to GPO but I am unable to access the
> >> > registry,
> >> > browse via network neighborhood, etc. to a Windows 2000 member server
> >> > from
> >> > another Windows NT 4 member server. I cannot do this from any of my NT
> >> > 4
> >> > member servers. Both are logged in as the domain admin. Any thoughts
> >> > are
> >> > appreciated.
> >> >
> >> > --
> >> > netwerktek
> >>
> >>
> >>
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Keep in mind that when you change Local Security Policy on a Windows 2000
computer that you need to see the desired settings as the "effective"
settings after a refresh via secedit /refreshpolicy machine_policy /enforce
or a reboot. Unlike Windows 2003 it is not apparent that there is an
overriding domain/OU policy when you change local policy.

If you have name resolution and connectivity [ping, etc] to the server in
question and domain controller most likely your problem is security policy
security options or an ipsec policy [ such as require policy ] enabled on
the W2K server that does not allow access from non ipsec aware computers
such as NT4.0. If you run the support tool netdiag as in " netdiag
/test:ipsec /debug " on the W2K server it will display any ipsec policy
assigned and details of it.

As far as security policy make sure that the effective setting for the
security option on the W2K server in question for additional restrictions
for anonymous access is NOT set to " no access without explicit anonymous
permissions". I would also try setting the lan manager authentication level
to "send ntlmv2 responses only" assuming it does not need to access shares
on W9X computers. I believe you said you already disable the two "always"
settings for digitally sign communications and have left the "when possible"
settings enabled. Beyond that if you do not have luck I would monitor both
sides of the packet exchange sequence with netmon, which is available to
server operating systems via add and remove programs - Windows components,
or use Ethereal to see what is going on at the packet level. --- Steve

http://support.microsoft.com/?kbid=243270 -- netmon, how to install and
link on how to use.

"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
> No events in the security log. Arrgh!
>
> "Steven L Umbach" wrote:
>
>> Hmm. Can you access the W2K servers in question from another W2K
>> computer??
>> Do you have at least service pack 4 installed on the NT and W2K servers?
>> Try
>> enabling audting of logon events in the local security policy of one of
>> the
>> W2K servers you are trying to access to see if any logon failures are
>> recorded in the security log that may be helpful. --- Steve
>>
>>
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>> > I can resolve the name fine. It is accessing it when I run into issues.
>> > Access Denied is the message I get. I have looked at the article you
>> > suggested but so far none of the settings are relevant or have made a
>> > differnce if I changed them. I can get to the same NT server from the
>> > W2K
>> > server but not the other way around. Strange and frustrating.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> > > It might be a name resolution problem. Try connecting via the
>> > > computers
>> IP
>> > > address instead of name to see if that helps and verify that you can
>> ping
>> > > the computer from the source computer. Since you are still using
>> > > wins,
>> make
>> > > sure that W2K server is also a wins client. Do you get any error
>> messages
>> > > when you try to connect?? The link below explains problems that can
>> arise
>> > > from incompatible security settings [security options in security
>> > > policy
>> > > such as Local Security Policy] on a W2K computer. --- Steve
>> > >
>> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>> > > look
>> at
>> > > Examples of Compatibility Problems particularly for anonymous access
>> > > and
>> > > digitally sign communications.
>> > >
>> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > > > Not sure if this is related to GPO but I am unable to access the
>> registry,
>> > > > browse via network neighborhood, etc. to a Windows 2000 member
>> > > > server
>> from
>> > > > another Windows NT 4 member server. I cannot do this from any of my
>> > > > NT
>> 4
>> > > > member servers. Both are logged in as the domain admin. Any
>> > > > thoughts
>> are
>> > > > appreciated.
>> > > >
>> > > > --
>> > > > netwerktek
>> > >
>> > >
>> > >
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I also want to add to run netstat -an on the Windows 2000 server to make
sure that port 139 TCP is listening and use portqry from another Windows
2000 box to verify that it is available to the remote computer. Portqry is a
Windows command line port to process mapper and port scanner. You can use it
to scan for a single port availability. --- Steve

http://support.microsoft.com/kb/310099 -- portqry and how to use.

portqry -n xxx.xxx.xxx.xxx -p tcp -e 139 --- use to resolve name of IP
address xxx.xxx.xxx.xxx and check availability of port 139 TCP.

"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
> No events in the security log. Arrgh!
>
> "Steven L Umbach" wrote:
>
>> Hmm. Can you access the W2K servers in question from another W2K
>> computer??
>> Do you have at least service pack 4 installed on the NT and W2K servers?
>> Try
>> enabling audting of logon events in the local security policy of one of
>> the
>> W2K servers you are trying to access to see if any logon failures are
>> recorded in the security log that may be helpful. --- Steve
>>
>>
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>> > I can resolve the name fine. It is accessing it when I run into issues.
>> > Access Denied is the message I get. I have looked at the article you
>> > suggested but so far none of the settings are relevant or have made a
>> > differnce if I changed them. I can get to the same NT server from the
>> > W2K
>> > server but not the other way around. Strange and frustrating.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> > > It might be a name resolution problem. Try connecting via the
>> > > computers
>> IP
>> > > address instead of name to see if that helps and verify that you can
>> ping
>> > > the computer from the source computer. Since you are still using
>> > > wins,
>> make
>> > > sure that W2K server is also a wins client. Do you get any error
>> messages
>> > > when you try to connect?? The link below explains problems that can
>> arise
>> > > from incompatible security settings [security options in security
>> > > policy
>> > > such as Local Security Policy] on a W2K computer. --- Steve
>> > >
>> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>> > > look
>> at
>> > > Examples of Compatibility Problems particularly for anonymous access
>> > > and
>> > > digitally sign communications.
>> > >
>> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > > > Not sure if this is related to GPO but I am unable to access the
>> registry,
>> > > > browse via network neighborhood, etc. to a Windows 2000 member
>> > > > server
>> from
>> > > > another Windows NT 4 member server. I cannot do this from any of my
>> > > > NT
>> 4
>> > > > member servers. Both are logged in as the domain admin. Any
>> > > > thoughts
>> are
>> > > > appreciated.
>> > > >
>> > > > --
>> > > > netwerktek
>> > >
>> > >
>> > >
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I also want to add to run netstat -an on the Windows 2000 server to make
sure that port 139 TCP is listening and use portqry from another Windows
2000 box to verify that it is available to the remote computer. Portqry is a
Windows command line port to process mapper and port scanner. You can use it
to scan for a single port availability. --- Steve

http://support.microsoft.com/kb/310099 -- portqry and how to use.

portqry -n xxx.xxx.xxx.xxx -p tcp -e 139 --- use to resolve name of IP
address xxx.xxx.xxx.xxx and check availability of port 139 TCP.

"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:FAB3C5B8-D231-414C-A255-065459CF1467@microsoft.com...
> No events in the security log. Arrgh!
>
> "Steven L Umbach" wrote:
>
>> Hmm. Can you access the W2K servers in question from another W2K
>> computer??
>> Do you have at least service pack 4 installed on the NT and W2K servers?
>> Try
>> enabling audting of logon events in the local security policy of one of
>> the
>> W2K servers you are trying to access to see if any logon failures are
>> recorded in the security log that may be helpful. --- Steve
>>
>>
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>> > I can resolve the name fine. It is accessing it when I run into issues.
>> > Access Denied is the message I get. I have looked at the article you
>> > suggested but so far none of the settings are relevant or have made a
>> > differnce if I changed them. I can get to the same NT server from the
>> > W2K
>> > server but not the other way around. Strange and frustrating.
>> >
>> > "Steven L Umbach" wrote:
>> >
>> > > It might be a name resolution problem. Try connecting via the
>> > > computers
>> IP
>> > > address instead of name to see if that helps and verify that you can
>> ping
>> > > the computer from the source computer. Since you are still using
>> > > wins,
>> make
>> > > sure that W2K server is also a wins client. Do you get any error
>> messages
>> > > when you try to connect?? The link below explains problems that can
>> arise
>> > > from incompatible security settings [security options in security
>> > > policy
>> > > such as Local Security Policy] on a W2K computer. --- Steve
>> > >
>> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>> > > look
>> at
>> > > Examples of Compatibility Problems particularly for anonymous access
>> > > and
>> > > digitally sign communications.
>> > >
>> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> > > news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > > > Not sure if this is related to GPO but I am unable to access the
>> registry,
>> > > > browse via network neighborhood, etc. to a Windows 2000 member
>> > > > server
>> from
>> > > > another Windows NT 4 member server. I cannot do this from any of my
>> > > > NT
>> 4
>> > > > member servers. Both are logged in as the domain admin. Any
>> > > > thoughts
>> are
>> > > > appreciated.
>> > > >
>> > > > --
>> > > > netwerktek
>> > >
>> > >
>> > >
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hmmm . . . I think we need more info.
Anything of use in sec event logs of the W2k target or the NT4 ?
When you said browsing does not work, I assumed you meant
that you could navigate to the listing but not successfully access
the share? In other words, direct mapping fails as well?
Is there any category of access that does work to the W2k from NT4?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
> On the inaccessible W2K Member Server, Locally all digitally signed
policies
> are disabled with "Digitally sign server comm (when possible)" being
enabled
> via GPO. Also all of the Secure Channel policies are disabled both locally
> and via GPO. Still no go.
>
> "Roger Abell [MVP]" wrote:
>
> > This sounds like it could be a failure in negotiating the security
> > protocol to use, in the signing requirements for schannel, or such.
> > Is this a problem access all uplevel machines from NT4 or only
> > accessing some of them? I am guessing only some of them,
> > and this is a setting in the local security policy of the member,
> > rather than some setting(s) being applied domain-wide from GPO.
> > Take a look at a couple settings first on the inaccessible W2k:
> > do not have set: require strong Windows 2000 session key
> > change to when possible if set to always: the digitally sign and
> > the digitally encrypt communications settings (2 sets of policies)
> > for the W2k's server behaviors
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCDBA, MCSE W2k3+W2k+Nt4
> > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
> > >I can resolve the name fine. It is accessing it when I run into issues.
> > > Access Denied is the message I get. I have looked at the article you
> > > suggested but so far none of the settings are relevant or have made a
> > > differnce if I changed them. I can get to the same NT server from the
W2K
> > > server but not the other way around. Strange and frustrating.
> > >
> > > "Steven L Umbach" wrote:
> > >
> > >> It might be a name resolution problem. Try connecting via the
computers
> > >> IP
> > >> address instead of name to see if that helps and verify that you can
ping
> > >> the computer from the source computer. Since you are still using
wins,
> > >> make
> > >> sure that W2K server is also a wins client. Do you get any error
messages
> > >> when you try to connect?? The link below explains problems that can
arise
> > >> from incompatible security settings [security options in security
policy
> > >> such as Local Security Policy] on a W2K computer. --- Steve
> > >>
> > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
look
> > >> at
> > >> Examples of Compatibility Problems particularly for anonymous access
and
> > >> digitally sign communications.
> > >>
> > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> > >> > Not sure if this is related to GPO but I am unable to access the
> > >> > registry,
> > >> > browse via network neighborhood, etc. to a Windows 2000 member
server
> > >> > from
> > >> > another Windows NT 4 member server. I cannot do this from any of my
NT
> > >> > 4
> > >> > member servers. Both are logged in as the domain admin. Any
thoughts
> > >> > are
> > >> > appreciated.
> > >> >
> > >> > --
> > >> > netwerktek
> > >>
> > >>
> > >>
> >
> >
> >
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Disabling the IPSEC Agent service on the W2K server fixed the issue!

"Roger Abell" wrote:

> Hmmm . . . I think we need more info.
> Anything of use in sec event logs of the W2k target or the NT4 ?
> When you said browsing does not work, I assumed you meant
> that you could navigate to the listing but not successfully access
> the share? In other words, direct mapping fails as well?
> Is there any category of access that does work to the W2k from NT4?
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
> > On the inaccessible W2K Member Server, Locally all digitally signed
> policies
> > are disabled with "Digitally sign server comm (when possible)" being
> enabled
> > via GPO. Also all of the Secure Channel policies are disabled both locally
> > and via GPO. Still no go.
> >
> > "Roger Abell [MVP]" wrote:
> >
> > > This sounds like it could be a failure in negotiating the security
> > > protocol to use, in the signing requirements for schannel, or such.
> > > Is this a problem access all uplevel machines from NT4 or only
> > > accessing some of them? I am guessing only some of them,
> > > and this is a setting in the local security policy of the member,
> > > rather than some setting(s) being applied domain-wide from GPO.
> > > Take a look at a couple settings first on the inaccessible W2k:
> > > do not have set: require strong Windows 2000 session key
> > > change to when possible if set to always: the digitally sign and
> > > the digitally encrypt communications settings (2 sets of policies)
> > > for the W2k's server behaviors
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Server System: Security)
> > > MCDBA, MCSE W2k3+W2k+Nt4
> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
> > > >I can resolve the name fine. It is accessing it when I run into issues.
> > > > Access Denied is the message I get. I have looked at the article you
> > > > suggested but so far none of the settings are relevant or have made a
> > > > differnce if I changed them. I can get to the same NT server from the
> W2K
> > > > server but not the other way around. Strange and frustrating.
> > > >
> > > > "Steven L Umbach" wrote:
> > > >
> > > >> It might be a name resolution problem. Try connecting via the
> computers
> > > >> IP
> > > >> address instead of name to see if that helps and verify that you can
> ping
> > > >> the computer from the source computer. Since you are still using
> wins,
> > > >> make
> > > >> sure that W2K server is also a wins client. Do you get any error
> messages
> > > >> when you try to connect?? The link below explains problems that can
> arise
> > > >> from incompatible security settings [security options in security
> policy
> > > >> such as Local Security Policy] on a W2K computer. --- Steve
> > > >>
> > > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
> look
> > > >> at
> > > >> Examples of Compatibility Problems particularly for anonymous access
> and
> > > >> digitally sign communications.
> > > >>
> > > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
> > > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
> > > >> > Not sure if this is related to GPO but I am unable to access the
> > > >> > registry,
> > > >> > browse via network neighborhood, etc. to a Windows 2000 member
> server
> > > >> > from
> > > >> > another Windows NT 4 member server. I cannot do this from any of my
> NT
> > > >> > 4
> > > >> > member servers. Both are logged in as the domain admin. Any
> thoughts
> > > >> > are
> > > >> > appreciated.
> > > >> >
> > > >> > --
> > > >> > netwerktek
> > > >>
> > > >>
> > > >>
> > >
> > >
> > >
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

You might want to look at unassigning the ipsec policy on that computer as a
more permanent solution. Open Local Security Policy/security settings -
ipsec policy and if any are assigned, change it to unassigned or assign the
request policy. Ipsec policy could also be set at the domain/OU level.
Running the command " netdiag/test:ipsec " will show what ipsec policy is
assigned to a computer. You may first need to install the netdiag support
tool. Thanks for reporting back also. --- Steve


"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:C88BC04F-EC15-4C7A-9388-1BB7198AA56D@microsoft.com...
> Disabling the IPSEC Agent service on the W2K server fixed the issue!
>
> "Roger Abell" wrote:
>
>> Hmmm . . . I think we need more info.
>> Anything of use in sec event logs of the W2k target or the NT4 ?
>> When you said browsing does not work, I assumed you meant
>> that you could navigate to the listing but not successfully access
>> the share? In other words, direct mapping fails as well?
>> Is there any category of access that does work to the W2k from NT4?
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server System: Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
>> > On the inaccessible W2K Member Server, Locally all digitally signed
>> policies
>> > are disabled with "Digitally sign server comm (when possible)" being
>> enabled
>> > via GPO. Also all of the Secure Channel policies are disabled both
>> > locally
>> > and via GPO. Still no go.
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> > > This sounds like it could be a failure in negotiating the security
>> > > protocol to use, in the signing requirements for schannel, or such.
>> > > Is this a problem access all uplevel machines from NT4 or only
>> > > accessing some of them? I am guessing only some of them,
>> > > and this is a setting in the local security policy of the member,
>> > > rather than some setting(s) being applied domain-wide from GPO.
>> > > Take a look at a couple settings first on the inaccessible W2k:
>> > > do not have set: require strong Windows 2000 session key
>> > > change to when possible if set to always: the digitally sign and
>> > > the digitally encrypt communications settings (2 sets of policies)
>> > > for the W2k's server behaviors
>> > >
>> > > --
>> > > Roger Abell
>> > > Microsoft MVP (Windows Server System: Security)
>> > > MCDBA, MCSE W2k3+W2k+Nt4
>> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> > > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>> > > >I can resolve the name fine. It is accessing it when I run into
>> > > >issues.
>> > > > Access Denied is the message I get. I have looked at the article
>> > > > you
>> > > > suggested but so far none of the settings are relevant or have made
>> > > > a
>> > > > differnce if I changed them. I can get to the same NT server from
>> > > > the
>> W2K
>> > > > server but not the other way around. Strange and frustrating.
>> > > >
>> > > > "Steven L Umbach" wrote:
>> > > >
>> > > >> It might be a name resolution problem. Try connecting via the
>> computers
>> > > >> IP
>> > > >> address instead of name to see if that helps and verify that you
>> > > >> can
>> ping
>> > > >> the computer from the source computer. Since you are still using
>> wins,
>> > > >> make
>> > > >> sure that W2K server is also a wins client. Do you get any error
>> messages
>> > > >> when you try to connect?? The link below explains problems that
>> > > >> can
>> arise
>> > > >> from incompatible security settings [security options in security
>> policy
>> > > >> such as Local Security Policy] on a W2K computer. --- Steve
>> > > >>
>> > > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>> look
>> > > >> at
>> > > >> Examples of Compatibility Problems particularly for anonymous
>> > > >> access
>> and
>> > > >> digitally sign communications.
>> > > >>
>> > > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in
>> > > >> message
>> > > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > > >> > Not sure if this is related to GPO but I am unable to access the
>> > > >> > registry,
>> > > >> > browse via network neighborhood, etc. to a Windows 2000 member
>> server
>> > > >> > from
>> > > >> > another Windows NT 4 member server. I cannot do this from any of
>> > > >> > my
>> NT
>> > > >> > 4
>> > > >> > member servers. Both are logged in as the domain admin. Any
>> thoughts
>> > > >> > are
>> > > >> > appreciated.
>> > > >> >
>> > > >> > --
>> > > >> > netwerktek
>> > > >>
>> > > >>
>> > > >>
>> > >
>> > >
>> > >
>>
>>
>>