Archived from groups: microsoft.public.win2000.security
You might want to look at unassigning the IPsec policy on that computer as a
more permanent solution. Open Local Security Policy/Security Settings -
IPsec policy and if any are assigned, change it to unassigned or assign the
request policy. IPsec policy could also be set at the domain/OU level.
Running the command "netdiag /test:ipsec" will show what IPsec policy is
assigned to a computer. You may first need to install the netdiag support
tool. Thanks for reporting back also. --- Steve
"Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
news:C88BC04F-EC15-4C7A-9388-1BB7198AA56D@microsoft.com...
> Disabling the IPSEC Agent service on the W2K server fixed the issue!
>
> "Roger Abell" wrote:
>
>> Hmmm . . . I think we need more info.
>> Anything of use in sec event logs of the W2k target or the NT4?
>> When you said browsing does not work, I assumed you meant
>> that you could navigate to the listing but not successfully access
>> the share? In other words, direct mapping fails as well?
>> Is there any category of access that does work to the W2k from NT4?
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server System: Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> news:1E249DFB-851F-4D4C-8A47-2CC302CD88C2@microsoft.com...
>> > On the inaccessible W2K Member Server, Locally all digitally signed policies
>> > are disabled with "Digitally sign server comm (when possible)" being enabled
>> > via GPO. Also all of the Secure Channel policies are disabled both locally
>> > and via GPO. Still no go.
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> > > This sounds like it could be a failure in negotiating the security
>> > > protocol to use, in the signing requirements for schannel, or such.
>> > > Is this a problem accessing all uplevel machines from NT4 or only
>> > > accessing some of them? I am guessing only some of them,
>> > > and this is a setting in the local security policy of the member,
>> > > rather than some setting(s) being applied domain-wide from GPO.
>> > > Take a look at a couple settings first on the inaccessible W2k:
>> > > do not have set: require strong Windows 2000 session key
>> > > change to when possible if set to always: the digitally sign and
>> > > the digitally encrypt communications settings (2 sets of policies)
>> > > for the W2k's server behaviors
>> > >
>> > > --
>> > > Roger Abell
>> > > Microsoft MVP (Windows Server System: Security)
>> > > MCDBA, MCSE W2k3+W2k+Nt4
>> > > "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in message
>> > > news:85177CEE-9CA6-448B-A98E-2655FB5F1AA1@microsoft.com...
>> > > > I can resolve the name fine. It is accessing it when I run into issues.
>> > > > Access Denied is the message I get. I have looked at the article you
>> > > > suggested but so far none of the settings are relevant or have made a
>> > > > difference if I changed them. I can get to the same NT server from the W2K
>> > > > server but not the other way around. Strange and frustrating.
>> > > >
>> > > > "Steven L Umbach" wrote:
>> > > >
>> > > >> It might be a name resolution problem. Try connecting via the computer's IP
>> > > >> address instead of name to see if that helps and verify that you can ping
>> > > >> the computer from the source computer. Since you are still using WINS, make
>> > > >> sure that W2K server is also a WINS client. Do you get any error messages
>> > > >> when you try to connect? The link below explains problems that can arise
>> > > >> from incompatible security settings [security options in security policy
>> > > >> such as Local Security Policy] on a W2K computer. --- Steve
>> > > >>
>> > > >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- look at
>> > > >> Examples of Compatibility Problems particularly for anonymous access and
>> > > >> digitally sign communications.
>> > > >>
>> > > >> "Netwerktek" <Netwerktek@discussions.microsoft.com> wrote in
>> > > >> message
>> > > >> news:26FFD10B-33B5-41ED-B808-85BC5095849D@microsoft.com...
>> > > >> > Not sure if this is related to GPO but I am unable to access the registry,
>> > > >> > browse via network neighborhood, etc. to a Windows 2000 member server from
>> > > >> > another Windows NT 4 member server. I cannot do this from any of my NT 4
>> > > >> > member servers. Both are logged in as the domain admin. Any thoughts are
>> > > >> > appreciated.
>> > > >> >
>> > > >> > --
>> > > >> > netwerktek