Ipsec connection problem - Network
-
Ipsec connection problem
Wondering if anyone has seen this. I have a server on my internal network
that I am doing disk to disk backups using robocopy overnight with a
scheduled task. IPsec policy is set to use ESP, with AD authentication. When
the job starts, 9 pm, the first three or four jobs work fine, then the
server starts losing its connection and can't copy anything else. If I ping
it from one of the DCs it starts working again.
It looks like the IPsec policy is working from the start, but after a while
it can't contact the DC to authenticate the other servers until the DC sends
something to it. I've been through the policies on both sides, can't find
anything wrong. The server is Win2k3, Windows 2000 functional domain. I'm
not seeing anything in the event log, the only thing I see is when I try to
log on to the server it sometimes says the domain is not available.
Any help appreciated.
--
Bob Grabbe
bgrabbe@umich.edu
-
Re: Ipsec connection problem
Kind of sounds like you have a DNS problem (inability to consistently locate
a DC for the necessary authentication), and IPsec failures may just be a
victim of that problem.
In any case, if you have 'Audit Logon Events' Success and Failure auditing
enabled you should see 547 failure events in the Security log if there is an
IPsec negotiation failure. You'll also see additional traffic for IPsec
MM/QM creations in the form of 541 and 542 events as well.
From there you can refer to the Chapter 7 IPsec troubleshooting guide from
the domain isolation doc for detailed information on each of the events and
suggestions for correcting them. If that doesn't provide enough information
you should look into enabling the oakley.log file for even more detailed
information.
Lastly, all this is assuming that you are not using IPsec to secure the
traffic between the client and the DC since that is an unsupported
configuration and prone to many problems. e.g. the DC's IP address should
be permitted in the policy.
http://www.microsoft.com/technet/sec.../IPsecch7.mspx
jason
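Added example, not part of the original post or of any Microsoft guide: one way to line up the 541/542/547 Security log events mentioned in the reply above against the overnight backup window, so the first negotiation failure can be compared with the time the copies stop. It assumes PowerShell 2.0 or later on the affected server, an elevated prompt, and that 'Audit Logon Events' auditing is already enabled; the window times are illustrative.

```powershell
# Added example: correlate IPsec audit events with the backup window.
# Assumptions: PowerShell 2.0+, elevated prompt, 'Audit Logon Events'
# success/failure auditing enabled. Window values are illustrative.
$windowStart = (Get-Date).Date.AddDays(-1).AddHours(21)   # 9 pm yesterday, job start
$windowEnd   = $windowStart.AddHours(8)
$ids         = 541, 542, 547     # 541/542: MM/QM SA events, 547: negotiation failure

# EventID is matched client-side so the filter does not depend on InstanceId encoding.
$events = @(Get-EventLog -LogName Security -After $windowStart -Before $windowEnd `
                -ErrorAction SilentlyContinue |
            Where-Object { $ids -contains $_.EventID } |
            Sort-Object TimeGenerated)

if ($events.Count -eq 0) {
    # Silence is not proof of health: without auditing these events are never written.
    'No 541/542/547 events in the window. Confirm auditing is enabled.'
}
else {
    # Per-hour counts show whether SA events stop and failures start mid-job.
    $events |
        Group-Object { '{0:yyyy-MM-dd HH}:00  event {1}' -f $_.TimeGenerated, $_.EventID } |
        Select-Object Name, Count |
        Format-Table -AutoSize |
        Out-String

    # First failure, and the last non-failure SA event logged before it.
    $firstFail = $events | Where-Object { $_.EventID -eq 547 } | Select-Object -First 1
    if ($firstFail) {
        $lastOk = $events |
            Where-Object { $_.EventID -ne 547 -and
                           $_.TimeGenerated -lt $firstFail.TimeGenerated } |
            Select-Object -Last 1
        "First 547 failure:       $($firstFail.TimeGenerated)"
        "Last 541/542 before it:  $($lastOk.TimeGenerated)"
        # The event text describes the failure; look it up in the troubleshooting guide.
        $firstFail.Message
    }
    else {
        'SA events present but no 547 failures: look at DNS/DC location next.'
    }
}
```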
-
Re: Ipsec connection problem
Of course, it's AD integrated DNS, so it's a DNS/authentication problem. I
didn't know that IPsec wasn't supported to a DC, though.
It all worked fine for about two months until I had to rebuild the server,
it's been the last 2 - 3 weeks that I've had the problem, on the new build.
I'll set the DCs to permit, that probably will fix it.
Thanks
Bob Grabbe
bgrabbe@umich.edu