Assigning IPSec Policies to Servers and Workstations on Your Network

I recently used a Group Policy Object (GPO) linked to all my domain controllers (DCs) and servers to assign the Secure Server (Require Security) IP Security (IPSec) policy. At the same time, I assigned the Client (Respond Only) IPSec policy in the Default Domain Policy GPO. After I assigned the policies, only a few workstations could access any server or DC. To recover, I unassigned the Secure Server (Require Security) policy. What did I do wrong?

The problem you're experiencing is with the sequence of events you performed. When you assigned both policies at the same time, the DCs applied the change first because DCs reapply Group Policy every 5 minutes by default. Other computers in the domain reapply Group Policy every 90 minutes with a random offset between 0 and 30 minutes to prevent sudden surges in Group Policy traffic that could adversely affect network performance or overwhelm DCs. After the DCs assigned the Secure Server (Require Security) IPSec policy, they started refusing unsecured connections from your workstations. The few workstations that could still connect to the DCs just happened to reapply Group Policy between the time you assigned the Client (Respond Only) IPSec policy and the time the DCs reapplied Group Policy. In future modifications to IPSec policy, remember to assign your policy on client machines first, then configure your servers.

To verify that a given client has assigned an IPSec policy from a GPO in Active Directory (AD), open Local Security Settings on that client and select IP Security Policies on Local Computer. If the client is using an IPSec policy from a GPO in AD, you'll receive a popup message that says An IPSec policy has been provided by the domain controller. Domain provided policy overrides policy settings made on the local (or remote) machine. To make sure the computer is using the desired policy, you can load the IP Security Monitor (Ipsecmon) that comes with the Microsoft Windows 2000 Server Resource Kit. Ipsecmon displays IPSec status information, including the name of the IPSec policy currently in use. However, Ipsecmon displays information only when a security association (i.e., an IPSec session with another computer) is currently in effect. Therefore, you need to initiate communications with another computer before checking Ipsecmon.

—Randy Franklin Smith