Internet Protocol Security
This section contains procedures for determining and correcting possible causes of failure in IPSec-secured communications.
Because Active Directory treats the last information saved as the current information, if multiple administrators edit a policy at the same time it is possible to break the links between policy components. For example:
This means that Filter A has a link to Policy A, and Filter B links to Policy B.
If both administrators save their changes simultaneously, Filter C could end up linked to both Policy A and Policy B. Because a truly simultaneous save is unlikely, the more common result is that if Policy A is saved last, its save overwrites the link from Filter C to Policy B, leaving Filter C linked only to Policy A. This causes problems when Filter C is later modified: only Policy A picks up the new changes; Policy B does not.
The policy integrity check eliminates this problem by verifying the links in all IPSec policies. It is a good idea to run the integrity check after making modifications to a policy.
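As an added illustration (not from the Windows 2000 documentation), the following Python models the scenario above: policy and filter-list objects that reference each other, two administrators saving from private snapshots where the last writer wins, and a two-sided link check of the kind the integrity check performs. The object names and the store layout are assumptions made for the example.

```python
"""Constructed model of last-writer-wins link breakage between IPSec policies
and filter lists. Each administrator edits a private snapshot; a save writes
back only the objects that were modified. verify_links() plays the role of
the policy integrity check described in the text."""
from copy import deepcopy


def new_store():
    """Constructed sample directory state: two policies, three filter lists."""
    return {
        "policies": {"Policy A": {"filters": ["Filter A"]},
                     "Policy B": {"filters": ["Filter B"]}},
        "filters": {"Filter A": {"policies": ["Policy A"]},
                    "Filter B": {"policies": ["Policy B"]},
                    "Filter C": {"policies": []}},
    }


def attach(snapshot, policy, filt):
    """Administrator action on a private snapshot: link filt to policy."""
    snapshot["policies"][policy]["filters"].append(filt)
    snapshot["filters"][filt]["policies"].append(policy)
    snapshot.setdefault("dirty", []).extend([("policies", policy), ("filters", filt)])
    return snapshot


def save(store, snapshot):
    """Directory write: only modified objects are written; the last writer wins."""
    for kind, name in snapshot.get("dirty", []):
        store[kind][name] = deepcopy(snapshot[kind][name])


def verify_links(store):
    """Integrity check: every policy<->filter link must exist from both sides."""
    errors = []
    for pname, pol in store["policies"].items():
        for f in pol["filters"]:
            if pname not in store["filters"].get(f, {}).get("policies", []):
                errors.append(f"{pname} -> {f}: filter does not link back")
    for fname, filt in store["filters"].items():
        for p in filt["policies"]:
            if fname not in store["policies"].get(p, {}).get("filters", []):
                errors.append(f"{fname} -> {p}: policy does not link back")
    return errors


def concurrent_edit_demo():
    """Two administrators attach Filter C to different policies; Policy A is saved last."""
    store = new_store()
    admin1 = attach(deepcopy(store), "Policy A", "Filter C")
    admin2 = attach(deepcopy(store), "Policy B", "Filter C")
    save(store, admin2)  # Policy B and its Filter C link are written first
    save(store, admin1)  # Policy A saved last: Filter C now lists only Policy A
    # Policies a later change to Filter C would reach, and what the check reports
    return store["filters"]["Filter C"]["policies"], verify_links(store)
```

Running `concurrent_edit_demo()` shows Policy B still pointing at Filter C while Filter C no longer points back, which is exactly the dangling link the integrity check is meant to surface.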
To check policy integrity
All the IPSec policies listed in the console are checked. If any filters or settings are invalid, an error message is displayed.
Restarting the policy agent might be necessary to clear up old SAs, or to force a policy download from Active Directory to domain clients. The computer must be restarted in order to properly restart the policy agent.
The restart of the policy agent also forces the restart of the IPSec driver.
Use Event Viewer to determine possible causes of failure if the policy agent does not start.
If the files necessary for IPSec components, such as IKE, the IPSec policy agent, or the IPSec driver, have been removed or deleted, you can reinstall the IPSec components by removing and reinstalling TCP/IP. The IPSec components are reinstalled as part of the Internet Protocol installation. For procedural information on how to remove and reinstall the Internet Protocol, see the Windows 2000 Help.