Important: Several features in the Windows Server 2003 family implementation of IPSec are not provided in Windows 2000 or in Windows XP. To ensure that the same IPSec policy functions as expected on computers running the Windows Server 2003 family and on computers running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating systems before deployment. If you plan to apply IPSec policies that use the new features that are available only in the Windows Server 2003 family implementation of IPSec, do not use the Windows 2000 or the Windows XP version of the IP Security Policy Management console to manage these policies. The settings in the earlier versions of the IP Security Policy Management console will override the settings in the Windows Server 2003 family IPSec policy, and the new features will not be functional.
Let's say you want to block PING traffic for a set of computers. In order for this tip to work, you need the following to be true:
- An existing Active Directory infrastructure (working with no errors, duh...).
- All computers that need to be configured must be running Windows 2000 or higher.
- An OU where the computer accounts should be placed. If no OU is applicable for your situation, you'll need to configure the GPO on the Domain level, and thus affect all the members in the domain. That's why I suggest creating an OU and placing the computer accounts in it.
Next we need to configure IPSec Policies inside the GPO. We can do so by editing the GPO and manually configuring the IPSec Policy, just like you did in Block Ping Traffic with IPSec. The only difference is that here you're editing the IPSec policies as part of a larger GPO, not just for the local computer.
If all of the above is in place, we can now begin to configure the GPO.
- Open Active Directory Users & Computers. Right-click the domain (or an OU if you want to only configure a specific set of computers). Choose Properties.
- In the Properties window click the Group Policy tab. Click New to configure a new GPO (if you don't have one set for that OU already). Give it a descriptive name, such as Secure Services.
  Note: If you're configuring a Windows Server 2003 DC computer that has GPMC installed (read Download GPMC), you can shorten this action by simply opening the Group Policy Management snap-in from the Administrative Tools and selecting your desired GPO.
- Click Edit to edit the GPO.
- Navigate to Computer Settings > Windows Settings > Security Settings > IP Security Policies on Active Directory. You can now manually configure the IPSec Policy. See Block Ping Traffic with IPSec for examples. Or, if already configured, import it as an .IPSEC file.
- After the new IPSec Policy is in place, right-click it and select Assign.
- In order for the changes to take place, either reboot the client computers or refresh their computer policy. Run the following command:
  In Windows XP and Windows Server 2003 you should type
When assigning an IPSec policy in Active Directory, consider the following:
- The list of all IPSec policies is available to assign at any level in the Active Directory hierarchy. However, only a single IPSec policy can be assigned at a specific level in Active Directory.
- An IPSec policy that is assigned to an organizational unit in Active Directory takes precedence over a domain-level policy for members of that organizational unit.
- An IPSec policy that is assigned to the lowest-level OU in the domain hierarchy overrides an IPSec policy that is assigned to a higher-level OU, for member computers of that OU.
- An OU inherits the policy of its parent OU unless either policy inheritance is explicitly blocked or policy is explicitly assigned.
- IPSec policies from different organizational units are never merged.
- The highest possible level of the Active Directory hierarchy should be used to assign policies to reduce the amount of configuration and administration required.
- An IPSec policy might remain active even after the Group Policy object to which it is assigned has been deleted. Because of this, you should unassign the IPSec policy before you delete the policy object. To prevent problems, use the following procedure:
  - Unassign the IPSec policy in the Group Policy object.
  - Wait 24 hours to ensure that the change is propagated.
  - Delete the Group Policy object.
  If you delete the Group Policy object without following this procedure, computers in the Active Directory container to which the IPSec policy is assigned treat the IPSec policy as if it cannot be located and continue to use a cached copy.
- Before assigning an IPSec policy to a Group Policy object, verify the Group Policy settings that are required for the IPSec policy. For example, if an IPSec policy requires certificate authentication, assign the Group Policy settings that allow computers to enroll for certificates (usually one or two days before you assign the IPSec policy that requires use of the computer certificate). In addition, you should test the certificate enrollment process and resolve any errors before assigning the IPSec policy.
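To verify on a client which IPSec policy actually took effect after the refresh step above, and to catch the "cached copy of a deleted policy" situation from the list above, here is an added PowerShell check that is not part of the original article. It assumes the registry locations used by the IPSec Policy Agent on Windows 2000/XP/2003 (GPTIPSECPolicy, Policy\Cache and Policy\Local under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec) and that the computer can reach Active Directory.

```powershell
# Added example, not from the original article: report which IPSec policy this computer
# is applying and warn when the assigned AD policy no longer exists in the directory,
# i.e. the "cached copy" condition that arises when a GPO is deleted without first
# unassigning its IPSec policy. The registry locations below are those used by the
# IPSec Policy Agent on Windows 2000/XP/2003 and are stated here as an assumption.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec'
$gptKey = "$base\GPTIPSECPolicy"   # written by Group Policy when an AD IPSec policy is assigned
$cache  = "$base\Policy\Cache"     # local cache of AD policies the agent has downloaded
$local  = "$base\Policy\Local"     # local (non-AD) IPSec policy store

function Get-AssignedIpsecPolicy {
    # A domain assignment overrides a local assignment, so look at GPTIPSECPolicy first.
    if (Test-Path $gptKey) {
        $gpt = Get-ItemProperty -Path $gptKey
        if ($gpt.DSIPSECPolicyPath) {
            return New-Object PSObject -Property @{
                Source = 'ActiveDirectory'
                Name   = $gpt.DSIPSECPolicyName
                Path   = $gpt.DSIPSECPolicyPath   # LDAP://CN=ipsecPolicy{GUID},CN=IP Security,CN=System,DC=...
            }
        }
    }
    if (Test-Path $local) {
        $active = (Get-ItemProperty -Path $local).ActivePolicy
        if ($active) {
            return New-Object PSObject -Property @{ Source = 'Local'; Name = $null; Path = $active }
        }
    }
    return New-Object PSObject -Property @{ Source = 'None'; Name = $null; Path = $null }
}

function Test-OrphanedIpsecPolicy {
    param([Parameter(Mandatory = $true)] $Policy)
    if ($Policy.Source -ne 'ActiveDirectory') { return $false }
    # DirectoryEntry.Exists() resolves the LDAP path; it returns $false once the policy object is gone.
    try { $existsInAd = [ADSI]::Exists($Policy.Path) }
    catch { Write-Warning "Could not query Active Directory: $_"; return $false }
    # Cache subkeys are named after the policy object (ipsecPolicy{GUID}), which also appears in the LDAP path.
    $cachedCopy = (Test-Path $cache) -and (Get-ChildItem $cache | Where-Object { $Policy.Path -like "*$($_.PSChildName)*" })
    return (-not $existsInAd) -and $cachedCopy
}

$policy = Get-AssignedIpsecPolicy
'{0}: {1} ({2})' -f $policy.Source, $policy.Name, $policy.Path
if (Test-OrphanedIpsecPolicy $policy) {
    Write-Warning 'The assigned AD IPSec policy no longer exists, but a cached copy is still being enforced. Unassign it in the GPO and allow the change to propagate.'
}
```

Run it in an elevated PowerShell session on a domain member after the policy refresh; a Source of None means no IPSec policy is assigned at all, which is worth knowing before you conclude that PING is blocked.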