Re: Securing the communication between all workstations in a domain

From: Steven L Umbach
Date: Mon, 17 Feb 2003 15:58:29 GMT

Hi Vijay. I am no expert at Ipsec. I would try using the server (request
security) policy in that OU - the secure policy is rather extreme and can
take some tweaking to get it right. Monitor results using ipsecmon to see
what is going on. You might have to create a custom policy exempting domain
controllers from ipsec traffic by their tcp/ip addresses per knowledge base
article link. Generally from what I have read Ipsec is usually implemented
in such a way that non domain controller servers such as file/application
servers are put in their own OU and assigned either secure server or server
ipsec policy. Then the workstations are put in their own OU with client
ipsec policy. There should be very little if any workstation to workstation
traffic in a high secure network anyway. I think your problem is that the
computers you have assigned ipsec policy to are unable to access the domain
controller, and since the domain controller is the Active Directory dns
server you are unable to find/communicate with ANY other computers until you
exempt the domain controllers from ipsec traffic - a request policy may work
for you to remedy that - I am not sure. Try pinging the domain controller by
fully qualified domain name or use nslookup to see if that is an issue. When
I was experimenting with ipsec a while back I noticed it took a while for
new policies to take effect and I usually ended up rebooting a computer to
update it. Again the ipsecmon utility (at the command prompt) was extremely
helpful in troubleshooting ipsec. Sorry I could not be of more help. --
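As an added illustration of the approach described above (exempt the domain controllers by address, request but do not require IPsec for everything else), and not part of the original thread: a `netsh ipsec static` script for a Windows Server 2003 / XP test member computer. The DC addresses 10.0.0.10 and 10.0.0.11 are constructed placeholders, and the policy, filter list and filter action names are my own.

```batch
@echo off
rem Added example (not from the thread): build a local IPsec policy that permits
rem traffic to the domain controllers and requests, but does not require, IPsec
rem for all other IP traffic. The DC exemption matters because Kerberos-based IKE
rem authentication and DNS both depend on reaching the DC: requiring IPsec to the
rem DC itself leaves the client unable to negotiate anything.
rem Constructed placeholder addresses - replace with your own DCs.
set DC1=10.0.0.10
set DC2=10.0.0.11

rem 1. Filter list matching traffic between this host and each DC (mirrored = both directions).
netsh ipsec static add filterlist name="DC Exempt" description="Traffic to domain controllers"
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=%DC1% protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="DC Exempt" srcaddr=me dstaddr=%DC2% protocol=ANY mirrored=yes

rem 2. Filter list matching everything else.
netsh ipsec static add filterlist name="All Other IP" description="All other IP traffic"
netsh ipsec static add filter filterlist="All Other IP" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 3. Filter actions: plain permit for the DCs; negotiate with fallback for the rest.
rem    inpass=yes accepts unsecured inbound traffic, soft=yes falls back to clear text
rem    with peers that never answer IKE - the "Request Security" behaviour.
netsh ipsec static add filteraction name="Permit DC" action=permit
netsh ipsec static add filteraction name="Request IPsec" action=negotiate inpass=yes soft=yes

rem 4. Policy with two rules; the negotiated rule authenticates with Kerberos.
netsh ipsec static add policy name="Request Security - DC Exempt" description="Request IPsec, exempt DCs" activatedefaultrule=no
netsh ipsec static add rule name="Exempt DCs" policy="Request Security - DC Exempt" filterlist="DC Exempt" filteraction="Permit DC"
netsh ipsec static add rule name="Request IPsec" policy="Request Security - DC Exempt" filterlist="All Other IP" filteraction="Request IPsec" kerberos=yes

rem 5. Assign the policy locally and dump the configuration for review.
netsh ipsec static set policy name="Request Security - DC Exempt" assign=y
netsh ipsec static show all
```

After assignment, `netsh ipsec dynamic show all` lists the live main-mode and quick-mode SAs, which is the command-line view of what the thread checks with ipsecmon; if a peer shows no SA while traffic still flows, the soft fallback has taken effect and that host is talking in clear text.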

"Ch.Vijay" <> wrote in message
> Hi Steve
> according to you I placed 2 computers in one OU and
> assigned group policy for that OU. Assigned IPsec policy
> as Secure server for that OU
> After some time both machines are unable to
> communicate with each other as well as domain
> controllers. Domain controllers are able to talk to each
> other.
> Vijay
> >-----Original Message-----
> >Possibly one of the domain controllers had not had its policy updated yet
> >when the other domain controller was expecting ipsec communications. There
> >are some issues about using ipsec on domain controllers, particularly when
> >it comes to communications with non domain controllers (member servers and
> >workstations). Ipsecmon is very helpful at seeing what is going on. You
> >might want to try using request security rule instead which still would
> >give you secure communications if all computers in the domain are W2K or
> >later. You could also try putting all computers (with exception of domain
> >controllers) in a separate OU with a security policy for ipsec defined for
> >them and not involving the domain controllers. Most (if not all)
> >communications with and between domain controllers that involve any
> >sensitive information is encrypted anyhow, such as authentication and
> >Active Directory replication. Of course if you want to use your domain
> >controller as a file server then that would be a problem, but that is not
> >recommended practice. See links for more info. --- Steve
> >
> >urity/ipsecsteps.asp
> >
> >"Vijay" <> wrote in message
> >news:031401c2d587$330e6d80$a301280a@phx.gbl...
> >> Hi
> >>
> >> I want to secure all the communications between all
> >> workstations and servers and domain controllers in a
> >> domain using IPSec & Kerberos.
> >> How can I implement this in a Windows 2003 domain?
> >> In my test setup when I select default domain policy as a
> >> secure server in one of the domain controllers,
> >> communication between domain controllers including
> >> replication is not happening? Any solutions..