Re: Does IPsec only work within domain with Kerberos?

From: "Steven L Umbach" <n9rou@attbi.com>
Date: Tue, 11 Mar 2003 02:53:38 GMT


Hi Charles. Kerberos authentication is forest-wide. Try using the request policy to see if that works and tweak from there, using ipsecmon to see what is happening. This link may be of some help. --- Steve

http://support.microsoft.com/?kbid=254949

"Charles Kerekes" <ckerekes.nospam@att.net> wrote in message news:04cd01c2e73f$1c4ba2b0$3401280a@phx.gbl...
> Hello,
>
> I have been testing with the Secure Server policy in a
> lab where I have three domains within a single AD forest.
> I tweaked the Secure Server policy to allow DNS and WINS
> packets through without encryption - this works fine.
>
> I applied the Secure Server policy to one DC/GC within a
> site. To all other DC/GCs within the forest I applied
> the Client IPsec policy. The server that has the Secure
> Server policy applied to it has two AD replication
> connects, one to a DC in its own domain and another to a
> DC in another domain in the forest. When the policy is
> applied, it is no longer able to replicate to the DC in
> the other domain. Replmon gives the following reason:
>
> Replication Failure: The reason is: The RPC server is
> unavailable.
>
>
> I would have expected all servers in the forest (where
> there are transitive trusts to all domains) to work
> seamlessly. I even tried to add a manual trust between
> these two domains with the same results.
>
> Am I missing something, or is IPsec with Kerberos limited
> to a single domain?
>
> Charlie
>
