Re: secure server policy

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 07/01/04


Date: Thu, 01 Jul 2004 17:40:55 GMT

Be very careful with ipsec policies. Ipsec policies between domain members must
exempt domain controllers based on their static IP addresses or you will
experience a lot of problems. MS does not support ipsec negotiation policy
between domain members and domain controllers because of the way machine
authentication works in ipsec. See the links below for more details. --- Steve

http://support.microsoft.com/?kbid=254949
http://tinyurl.com/3yvnl -- link to a previous thread on this topic.

From Windows 2003 Deployment Guide:
Requiring IPSec for communication between Active Directory domain members and
domain controllers might block connections
IPSec is based on the authentication of computers on a network; therefore,
before a computer can send IPSec-protected data, it must be authenticated. The
Active Directory security domain provides this authentication using the Kerberos
protocol. Accordingly, when IKE uses Kerberos to authenticate, the Kerberos
protocol and other dependent protocols (DNS, UDP LDAP and ICMP) are used for
communication with domain controllers. Additionally, Active Directory-based
IPSec policy settings are typically applied to domain members through Group
Policy. As a result, if IPSec is required from domain members to the domain
controllers, authentication traffic will be blocked and IPSec communications
will fail. In addition, no other authenticated connections can be made using
other protocols, and no other IPSec policy settings can be applied to that
domain member through Group Policy. **For these reasons, using IPSec for
communications between domain members and domain controllers is not supported.**

"new question" <new question@discussions.microsoft.com> wrote in message
news:448147CF-76FE-4C37-8853-F68C60F330FD@microsoft.com...
> hi
> I experienced a problem when I deployed the default Secure Server IPsec policy to
> all my domain. Some clients didn't join after restart. We waited for a very long
> time. We logged on to the local machine and edited the local policy, assigned
> Secure Server locally, and then the machine restarted. The client machine logged
> on successfully.
> I want to learn whether we can't apply the Secure Server policy to the whole domain?
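As an added illustration of the advice above (this script is not from the thread or from Microsoft), here is how the domain-controller exemption Steve describes can be built with the Windows Server 2003 `netsh ipsec static` context before a Require-style policy is assigned. The DC addresses 192.0.2.10 and 192.0.2.11, the policy, filter-list and filter-action names are constructed placeholders; the ESP method is an assumption. On Windows 2000 the same objects are created in the IP Security Policy MMC snap-in, since that platform has no `netsh ipsec` context.

```batch
@echo off
REM Added example, not code from the thread: a "Secure Server"-style policy that
REM still permits all traffic to and from the domain controllers.
REM Assumes the Windows Server 2003 "netsh ipsec static" syntax. The DC addresses
REM 192.0.2.10 / 192.0.2.11 and all object names below are constructed placeholders.

set POLICY=Secure Server - DC exempt
set DCLIST=Domain Controllers

REM 1. Create the policy unassigned so nothing takes effect until every rule exists.
netsh ipsec static add policy name="%POLICY%" description="Require IPsec except to DCs" assign=no

REM 2. Filter list matching each domain controller by its static IP address,
REM    every protocol, mirrored so both directions are covered.
netsh ipsec static add filterlist name="%DCLIST%"
netsh ipsec static add filter filterlist="%DCLIST%" srcaddr=me dstaddr=192.0.2.10 protocol=ANY mirrored=yes description="DC1 (placeholder address)"
netsh ipsec static add filter filterlist="%DCLIST%" srcaddr=me dstaddr=192.0.2.11 protocol=ANY mirrored=yes description="DC2 (placeholder address)"

REM 3. A plain permit action. DC traffic must never be negotiated: Kerberos, LDAP
REM    and DNS to the KDC (and the Group Policy refresh that delivers this policy)
REM    would otherwise be blocked, which is exactly the failure the thread describes.
netsh ipsec static add filteraction name="Permit DC traffic" action=permit

REM 4. Bind the DC filter list and the permit action into a rule of the policy.
netsh ipsec static add rule name="Exempt domain controllers" policy="%POLICY%" filterlist="%DCLIST%" filteraction="Permit DC traffic"

REM 5. Everything else: negotiate security with no fallback to clear text
REM    (inpass=no, soft=no), the behaviour of the built-in Secure Server policy.
netsh ipsec static add filterlist name="All IP traffic"
netsh ipsec static add filter filterlist="All IP traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes
netsh ipsec static add filteraction name="Require security" action=negotiate inpass=no soft=no qmsecmethods=ESP[3DES,SHA1]
netsh ipsec static add rule name="Require IPsec for everything else" policy="%POLICY%" filterlist="All IP traffic" filteraction="Require security"

REM 6. Only now assign the policy on this machine and print it back for review.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Windows IPsec orders filters by specificity, not by the order the rules were added, so the single-host DC filters take precedence over the `dstaddr=any` filter and the exemption holds however the rules are listed. Assigning the policy locally, as the original poster did, is useful for testing on one member; the DC exemption rule must also be present in the policy object that Group Policy assigns to the domain, otherwise every member that receives the domain policy will lose its path to the KDC in the same way.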
