Re: Using IPSec; Firewall breaks sysvol replication
- From: "Augusto Alvarez" <augusto@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 17 Jan 2009 17:21:56 -0200
Did you check this article?
Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx
There you can find a special topic for IPSec: Encapsulating Inside IPSec
Hope it helps
Cheers
--
augusto alvarez | it professional
MCP - MCTS - MCITP DBA
http://blog.augustoalvarez.com.ar/
"brad" <piraparana@xxxxxxxxxxxxxxxx> wrote in message news:F7461A70-0A3B-4AA8-BC8E-9C5D13F13DF6@xxxxxxxxxxxxxxxx
Greetings,
I am using an IPSec policy to enforce the use of IPSec for all network
traffic between domain controllers. The appropriate security associations are
showing up in the IPSec monitor and each domain controller can ping the other
one. Active directory syncs OK. I can add or delete or disable an account on
one DC and the changes show up right away on the others.
However, I am having trouble with Sysvol replication. Sysvol will not
replicate as long as the firewall is enabled on the DC with the PDC role. I
have the following rule in the Windows Firewall to enable IPSec traffic to
pass (using "define ports" setting in GPO):
50:ip protocol:*:enabled:IPSec ESP
51:ip protocol:*:enabled:IPSec AH
We have two root DCs and three child domain DCs. Sysvol works fine on the
child domain. Since it was not working on the root domain, I configured a
static port for FRS, as per KB319553 and enabled that port on all DCs. That
did not solve the problem. Actually, that step should not have been necessary
anyway since all traffic between DCs is already encapsulated with IPSec.
Summary: 5 domain controllers, all using IPSec, all firewalls configured
identically, yet one server's firewall, when enabled, breaks replication of
sysvol for root domain. Sysvol replication works OK for child domain but not
for root domain.
It would seem that the problem lies with the firewall configuration on the
DC with the PDC role. However, if the firewall was misconfigured, it seems
that no traffic at all could pass between the two root DCs, since all traffic
must use IPSec.
Questions:
(1) Am I using the correct syntax for the Windows firewall rule to allow
IPSec traffic to pass?
(2) If not, how is it that IPSec is working on all 5 DCs?
(3) On Windows 2003 Server SP2; does IPSec traffic bypass the firewall by
default? I do not have the "Windows Firewall:Allow authenticated IPSec
bypass" policy configured.
(4) Would the above-mentioned policy setting be the best way to get around
this problem? If so, I need some help with the SDDL string. My DCs are in an
OU but not in a group. Must I create a group for them in order to be able to
have an SID for the SDDL?
Thanks for any help you can give.
--
bb
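The two rule strings quoted above and the SDDL question in (4) can both be checked mechanically. The script below is an added example; it is not from either poster and not a Microsoft tool. It validates entries against the documented shape of the "Windows Firewall: Define port exceptions" policy, port:transport:scope:status:name, where transport must be TCP or UDP (so IP protocol numbers such as 50 and 51 cannot be expressed as a port exception), and it assembles an SDDL string of the shape the "Allow authenticated IPsec bypass" policy expects, one allow ACE granting RCGW to a group SID. The FRS port value, the group SID and the group name in the code are placeholders, not values from this thread or from KB319553.

```python
import re

# Documented shape of a "Define port exceptions" entry:
#   port:transport:scope:status:name   e.g. 139:TCP:*:enabled:NetBIOS
ENTRY_RE = re.compile(
    r"^(?P<port>\d{1,5}):(?P<transport>[^:]+):(?P<scope>[^:]*):"
    r"(?P<status>enabled|disabled):(?P<name>.+)$",
    re.IGNORECASE,
)
# Scope is "*" (any address) or a comma-separated list of addresses,
# subnets in a.b.c.d/nn form, or the keyword LocalSubnet.
SCOPE_ITEM_RE = re.compile(
    r"^(localsubnet|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$", re.IGNORECASE
)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# IP protocol numbers that are often mistaken for ports in firewall rules.
IP_PROTOCOL_NAMES = {50: "ESP", 51: "AH"}


def check_port_exception(entry):
    """Validate one port-exception string; return (ok, reason)."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return False, "does not match port:transport:scope:status:name"
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return False, f"port {port} out of range"
    transport = m.group("transport").strip().upper()
    if transport not in ("TCP", "UDP"):
        hint = ""
        if port in IP_PROTOCOL_NAMES:
            hint = (f" (IP protocol {port} is {IP_PROTOCOL_NAMES[port]}, "
                    "which is not a TCP/UDP port)")
        return False, f"transport {transport!r} must be TCP or UDP{hint}"
    scope = m.group("scope").strip()
    if scope != "*":
        for item in scope.split(","):
            if not SCOPE_ITEM_RE.match(item.strip()):
                return False, f"bad scope item {item.strip()!r}"
    return True, "ok"


def frs_port_exception(port, scope="*"):
    """Entry opening a static FRS RPC port (FRS uses RPC over TCP)."""
    return f"{port}:TCP:{scope}:enabled:FRS static RPC port"


def ipsec_bypass_sddl(group_sid):
    """SDDL for 'Allow authenticated IPsec bypass': allow ACE granting RCGW
    to the given group SID (owner and group set to Domain Admins)."""
    if not SID_RE.match(group_sid):
        raise ValueError(f"not a SID: {group_sid!r}")
    return f"O:DAG:DAD:(A;;RCGW;;;{group_sid})"


if __name__ == "__main__":
    # Constructed sample: the poster's two rules plus two well-formed entries.
    samples = [
        "50:ip protocol:*:enabled:IPSec ESP",
        "51:ip protocol:*:enabled:IPSec AH",
        frs_port_exception(49152),  # placeholder port, not from the thread
        "3389:TCP:10.0.0.0/8,LocalSubnet:enabled:Remote Desktop",
    ]
    for s in samples:
        ok, why = check_port_exception(s)
        print(f"{'OK  ' if ok else 'FAIL'} {s!r}: {why}")
    # Placeholder SID for a hypothetical "DC IPsec bypass" security group.
    print(ipsec_bypass_sddl("S-1-5-21-1111111111-2222222222-3333333333-1105"))
```

Run stand-alone, the script reports both quoted rules as failing (transport "ip protocol" is not TCP or UDP) and prints the bypass SDDL for the placeholder group; the SID in a real deployment would be that of a group containing the domain controller computer accounts, since the policy takes SIDs rather than OU paths.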