IPsec and DCs

jamestulloch

Hi All,

Another request from my client is to start a move toward Domain
Isolation by using IPsec to encrypt all traffic between DCs. This
would not include UDP and TCP 53 as all DCs are DNS servers.

Any thoughts? From what I can gather, in domain isolation DC to DC
communication is excepted. But maybe I misread.

Thanks for your input.

James
jamestulloch

Further to the above. It seems that if Kerberos is used as the
authentication method then you need to exempt from the IPsec rule any
Kerberos traffic and any LDAP traffic.

If so then why encrypt anything else between the DCs?
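As an added example, not part of the thread: this is how the policy the two posts above describe could be expressed with the Windows NetSecurity cmdlets (Windows Server 2012 and later) in a GPO applied to the domain controllers. It requires ESP encryption for all DC-to-DC traffic, authenticated with machine Kerberos, and carves out the DNS, Kerberos and LDAP traffic the posts say must stay in the clear. The GPO name, the DC addresses and the cipher choices are assumptions for illustration, not from the page.

```powershell
# Added example, not code from the thread. Builds the DC-to-DC IPsec policy
# described above with the NetSecurity module (Windows Server 2012+).
# ASSUMPTIONS (not from the page): the GPO name, the DC addresses, the ciphers.

$PolicyStore = "corp.example.com\DC IPsec Isolation"   # assumed GPO; "PersistentStore" for a local test
$DCs = @("10.0.0.10", "10.0.0.11", "10.0.0.12")         # assumed DC addresses

# Phase 1 (main mode): authenticate with the machine's Kerberos credential.
$p1Proposal = New-NetIPsecPhase1AuthProposal -Machine -Kerberos
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName "DC Machine Kerberos" `
    -Proposal $p1Proposal -PolicyStore $PolicyStore

# Quick mode: ESP with encryption, so traffic is encrypted and not merely integrity-protected.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "DC ESP AES256" `
    -Proposal $qmProposal -PolicyStore $PolicyStore

# Blanket rule: everything between DCs must be protected in both directions.
New-NetIPsecRule -DisplayName "DC-DC Require ESP" -Mode Transport `
    -LocalAddress $DCs -RemoteAddress $DCs `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Set.Name -QuickModeCryptoSet $qmSet.Name `
    -PolicyStore $PolicyStore

# Exemptions named in the thread: DNS (all DCs are DNS servers), plus the
# Kerberos and LDAP traffic that Kerberos authentication of IPsec itself needs.
# Expressed as "do not authenticate" rules (InboundSecurity/OutboundSecurity None);
# WFAS prefers the more specific (port-qualified) rule over the blanket one.
$exempt = @(
    @{ Name = "DNS";      Port = "53";  Protocols = @("UDP", "TCP") },
    @{ Name = "Kerberos"; Port = "88";  Protocols = @("UDP", "TCP") },
    @{ Name = "LDAP";     Port = "389"; Protocols = @("UDP", "TCP") }
)
foreach ($e in $exempt) {
    foreach ($proto in $e.Protocols) {
        # One rule for the client side of the flow (remote port = service) and one
        # for the server side (local port = service); both ends are DCs and get the GPO.
        New-NetIPsecRule -DisplayName "DC-DC Exempt $($e.Name) $proto (to service)" `
            -Mode Transport -LocalAddress $DCs -RemoteAddress $DCs `
            -Protocol $proto -RemotePort $e.Port `
            -InboundSecurity None -OutboundSecurity None -PolicyStore $PolicyStore
        New-NetIPsecRule -DisplayName "DC-DC Exempt $($e.Name) $proto (from service)" `
            -Mode Transport -LocalAddress $DCs -RemoteAddress $DCs `
            -Protocol $proto -LocalPort $e.Port `
            -InboundSecurity None -OutboundSecurity None -PolicyStore $PolicyStore
    }
}

# Check: list what landed in the store, then on a DC confirm that quick-mode SAs
# actually form for non-exempt traffic (e.g. after triggering replication).
Get-NetIPsecRule -PolicyStore $PolicyStore |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Protocol, LocalPort, RemotePort
Get-NetIPsecQuickModeSA
```

Apply the GPO to a single test DC pair first and watch replication and Kerberos ticket issuance before widening it; the exemption list is exactly the set the posts call out, so any other DC service that must stay reachable while an SA has not yet been negotiated would need its own rule.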
Roger Abell [MVP]

jamestulloch said:
Hello?

It's all eerily quiet out there.

Your client is pushing you out into territory few explore, and
from which most likely retreat after a couple of experiments.

For one thing, it is probably still true that if you have problems
and try MS support, they will off the top say it is not a supported
config and want to back you out.
jamestulloch

Roger,

Thanks for that comment, what I might try is going through our MS
account manager to see what they will and will not support.

Cheers

James
Roger Abell [MVP]

First try a post over in the newsgroup
microsoft.public.windows.server.active_directory