
Windows Server 2003 IPSEC Policy

Hello,
I'm working on implementing IPSec in a Windows 2003 domain.  I want my DCs to require security (securedc), my servers to request (secureserver).  Clients should respond only.

Do I need a Certificate Server also in this setup?  

I was having problems joining test PCs to the test domain.  

Yes, you have to do that also.

To set up a certificate authority (CA)

1. Select a Windows 2000 Server or Windows Server 2003 machine to host the CA.
2. From the CA host, open Control Panel.
3. Double-click Add/Remove Programs.
4. Click Add/Remove Windows Components.
5. Check Certificate Services and then click Next.
6. On the Certification Authority Types page of the wizard, select Stand-alone root CA. Also check the Advanced options box, and then click Next.
7. On the Public and Private Key Pair page, highlight "Microsoft Enhanced Cryptographic Provider v1.0". You might want to set "1024" as the value in the Key length drop-down box. Click Next.
8. On the CA Identifying Information page, fill out the blanks as appropriate. Click Next.
9. On the Data Storage Location page, use the default locations. Click Next.
10. Click Finish.
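The "request security" behaviour asked about in the question, expressed with the Windows Server 2003 `netsh ipsec static` command set. This is an added example, not part of the answer above; the policy, filter list and action names are constructed for the example, and the comments show which settings change for a "require security" DC policy.

```batch
@echo off
rem Added example: build a local "request security" IPsec policy with
rem netsh ipsec static (Windows Server 2003 / XP). All names in quotes
rem are constructed for this example.

rem 1. The policy container (not assigned yet).
netsh ipsec static add policy name="Request Security (example)" ^
    description="Negotiate ESP for all traffic; fall back to clear if the peer cannot"

rem 2. A filter list matching all IP traffic to and from this host.
netsh ipsec static add filterlist name="All IP Traffic (example)"
netsh ipsec static add filter filterlist="All IP Traffic (example)" ^
    srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 3. The filter action. inpass=yes accepts unsecured inbound packets and
rem    soft=yes allows falling back to clear text, which is the "request"
rem    (Secure Server) behaviour. For a DC that must REQUIRE security, use
rem    action=negotiate inpass=no soft=no instead.
netsh ipsec static add filteraction name="Request Security Action (example)" ^
    action=negotiate inpass=yes soft=yes

rem 4. The rule ties filter list, action and authentication together.
rem    kerberos=yes authenticates domain members through Active Directory;
rem    the rootca= parameter instead authenticates with certificates issued
rem    by a CA such as the one installed above. Only one method is needed.
netsh ipsec static add rule name="All Traffic (example)" ^
    policy="Request Security (example)" ^
    filterlist="All IP Traffic (example)" ^
    filteraction="Request Security Action (example)" ^
    kerberos=yes

rem 5. Assign the policy and print it back so the settings can be checked.
netsh ipsec static set policy name="Request Security (example)" assign=yes
netsh ipsec static show policy name="Request Security (example)"
```

Run in an elevated command prompt on a test machine; in a domain the same rules would normally be authored in Group Policy so that every DC, server and client receives its policy centrally.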
jsctechy (Author) commented:
Thanks arul4_1983.  I will give this a shot.  Will I need a recovery agent, or is that just for EFS?

Any reason to choose stand-alone root as opposed to enterprise root?
If you need a recovery agent, you can do that. See this link:
http://img529.imageshack.us/img529/1231/222rg.jpg
Enterprise root CA

An enterprise root CA is a top-level CA in a certification hierarchy. An enterprise root CA requires the Active Directory directory service. It self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Normally, an enterprise root CA does not directly provide resources for user and computer certificates, but is the foundation for a certificate hierarchy. For more information, see Enterprise certification authorities.

Enterprise subordinate CA

An enterprise subordinate CA must obtain its CA certificate from another CA. An enterprise subordinate CA requires Active Directory. You use enterprise subordinate CAs when you want to take advantage of Active Directory, certificate templates, and smart card logon to Windows XP and computers running Windows Server 2003 family operating systems.

Stand-alone root CA

A stand-alone root CA is a top-level CA in a certification hierarchy. The stand-alone root CA may or may not be a member of a domain and, therefore, does not require Active Directory. However, it will use Active Directory if it exists for publishing certificates and certificate revocation lists. Since a stand-alone root CA does not require Active Directory, it can easily be disconnected from the network and placed in a secure area, which is useful when creating a secure offline root CA. For more information, see Stand-alone certification authorities.

Stand-alone subordinate CA

A stand-alone subordinate CA must obtain its CA certificate from another CA. The stand-alone subordinate CA may or may not be a member of a domain and, therefore, does not require Active Directory. However, it will use Active Directory if it exists for publishing certificates and certificate revocation lists.