NetAdSubs
enabling AD replication via IPsec on existing domain controllers

I have an existing AD domain with numerous sites.  Currently, we are allowing AD replication through the firewalls with the "swiss cheese" method, allowing RPC, etc.  To trim this down, we would like to start using IPsec encapsulation for AD replication between DCs.  I'm currently following this article:

http://technet.microsoft.com/en-us/library/bb727063.aspx

There is one discrepancy in that article that is troubling me, however.  It says that I need to go to:
Start | Programs | Administrative Tools | Local Security Policy

However, this is not available on a domain controller.  I only have 'Domain Security Policy' and 'Domain Controller Security Policy'.  If I start defining ipsec policies using the 'Domain Controller Security Policy' link instead of 'Local Security Policy', won't those policies get replicated to all DCs?  Will that be an issue?

Ideally, I'd like to enable ipsec on certain DCs as a test, and roll it out to other DCs as I verify it's working.  I don't want to do a global ipsec configuration and activate it on every DC simultaneously.
craig_j_Lawrence

A little more information, please: what OS are you running on your domain controllers? The article listed applies to Windows 2000; I would use this article as well, http://support.microsoft.com/kb/816514, if running Windows 2003.

I would strongly recommend that you create a test domain with domain controllers on different sites to test this, rather than on your production domain.

Hope this helps
NetAdSubs

ASKER

I apologize; I meant to include that info.  We are running Windows 2003 DCs in all sites.

I was indeed considering setting up a test domain, but we are limited on resources and time, so I was hoping to get some answers from the experts here first.  For what it's worth, we do already have a test domain up and running for a different project, but it's running Windows 2008R2 DCs.  I could certainly set up ipsec between those DCs, but I'm not sure how Windows 2003's ipsec functionality compares to 2008R2's.

Regarding the article you linked, that looks like it involves setting up an ipsec tunnel.  It was my understanding that with AD replication via ipsec (as discussed in the article I linked), you're not actually creating a tunnel, but rather just encapsulating your replication traffic inside of ipsec packets.

craig_j_Lawrence

I was pointing out the secpol.msc tool, rather than how to set up a tunnel.

If you follow your original article, you should be fine. Just be aware that as soon as you set up IPsec for replication to test, the other domain controllers will not be able to replicate to those DCs until you either disable IPsec encapsulation or enable it everywhere.

Hope this helps
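For readers who want the per-machine equivalent of the secpol.msc work described above, here is an added example (not from the thread or the linked articles) that builds a local IPsec policy on one Windows 2003 DC with netsh. The DC addresses 10.0.1.10 and 10.0.2.10, and the policy, filter list, filter action and rule names are constructed placeholders; the `soft=yes` option is an assumption chosen so that an un-converted partner DC can still replicate in the clear during a staged rollout, which addresses the caveat raised above.

```batch
@echo off
REM Added example: local (per-DC) IPsec policy for AD replication on Windows 2003.
REM Transport mode (no tunnel= parameter), ESP with 3DES/SHA1, Kerberos authentication.
REM Run on each DC in turn; it does not touch the Domain Controller Security Policy GPO.

REM Constructed sample addresses: this DC and its replication partner.
set THIS_DC=10.0.1.10
set PEER_DC=10.0.2.10

REM 1. Policy container (hypothetical name).
netsh ipsec static add policy name="DC Replication IPsec" description="Encapsulate DC-to-DC replication"

REM 2. Filter list matching all traffic between the two DCs, in both directions.
netsh ipsec static add filterlist name="DC Replication Peers"
netsh ipsec static add filter filterlist="DC Replication Peers" srcaddr=%THIS_DC% dstaddr=%PEER_DC% protocol=ANY mirrored=yes description="replication partner"

REM 3. Filter action: negotiate ESP. soft=yes allows fallback to clear text with a
REM    partner that has no IPsec policy yet, so replication keeps working mid-rollout;
REM    inpass=yes lets an unsecured inbound request through while responding with IPsec.
netsh ipsec static add filteraction name="Negotiate ESP 3DES-SHA1" action=negotiate qmsecmethods="ESP[3DES,SHA1]" soft=yes inpass=yes

REM 4. Rule tying the filter list to the action, authenticated with Kerberos (domain membership).
netsh ipsec static add rule name="Protect replication" policy="DC Replication IPsec" filterlist="DC Replication Peers" filteraction="Negotiate ESP 3DES-SHA1" kerberos=yes

REM 5. Assign the policy on this machine only.
netsh ipsec static set policy name="DC Replication IPsec" assign=y

REM 6. Verify: show the assigned policy, live main-mode/quick-mode SAs, and that replication still succeeds.
netsh ipsec static show policy name="DC Replication IPsec" level=verbose
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
repadmin /showrepl
```

Once every DC in the pair has the policy assigned, set `soft=no` on the filter action so that replication can no longer fall back to unencrypted traffic.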
SOLUTION
Chris Geraghty

NetAdSubs

ASKER

Thank you very much for the info.  The file secpol.msc is what I was looking for.  That pulls up the "Local Security Settings," which is exactly what I'm after.  I was wary of applying this via a group policy for the reasons you both mentioned.  Being able to apply it to one machine at a time is much preferable.  I wasn't aware that secpol.msc was still available on a DC, since the shortcut gets removed from the Administrative Tools menu when you promote a machine to a DC.  I had always just assumed that was something you just couldn't do on a DC.

Any idea why the shortcut gets removed?  Seems like there are still valid uses for it, even on a DC.