Solved

enabling AD replication via IPsec on existing domain controllers

Posted on 2010-08-19
2,512 Views
Last Modified: 2012-05-10
I have an existing AD domain with numerous sites.  Currently, we are allowing AD replication through the firewalls with the "swiss cheese" method, allowing RPC, etc.  To trim this down, we would like to start using IPsec encapsulation for AD replication between DCs.  I'm currently following this article:

http://technet.microsoft.com/en-us/library/bb727063.aspx

There is one discrepancy in that article that is troubling me, however.  It says that I need to go to:
Start | Programs | Administrative Tools | Local Security Policy

However, this is not available on a domain controller.  I only have 'Domain Security Policy' and 'Domain Controller Security Policy'.  If I start defining ipsec policies using the 'Domain Controller Security Policy' link instead of 'Local Security Policy', won't those policies get replicated to all DCs?  Will that be an issue?

Ideally, I'd like to enable ipsec on certain DCs as a test, and roll it out to other DCs as I verify it's working.  I don't want to do a global ipsec configuration and activate it on every DC simultaneously.
Question by:NetAdSubs
6 Comments
 
LVL 6

Expert Comment

by:craig_j_Lawrence
ID: 33481273
A little more information, please: what OS are you running on your domain controllers? The article listed applies to Windows 2000; I would use this article as well, http://support.microsoft.com/kb/816514, if running Windows 2003.

I would strongly recommend that you create a test domain with domain controllers on different sites to test this, rather than on your production domain.

Hope this helps
 

Author Comment

by:NetAdSubs
ID: 33481471
I apologize; I meant to include that info.  We are running Windows 2003 DCs in all sites.

I was indeed considering setting up a test domain, but we are limited on resources and time, so I was hoping to get some answers from the experts here first.  For what it's worth, we do already have a test domain up and running for a different project, but it's running Windows 2008R2 DCs.  I could certainly set up ipsec between those DCs, but I'm not sure how Windows 2003's ipsec functionality compares to 2008R2's.

Regarding the article you linked, that looks like it involves setting up an ipsec tunnel.  It was my understanding that with AD replication via ipsec (as discussed in the article I linked), you're not actually creating a tunnel, but rather just encapsulating your replication traffic inside of ipsec packets.
 
LVL 6

Expert Comment

by:craig_j_Lawrence
ID: 33481568
I was pointing out the secpol.msc tool, rather than how to set up a tunnel.

If you follow your original article, you should be fine. Just be aware that as soon as you set up IPsec for replication to test, the other domain controllers will not be able to replicate to those DCs until you either disable IPsec encapsulation or enable it everywhere.

Hope this helps
 
LVL 7

Assisted Solution

by:CGretski
CGretski earned 400 total points
ID: 33483465
Just a word of warning setting IPSEC on DC communication via policy.

If you set group policy on one DC that it needs IPsec for all communications with other DCs, all communication between DCs will stop until they start using the same IPsec settings.

Because there's no communication, replication won't work, so the other DCs will never get the new policy telling them to use IPsec.

Your domain is now broken.

A possible workaround is forcibly disabling the IPsec service on Windows, which will cause them to ignore IPsec and talk clear text until replication is complete, then re-enable the service.

Alternatively, create the IPsec policy so it only applies to certain source/destination IPs, to only one pair of domain controllers at a time. That way (assuming you have more than 2 DCs) the policy could replicate indirectly via the non-IPsec DCs.
 
LVL 6

Accepted Solution

by:craig_j_Lawrence
craig_j_Lawrence earned 600 total points
ID: 33483497
Thanks for your input. I agree that applying IPsec settings via group policy is not a good idea, as you stated. I would definitely apply settings to 2 domain controllers via secpol.msc and ensure that the configuration is filtered via IP address.
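One way to build the per-pair, IP-filtered local policy that the two answers above recommend, as an added example that is not from the original thread or from either poster: it uses the Windows Server 2003 `netsh ipsec static` context, which writes to the same local policy store that the IP Security Policies node of secpol.msc shows, so nothing here goes into a domain GPO. The addresses 10.0.1.10 and 10.0.2.10 and every policy, filter and rule name are placeholders; the ESP cipher choice and the Kerberos authentication method are assumptions for illustration, not settings from the thread.

```batch
@echo off
rem Added example (not from the thread): IPsec for ONE pair of Windows Server 2003 DCs,
rem built in the LOCAL policy store (what secpol.msc shows), never pushed via GPO.
rem Run on each of the two DCs. Addresses and names below are constructed placeholders.
set DC_A=10.0.1.10
set DC_B=10.0.2.10
set POLICY=DC-Replication-IPsec

rem Work in the local store, the same place secpol.msc writes.
netsh ipsec static set store location=local

rem 1. Policy container. Not assigned yet, so nothing takes effect until step 5.
netsh ipsec static add policy name="%POLICY%" description="Test: ESP between two DCs only" assign=no

rem 2. Filter list matching ONLY traffic between the two DCs (mirrored=yes covers both directions).
rem    Every other DC is unmatched, keeps replicating in the clear, and the domain keeps working;
rem    this is the per-pair scoping that avoids the lockout described in the thread.
netsh ipsec static add filterlist name="%POLICY%-Filters"
netsh ipsec static add filter filterlist="%POLICY%-Filters" srcaddr=%DC_A% dstaddr=%DC_B% protocol=ANY mirrored=yes description="DC_A to DC_B, all protocols"

rem 3. Filter action: negotiate ESP in transport mode (no tunnel), no fallback to clear text.
rem    With soft=no and inpass=no, a matched peer that lacks the policy cannot talk to this DC,
rem    so the filter list above must stay narrow.
netsh ipsec static add filteraction name="%POLICY%-RequireESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule tying filter list and action together; Kerberos authenticates the two machine accounts.
netsh ipsec static add rule name="%POLICY%-Rule" policy="%POLICY%" filterlist="%POLICY%-Filters" filteraction="%POLICY%-RequireESP" kerberos=yes

rem 5. Assign the policy. Do this on both DCs in a short window: replication between
rem    just these two stops until the second one is assigned.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Verify: the assigned policy, then force replication and check that main-mode SAs exist.
rem (repadmin ships in the Windows Server 2003 Support Tools.)
netsh ipsec static show policy name="%POLICY%"
repadmin /syncall
netsh ipsec dynamic show mmsas

rem Rollback on either DC if replication between the pair breaks:
rem   netsh ipsec static set policy name="%POLICY%" assign=no
rem The thread's emergency workaround (stop IPsec entirely on this host so it talks clear text):
rem   net stop PolicyAgent
```

Once the pair replicates over ESP, repeat the script with the next pair of addresses on a fresh policy name, or add a second filter to the same filter list, so rollout stays one pair at a time as CGretski suggested.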
 

Author Comment

by:NetAdSubs
ID: 33487721
Thank you very much for the info.  The file secpol.msc is what I was looking for.  That pulls up the "Local Security Settings," which is exactly what I'm after.  I was wary of applying this via a group policy for the reasons you both mentioned.  Being able to apply it to one machine at a time is much preferable.  I wasn't aware that secpol.msc was still available on a DC, since the shortcut gets removed from the Administrative Tools menu when you promote a machine to a DC.  I had always just assumed that was something you just couldn't do on a DC.

Any idea why the shortcut gets removed?  Seems like there are still valid uses for it, even on a DC.