Solved

IPSEC with Kerberos

Posted on 2011-09-14
6
430 Views
Last Modified: 2012-08-14
I have a task to enable IPSEC for computer/server communications. However, there are TONS of systems, 8500 Desktops and boat loads of servers.  They are all nicely placed into OU's based on department. Both Server/Workstations are nested in an OU IE

Root
 Department A
   Servers
   Desktops
   Users
 Department B

I was considering creating a single GPO linked to the Department OU that configures "Secure Server"  since it will initiate encryption to the target if supported. This way all traffice for that OU will be secured and I wont have to make TONS of filters to allow for other systems.  The clinets not only communicate with the OU servers but other servers in other OUs. Same with the Servers.  They need to be able to respond to non ipsec based systems.  The objective is to secure all communications WITHIN the OU.  

In the future they may required servers to be required, in that event filters will be needed.

Also, there is a mix of WIndows 7/Vista/XP for desktops 2003/2008 for servers.  

As far as filtering the GPO I was just going to link it the OU and leave security filtering to "Authenticated Users"   Edit my ipsec policy and assign it.

If I am not doing this correct please help me out.
0
Comment
Question by:Grady-Vogt
  • 3
  • 3
6 Comments
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 36540936
You are correct,but  I would recommed to test the policy in the test OU first and then go for it if you dont find  any issue with the policy.
0
 

Author Comment

by:Grady-Vogt
ID: 36543546
Correct on testing,  We are choosing pilot servers and desktops now.

I also believe this requires a reboot of the PC once the GPO is applied..

I know this sounds dumb but how do you know if the policy is in effect and functioning? I looked into netsh/ipsec and could not find a STATUS if you willl. I just need to verity the policy IS in fact operational on the server/client.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36546917
Once the policy is applied you need to reboot the worksation PC.Ran gpresult to see if the policy is applied on the PC or you can also ran rsop.msc to check if the policy is applied.
Also check the application log event id 1704 should occur if the policy is applied sucessfully.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:Grady-Vogt
ID: 36547038
Do I only reboot the workstations?   Servers?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36547065
Reboot only workstation after the policy is applied.
0
 

Author Comment

by:Grady-Vogt
ID: 36561755
Everything appears to be working ONLY if I add the computer object to the security filter of the GPO.  

I had removed the authenticated users and pult in my AD Group that contained 10 test servers/destktops.  
They wont apply the policy unless I enter them in manually to the security filtering.  

Why are they not pulling from the defined AD Security group? I have tried Global/Universal
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Need to replace W2003 server with Win2008R2. 3 31
Cannot Change Local DNS 9 61
Enterprise Mode 4 46
How to set IPSec under Server 2008 R2 and Server 2012 R2 3 42
Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question