Options
IPSec for DC?
I've got a test environment that consists of a Server 2003 Domain Controller and an XP Pro machine using Virtual PC. It logged onto the domain fine and was working flawlessly...until I decided to try get IPSec going for all traffic. I now had difficulty logging a new XP machine onto the domain and DNS seemed to be really messed up even though all the records were there and I tried restarting the netlogon Service and even a whole reboot.
The way I applied the IPSec was as follows....
'Require Security' was added to the default domain policy
'Respond only' was applied to a GPO in an OU called 'Client PCs'
After I did this, nothing worked. I could ping by IP but not hostnames. I removed these policies from Active Directory on my DC but still, nothing worked.
Now i've read somewhere on the net that you shouldn't apply IPSec to any of your Domain Controllers. Do you simply have to tick 'block inheritance' on your Domain Controller OUs GPO, or is there a proper way to enable IPSec for all traffic without affecting the Domain Controllers? In my case, I only have one Server and it is the DC.
Cheers
The way I applied the IPSec was as follows....
'Require Security' was added to the default domain policy
'Respond only' was applied to a GPO in an OU called 'Client PCs'
After I did this, nothing worked. I could ping by IP but not hostnames. I removed these policies from Active Directory on my DC but still, nothing worked.
Now i've read somewhere on the net that you shouldn't apply IPSec to any of your Domain Controllers. Do you simply have to tick 'block inheritance' on your Domain Controller OUs GPO, or is there a proper way to enable IPSec for all traffic without affecting the Domain Controllers? In my case, I only have one Server and it is the DC.
Cheers
Comments
-
Options
down77
Member Posts: 1,009
Remember that IPsec requires one of 3 methods of authenication before communication can proceed: Pre-Shared Keys, Kerberos, or a Certificate. The default method for IPSec is Kerberos, and in the scenario you presented it would make authentication difficult since you can't have IPSec without Kerberos, and Kerberos would not be able to properly authenticate because you are requiring IPSec... potentially using pre-shared keys or certificates may have helped (but add additional concerns).
Before implementing such a policy make sure to define and detail your functional and technical requirements. Why are you using IPsec? What types of traffic patterns or protocols need to be secured by IPsec? Do you have a fallback mechanism incase of a communication failure (or service outage) related to the IPsec policies?
Also, as a proof of concept try by first implementing a DC to DC ipsec transport. See the KB listed below for more information on setting this up.
http://support.microsoft.com/kb/254949
RegardsCCIE Sec: Starting Nov 11 -
Optionsmr2nut
Member Posts: 269
That would explain it then
I'm basically just wanting IPSec all traffic between a Server and my test XP client. What i'm doing now, is setting up a Server 2003 standard purely as a file server without promoting it to a domain controller, putting that computer account into it's own GPO and ticking enforced so that it can't inherit any other policies, then applying require security to the GPO that applies to the file server OU, then client respond only to my client PCs OU. This would work fine wouldnt it? Then I can use netmon to see if everything is encrypted, right?