Re: AD Through Firewall & Trusts



You can specify the machines that communicate with IPSec. If I enforce IPSec to be used only between 2 machines, that doesn't mean that all others must also use IPSec. Of course you can still force all communications to use IPSec if you want.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
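The scoping Jorge describes (IPsec required only between two named hosts, everything else untouched) maps onto a connection security rule whose address filter names just the two DCs. The block below is an added example, not from the thread or from Microsoft's KB article; it uses the NetSecurity PowerShell module (Windows Server 2012 and later; the 2003-era setup in the thread would be done in the IP Security Policy snap-in or netsh ipsec). The addresses and the CA distinguished name are placeholders. It authenticates with machine certificates rather than Kerberos so that the IPsec negotiation between two DCs does not itself depend on Kerberos traffic to a DC, and it ends with two checks that show the rule is scoped to the single peer.

```powershell
# Added example (not from the thread): require IPsec only for traffic between
# two specific domain controllers. Other hosts talking to this server are not
# affected because the rule's address filter names only the one remote peer.
# Requires the NetSecurity module (Windows Server 2012 / Windows 8 and later).
# IP addresses and the CA name are placeholders.

$LocalDc  = '10.0.1.10'   # the new DC behind the firewall (placeholder)
$RemoteDc = '10.0.2.10'   # the existing DC it replicates with (placeholder)
$CaName   = 'CN=Contoso Issuing CA, DC=contoso, DC=com'  # placeholder issuing CA DN

# Phase 1 authentication with machine certificates issued by $CaName.
# Certificates are chosen over Kerberos so the DC-to-DC IPsec association does
# not depend on reaching a KDC before the tunnel exists.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaName -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'DC-to-DC cert auth' -Proposal $certProposal

# Require IPsec inbound and outbound, but only when the peer is $RemoteDc.
$ruleName = "Require IPsec $LocalDc <-> $RemoteDc"
New-NetIPsecRule -DisplayName $ruleName `
    -LocalAddress  $LocalDc `
    -RemoteAddress $RemoteDc `
    -InboundSecurity  Require `
    -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name `
    -Profile Domain `
    -Enabled True

# Check 1: the rule's address filter should list exactly the two endpoints.
Get-NetIPsecRule -DisplayName $ruleName | Get-NetFirewallAddressFilter

# Check 2: once replication traffic flows, a main-mode SA should exist with
# $RemoteDc only; no SA should appear for other clients of this server.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Because the rule is scoped by address, a workstation on the same subnet still reaches the DC in the clear; if the goal is to protect all traffic to the DC, a second rule without the -RemoteAddress restriction (or with Request rather than Require for clients that cannot do IPsec) is needed.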
"Tim Chin" <donotemail> wrote in message news:%23TZFWOFqHHA.1144@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the reply Jorge. I'm still kind of confused though. IPsec or not, if the new DC will be a part of an existing domain with trusts to other domains, does the new DC need to be able to communicate with the other domain's domain controllers? (The new DC will be configured to communicate with the other DCs in the domain that the new DC is a part of.)

In other words, if I join a Windows XP computer to the same firewalled subnet as the new DC, can I log in to the Windows XP computer with credentials from a trusted domain? Or will I need to enable communication from the new DC to the trusted domains on the other side of the firewall, in addition to the DCs in the domain that the new DC is a part of?

My goal is to limit the number of rules to be added to the firewall for security and simplicity of administration. However, I'm willing to create whatever I need for this to work. And I'm not in a position to test this setup, yet, thus my asking in this newsgroup.

Any help is appreciated.
Tim

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:%23X26%2308pHHA.3948@xxxxxxxxxxxxxxxxxxxxxxx
Hi
You can enforce IPSec for communications only between these 2 DCs.
http://support.microsoft.com/kb/254949
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services