Re: sysvol replication breaks when IPSec running between DCs & firewal



Hello bRad,

Also have a look here about UDP port 500:
http://support.microsoft.com/kb/233256/

http://support.microsoft.com/kb/254949

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Theoretically, when all traffic between DCs is IPSec, you only have to
open the firewall for ports required by IPSec, and everything will
work. However, I am having trouble with Sysvol replication. Sysvol
will not replicate as long as the firewall is enabled on the DC with
the PDC role. I have the following rule in the Windows Firewall to
enable IPSec traffic to pass:

50:ip protocol:*:enabled:IPSec ESP
51:ip protocol:*:enabled:IPSec AH

We have two root DCs and three child domain DCs. Sysvol works fine on
the child domain. Since it was not working on the root domain, I
configured a static port for FRS, as per KB319553 and enabled that
port on all DCs. That did not solve the problem. Actually, that step
should not have been necessary anyway since all traffic between DCs
is already encapsulated with IPSec.

Summary: 5 domain controllers, all using IPSec, all firewalls
configured identically, yet one server's firewall, when enabled,
breaks replication of sysvol for root domain. Sysvol replication works
OK for child domain but not for root domain.

It would seem that the problem lies with the firewall configuration on
the DC with the PDC role. However, if the firewall was misconfigured,
it seems that no traffic at all could pass between the two root DCs,
since all traffic must use IPSec.

Questions:
(1) Do I have the syntax correct for the Windows firewall rule to allow
IPSec traffic to pass?
(2) If not, how is it that IPSec is working on all 5 DCs?
(3) On Windows 2003 Server SP2, does IPSec traffic bypass the firewall by
default? I do not have the "Windows Firewall: Allow authenticated IPSec
bypass" policy configured.
(4) Would the above-mentioned policy setting be the best way to get around
this problem? If so, I need some help with the SDDL string. My DCs are in an
OU but not in a group. Must I create a group for them in order to be able to
have an SID for the SDDL?
bb
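
An added example, not part of the original thread: a small Python check that reads a Windows Firewall port-exception list and reports whether the IKE port the reply points to (UDP 500) has an enabled entry. It assumes the `port:transport:scope:status:name` entry layout with TCP or UDP as the transport; the function names and the third, constructed entry are hypothetical.

```python
import re

# Assumed entry layout: port:transport:scope:status:name, transport TCP or UDP.
ENTRY = re.compile(r"^(?P<port>[^:]+):(?P<transport>[^:]+):(?P<scope>[^:]+):"
                   r"(?P<status>[^:]+):(?P<name>.+)$")

# The reply points at UDP port 500, which IKE uses to negotiate IPSec.
# ESP (50) and AH (51) are IP protocol numbers, not TCP/UDP ports.
REQUIRED_PORTS = {("UDP", 500): "IKE"}


def parse_entry(line):
    """Return (entry_dict, problems) for one exception-list line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None, ["not in port:transport:scope:status:name form"]
    e = m.groupdict()
    problems = []
    e["transport"] = e["transport"].strip().upper()
    if e["transport"] not in ("TCP", "UDP"):
        problems.append("transport %r is not TCP or UDP" % m.group("transport"))
    if not e["port"].isdigit() or not 1 <= int(e["port"]) <= 65535:
        problems.append("port %r is not 1-65535" % e["port"])
    if e["status"].lower() not in ("enabled", "disabled"):
        problems.append("status %r is not enabled/disabled" % e["status"])
    return e, problems


def audit(lines):
    """Report invalid entries and required IPSec ports with no enabled rule."""
    invalid, opened = {}, set()
    for line in lines:
        entry, problems = parse_entry(line)
        if problems:
            invalid[line] = problems
        elif entry["status"].lower() == "enabled":
            opened.add((entry["transport"], int(entry["port"])))
    missing = [f"{t} {p} ({why})" for (t, p), why in REQUIRED_PORTS.items()
               if (t, p) not in opened]
    return {"invalid": invalid, "missing": missing}


# The two entries from the post, then a constructed list that adds IKE.
POSTED = ["50:ip protocol:*:enabled:IPSec ESP", "51:ip protocol:*:enabled:IPSec AH"]
CONSTRUCTED = POSTED + ["500:UDP:*:enabled:IKE"]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, audit(rules))
```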


