Re: sysvol replication breaks when IPSec running between DCs & fir

---

• From: brad <piraparana@xxxxxxxxxxxxxxxx>
• Date: Fri, 16 Jan 2009 11:49:04 -0800

---

Miles,

thank you very much for your responses. I'm sorry but I still do not have a
full grasp of what needs to be done so I am writing to clarify my needs and
to ask more questions.

I am trying to implement the "encapsulate domain controller traffic inside
IPSec" as per as per Steve Riley

http://technet.microsoft.com/en-us/library/bb727063.aspx

Riley says" For IPSec replication and IPSec or PPTP promotion, configure
your firewall to permit the following."

IPSec ESP, encapsulated security payload
IP protocol 50

IPSec AH, authenticated header
IP protocol 51


The problem is, I do not know the syntax for allowing exceptions for IP
protocols. Since IP Protocols use a protocol ID number instead of port
numbers, I do not know how to write a firewall rule to ensure that IP
Protocols 50 and 51 are allowed through the firewall. I need to know how to
define a port exception in a group policy for these two IP Protocols. I know
how to write the rules for TCP and UDP but not for IP Protocol. Can you
please spell out for me exactly how to write the necessary firewall rules?

Not to confuse things, but Riley seems to contradict what you say about
IPSec ESP and AH protocols not being seen by the firewall. Are you saying
that I do not need to worry about creating the rules because these bypass the
firewall anyway?

Riley says you can "Encapsulate domain controller (DC-to-DC) traffic inside
IP Security Protocol (IPSec) and open the firewall for that", so that is what
I would like to do. However, if I can't get IPSec to work through the
firewall, I would be quite happy to configure it to bypass the firewall, but
I am also running into an issue with that.

I don't know what the SID of the domain controllers group is. Our domain
controllers are not in a GROUP, they are in an OU, so how can I find out what
the domain controller group SID is? Must I create a group and put the domain
controllers in it? If I do that, what are the potential repercussions of
placing domain controllers in a group?

I appreciate your comment about not recommending IPSec for DCs but I think I
am getting it close, it is working for some of the DCs so I don't want to
have to back out now.

Thanks for your help!
--
bb


"Miles Li [MSFT]" wrote:

Hello,

Thank you for posting here.

According to your description, I understand that:

The FRS replication between DCs blocks when you enable the IPSec to encrypt
network traffic between DCs.

If I have misunderstood the problem, please don't hesitate to let me know.

Suggestions:
========================
(1) DO I have the syntax correct for the Windows firewall rule to allow
IPSec traffic to pass?
(2) If not, how is it that IPSec is working on all 5 DCs?
(3) On Windows 2003 Server SP2 ; does IPSec traffic bypass the firewall by
default? I do not have the "Windows Firewall:Allow authenticated IPSec
bypass" policy configured.

Answer: From my knowledge, the IPsec exists underneath the Windows Firewall
(IPnat.sys). IPsec is in the network layer below ICF or Windows Firewall.
IKE is layered above ICF or Windows Firewall. Because of this, ICF or
Windows Firewall should statically permit IKE (UDP port 500) inbound, and
will not see IPsec AH or ESP protocols, but the TCP or UDP traffic after
IPsec has decapsulated it in the receive processing. If IPsec blocks
traffic, the ICF or Windows Firewall dropped packet log will not contain
the packets that IPsec discarded.

811832 IPsec default exemptions can be used to bypass IPsec protection
in Some Scenarios
http://support.microsoft.com/default.aspx?scid=kb;EN-US;811832



(4) Would the above-mentioned policy setting be the best way to get around
this problem? If so, I need some help with the SDDL string. My DCs are in
an OU but not in a group. Must I create a group for them in order to be
able to have an SID for the SDDL?

Answer: To isolate the issue to verify whether the issue is related to
IPSec or Windows Firewall, you may try to temporarily disable the Windows
Firewall on all DCs to check how it work. If the issue is related to the
Windows Firewall, you may configure the "Windows Firewall:Allow
authenticated IPSec bypass" policy to bypass the IPsec traffic for Domain
Controller group. You can input the SDDL string such as:

O:DDG:DDD:(A;;RCGW;;;S-1-5-<yourname_ID>-516)

Please replace the S-1-5-<yourname_ID>-516 with the SID of the domain
controllers group in your domain. A SID with RID 516 is the well known SID
for domain controller group in the domain.

For more SDDL Syntax information, you may refer to:

SDDL Syntax
http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html

Please understand that in Windows Server 2003 DC IPsec between DCs are not
recommended. It will result in lots of unexpected errors. Moreover, if you
want to enable the Window firewall on the DC, you may have to configure AD
and FRS to use a specific port on the RPC traffic. For more detailed
information, you may refer to:

555381 How to configure Windows Server 2003 SP1 firewall
for a Domain Controller
http://support.microsoft.com/kb/555381

Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.




Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

---

• Follow-Ups:
  • Re: sysvol replication breaks when IPSec running between DCs & fir
    • From: Miles Li [MSFT]

• References:
  • sysvol replication breaks when IPSec running between DCs & firewal
    • From: brad
  • Re: sysvol replication breaks when IPSec running between DCs & firewal
    • From: Meinolf Weber [MVP-DS]
  • Re: sysvol replication breaks when IPSec running between DCs & firewal
    • From: Miles Li [MSFT]

• Prev by Date: Re: Trust Requirements -- PDC to PDC Only?
• Next by Date: Re: Preventing logon to local accounts
• Previous by thread: Re: sysvol replication breaks when IPSec running between DCs & firewal
• Next by thread: Re: sysvol replication breaks when IPSec running between DCs & fir
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: sysvol replication breaks when IPSec running between DCs & fir ... to allow the IPSec traffic ports and protocols for IPSec should be ... The "Firewall" mentioned in the TechNet ... IPSec to encrypt the traffic instead of the Windows Firewall. ... Microsoft Online Partner Support ... (microsoft.public.windows.server.active_directory) Re: IPSEC between Member Server and Domain Controller - How? ... I am specifically trying to get Domain Member Domain Controller traffic ... to go via IPSEC when the IPSEC policy is applied using a GPO. ... > You can use the firewall log as a diagnostic tool: ... (microsoft.public.win2000.security) Re: IPSEC through firewall for DC replication ... It's the definitive guide for configuring domain controller replication ... across a firewall. ... > I am trying to use IPSEC to send Domain Controller ... > port for IPSECis port 0. ... (microsoft.public.win2000.security) IPSEC through firewall for DC replication ... I am trying to use IPSEC to send Domain Controller ... packet dropped keeps occuring at the firewall because the ... port for IPSECis port 0. ... (microsoft.public.win2000.security) AD Replication through IPSEC ... I am trying to use IPSEC to send Domain Controller ... packet dropped keeps occuring at the firewall because the ... port for IPSECis port 0. ... (microsoft.public.win2000.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)