Posted by Steven L Umbach on July 7, 2005, 2:25 am
Note that I warned that special considerations needed to be taken into
account for domain controllers and ipsec policies should be tested first as
per below.
"Ipsec policies take quite a bit of planning and testing and
domain controllers require special consideration with exempting them for
traffic that involves authentication and Active Directory with domain
computers. The links below will explain more and the ipsec white paper on
domain isolation [last link] would be something you may want to strongly
consider. --- Steve"
What "might" work is to use netsh to unassign the domain ipsec policy and
then reboot the computer. I don't know for sure as I have never tried such.
See the link below for more details. --- Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4f05f853-2eed-4ff8-b16f-e6228c050a6b.mspx
You can manage Active Directory-based policy by using the IP Security Policy
Management console or by using the netsh ipsec static set store
location=domain command. IPSec policies that are configured and assigned for
the domain take precedence over the local, active IPSec policy on a
computer, when that computer is a member of the domain. Active
Directory-based policy overrides any local IPSec policy that is assigned,
and it adds to the persistent IPSec policy that has already been applied by
the IPSec Policy Agent, if a persistent policy has been configured
> Hello people,
>
> I was willing to try and use IPSec, and I started by first enabling a
> default rule called "Secure Server (Require Security)" as domain policy
> on a BDC (Backup Domain Controller) with Windows Server 2003 SP1.
> After a minute, every connection to the BDC and the PDC stopped from the
> clients and even from the servers.
> Seeing this, I wanted to deactivate the IPSec policy from where I
> activated it (the BDC), but I couldn't open the Snap-In; it kept erroring
> that I don't have sufficient permissions.
> So I moved to the PDC, which also hosts all 5 domain roles, and that
> worked to open the Snap-in for domain security, and from there I
> deactivated the IPSec policy.
>
> My biggest problem now is how I can revert this IPSec policy on the BDC
> if the system doesn't allow me to open the snap-in for configuration.
>
> I tried also from 'netsh ipsec', the CLI interface for editing IPSec
> policies.
>
> Please, if any of you have any clue or advice that could help me, post it.
>
> My very thanks in advance.
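The netsh approach Steve mentions, written out as an added example (not from the thread or from Microsoft's documentation): it points netsh at the Active Directory policy store, backs the store up, unassigns the policy named in the question, and then checks what the Policy Agent is actually enforcing. It assumes it is run from a command prompt as a Domain Admin on a domain controller that can still reach Active Directory; `EXAMPLE.LOCAL` and the backup file path are placeholders.

```batch
@echo off
REM Added example, not code from the thread. Assumes Windows Server 2003,
REM a Domain Admin account, and a DC that can still talk to Active Directory.
REM EXAMPLE.LOCAL and the backup path are placeholders; the policy name is
REM the default policy named in the question.

REM 1. Point the static context at the domain (Active Directory) policy store.
netsh ipsec static set store location=domain domain=EXAMPLE.LOCAL

REM 2. Back up the domain store before changing anything, so the policy can
REM    be restored later with "netsh ipsec static importpolicy".
netsh ipsec static exportpolicy file=C:\ipsec-domain-backup.ipsec

REM 3. Show the policies in the domain store and which one is assigned.
netsh ipsec static show all

REM 4. Unassign the policy that is cutting the DCs off from the domain.
netsh ipsec static set policy name="Secure Server (Require Security)" assign=n

REM 5. Confirm nothing in the domain store is still assigned.
netsh ipsec static show all

REM 6. Refresh Group Policy on this computer and show what the Policy Agent
REM    is enforcing right now (the dynamic context reflects the active policy).
gpupdate /force
netsh ipsec dynamic show all

REM If step 6 still reports the old policy, reboot as Steve suggests so the
REM Policy Agent re-reads the store.
```

Step 6 is the check worth keeping: the static store and the active policy are not the same thing, and a domain policy that has been unassigned in Active Directory can stay in force on a computer until the Policy Agent polls again or the machine is restarted. If the computer cannot reach Active Directory at all because the "Require Security" policy is blocking Kerberos and LDAP, the `location=domain` commands will fail just as the snap-in did, which is the case where the reboot becomes the only remaining step.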