Mapping drives and Encryption


  #1  
Old 01-05-2006, 04:17 AM
Michael W White

We are mapping drives from Windows 2000 and Windows XP workstations to
Windows 2000 Server and Windows Server 2003.
Is the communication between the workstations and the servers encrypted?
What do we need to do to encrypt the traffic between the workstations and
the servers with respect to the mapped drives?


  #2  
Old 01-05-2006, 04:17 AM
Kerry Brown

"Michael W White" <michael.wm.white@worldnet.att.net> wrote in message
news:OujAEGO2FHA.476@TK2MSFTNGP15.phx.gbl...
> We are mapping drives from Windows 2000 and Windows XP workstations to
> Windows 2000 Server and Windows Server 2003.
> Is the communication between the workstations and the servers encrypted?


Not by default

> What do we need to do to encrypt the traffic between the workstations and
> the servers with respect to the mapped drives?
>
>


You need to set up IPSec. It's lots of fun :-)

http://www.microsoft.com/windows2000...c/default.mspx

http://www.microsoft.com/windowsserv...c/default.mspx

http://www.microsoft.com/downloads/d...DisplayLang=en

http://www.microsoft.com/technet/pro...d41ccf956.mspx

Kerry


  #3  
Old 01-05-2006, 04:17 AM
Steven L Umbach

You would need to use ipsec and have an ipsec require policy on the servers
and an ipsec client/respond policy on the workstations. This is fairly easy
to set up in a domain via Group Policy but DANGER WILL ROBINSON -- ipsec
can not be used to protect traffic with ESP/AH for network traffic between
domain controllers and domain computers for any traffic involved in
authentication which would include ports/protocols used for file and print
sharing. So if these servers are domain controllers ipsec is out of the
question. If they are not then your ipsec require policy on the servers
would need to have a mirrored rule with a filter set that includes the IP
addresses of the domain controllers with a permit filter action. Never ever
assign an ipsec require policy to the domain or the domain controllers
container no matter what you read anywhere. Failure to heed such can cause
your domain to have lots of problems that would be a huge Excedrin
headache. --- Steve

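A worked version of the layout Steve describes above (a require policy on the file servers with a permit exemption for the domain controllers, a respond-only policy on the workstations) together with the check he asks for later in the thread, as an added example that is not from any poster here; it assumes the netsh ipsec static context of Windows Server 2003 / XP SP2, and the two domain controller addresses are constructed placeholders.

```batch
@echo off
rem Added example, not from the thread. Run on each FILE SERVER (member server).
rem Never assign this policy to the domain or the Domain Controllers OU:
rem with no clear-text path to the KDC, Kerberos logon itself breaks.

set POLICY=Require IPsec - file servers
rem Constructed placeholder addresses for the domain controllers
set DC1=192.0.2.10
set DC2=192.0.2.11

netsh ipsec static add policy name="%POLICY%" description="ESP for SMB, DCs exempt" activatedefaultrule=no

rem Filter list 1: all traffic to/from this host (mirrored = both directions)
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem Filter list 2: the domain controllers, which must stay in the clear
rem (Kerberos, LDAP, DNS, and SMB 139/445 are all used during authentication)
netsh ipsec static add filterlist name="Domain controllers"
netsh ipsec static add filter filterlist="Domain controllers" srcaddr=me dstaddr=%DC1% protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="Domain controllers" srcaddr=me dstaddr=%DC2% protocol=ANY mirrored=yes

rem Filter actions: negotiate ESP and refuse clear text (inpass=no, soft=no),
rem versus a plain permit for the exemption
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"
netsh ipsec static add filteraction name="Permit clear" action=permit

rem Rules: Windows IPsec applies the most specific matching filter, so the
rem DC filter (single addresses) wins over the catch-all "any" filter
netsh ipsec static add rule name="Require ESP from everyone" policy="%POLICY%" filterlist="All traffic" filteraction="Require ESP" kerberos=yes
netsh ipsec static add rule name="Exempt domain controllers" policy="%POLICY%" filterlist="Domain controllers" filteraction="Permit clear"

rem Assign the policy in the local store (Group Policy is the alternative)
netsh ipsec static set policy name="%POLICY%" assign=y

rem ---- Workstation side: the built-in respond-only policy is sufficient ----
rem netsh ipsec static set policy name="Client (Respond Only)" assign=y

rem ---- Check: after a client maps a drive, the server should list a
rem quick-mode SA using ESP with that client's address; none should appear
rem for the DC addresses, and a reboot with cached logons disabled must still
rem let a domain user log on.
rem netsh ipsec dynamic show qmsas
```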
  #4  
Old 01-05-2006, 04:17 AM
Kerry Brown

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:tZadnU7cCoG-9cDenZ2dnUVZ_sudnZ2d@comcast.com...
> You would need to use ipsec and have an ipsec require policy on the servers
> and an ipsec client/respond policy on the workstations. This is fairly
> easy to set up in a domain via Group Policy but DANGER WILL ROBINSON --
> ipsec can not be used to protect traffic with ESP/AH for network traffic
> between domain controllers and domain computers for any traffic involved
> in authentication which would include ports/protocols used for file and
> print sharing. So if these servers are domain controllers ipsec is out of
> the question. If they are not then your ipsec require policy on the
> servers would need to have a mirrored rule with a filter set that includes
> the IP addresses of the domain controllers with a permit filter action.
> Never ever assign an ipsec require policy to the domain or the domain
> controllers container no matter what you read anywhere. Failure to heed
> such can cause your domain to have lots of problems that would be a huge
> Excedrin headache. --- Steve
>


What problems have you encountered with IPSec on domain controllers? I have
only set it up a few times in 2000 domains and didn't have any problems. I
haven't set it up in 2003 domain. Also most of the setups only had one
domain controller. In a 2000 domain with two domain controllers on one
subnet with all traffic using IPSec it worked fine. I can see with routers
and firewalls involved where it might get tricky.

Kerry


  #5  
Old 01-05-2006, 04:17 AM
Steven L Umbach

I ran into problems when I first started testing ipsec. Anytime I tried to
use ipsec where domain controllers were involved the domain user could not
logon to the domain computer after rebooting [cached logons were disabled].
The reason is that the domain controllers are also the KDC and the computer
could not authenticate with the domain controller because the domain
controller insisted on authentication before allowing communications which
made authentication impossible. So then I tried using a request ipsec policy
for the domain controller and it still would not work. Creating exemptions
for the ports/protocols used for authentication did not work and even if
they did you would make the ipsec policy almost useless for any degree of
protection by creating that many exemptions as ports 139/445 TCP are used
also during authentication. This all happened when Windows 2000 was fairly
new and there was no documentation that warned about this configuration.

That has since changed and Microsoft considers using ipsec to secure
communications between domain controllers and domain members to not being
recommended and not being supported which means they will not help you with
problems resulting with such. The links below explain more. The same
behavior has been seen in Windows 2003 even if you try to use certificate
authentication for traffic between domain members and domain controllers
though the KB article does not mention that and I see the same results
whether the ipsec policy is locally configured or by Group Policy. If you can
get it to work and can confirm that ipsec is being used [ESP] for traffic
between domain computers and domain controllers without any problems
including after computer reboots with cached logons disabled be sure to let
me know! --- Steve

http://tinyurl.com/7q3bz -- link to newsgroup discussion about ipsec with
domain controllers.
http://support.microsoft.com/default...;en-us;q254949

We support the use of IPSec to encrypt network traffic in end-to-end
client-to-client, client-to-server, and server-to-server implementations
when you use either Kerberos computer authentication or when you use
certificate-based computer authentication. Currently, we do not support
using IPSec to encrypt network traffic from a domain member server to a
domain controller when you apply the IPSec policies by using Group Policy or
when you use the Kerberos authentication method.

From another Microsoft source, the Windows Server 2003 Deployment Kit:

IPSec is based on the authentication of computers on a network;
therefore, before a computer can send IPSec-protected data, it must be
authenticated. The Active Directory security domain provides this
authentication using the Kerberos protocol. Accordingly, when IKE uses
Kerberos to authenticate, the Kerberos protocol and other dependent
protocols (DNS, UDP LDAP and ICMP) are used for communication with domain
controllers. Additionally, Active Directory-based IPSec policy settings
are typically applied to domain members through Group Policy. As a
result, if IPSec is required from domain members to the domain
controllers, authentication traffic will be blocked and IPSec
communications will fail. In addition, no other authenticated connections
can be made using other protocols, and no IPSec other policy settings can
be applied to that domain member through Group Policy. For these reasons,
using IPSec for communications between domain members and domain
controllers is not supported.



  #6  
Old 01-05-2006, 04:17 AM
Kerry Brown

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:156dnbJb78WtPsDeRVn-oA@comcast.com...
>I ran into problems when I first started testing ipsec. Anytime I tried to
>use ipsec where domain controllers were involved the domain user could not
>logon to the domain computer after rebooting [cached logons were disabled].
>The reason is that the domain controllers are also the KDC and the computer
>could not authenticate with the domain controller because the domain
>controller insisted on authentication before allowing communications which
>made authentication impossible. So then I tried using a request ipsec
>policy for the domain controller and it still would not work. Creating
>exemptions for the ports/protocols used for authentication did not work and
>even if they did you would make the ipsec policy almost useless for any
>degree of protection by creating that many exemptions as ports 139/445 TCP
>are used also during authentication. This all happened when Windows 2000
>was fairly new and there was no documentation that warned about this
>configuration.
>
> That has since changed and Microsoft considers using ipsec to secure
> communications between domain controllers and domain members to not being
> recommended and not being supported which means they will not help you
> with problems resulting with such. The links below explain more. The same
> behavior has been seen in Windows 2003 even if you try to use certificate
> authentication for traffic between domain members and domain controllers
> though the KB article does not mention that and I see the same results
> whether the ipsec policy is locally configured or by Group Policy. If you
> can get it to work and can confirm that ipsec is being used [ESP] for
> traffic between domain computers and domain controllers without any
> problems including after computer reboots with cached logons disabled be
> sure to let me know! --- Steve
>


It was several years ago. While taking some MCSE courses to upgrade to 2000
we set up IPSec in the classroom between about a dozen domain controllers
and verified that replication was taking place. A few weeks later I had to
do it in the real world and the only problem I remember was getting the
certificate server setup right.

As I read the MS link you posted the only unsupported configuration I can
see is a member server to a domain controller:

" We support the use of IPSec to encrypt network traffic in end-to-end
client-to-client, client-to-server, and server-to-server implementations
when you use either Kerberos computer authentication or when you use
certificate-based computer authentication. Currently, we do not support
using IPSec to encrypt network traffic from a domain member server to a
domain controller when you apply the IPSec policies by using Group Policy or
when you use the Kerberos authentication method. "

Later it also specifically says that dc to dc and gc to gc replication are
supported.

I read through the other link you provided as well. I haven't used IPSec for
a long time so much of it was beyond me but I don't see anything in there to
preclude using IPSec for normal domain traffic. I'll have to take your word
for it as I don't currently have time to test it for myself :-)

Kerry


  #7  
Old 01-05-2006, 04:17 AM
Steven L Umbach

I don't know why the KB specifies servers when it really means domain
computers and is clarified in the info from the Windows 2003 Deployment kit
as shown below. This has also been a topic of discussion on the Microsoft
ipsec newsgroup involving those on the ipsec team at MS being asked if this
will be remedied in the future. Ipsec is supported for domain controller to
domain controller traffic. Global catalog servers are also domain
controllers. --- Steve

"As a result, if IPSec is required from domain members to the domain
controllers, authentication traffic will be blocked and IPSec
communications will fail. In addition, no other authenticated connections"

