allenj
09-27-2006, 06:55 PM
I have an environment where I need to have DC's in separate "burbs"
segmented off from the rest of the network by firewalls. We are
investigating using IPSec to make DC to DC communication operate. I
have read several posts and articles on this, but cannot determine
whether I need to build IPSec between 2 DC's (one in burb and one in
production) or whether I need to build IPSec between ALL DC's? It
appears in testing that it must be all DC's, or we start getting 1864
errors in event logs of DC's and when researching by doing DCDiags, I
see that I am getting REPLICATION RECEIVED LATENCY WARNINGS related to
the DC's in the "burb" which do not have connectivity built in via
IPSec.
any help would be appreciated
thanks
Jorge de Almeida Pinto [MVP - DS]
09-27-2006, 07:34 PM
have you seen:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
chriss3 [MVP]
09-27-2006, 09:53 PM
Hello,
Here are a few good articles as well to start with. Hope it helps.
Active Directory in Networks Segmented by Firewalls:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
Restricting Active Directory Replication Traffic to a Specific Port:
http://support.microsoft.com/default.aspx?scid=kb;en-us;224196
How to Configure a Global Catalog Server to Use a Specific Port When
Servicing MAPI Clients:
http://support.microsoft.com/default.aspx?scid=kb;en-us;298369
How to Restrict FRS Replication Traffic to a Specific Static Port:
http://support.microsoft.com/default.aspx?scid=kb;en-us;319553
How to Configure a Firewall for Domains and Trusts:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q179/4/42.asp&NoWebContent=1
--
Regards
Christoffer Andersson, TrueSec
Executive Consultant
Microsoft MVP - Directory Services
http://www.chrisse.se - Active Directory Resources
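The two KB articles above on pinning AD and FRS replication to fixed ports are what lets the firewall between the "burbs" stay narrow; the script below is an added example (not from the thread or the articles) that writes the registry values those articles name on a DC, reads them back, and then looks for the NTDS event 1864 the original question mentions. The port numbers 50000 and 50001 are placeholders chosen for the example, and Get-WinEvent assumes a DC running Windows Server 2008 or later.

```powershell
# Added example: pin AD replication (KB 224196) and FRS replication (KB 319553)
# to fixed TCP ports on a DC that sits behind a firewall, then check for
# NTDS event 1864 (a DC has not received replication from some partners
# within the configured latency interval). Run elevated on each affected DC.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$FrsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
$AdReplPort  = 50000   # placeholder value chosen for this example
$FrsReplPort = 50001   # placeholder value chosen for this example

function Set-StaticReplicationPorts {
    # Both values are REG_DWORD as documented in the KB articles;
    # the new ports are used only after the DC has been restarted.
    New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' `
        -PropertyType DWord -Value $AdReplPort -Force | Out-Null
    New-ItemProperty -Path $FrsKey -Name 'RPC TCP/IP Port Assignment' `
        -PropertyType DWord -Value $FrsReplPort -Force | Out-Null
}

function Get-StaticReplicationPorts {
    # Read back what is configured so the firewall rules can be checked against it.
    $ntds = Get-ItemProperty -Path $NtdsKey -ErrorAction SilentlyContinue
    $frs  = Get-ItemProperty -Path $FrsKey  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AdReplicationPort  = $ntds.'TCP/IP Port'
        FrsReplicationPort = $frs.'RPC TCP/IP Port Assignment'
    }
}

function Get-ReplicationLatencyEvents {
    param([int]$Days = 1)
    # Event 1864 lives in the Directory Service log; an empty result over a
    # day or two means every partner behind the firewall is replicating.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1864
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-StaticReplicationPorts
Get-ReplicationLatencyEvents -Days 1
```

After the restart, the firewall between the segments needs to pass the two chosen ports plus the RPC endpoint mapper (TCP 135) in both directions between every pair of DCs that replicate with each other.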
Paul Bergson
09-28-2006, 01:24 PM
If I'm not mistaken, if you require your dc's to perform IPSec and you
aren't multi-homed ALL (Clients too) communications will need to be IPSec.
Multi-homed is not recommended for DC's.
--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.