none
IP Sec and Windows Server 2012

    Question

  • I have a new Windows Server 2012 box in the DMZ and have imported an IPSec policy from the old 2008R2 DMZ server that was replaced by the 2012 box mentioned before.  The IPSec policy was made so that the DMZ can communicate with my Domain Controllers.  This policy worked perfectly on the old 2008 box.  I imported this policy to the 2012 box and am now having issues logging into the new 2012 box.  After I've inputted my credentials, it takes from 3-7 minutes for me to actually login and see my desktop.  I turned on verbose logging and it seems to hang on "applying user settings", I've searched everywhere for this issue and have tried the several fixes suggested (mind you these fixes were for 2008 and below) to no avail.  After about two weeks of research and testing I now come here to ask.  

    PS if I login with the local admin, there is no login issue.  I have also placed this box in the no policy group in AD in order to not receive any policy.  Thank you

    Monday, July 01, 2013 9:52 PM

Answers

All replies

  • Hello,

    please post an unedited ipconfig /all from the server so we can verify some settings. Also from a DNS server the new machine can reach.

    Assure that following ports are open in the firewall http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, July 02, 2013 7:48 AM
  • Have you tried disabling or removing the IPSec whether you will have same issue? 

    If you remove or disable the IPSec and it will not have any issues,  then you're 100% sure IPSec is the culprit.

    If still same issue, then I guess some other problem.

    http://technet.microsoft.com/en-us/library/cc770543.aspx


    Every second counts..make use of it.

    Tuesday, July 02, 2013 8:26 AM
  • It's definitely IPsec because when I disable it, all works well.  But what is getting to me is that this same config is currently being used on the old 2008 R2 machine and there is no issue like this.  Could it be that IPsec in 2012 needs to be configured differently.  

    As far as the open ports, this is the reason why I'm using IPSec, in order to tunnel all these ports into one single port in order not to need all these open ports. 

    Tuesday, July 02, 2013 4:04 PM
  • Could it be that IPsec in 2012 needs to be configured differently.  

    You could be right, try to start the IPSec configuration from scratch, and don't import the settings from 2008 R2.

    Here's a link but I'm not sure whether it will help:

    http://technet.microsoft.com/en-us/library/hh831807.aspx


    Every second counts..make use of it.

    Thursday, July 04, 2013 5:26 AM