IPSEC Communication between Domain Controllers

    Question

  • Hi,

    We have a small guest network with two DCs which are separated by firewalls. We have created IPsec between the DCs so that we need not open all replication ports in the firewall. A pre-shared key is used for this, and the IPsec policy is applied using Group Policy. All is working fine; however, we need to test changing the pre-shared key password, and I have a doubt. When I change the pre-shared key password in the policy by connecting to one DC, the communication will stop immediately because of the password mismatch. How will the other DC get this password when communication stops and replication is hampered?

    If I change the password in the policy using the other DC as well, then after replication resumes there will be a conflict in the policy.

    Please suggest how to do that.

    Friday, October 07, 2016 7:46 AM

Answers

  • Hi,

    Thanks for your post.

    I did some research on your requirement and could not find a way to complete this task.

    Would you please tell us the purpose of this task? Do you want to increase the security?

    According to my research, pre-shared key authentication is not recommended by Microsoft because it is a relatively weak authentication method.

    A way to increase the security of a pre-shared key is encrypting it with a PIN. Check this:

    Including a Preshared Key:

    http://technet.microsoft.com/en-us/library/dd672872(v=WS.10).aspx

    In addition to a pre-shared key, IPsec allows two other ways of authentication: the Kerberos V5 protocol and certificate-based authentication. The Kerberos version 5 authentication protocol is the default authentication technology in Windows Server 2008 R2. For more information, please refer to the link below:

    IPsec Authentication:

    http://technet.microsoft.com/en-us/library/cc772338.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 10, 2016 9:04 AM
    Moderator
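The answer above recommends moving the DC-to-DC IPsec rule from a pre-shared key to Kerberos or machine-certificate authentication. The script below is an added example, not code from the original post or from Microsoft: it builds the GPO-stored IPsec rule with the Windows NetSecurity cmdlets and lets you pick the Phase 1 authentication method, so the weak pre-shared-key variant sits beside the two recommended ones. The domain, the GPO name, the DC addresses and the CA subject are placeholder assumptions; replace them with your own values. It must be run as a user who can edit the GPO, on a host with RSAT/Group Policy management installed.

```powershell
<#
  Added example (not from the original post or from Microsoft's answer).
  Creates one IPsec rule in a GPO that protects traffic between two DCs,
  with a selectable Phase 1 (main mode) authentication method.
  All names below are assumptions to be replaced.
#>

function New-DcReplicationIPsecRule {
    [CmdletBinding()]
    param(
        # GPO that already applies to both DCs, in "domain\GPO name" form.
        [string]$PolicyStore = 'corp.example\DC IPsec Policy',   # assumption
        [string]$LocalDc     = '10.0.1.10',                      # assumption
        [string]$RemoteDc    = '10.0.2.10',                      # assumption
        [ValidateSet('Kerberos', 'Certificate', 'PreSharedKey')]
        [string]$AuthMethod  = 'Kerberos',
        # Only used with -AuthMethod Certificate: subject of the root CA that
        # both DCs trust and that issued their machine certificates.
        [string]$RootCaSubject = 'CN=Corp Root CA',              # assumption
        # Only used with -AuthMethod PreSharedKey.
        [string]$PreSharedKey
    )

    # Edit the GPO inside a session so every object lands in a single save.
    $gpo = Open-NetGPO -PolicyStore $PolicyStore

    $proposal = switch ($AuthMethod) {
        'Kerberos' {
            # Computer Kerberos: each DC proves its machine account identity.
            New-NetIPsecAuthProposal -Machine -Kerberos
        }
        'Certificate' {
            # Machine certificate chained to the named root CA.
            New-NetIPsecAuthProposal -Machine -Cert `
                -Authority $RootCaSubject -AuthorityType Root
        }
        'PreSharedKey' {
            if (-not $PreSharedKey) { throw 'PreSharedKey is required for this method.' }
            # Weak variant: the key is written into the GPO in clear text and is
            # readable by every principal that can read the GPO.
            New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
        }
    }

    $authSet = New-NetIPsecPhase1AuthSet -DisplayName "DC-DC Phase1 ($AuthMethod)" `
        -Proposal $proposal -GPOSession $gpo

    # Require IPsec in both directions for all traffic between the two DCs.
    New-NetIPsecRule -DisplayName 'DC to DC replication' `
        -LocalAddress $LocalDc -RemoteAddress $RemoteDc `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $authSet.Name -GPOSession $gpo | Out-Null

    Save-NetGPO -GPOSession $gpo
}

function Test-DcIPsecSa {
    # Run on one DC after the policy has applied: trigger an IKE negotiation
    # by connecting to the other DC, then show the resulting main mode SA.
    param([string]$RemoteDc = '10.0.2.10')                       # assumption
    Test-NetConnection -ComputerName $RemoteDc -Port 389 | Out-Null
    Get-NetIPsecMainModeSA |
        Where-Object { $_.RemoteEndpoint -eq $RemoteDc } |
        Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod,
                      LocalFirstId, RemoteFirstId
}

# Usage (run once, against the GPO; both DCs receive it on the next policy refresh):
#   New-DcReplicationIPsecRule -AuthMethod Kerberos
#   gpupdate /force    # on each DC, then:
#   Test-DcIPsecSa
```

With the Kerberos or Certificate option the credential that authenticates the tunnel is the DC's machine account password or its machine certificate, both of which rotate on their own schedule without any change to the GPO, which is why the rollover problem described in the question does not arise there. The IKE exchange itself (UDP 500 and 4500) and the protected ESP/AH traffic still have to be allowed through the firewall between the two DCs.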

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Wednesday, October 19, 2016 8:51 AM
    Moderator