Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective.
Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause delays for clients/apps that initially don't know they are denied when they try to access the IPSec-isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
> I highly recommend that you read
> http://www.windowsitpro.com/articles/print.cfm?articleid=37935
>
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft's site. I can't find them now, but I know that
> they exist. They show you how to restrict communication with a specific
> server or network using IPSec.
>

I think what you're referring to is the excellent "Server and Domain Isolation using IPSec" content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from TechNet:

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.
--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk ~ http://www.security-forums.com
ca: https://www.cacert.org/index.php?id=3

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx