Archived from groups: microsoft.public.win2000.security, microsoft.public.windows.server.security
My point was that Kerb is an AuthN mechanism, not a transport mechanism.
AD uses RPC and encrypts the RPCs it uses.
To go further, you would use IPsec to protect DC to DC replication (which is
supported, except that Kerberos can't be used as the AuthN for the IPsec
rule, it has to be certs or PSK).
As we all know, RPC is not inherently secure (which is why there are custom
crypto things going on there).
If we had it to do all over again, we might have used IPsec for DC to DC
replication. There is no real good reason not to when you look at it for a
while...
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eN2iZpu3EHA.1452@TK2MSFTNGP11.phx.gbl...
> It is. I think he was correcting my terminology? --- Steve
>
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp
>
> Using Active Directory Replication
> Replicating zones as part of Active Directory replication provides the
> following security benefits:
>
> a.. Active Directory replication traffic is encrypted; therefore zone
> replication traffic is encrypted automatically.
> b.. The Active Directory domain controllers that perform replication are
> mutually authenticated, and impersonation is not possible.
> c..
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:OA0ZzQp3EHA.404@TK2MSFTNGP10.phx.gbl...
>> Steve,
>>
>> I thought that AD replication also features some kind of encryption... At
>> least, Robert Deluca, a Microsoft expert, said so:
>>
>>
>> http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102104.mspx
>>
>> --
>> Svyatoslav Pidgorny, MVP, MCSE
>> -= F1 is the key =-
>>
>> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
>> news:OqDsyPk3EHA.1596@tk2msftngp13.phx.gbl...
>>> Kerberos isn't the transport: RPC is.
>>>
>>> You secure RPC with IPsec, not with Kerberos. Some versions of RPC are
>>> encrypted using other mechanisms in their own right (such as Exchange
>>> Server).
>>>
>>
>>
>
>
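The top post describes the one workable way to put IPsec under DC-to-DC replication: the IPsec rule must authenticate with certificates or a pre-shared key, because the Kerberos exchange itself depends on traffic to a domain controller that the rule would be protecting. The script below is an added example that is not part of the thread and not Microsoft's own guidance; it uses the NetSecurity module cmdlets (Windows Server 2012 and later, so newer than the thread), placeholder addresses and a placeholder CA name, and assumes both domain controllers already hold machine certificates from that CA. The property name `AuthenticationMethod` used in the check is assumed to match the module's proposal objects.

```powershell
# Added example, not from the thread: require IPsec between two domain
# controllers using machine-certificate authentication rather than Kerberos.
# Run as an administrator on each DC, swapping $localDc and $peerDc on the
# partner. All values below are placeholders.

$localDc = '10.0.0.10'            # this DC (placeholder)
$peerDc  = '10.0.0.11'            # replication partner (placeholder)
$rootCa  = 'CN=Example Root CA'   # CA that issued the machine certificates (placeholder)

# Phase 1 (main mode) authentication: machine certificate chained to $rootCa.
# Deliberately not -Kerberos: Kerberos cannot bootstrap a rule that guards the
# DC-to-DC traffic it needs, so cert or PSK are the only options here.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $rootCa -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'DC replication cert auth' -Proposal $certProposal

# Require IPsec in both directions for every packet between the two DCs,
# which covers the RPC endpoint mapper plus the dynamic RPC ports replication uses.
$rule = New-NetIPsecRule -DisplayName 'Require IPsec for DC replication' `
    -LocalAddress $localDc -RemoteAddress $peerDc `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name

# Check 1: confirm the rule's phase 1 proposals contain no Kerberos method.
# (AuthenticationMethod is assumed to be the property name on the proposal objects.)
$methods = $rule | Get-NetIPsecPhase1AuthSet | Get-NetIPsecAuthProposal |
    Select-Object -ExpandProperty AuthenticationMethod
if ($methods -match 'Kerb') {
    Write-Warning "Rule '$($rule.DisplayName)' relies on Kerberos; replace with cert or PSK."
} else {
    Write-Output "Phase 1 methods for '$($rule.DisplayName)': $($methods -join ', ')"
}

# Check 2: after replication traffic has flowed, a main mode SA to the peer
# should exist. Its absence means traffic is being blocked or falling back.
$sa = Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $peerDc }
if ($sa) {
    Write-Output "Main mode SA established with $peerDc"
} else {
    Write-Warning "No main mode SA with $peerDc yet; trigger replication (repadmin /replicate) and re-check."
}
```

Scoping the rule by the DC pair's addresses rather than by port avoids chasing the dynamic RPC port range; if replication is pinned to a fixed port via the registry, the rule can be narrowed with `-Protocol TCP -RemotePort` instead.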