Currently I am using IPsec request and required for all the servers except for DC and DHCP which are using exemption rule/policy. Is it possible to change to all to IPsec required instead? Are there any concerns?Kelvin Teang

Hi Kelvin, Thank you for the post. It's not recommended to enable IPSec policy on DC/DNS/DHCP/WINS server. IPSec cannot negotiate security for multicast and broadcast traffic. Though you could enable IPSec policy in all domain computers (servers and clients), you also need set DC/DNS/DHCP/WINS exemption to support workgroup laptop/network device to access your network. Special IPSec considerations http://technet.microsoft.com/en-us/library/cc757905(WS.10).aspx Introduction to Server and Domain Isolation http://technet.microsoft.com/en-us/library/cc725770(WS.10).aspx Server and Domain Isolation http://technet.microsoft.com/en-us/network/bb545651.aspx RegardsRick Tan TechNet Community Support

Hi Kelvin, Thank you for the post. It's not recommended to enable IPSec policy on DC/DNS/DHCP/WINS server. IPSec cannot negotiate security for multicast and broadcast traffic. Though you could enable IPSec policy in all domain computers (servers and clients), you also need set DC/DNS/DHCP/WINS exemption to support workgroup laptop/network device to access your network. Special IPSec considerations http://technet.microsoft.com/en-us/library/cc757905(WS.10).aspx Introduction to Server and Domain Isolation http://technet.microsoft.com/en-us/library/cc725770(WS.10).aspx Server and Domain Isolation http://technet.microsoft.com/en-us/network/bb545651.aspx RegardsRick Tan TechNet Community Support