IPsec isolation
I tried to create a domain-based IPsec isolation policy. As soon as I created a GPO with the IPsec definition, the DC was requiring an IPsec channel, thus resulting in a strange fact: the GPO was not even replicated among other DCs, because they could not contact the PDC where the GPO was created. In effect I could not create any working IPsec isolation policy. Is there any document presenting step-by-step instructions about IPsec, or at least any technical references? I am interested in creating a scenario with 3 different security-level zones: accessible by all clients, 'trusted clients' and 'hisec servers'. I hoped to easily create such a scenario using a GPO with IPsec isolation but don't know how to create 'security boundaries' and distribute GPOs.
May 20th, 2007 2:04pm

You will have to exempt your infrastructure servers from your policies; I presume you are using Any-Any filters or a subnet filter that includes the IP of your DC; you will have to exempt the DC IP address by including a DC-specific IP <-> Any filter with action "permit" in your policy.
May 30th, 2007 5:00pm

The best place to start for technical HOWTOs for Server and Domain Isolation is our TechNet site: http://www.microsoft.com/sdisolation. There is a very extensive guide that outlines the step-by-step to planning, deploying and troubleshooting a Server and Domain Isolation deployment: http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx
May 30th, 2007 7:23pm

Those documents are providing nice theory but describing W2K3. What I wish to acquire is to use the new FWwAS feature to create domain isolation. I have found out the exemption is helpful, but the rest I am working on. The question is how to use new W2K8 features for rapid deployment of IPsec in advanced network environments. NAP is nice, but IMHO many SMB or even ENT companies would be glad to simply use IPsec features without NAP implemented; that's why I think IPsec isolation is very important to show on trainings.
May 30th, 2007 8:46pm

Got it. If you go into the Windows Firewall with Advanced Security MMC, you should be able to link to the document tree that covers the topics relevant to Windows Vista and Windows Server 2008. With the new MMC, you can create a base domain isolation policy by using the Connection Security rule wizard. As far as deploying IPsec rules, you can do that using the Windows Firewall with Advanced Security Group Policy. Please let me know if you'd like some more insights! Happy to see you're interested in Server and Domain Isolation!! - Ian
May 31st, 2007 7:52pm
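Ian's wizard-based approach and the DC exemption from the first reply, expressed as an added PowerShell example (not code from the thread or from Microsoft): it assumes Windows Server 2012 or later, where the NetSecurity cmdlets exist, an existing GPO named "Domain Isolation" in contoso.com, and placeholder DC addresses that you would replace with the real ones.

```powershell
# Added example, not from the thread: build the policy discussed above in a domain GPO
# with the NetSecurity cmdlets. Assumptions: Windows Server 2012 or later (where these
# cmdlets exist), an existing GPO named "Domain Isolation" in contoso.com, and the
# placeholder DC addresses below replaced with the real ones.
$gpo = Open-NetGPO -PolicyStore 'contoso.com\Domain Isolation'

# Placeholder addresses of the domain controllers (and any other infrastructure
# hosts, e.g. DNS, that a member must reach before it can authenticate at all).
$dcAddresses = @('10.0.0.10', '10.0.0.11')

# 1. Authentication exemption for the DCs. An auth-none connection security rule
#    scoped to specific remote addresses is the cmdlet form of the MMC's
#    "authentication exemption" rule type; without it the DCs demand IPsec from
#    each other and the GPO never replicates, which is the failure described above.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -RemoteAddress $dcAddresses `
    -InboundSecurity None -OutboundSecurity None `
    -GPOSession $gpo

# 2. Kerberos machine authentication for all other domain members.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Kerberos' `
    -Proposal $proposal -GPOSession $gpo

# 3. Base domain isolation rule: "request" outbound keeps members able to talk to
#    non-IPsec hosts during rollout; "require" inbound lets only authenticated
#    members initiate connections to them. Start with Request/Request and tighten
#    inbound to Require only after verifying SAs with Get-NetIPsecMainModeSA.
New-NetIPsecRule -DisplayName 'Domain isolation (request out, require in)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -GPOSession $gpo

# Write the rules back into the GPO so they replicate with AD/SYSVOL.
Save-NetGPO -GPOSession $gpo
```

Link the GPO to the OU holding the member computers, not to the Domain Controllers OU, and keep the exemption rule in any GPO that carries the isolation rule.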
