1)In my experience, yes all dc's. 2)None that I can think of. Might want to do this to clients that are having to authenticate over VPN conn. 3)In my case, when the Kerberos was allowed over UDP it caused many issues. When it was forced over TCP all problems were resolved. 4)Yes, IPSEC over WAN connections. 5)Haven't heard any complains.
Read the following article by Joe, it makes some good points about it - http://www.mail-archive.com/[email protected]/msg40624.html -Sergio -----Original Message----- From: Danny [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 26, 2006 1:44 PM To: [email protected] Subject: Re: [ActiveDir] Forcing Kerberos to use TCP instead of UDP On 4/26/06, Olivarez, Sergio J Mr CTNOSC/GD-NS wrote: > Many times! What is your concern? 1) Does this change need to be made to all DC's? 2) What changes need to be made to clients and/or GPO's? 3) Will this have a short (or long) term negative impact to operations? 4) Has this been a solution for you with broken AD trusts between site to site VPN connections? 5) Is there any affect on over network traffic? Thanks, ...D List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
