Step 5: Creating Exemption Rules for Computers that are Not Domain Members

  • Article

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this step, you add a rule to your domain isolation GPO to exempt all DNS servers on the network from the domain isolation authentication requirements.

Note

DNS is used here to serve as a simple example. If the computers on the network are all running Windows Vista or later versions of Windows, or if they can run the Simple Policy Update for Windows Server 2003 and Windows XP (https://go.microsoft.com/fwlink/?LinkID=94767), then you typically do not need to add DNS exemption rules as illustrated here in a production environment. Fewer exemption rules means less complexity for your connection security and firewall rule GPOs. Create exemption rules only for those services that need them.

To modify your domain isolation GPO to exempt DNS servers

  1. On MBRSVR1, switch to the Group Policy Management Editor that has the Domain Isolation GPO open.

  2. In the navigation pane, navigate to and expand Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, right-click Connection Security Rules, and then click New rule.

  3. On the Rule Type page, click Authentication exemption, and then click Next.

  4. On the Exempt Computers page, click Add.

  5. In the IP Address dialog box, click Predefined set of computers.

  6. Click the list to expand it, select DNS servers, and then click OK.

Note

As implemented on the client computer that receives this GPO, DNS Servers is interpreted to mean the DNS servers that are currently configured on the client computer.

  1. Back on the Exempt Computers page, click Next.

  2. On the Profile page, clear the Private and Public check boxes, and then click Next.

  3. On the Name page, type Exempt DNS servers from domain isolation, and then click Finish.

    The new rule appears in your GPO.

Note

You can use a network traffic analyzer such as Microsoft Network Monitor to see the network packets before and after you apply this rule to confirm that IPsec attempts are not made to the DNS server after the exemption rule is applied. To download Network Monitor, see Microsoft Network Monitor at https://go.microsoft.com/fwlink/?LinkID=94770. Look for the download links in the left-hand column.

Next topic: Isolating a Server by Requiring Encryption and Group Membership