On a recent internal discussion alias, a question came up about using IPsec to securely connect Active Directories that are separated by firewalls.  This happens to be a very common scenario for IPsec: securely replicating domain controllers on opposite sides of a firewall (or multiple firewalls).

This is a great use for IPsec, leveraging its ability to not only authenticate connections between hosts (like in Server and Domain Isolation), but also the network tunneling and encryption capabilities.  This helps reduce the number of ports you need to open in your firewalls between sites to enable AD replication and helps protect that critical traffic along the way.

Here's a bit of prescriptive guidance we have published to the IPsec site on TechNet:

Active Directory in Networks Segmented by Firewalls

Granted, it's focused on Windows 2000, but the same techniques can be applied to Windows Server 2003 and will be even easier to deploy with Windows Server "Longhorn" (thanks to all those great new networking features!).