As we said, the traffic between the client and the DA server is encrypted using IPsec, over two distinct tunnels. The first is referred to as the infrastructure tunnel (also known as the "computer" tunnel); Windows establishes it as soon as it detects the need to enable DA, even before a user has logged on to the computer. This tunnel can be used to access domain resources and management servers. For example, it can be used to resolve DNS queries, update group policy, or download antivirus or Windows updates from an internal WSUS server. The second tunnel is referred to as the intranet tunnel (also known as the "user" tunnel). This is the tunnel that actually lets the user connect to the rest of the organizational network.
From a user's perspective, this is not visible, but it's important to understand for two reasons. First, it is up to you to choose whether you want to allow full intranet access, or just remote management. Full intranet access will establish...