AD Replication and RPC

barnski

I have a problem with AD replication. The scenario is as
follows: a single domain with two sites:

SITE A
2x AD DC's:
DC1 = First DC, 5x FSMO roles, DNS, WINS, DHCP, Exchange 2k
DC2 = DNS, GC

SITE B
1x AD DC
DC3 = DNS, DHCP, WINS

The sites are connected via VPN, each site has a 1Mb
connection.

Replication from DC1 to DC3 is fine - changes are
replicated down.

Replication from DC3 to DC1 does not work.

Directory Services Event Log gives no clues at either end.

If I try a forced Replication from AD Sites & Services
running on DC1, trying to get DC3 to replicate from DC1
(i.e. under NTDS settings for DC3), I get an "RPC Server is
unavailable" message.

If I run
dcdiag /test:connectivity /e /q
on DC1, I get:
[DC3] DsBind() failed with error 1722,
Win32 Error 1722.
......................... DC3 failed test Connectivity

I have checked DNS rigorously, and name and SRV resolution
is fine.

I have also tried using DTCPing to do RPC pings between the
servers. DC3 to DC1 is fine, but DC1 to DC3 fails, again
with RPC Server is unavailable.

All event logs on DC3 are clean; NetLogon, Server and RPC
are all running as expected.

I know RPC is poor over links with bad latency, but have
successfully opened perfmon on DC1 and watched the CPU
stats on DC3 in real-time (this used to be a test of RPC in
NT4 days, I believe).

Any ideas gratefully received - this is driving me insane.
Please reply to e-mail address as well as group.

Many Thanks,

Barnski.
 
Matjaz Ladava [MVP]

Use nslookup to verify name resolution in both directions. If those DCs are
separated by routers, check that your RPC ports (135 and ports > 1024) are
open. Is there a NAT between your DCs?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
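An added example (not part of the thread, and not Matjaz's code) of the check he describes, written for a modern Windows host: Test-NetConnection and netsh did not exist on Windows 2000, and the DC names are placeholders.

```powershell
# Added example: confirm that the RPC endpoint mapper (TCP 135) is reachable
# from this DC to each replication partner, and report the dynamic port range
# the peers must also be able to reach. Run it on both DCs to catch the
# one-directional failure described in the thread.
# Peer names are placeholders; replace with the real partner DC names.
$Peers = @('DC1.contoso.example', 'DC3.contoso.example')

foreach ($peer in $Peers) {
    # Endpoint-mapper probe: DsBind starts here, so a drop on 135 gives 1722.
    $epm = Test-NetConnection -ComputerName $peer -Port 135 -WarningAction SilentlyContinue
    if ($epm.TcpTestSucceeded) {
        Write-Output "$peer : TCP 135 (endpoint mapper) reachable"
    } else {
        Write-Output "$peer : TCP 135 BLOCKED - expect 'RPC Server is unavailable' (1722)"
    }
}

# After the mapper lookup, DRS replication connects to a dynamic high port.
# If the tunnel or firewall does not pass this whole range, the mapper query
# succeeds but the second connection fails with the same 1722 error.
$rpcInternet = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' `
                                -Name 'Ports' -ErrorAction SilentlyContinue
if ($rpcInternet) {
    # An administrator has pinned RPC to a fixed range; the tunnel must allow it.
    Write-Output "RPC dynamic ports restricted to: $($rpcInternet.Ports -join ', ')"
} else {
    # Default OS range (49152-65535 on Vista and later).
    Write-Output 'RPC dynamic port range (OS default):'
    netsh int ipv4 show dynamicport tcp
}
```

A path that passes ICMP but fails this check in one direction only is exactly the asymmetric symptom the thread describes, and points at the tunnel or firewall rather than at AD.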
 
Guest

Thanks for the prompt response.

nslookup works fine in both directions.

The VPN is a tunnel between the UNIX firewalls at the two
sites. This is a normal, routed connection as far as the
DC's are concerned - there is no NAT to consider. As far as
I can ascertain, there is no port or protocol filtering
through the VPN tunnel - everything is open in both
directions.

Any other ideas gratefully received.

Barnski.

(PS. Forgot to specify that DC3 is also a GC).
barnski

By way of an update:

Further investigation points at the VPN implementation being a cause
as:

1 - DC3 was brought back to site and a router placed between it and
the other DC's. The subnet containing DC3 was then configured as
another site in AD Sites & Services, and replication was fine both
ways across the router. This would indicate that AD configuration is
fine. The VPN tunnel should be just another routed connection as far
as AD is concerned.

2 - Other new VPN's were set up between site 2 and a third site using
the Inty firewalls (this is what they're using - it's FreeBSD based,
and actually a good product, aside from this issue!). Different types
of VPN were established (IPSEC, INT) and the RPC traffic did not
travel through in either direction at any point, although as before,
all ICMP and other traffic was fine.

3 - A completely separate lab environment was set up using a
SmoothWall VPN tunnel (SmoothWall is a Linux-based firewall and there
is a free GPL version available - the best firewall for commodity PC
hardware IMHO - see www.smoothwall.org). Two test DC's were set up,
one at either end, with AD sites and services and DNS properly
configured and replication was fine through the SmoothWall VPN tunnel.

4 - Network monitoring shows the RPC packets leaving DC1 bound for
DC3, and correctly being routed to the VPN endpoint. The packets do
not seem to be spat back out at the other end of the tunnel.

Inty are "looking into the problem", but say that they have other
sites where AD replication is fine over their VPN's. However, in those
cases, all sites are using some kind of "AD integration" for user
accounts on the Inty boxes, which we do not have (Inty also performs
user-authenticated web filtering and other services - the integration
provides synchronisation between the Inty user accounts and the AD
user accounts; a service is installed on the DC's to achieve this).
Other than that, no explanation can be given.

As a workaround, I have used a VPN within the VPN tunnel, by
establishing a Windows 2000 Server RRAS VPN between DC's 1 and 3.
Replication seems to be OK now, but it's not a very elegant solution,
and doesn't provide for replication topology changes that the KCC
might make if DC1 fails.

I will post again if I get any further.

Barnski.
