DC Replication through ISA 2004



I have a network (3-legged). Internal (10.0.1.0/24) and Perimeter
(192.168.0.0/24) and the Internet.

I have a server running RRAS which routes traffic and acts as the NAT.

I followed this article:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx

and created the IPSec policies (Configuring IPSec Transport Mode for
DC-to-DC Communication) using machine certificates, and it works great,
which is what you would expect.

I disabled RRAS and installed ISA 2004, set up the networks so that
10.0.1.0 was internal, and 192.168.0.0 was the perimeter.
I got Internet access running and ping commands between the networks
working, and I can access POP3 and SMTP at my ISP.

I created a rule that allowed outbound traffic from internal to
perimeter on all of the required ports, and then created exactly the
same rule again for the traffic going outbound from perimeter to
internal.

But:
The Knowledge Consistency Checker (KCC) has detected that successive
attempts to replicate with the following domain controller has
consistently failed.

Attempts:
2
Domain controller:
CN=NTDS Settings,CN=SRV-03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=co,DC=uk

Period of time (minutes):
127

The Connection object for this domain controller will be ignored, and a
new temporary connection will be established to ensure that replication
continues. Once replication with this domain controller resumes, the
temporary connection will be removed.

Additional Data
Error value:
1256 The remote system is not available. For information about network
troubleshooting, see Windows Help.

This goes on for the 14 hours I left it, and replication did not take
place at all.

Please advise me as to what I may have missed.

Regards
Shaine
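A triage helper for the situation described in the post, added here as an example; it is not code from the post, from Microsoft or from ISA Server. It parses the KCC event text into its fields (peer DC, site, attempts, period, error code) and then probes the TCP ports an Active Directory replication partner must be able to reach, reporting which ones the firewall in between is blocking. The sample event is constructed from the text quoted above, the helper names (`parse_kcc_event`, `blocked_ports`, `triage`) are this example's own, and the port list is the standard set Microsoft documented for Windows 2000/2003 domain controllers, which is what ISA 2004 typically fronted.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample input: the KCC event quoted in the post, with the
# distinguished name and the error line each on a single line, as the
# Event Viewer shows them.
SAMPLE_EVENT = """The Knowledge Consistency Checker (KCC) has detected that successive
attempts to replicate with the following domain controller has
consistently failed.

Attempts:
2
Domain controller:
CN=NTDS Settings,CN=SRV-03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=co,DC=uk

Period of time (minutes):
127

Additional Data
Error value:
1256 The remote system is not available. For information about network troubleshooting, see Windows Help.
"""


@dataclass
class KccFailure:
    attempts: int
    dc_name: str      # CN of the replication partner, e.g. SRV-03
    site: str         # AD site the partner belongs to
    minutes: int      # how long the KCC has seen failures
    error_code: int   # Win32 error number on the "Error value:" line
    error_text: str


def _after_label(text: str, label: str) -> str:
    """Return the first non-empty line that follows a 'Label:' line."""
    m = re.search(re.escape(label) + r"\s*\n\s*([^\n]+)", text)
    if not m:
        raise ValueError(f"label not found in event text: {label}")
    return m.group(1).strip()


def parse_kcc_event(text: str) -> KccFailure:
    """Extract the structured fields from a KCC replication-failure event."""
    dn = _after_label(text, "Domain controller:")
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites", dn)
    if not m:
        raise ValueError(f"unexpected NTDS Settings DN: {dn}")
    code, _, msg = _after_label(text, "Error value:").partition(" ")
    return KccFailure(
        attempts=int(_after_label(text, "Attempts:")),
        dc_name=m.group(1),
        site=m.group(2),
        minutes=int(_after_label(text, "Period of time (minutes):")),
        error_code=int(code),
        error_text=msg,
    )


# TCP ports a replication partner must reach on a Windows 2000/2003 DC.
# Not probed here: the UDP counterparts (53, 88, 389, 123), the dynamic RPC
# range (TCP 1025-5000 by default on those versions) that the endpoint
# mapper hands out, and the IPSec transport-mode traffic the post relies on
# (IKE on UDP 500, ESP as IP protocol 50). A clean result is therefore
# necessary but not sufficient for replication to work through the firewall.
REPLICATION_TCP_PORTS: List[Tuple[int, str]] = [
    (53, "DNS"),
    (88, "Kerberos"),
    (135, "RPC endpoint mapper"),
    (389, "LDAP"),
    (445, "SMB / Netlogon"),
    (636, "LDAP over SSL"),
    (3268, "Global Catalog LDAP"),
    (3269, "Global Catalog LDAP over SSL"),
]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def blocked_ports(host: str, connect: Callable[[str, int], bool] = tcp_connect) -> List[Tuple[int, str]]:
    """Return the (port, service) pairs that cannot be reached on host."""
    return [(port, svc) for port, svc in REPLICATION_TCP_PORTS if not connect(host, port)]


def triage(event_text: str, connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, object]:
    """Parse the event, then probe the named partner from this machine."""
    f = parse_kcc_event(event_text)
    return {
        "peer": f.dc_name,
        "site": f.site,
        "attempts": f.attempts,
        "minutes": f.minutes,
        "error": f.error_code,
        "blocked": blocked_ports(f.dc_name, connect),
    }


if __name__ == "__main__":
    # Run on the DC that logged the event, so the probe crosses the firewall.
    result = triage(SAMPLE_EVENT)
    print(f"peer {result['peer']} in {result['site']}: error {result['error']}")
    for port, svc in result["blocked"]:
        print(f"  blocked: TCP {port} ({svc})")
```

The probe is deliberately pluggable: in the test it is replaced by a function that answers from a fixed table, so the parsing and reporting logic can be checked offline, while on a real DC the default `tcp_connect` is used. Resolving `SRV-03` by name also exercises the DNS path that replication itself depends on.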
