Re: DC Replication through ISA 2004
- From: "ZVR" <nospamever@xxxxxx>
- Date: Mon, 24 Oct 2005 23:33:19 -0400
First of all, what kind of routing relationship do you have between Internal
and Perimeter? If you have "NAT" then you configure access rules from
Internal to Perimeter and server publishing rules from Perimeter to
Internal. If you have "Route" then you can do it with access rules both
ways - probably better suited to your scenario anyway.
And I'm not sure what types of traffic you allowed, but here's the official
document from MS that deals with AD replication over firewalls:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
Virgil
"processendnow" <shainefisher@xxxxxxxxxxx> wrote in message
news:1130199336.058550.288930@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>I have a network (3-legged). Internal (10.0.1.0/24) and Perimeter
> (192.168.0.0/24) and the Internet.
>
> I have a server running RRAS which routes traffic and acts as the NAT.
>
> I followed this article:
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
>
> and created the IPSec policies (Configuring IPSec Transport Mode for
> DC-to-DC Communication) using machine certificates, and it works great,
> which is what you would expect.
>
> I disabled RRAS and installed ISA 2004, setup the networks so that the
> 10.0.1.0 was internal, and 192.168.0.0 was the perimeter.
> I got Internet access running and ping commands between the networks
> working. I can access POP3 and SMTP at my ISP.
>
> I created a rule that allowed outbound traffic from internal to
> perimeter on all of the required ports, and then created exactly the
> same rule again for the traffic going outbound from perimeter to
> internal.
>
> But:
> The Knowledge Consistency Checker (KCC) has detected that successive
> attempts to replicate with the following domain controller has
> consistently failed.
>
> Attempts:
> 2
> Domain controller:
> CN=NTDS Settings,CN=SRV-03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=co,DC=uk
>
> Period of time (minutes):
> 127
>
> The Connection object for this domain controller will be ignored, and a
> new temporary connection will be established to ensure that replication
> continues. Once replication with this domain controller resumes, the
> temporary connection will be removed.
>
> Additional Data
> Error value:
> 1256 The remote system is not available. For information about network
> troubleshooting, see Windows Help.
>
> This goes on for the 14 hours I left it, and replication did not take
> place at all.
>
> Please advise me as to what I may have missed.
>
> Regards
> Shaine
>
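A practical way to test what Virgil is getting at (the rules have to pass the replication ports in both directions, and on a NAT relationship the Perimeter-to-Internal side only works through a server publishing rule) is to probe the fixed TCP ports that the linked Microsoft document lists for DC-to-DC replication from each DC towards the other. Replication is pull-based, so a check that passes from Internal towards Perimeter says nothing about the reverse direction. The script below is an added example for this thread, not code from either poster: the port list is taken from the Microsoft document; the "pinned RPC port" option assumes the site has set the TCP/IP Port value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as that document describes, which nothing in the thread confirms; host addresses and the `dc_ports.py` filename are placeholders. In the NAT case, run it from the perimeter DC against the address the publishing rule listens on, not against the internal DC's 10.0.1.x address.

```python
"""Reachability check for the fixed TCP ports that DC-to-DC replication uses.

Added example for this thread, not code from either poster. The port list
follows the Microsoft 'Active Directory Replication over Firewalls' document
linked above; the 'pinned RPC port' option assumes the site has set the
TCP/IP Port value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters
(an assumption, not something the thread states). Run it from each DC towards
the other: replication is pull-based, so both directions must pass.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

# TCP ports AD replication relies on, per the MS document (UDP counterparts
# for DNS/Kerberos and the dynamic RPC range are not probed here).
REPLICATION_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL / FRS)",
    636: "LDAP over SSL",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAP over SSL",
}

ConnectFn = Callable[[str, int, float], bool]


def replication_ports(ntds_rpc_port: Optional[int] = None) -> Dict[int, str]:
    """Fixed ports, plus the AD replication RPC port if the site pinned it
    (ntds_rpc_port is an assumption about the site; None means unpinned)."""
    ports = dict(REPLICATION_TCP_PORTS)
    if ntds_rpc_port is not None:
        ports[ntds_rpc_port] = "AD replication RPC (pinned via NTDS TCP/IP Port)"
    return ports


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real probe: True only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_reachability(host: str, ports: Dict[int, str],
                          connect: ConnectFn = tcp_connect,
                          timeout: float = 2.0) -> Dict[int, Tuple[bool, str]]:
    """Probe every port once; connect is injectable so the logic can be
    exercised without a network."""
    return {port: (connect(host, port, timeout), label)
            for port, label in ports.items()}


def blocked_ports(results: Dict[int, Tuple[bool, str]]) -> List[int]:
    """Ports the firewall (or the host) did not let through, ascending."""
    return sorted(port for port, (ok, _) in results.items() if not ok)


def summarize(host: str, results: Dict[int, Tuple[bool, str]]) -> str:
    """Human-readable verdict for one direction of the check."""
    blocked = blocked_ports(results)
    if not blocked:
        return (f"{host}: all fixed replication ports reachable; if KCC still "
                "reports error 1256, check the dynamic RPC range or pin it")
    lines = [f"{host}: {len(blocked)} port(s) blocked"]
    for port in blocked:
        lines.append(f"  {port:>5}/tcp  {results[port][1]}")
    if 135 in blocked:
        lines.append("  RPC endpoint mapper is blocked, so replication cannot "
                     "even negotiate its RPC port")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python dc_ports.py <other-DC-or-published-address> [pinned-rpc-port]
    target = sys.argv[1]
    pinned = int(sys.argv[2]) if len(sys.argv) > 2 else None
    print(summarize(target, check_dc_reachability(target, replication_ports(pinned))))
```

Run it once on each DC with the other side as target; a clean result in only one direction matches exactly the situation where the Internal-to-Perimeter access rule is fine but the reverse path is missing its publishing rule. Note that this only covers the fixed ports: if everything here passes and the KCC still logs error 1256, the dynamic RPC range the document discusses is the next thing to check.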