Re: AD Replication over SonicWall site-to-site VPN
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 3 Aug 2006 18:51:54 +0100
As Anthony said, generally broadcast traffic isn't allowed between routers
(unless you have relay agents, some switches/routers that allow this, etc.).

The MTU can be an issue:
Test your MTU from the problem server by pinging the gateway of your router:
ping -f <router gateway IP> -l 1472
You will get one of three responses: the ping will return, "Packet needs to
be fragmented but DF set." or it will time out.
If the ping times out, that means a downstream router has a mismatched MTU,
and is the probable reason for your connectivity issue. Incrementally reduce
the 1472 until the ping returns.
If you get "Packet needs to be fragmented but DF set." at a low number of
less than 1400, see if you can increase the MTU without a timeout. Ideally
you would really like a number as close to 1500 as you can get. Be careful:
set the MTU to much too low a number and it would affect your network
performance.
Check the MTU max size on your router.
Also check:
Installing security update MS05-019 or Windows Server 2003 Service Pack 1
may cause network connectivity between clients and servers to fail
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060
I also thought about UDP fragmentation; do you see any Kerberos errors in
your event viewer?
By default, Kerberos authentication uses User Datagram Protocol (UDP) to
transmit its data. UDP provides no guarantee that a packet sent along the
network will reach its destination intact. Thus, in environments with a high
amount of network congestion it is common for packets to get lost or
fragmented on the way to their destination. Because the only way to decrease
the likelihood of UDP fragmentation occurring is to reduce network traffic,
a usually impractical solution, it is almost always better to configure the
Kerberos authentication service to use TCP instead of UDP. TCP provides a
guarantee that a packet that is sent will reach its destination intact and
can therefore be used in any network environment. In order to force Kerberos
authentication to use TCP, see
http://support.microsoft.com/kb/244474
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
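The ping test described above can be automated. The script below is an added example, not code from the thread or from any of the posters: it drives the same `ping -f -l <size>` probe (or the iputils `ping -M do -s <size>` equivalent on Linux, an assumption about the local ping flavour), classifies ping's output into the three outcomes the post lists (reply, "needs to be fragmented", timeout), and binary-searches for the largest payload that still gets a reply instead of stepping the size down by hand. A constructed `simulated_path` responder lets it run offline; the router gateway address and the 10.0.0.1 reply address are placeholders.

```python
"""Path-MTU probe that automates the ping -f / -l test from the post.

Added example, not part of the original thread. The three ping outcomes
(reply, "needs to be fragmented", timeout) are classified from ping's
text output; the search itself is pure Python so it can run against a
simulated responder as well as the real ping command.
"""
import subprocess
import sys
from typing import Callable, Optional

IP_ICMP_HEADER_BYTES = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
START_PAYLOAD = 1472        # 1500-byte Ethernet MTU minus the 28 header bytes


def classify(ping_output: str) -> str:
    """Map ping output to 'reply', 'fragment' or 'timeout'.

    'fragment' covers the Windows "Packet needs to be fragmented but DF set."
    text and the iputils "message too long" text. It is tested first because
    Windows prints it on a "Reply from ..." line. Anything with no echo reply
    is treated as a timeout (a black-holed probe).
    """
    text = ping_output.lower()
    if "needs to be fragmented" in text or "message too long" in text:
        return "fragment"
    if "reply from" in text or "bytes from" in text:
        return "reply"
    return "timeout"


def largest_unfragmented_payload(probe: Callable[[int], str],
                                 lo: int = 1000,
                                 hi: int = START_PAYLOAD) -> Optional[int]:
    """Binary-search the largest -l size that still gets an echo reply with DF set.

    The post reduces the size step by step; a binary search gives the same
    answer in about nine probes. Returns None if even `lo` gets no reply,
    which points at something other than MTU (a filter or a down host).
    """
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if classify(probe(mid)) == "reply":
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return best


def path_mtu(payload: Optional[int]) -> Optional[int]:
    """Convert the largest working payload back to an MTU figure."""
    return None if payload is None else payload + IP_ICMP_HEADER_BYTES


def real_ping(target: str) -> Callable[[int], str]:
    """Build a probe that runs the platform's ping with DF set and one packet."""
    def probe(size: int) -> str:
        if sys.platform == "win32":
            cmd = ["ping", "-n", "1", "-f", "-l", str(size), target]
        else:  # iputils ping on Linux (assumed): -M do sets DF, -s is the payload size
            cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(size), target]
        done = subprocess.run(cmd, capture_output=True, text=True)
        return done.stdout + done.stderr
    return probe


def simulated_path(mtu: int, icmp_blocked: bool = False) -> Callable[[int], str]:
    """Constructed responder for offline runs: a path with the given MTU.

    With icmp_blocked=True the path silently drops oversized probes, which
    is the timeout case the post attributes to a mismatched downstream MTU.
    """
    def probe(size: int) -> str:
        if size + IP_ICMP_HEADER_BYTES <= mtu:
            return "Reply from 10.0.0.1: bytes=%d time=1ms TTL=64" % size
        if icmp_blocked:
            return "Request timed out."
        return "Reply from 10.0.0.1: Packet needs to be fragmented but DF set."
    return probe


if __name__ == "__main__":
    # Usage: python mtu_probe.py <router gateway IP>   (no argument: simulated 1400-byte path)
    probe = real_ping(sys.argv[1]) if len(sys.argv) > 1 else simulated_path(1400)
    best = largest_unfragmented_payload(probe)
    print("largest payload:", best, "-> path MTU:", path_mtu(best))
```

The search assumes the path behaves monotonically (every size below the limit replies, every size above it fails), which is the normal case for a fixed tunnel overhead. Whether the failures show up as the "needs to be fragmented" message or as silent timeouts is itself diagnostic, as the post says: timeouts mean the router that is too small is not sending the ICMP error back.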
"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message
news:O0eH5jwtGHA.5076@xxxxxxxxxxxxxxxxxxxxxxx
The normal problem here is MTUs. The VPN tunnel reduces the MTU size but
forgets to tell the servers. Packets fragment and replication fails. I
can't tell you the right solution for your network but you can experiment
using the knowledgebase stuff about defining MTU size on the servers. It's
fairly harmless to experiment as reducing the MTU size just affects
efficiency. I don't like manually setting the server MTU size as a
solution though.
Anthony
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OC96s9vtGHA.5056@xxxxxxxxxxxxxxxxxxxxxxx
Inline
Is it safe to infer that, by virtue of the VPN to VPN connection, no ports
would be blocked? As I said, I have seen the firewall rules and know that
there are no explicit prohibitions on any of the ports required.
This depends on the firewall; we have some firewalls on which we can
restrict VPN traffic.
To be sure, run this:
Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099/
If everything is OK, then make sure that the servers have the correct
gateway, that the network is fully routed, and that the DNS is set up
correctly.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Markb1118" <Markb1118@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C76A63F7-DA97-42F1-8FCF-AE102D612470@xxxxxxxxxxxxxxxx
Thank you for the reply Jorge.
All of the servers can ping one another back and forth. I have previously
reviewed the articles you mentioned and have applied any and all
knowledge/fixes/etc. to no avail.
Is it safe to infer that, by virtue of the VPN to VPN connection, no ports
would be blocked? As I said, I have seen the firewall rules and know that
there are no explicit prohibitions on any of the ports required.
FWIW, I have a ticket open with the firewall vendor. Thanks again to any
and all who reply.
MB
"Jorge Silva" wrote:
Hi
Can you ping the server?
By default, Active Directory replication over RPC (Remote Procedure Calls)
takes place dynamically over an available port via the RPC Endpoint Mapper
(RPCSS) using port 135:

Application protocol                    Protocol   Ports
Global Catalog Server                   TCP        3269
Global Catalog Server                   TCP        3268
LDAP Server                             TCP        389
LDAP Server                             UDP        389
LDAP SSL                                TCP        636
LDAP SSL                                UDP        636
IPsec ISAKMP                            UDP        500
NAT-T                                   UDP        4500
RPC                                     TCP        135
RPC randomly allocated high TCP ports   TCP        1024 - 65536

832017 Service overview and network port requirements for the Windows
Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017
224196 Restricting Active Directory replication traffic to a specific port
http://support.microsoft.com/default.aspx?scid=kb;EN-US;224196
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Markb1118" <Markb1118@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FFC24485-6D01-405F-91FF-3C4A8A6CB3F9@xxxxxxxxxxxxxxxx
Boy did I get in a hurry. The most frequent reference is to the RPC Server
being unavailable.
"Markb1118" wrote:
Had a working multi-site Windows 2003 domain. Replication was happening
cleanly and on schedule. In June, implemented a SonicWall 2040 at the home
office and SonicWall TZ-170s at the remote offices and connected via
site-to-site VPN. Now, the domain controllers will not replicate. The most
frequent reference is to I have been through all of the available
troubleshooting steps and nothing has resolved the problem.
I did not do the firewall configuration but it seems pretty straightforward.
I have seen for myself that there are no rules in place restricting any
traffic on VPN to VPN connections.
Any advice, help, even the smallest tid-bit would be appreciated. Thanks in
advance.
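The port table quoted in the thread and the PortQry suggestion can be turned into a repeatable check from the problem DC. The script below is an added example, not code from the thread, from Microsoft or from PortQry: it makes a plain TCP connect to each TCP port in the table and reports the UDP entries as untested, because an unanswered UDP datagram proves nothing either way. The dynamic RPC high-port range cannot be covered by a static connect test; the optional `pinned_replication_port` argument assumes the DC's replication port has been fixed as described in KB 224196 (the KB is on the page; the pinned value is whatever you configured).

```python
"""TCP reachability check for the AD/replication ports listed in the thread.

Added example, not part of the original thread and not PortQry itself. It
makes a plain TCP connect to each TCP port in the table; UDP entries are
listed but reported as None, because a UDP send that gets no answer proves
nothing either way (PortQry uses protocol-specific probes for those).
"""
import socket
import sys
from typing import Dict, Iterable, Optional, Tuple

# Transcribed from the port table quoted in the thread.
AD_PORTS: Tuple[Tuple[str, str, int], ...] = (
    ("RPC endpoint mapper", "TCP", 135),
    ("LDAP", "TCP", 389),
    ("LDAP", "UDP", 389),
    ("LDAP SSL", "TCP", 636),
    ("LDAP SSL", "UDP", 636),
    ("Global Catalog", "TCP", 3268),
    ("Global Catalog SSL", "TCP", 3269),
    ("IPsec ISAKMP", "UDP", 500),
    ("NAT-T", "UDP", 4500),
)


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, timed out, unreachable, or name resolution failure
        return False


def check_ad_ports(host: str,
                   ports: Iterable[Tuple[str, str, int]] = AD_PORTS,
                   pinned_replication_port: Optional[int] = None,
                   timeout: float = 3.0) -> Dict[str, Optional[bool]]:
    """Check each TCP port; UDP entries map to None (not testable this way).

    pinned_replication_port is for a DC whose replication RPC port has been
    fixed per KB 224196 (an assumption; otherwise the endpoint mapper hands
    out a dynamic high port that a static connect test cannot predict).
    """
    results: Dict[str, Optional[bool]] = {}
    for name, proto, port in ports:
        key = f"{name} {proto}/{port}"
        results[key] = tcp_port_open(host, port, timeout) if proto == "TCP" else None
    if pinned_replication_port is not None:
        key = f"AD replication (pinned) TCP/{pinned_replication_port}"
        results[key] = tcp_port_open(host, pinned_replication_port, timeout)
    return results


def self_check() -> Tuple[bool, bool]:
    """Validate the checker offline: (listening loopback port, closed loopback port)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))       # grab a second free port number ...
    closed_port = spare.getsockname()[1]
    spare.close()                      # ... and release it, so nothing listens there
    try:
        return (tcp_port_open("127.0.0.1", open_port, 1.0),
                tcp_port_open("127.0.0.1", closed_port, 1.0))
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python ad_ports.py <remote DC address>   (no argument: loopback)
    dc = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for key, ok in check_ad_ports(dc).items():
        state = {True: "open", False: "BLOCKED/closed", None: "UDP, not tested"}[ok]
        print(f"{key:36} {state}")
```

Run it from the server that cannot replicate, against the DC on the far side of the tunnel. A port that connects from the LAN but not across the VPN narrows the problem to the tunnel policy rather than to DNS or routing; a port that connects but replication still fails points back at fragmentation, since the three-way handshake uses small packets that never trigger the MTU problem.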