Re: Getting Active Directory replication working over firewalls & nat


Hi
*Some key points:
- Make sure that your DNS structure is correctly configured.
- Make sure that you have the needed FW ports open (check the links already
provided by others).
- Some problems regarding replication have to do with MTU size (check the
routers' default MTU).
- If you need network browsing or you have NetBIOS apps, configure WINS on
both sides.
- Sites and subnets are very important (DFS, logon process, GC locator, etc.).
- Make sure that you have a GC in each site for fault tolerance.

- More in detail:
*Sites are needed to:
- Optimize replication for speed and bandwidth consumption between domain
controllers.
- Locate the closest domain controller for client logon, services, and
directory searches.
- Direct a Distributed File System (DFS) client to the server that is
hosting the requested data within the site.
- Replicate the system volume (SYSVOL), a collection of folders in the file
system that exists on each domain controller in a domain and is required for
the implementation of Group Policy.

*FW ports:
By default, Active Directory replication over RPC (Remote Procedure Calls)
takes place dynamically over an available port via the RPC Endpoint Mapper
(RPCSS) using port 135.

Application protocol                    Protocol  Ports
Global Catalog Server                   TCP       3269
Global Catalog Server                   TCP       3268
LDAP Server                             TCP       389
LDAP Server                             UDP       389
LDAP SSL                                TCP       636
LDAP SSL                                UDP       636
IPsec ISAKMP                            UDP       500
NAT-T                                   UDP       4500
RPC                                     TCP       135
RPC randomly allocated high TCP ports   TCP       1024 - 65536

832017 Service overview and network port requirements for the Windows
Server system
http://support.microsoft.com/default.aspx?scid=kb;EN-US;832017

224196 Restricting Active Directory replication traffic to a specific port
http://support.microsoft.com/default.aspx?scid=kb;EN-US;224196

*DNS

Assuming a DNS AD-integrated zone:

- Make sure that each DNS server points to itself under NIC preferred DNS. If
the server IP address is 192.168.0.1, then the preferred DNS should also be
192.168.0.1.

- When adding additional DCs to an existing domain, and if you want to make
one a DNS server, install the DNS service, make sure that the server (the
additional DC) points to the existing DNS DC under NIC preferred DNS, then
run Dcpromo, wait or force replication (this can take a while), then check
in the DNS console, and if the DNS zone is already transferred, point the
additional DC to itself again. Also take a look at IFM (Install From Media)
on the MS site.

- Clients: Make sure that the clients only use their locally available DNS
server(s) in their NIC DNS configuration. Do not place the ISP DNS server or
any other DNS server in the client or DNS server NIC properties; this is a
common mistake. The clients should use their local DNS server to resolve all
queries. It's up to the local DNS server to handle Internet resolution, as
for any other zone that the DNS server is not authoritative for. Check the
link for configuring DNS for Internet resolution.

Note: The DNS client does not utilize each of the DNS servers listed in
TCP/IP configuration for each query. By default, on startup the DNS client
will attempt to utilize the server in the Preferred DNS server entry. If
this server FAILS to respond for any reason, the DNS client will switch to
the server listed in the alternate DNS server entry. The DNS client will
continue to use this alternate DNS server.

Best practices for DNS client settings in Windows 2000 Server and in Windows
Server 2003

http://support.microsoft.com/kb/825036/en-us

How to configure DNS for Internet access in Windows Server 2003

http://support.microsoft.com/kb/323380/

*MTU
The Cable Guy - July 2004

http://www.microsoft.com/technet/community/columns/cableguy/cg0704.mspx

How to Troubleshoot Black Hole Router Issues

http://support.microsoft.com/kb/314825/

Diagnoses and treatment of black hole routers

http://support.microsoft.com/kb/159211/


--
I hope that the information above helps you


Good Luck
Jorge Silva
MCSA
Systems Administrator

<ca99uk@xxxxxxxxxxxxxx> wrote in message
news:1157112486.487682.78230@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

we currently have a situation where we need to get Active Directory
replication working between two domain controllers that are at two
sites separated with two firewalls and routing devices. I have read a
number of Microsoft white papers but would like to hear from anyone who
has set this up and got it working and how they did it, or from anyone
that could recommend the best solution to get this working.

Thank you.

Colin.
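The firewall port list and the KB 224196 pointer in Jorge's reply can be turned into a pre-flight check. The script below is an added example, not code from the newsgroup thread or from Microsoft: run it on one domain controller, with the far-side DC name substituted for the `$PeerDc` placeholder, and it probes each TCP port from the table and reports whether the NTDS RPC port has been pinned. It assumes a Windows version with `Test-NetConnection` (Windows 8 / Server 2012 or later); the registry key and `TCP/IP Port` value name are the ones KB 224196 documents, while the port number 50000 is an arbitrary placeholder.

```powershell
# Added example (not from the newsgroup post or from Microsoft): probe the
# firewall ports listed in the reply from this DC to the DC on the far side of
# the firewall, then show whether AD replication has been pinned to a fixed
# RPC port as described in KB 224196.

$PeerDc = 'dc02.corp.example'   # placeholder: the DC on the far side of the firewall

# Port table as given in the post. UDP entries are listed but not probed: a UDP
# send cannot prove reachability through a stateful firewall.
$Ports = @(
    @{ Name = 'RPC Endpoint Mapper'; Proto = 'TCP'; Port = 135  },
    @{ Name = 'LDAP';                Proto = 'TCP'; Port = 389  },
    @{ Name = 'LDAP SSL';            Proto = 'TCP'; Port = 636  },
    @{ Name = 'Global Catalog';      Proto = 'TCP'; Port = 3268 },
    @{ Name = 'Global Catalog SSL';  Proto = 'TCP'; Port = 3269 },
    @{ Name = 'IPsec ISAKMP';        Proto = 'UDP'; Port = 500  },
    @{ Name = 'NAT-T';               Proto = 'UDP'; Port = 4500 }
)

function Test-AdReplicationPorts {
    param([string]$ComputerName, [array]$PortList)
    foreach ($p in $PortList) {
        if ($p.Proto -ne 'TCP') {
            [pscustomobject]@{ Service = $p.Name; Port = "$($p.Proto)/$($p.Port)"; Open = 'not tested (UDP)' }
            continue
        }
        # Test-NetConnection does a real TCP handshake, so a 'True' here means the
        # firewall and NAT rules for that port work end to end.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Service = $p.Name; Port = "TCP/$($p.Port)"; Open = $r.TcpTestSucceeded }
    }
}

Test-AdReplicationPorts -ComputerName $PeerDc -PortList $Ports | Format-Table -AutoSize

# The dynamically allocated high TCP ports cannot be probed this way: the endpoint
# mapper hands one out only after a successful connection to TCP 135. KB 224196
# lets you pin the NTDS replication port instead, so the firewall needs one rule
# rather than the whole high range.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Current = (Get-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
if ($null -eq $Current) {
    "NTDS replication port is dynamic (no 'TCP/IP Port' value set)"
} else {
    "NTDS replication port is pinned to TCP $Current"
}

# To pin it, run elevated on every DC that replicates across the firewall and
# restart each DC afterwards. 50000 is a placeholder; choose any unused port.
# New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value 50000 -Force
```

Pinning the port only covers NTDS replication; other services in the table (LDAP, GC, and the endpoint mapper itself on TCP 135) still need their own firewall rules, and the pinned port must then be added to the rule set on both sides.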

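The DNS rules in Jorge's reply (each DC's preferred DNS server is itself, no ISP or other foreign resolver on the NIC, DC locator records present in the AD-integrated zone) can be checked from a domain controller with the script below. It is an added example, not code from the thread; it assumes the `DnsClient` and `NetTCPIP` modules (Windows 8 / Server 2012 or later) and an AD DNS domain name substituted for the `$DomainName` placeholder.

```powershell
# Added example (not from the newsgroup post): verify a DC's DNS client settings
# against the rules in the reply, and confirm the domain's DC locator SRV
# records resolve.

$DomainName = 'corp.example'   # placeholder: your AD DNS domain name

function Get-DomainControllerAddresses {
    param([string]$Domain)
    # Every DC registers an SRV record under _msdcs; a missing record is itself a
    # sign that dynamic registration into the AD-integrated zone is not working.
    $Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $Srv) {
        $A = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        foreach ($addr in $A) { $addr.IPAddress }
    }
}

function Test-DcDnsClientConfig {
    param([string]$Domain)
    $LocalIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $DcIPs    = @(Get-DomainControllerAddresses -Domain $Domain)

    $Adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($Adapter in $Adapters) {
        $Preferred = $Adapter.ServerAddresses[0]
        # A resolver that is neither this DC nor another DC of the domain is
        # foreign; an ISP resolver on a DC or client NIC is the mistake the reply
        # warns about.
        $Foreign = $Adapter.ServerAddresses |
            Where-Object { ($LocalIPs -notcontains $_) -and ($DcIPs -notcontains $_) }
        [pscustomobject]@{
            Interface      = $Adapter.InterfaceAlias
            Preferred      = $Preferred
            PointsToSelf   = [bool]($LocalIPs -contains $Preferred)
            ForeignServers = ($Foreign -join ', ')
        }
    }
}

Test-DcDnsClientConfig -Domain $DomainName | Format-Table -AutoSize
```

On a DC that has just been promoted and is still waiting for the zone to replicate, `PointsToSelf` is expected to be `False` with an empty `ForeignServers` column (it points at the existing DNS DC, as the reply describes); once the zone has arrived and the preferred server is switched back to the DC itself, the check should report `True`. Any non-empty `ForeignServers` value is a setting to remove.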

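The MTU point in Jorge's reply (a router on the path dropping large packets, the "black hole router" of the linked KB articles) can be tested with the Don't Fragment flag. The script below is an added example, not from the thread or from Microsoft: it binary-searches the largest packet that reaches the peer DC with `ping.exe -f`, and flags the path as a black hole suspect when packets are lost without any router reporting that fragmentation was needed. It assumes an English-language `ping.exe` (the output strings are matched literally), ICMP echo allowed through the firewall, and a peer DC name for the `$PeerDc` placeholder.

```powershell
# Added example (not from the newsgroup post): measure the path MTU to the peer
# DC and detect a black hole router. ping -l takes the ICMP payload size; the
# IP and ICMP headers add 28 bytes, so a 1500-byte packet is -l 1472.

$PeerDc = 'dc02.corp.example'   # placeholder: the DC on the far side of the firewall

function Find-PathMtu {
    param([string]$ComputerName, [int]$MinSize = 576, [int]$MaxSize = 1500)
    $Good = $MinSize       # largest total packet size known to get a reply
    $Bad  = $MaxSize + 1   # smallest total packet size known to fail
    $SawFragMsg = $false   # did any router say "needs to be fragmented"?

    # Confirm the host answers a small packet first; otherwise every probe would
    # look like a black hole.
    $Probe = & ping.exe -n 1 -w 1000 -l 32 $ComputerName 2>&1 | Out-String
    if ($Probe -notmatch 'TTL=') { throw "No ICMP reply from $ComputerName even for a 32-byte payload" }

    while ($Bad - $Good -gt 1) {
        $Mid = [int][math]::Floor(($Good + $Bad) / 2)
        $Out = & ping.exe -n 1 -w 1000 -f -l ($Mid - 28) $ComputerName 2>&1 | Out-String
        if ($Out -match 'TTL=') {
            $Good = $Mid                       # reply came back: this size fits
        } else {
            $Bad = $Mid                        # lost or rejected: this size is too big
            if ($Out -match 'needs to be fragmented') { $SawFragMsg = $true }
        }
    }

    # A healthy path with a small MTU produces the explicit fragmentation message
    # (from the local stack or a router). Silent loss above the working size with no
    # such message is the black hole behaviour the KB articles describe.
    [pscustomobject]@{
        Target           = $ComputerName
        PathMtu          = $Good
        BlackHoleSuspect = ((-not $SawFragMsg) -and ($Good -lt $MaxSize))
    }
}

Find-PathMtu -ComputerName $PeerDc | Format-Table -AutoSize
```

A `PathMtu` below 1500 with `BlackHoleSuspect` set to `True` is the case Jorge's MTU point refers to; the linked KB articles cover the fixes (PMTU black hole detection on the hosts, or lowering the interface MTU to the value found here). Because the search only probes a handful of sizes, run it twice if the first result is borderline.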
