Re: LDAP/AD Problems Related to WAN?
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Mon, 26 Feb 2007 08:43:46 -0000
Yeah, that's quite low. Not an issue in itself, but you need to enable ICMP
so that PMTU discovery can occur. If you don't do this, you need to change
the MTU, preferably on your network VPN device, which is using the smaller
value.
This is probably your issue. I've seen the same issue as you're having
across a VPN with a larger MTU than that. Basically, you're losing UDP
packets, which is playing hell with Kerberos and any other apps that use UDP
by default, e.g. DNS.
One way around the immediate issue (policy failure and slow logon, etc.) is
to force Kerberos to use TCP. However, that's more of a bandage than a fix,
as other apps might still be having problems.
Replication and things will be fine as they use TCP, which is a
connection-oriented protocol, and is able to handle lost packets better.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
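
An added example, not part of the post above: a PowerShell check for the two things the reply discusses, measuring the largest packet that crosses the VPN path with Don't Fragment set, and optionally forcing Kerberos onto TCP. The target host name and function names are hypothetical; the `MaxPacketSize` registry value is Microsoft's documented setting for this and is not named in the post; the probe assumes ICMP echo is permitted to the target.

```powershell
# Added example, not from the original post. Run on a client behind the VPN.
param(
    [string]$Target = 'dc01.example.internal',  # hypothetical DC name; replace
    [switch]$ForceKerberosTcp                    # apply the TCP workaround too
)

# Send one echo request with Don't Fragment set; true only if a reply comes back.
function Test-DfPing {
    param([string]$HostName, [int]$PayloadSize)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DF on
    $buffer  = New-Object byte[] $PayloadSize
    try {
        foreach ($attempt in 1..2) {             # retry once so one lost packet is not misread
            $reply = $ping.Send($HostName, 2000, $buffer, $options)
            if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) { return $true }
        }
        return $false
    } catch {
        return $false                            # name resolution failure or send error
    } finally {
        $ping.Dispose()
    }
}

# Binary search for the largest payload that crosses the path unfragmented.
function Get-PathMtu {
    param([string]$HostName, [int]$Low = 548, [int]$High = 1472)
    if (-not (Test-DfPing $HostName $Low)) { return $null }   # echo filtered or host down
    while ($Low -lt $High) {
        $mid = ($Low + $High + 1) -shr 1         # round up so the loop always terminates
        if (Test-DfPing $HostName $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low + 28                             # add 20-byte IPv4 and 8-byte ICMP headers
}

$mtu = Get-PathMtu -HostName $Target
if ($null -eq $mtu) { Write-Warning "No echo reply from $Target with a 548-byte payload; ICMP may be filtered." }
else { "Path MTU to ${Target}: $mtu bytes" }

if ($ForceKerberosTcp) {                         # requires elevation and a restart
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # MaxPacketSize = 1 makes the Kerberos client use TCP for every request
    New-ItemProperty -Path $key -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
}
```

A reported value well below 1500 while large DF packets simply time out, rather than drawing a "packet too big" response, is consistent with the blocked-ICMP situation the reply describes.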