Re: AD in Remote site not responding when VPN tunnel is down


Hi,
Site-to-site VPN links used to connect DCs are not meant to be temporary connections.
All DCs in a domain or forest depend on each other to some degree. Some of your FSMO role holders are probably in your main site, and you'll have all kinds of problems if you shut down the VPN link.

Regards,

Austin
"spacemancw" <spacemancw@xxxxxxxxx> wrote in message news:1193922905.418707.282210@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a main site with AD, a few Global Catalogs, Cisco ASA to the
internet.
A remote site, with also a Cisco ASA to internet.

I built a site to site VPN tunnel between the two ASAs.
Then promoted two servers at the remote site to ADs, rAD01 and rAD02.
With the tunnel in place they were able to find the domain and dcpromo
worked successfully.
DNS was installed on these two servers, and populated automatically
Both were made Global Catalogs.

A file server and some Citrix servers were built and successfully
joined to the domain.

All servers have their TCP/IP DNS settings pointing to rAD01 as primary
and mAD01 (main site) as secondary,
except for rAD02, which uses itself and then mAD01.

When I break the tunnel I would expect the remote site to work using
just the two local DCs.

However, everything freezes up. On all servers I try to go to Start >
any program, and the screen just freezes on whatever selection I make.
5 - 10 minutes later, the screen responds and whatever window I was
trying to open, opens.

I try to logon to the servers as the domain admin and it takes up to
10 minutes.

While I'm waiting for all these things to respond, I bring back the
tunnel and everything springs into action, everything works.

I don't know what it takes to make the remote servers look to the
rAD01 first, rAD02 second and the main environment last. But it seems
they are looking at the main site first.

In Sites and Services replication is shown as follows
rAD01
From rAD02
From mAD01 (main site)

rAD02
From rAD01

So I need the AD environment on the remote site to work independently
of production, with the tunnel down.


Any idea?
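The checks below are an added example, not code from either poster, for the situation described in the thread: members of a remote site that keep going across the tunnel for a DC. Whether a machine uses its local DCs is decided by the DC locator, which maps the client's IP subnet to a site in Sites and Services and then asks DNS for the site-specific SRV records; a site with no subnets assigned to it is effectively invisible to the locator. The script assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later; the original post is from the Windows 2003 era, where only the nltest lines apply) and uses placeholder names that are not in the post: the domain "example.local" and the remote site name "RemoteSite". Run it on one of the remote-site servers (the file server or a Citrix host) with the tunnel up.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# (Server 2008 R2+ / RSAT) and Resolve-DnsName (Windows 8 / Server 2012+).
# Placeholder names (assumptions, not from the post):
$Domain   = 'example.local'   # the AD domain name; not given in the post
$SiteName = 'RemoteSite'      # the remote site's name in Sites and Services; not given in the post
$LocalDc  = 'rAD01'           # the remote-site DC the post names as primary DNS

# 1. Which site does this machine think it is in, and which DC did the locator pick?
#    If the site is the main site (or the call fails), the client's subnet is not
#    mapped to the remote site and the locator will not prefer rAD01/rAD02.
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force
nltest "/dsgetdc:$Domain" /gc /force

# 2. Subnet-to-site mapping. Every remote-site subnet must be listed with Site = $SiteName.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# 3. Site-specific SRV records that clients in $SiteName use to find a local DC and GC.
#    They are registered by the DCs' Netlogon service; both rAD01 and rAD02 should appear.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" -Server $LocalDc
Resolve-DnsName -Type SRV -Name "_gc._tcp.$SiteName._sites.$Domain"             -Server $LocalDc

# 4. Ask the locator directly for a GC in the remote site, bypassing its cache.
Get-ADDomainController -Discover -SiteName $SiteName -Service GlobalCatalog -ForceDiscover |
    Select-Object HostName, Site, IPv4Address

# 5. FSMO role holders (Austin's point): any of these that sit in the main site
#    are unreachable while the tunnel is down, whatever the locator does.
Get-ADDomain -Identity $Domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest                   | Select-Object SchemaMaster, DomainNamingMaster
```

Step 1 is the quickest tell: if `nltest /dsgetsite` does not return the remote site, fix the subnet assignment in step 2 first and re-run step 4 with `-ForceDiscover`, because the locator caches its last answer. Steps 3 and 4 passing while the tunnel is up does not by itself prove the site will work offline; the role-holder locations in step 5 still matter for operations such as password changes and new account creation.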




