Re: DCPROMO RPC error
- From: "Aaron Stamboulieh" <aaron@xxxxxxxxxxxxxxx>
- Date: Mon, 7 Jul 2008 12:26:54 -0400
Tried...no luck!
Aaron
"Betzold, Adam" <abetzold@xxxxxxxxx> wrote in message
news:48724099.60307@xxxxxxxxxxxx
This may be why, is it a T1?
Obtained from: http://www.haqthegibson.com/article/38
Promote a Domain Controller over an IPSEC VPN - Kerberos over tcp -
Over the weekend I was involved in Joining a Windows 2003 server in the US
to our domain here in Sydney over an IPSEC VPN. Due to MTU limitations
imposed by the T1 connection, and the additional overhead of the ipsec
encryption, it seemed that machines could join the domain, but when we
tried to promote a machine to a Domain Controller, it failed every time.
It seemed to be a packet size issue, due to the low MTU (1410). This
article from Microsoft describes the problem:
http://support.microsoft.com/?kbid=244474
I'll quote the section which describes the issue and the fix:
By default, Kerberos uses connectionless UDP datagram packets. Depending
on a variety of factors including security identifier (SID) history and
group membership, some accounts will have larger Kerberos authentication
packet sizes. Depending on the virtual private network (VPN) hardware
configuration, these larger packets have to be fragmented when going
through a VPN. The problem is caused by fragmentation of these large UDP
Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP
packets will be dropped if they arrive at the destination out of order. If
you change MaxPacketSize to a value of 1, you force the client to use TCP
to send Kerberos traffic through the VPN tunnel. Because TCP is connection
oriented, it is a more reliable means of transport across the VPN tunnel.
Even if the packets are dropped, the server will re-request the missing
data packet.
You can change MaxPacketSize to 1 to force the clients to use Kerberos
traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to
select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
This was a much better solution than building the DC in Sydney, and then
shipping it over!
-Jonesy
Aaron Stamboulieh wrote:
I am trying to promote a domain controller on 2008 in a separate site to
my domain. The only existing current DCs are in another site. The sites
are connected by permanent VPN, and I know it's working because I can log
on to the domain perfectly well (a bit slowly) from any computer at the
remote site, as well as join the domain as a member server from the
computer I am trying to promote.
When running DCPROMO, it starts the process then stops with the error:
-----
The operation failed because:
Active Directory Domain Services could not create the NTDS Settings
object for this Active Directory Domain Controller CN=NTDS
Settings,CN=ES-SERVER2,CN=SERVERS,CN=ELEMENTARY,CN=SITES,CN=CONFIGURATION,DC=stghs,DC=net
on the remote AD DC hs-server2.stghs.net. Ensure the provided network
credentials have sufficient permissions.
"The RPC Server is unavailable."
-----
Any ideas? Thanks for your help.
Aaron Stamboulieh - MCSA
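The seven Registry Editor steps quoted from the article, collapsed into an idempotent PowerShell script with a read-back of the value. This is an added example, not code from the thread or from the cited article; the key path and value name are the ones KB 244474 documents, and the function names are mine.

```powershell
# Added example (not from the thread): force Kerberos over TCP by setting
# the MaxPacketSize value from KB 244474, creating the key if needed and
# reading the value back. Run in an elevated session on the client.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'MaxPacketSize'

function Get-KerberosMaxPacketSize {
    # Returns the current value, or $null if the key or value does not exist.
    if (-not (Test-Path $KerbParams)) { return $null }
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-KerberosOverTcp {
    # Step 2 of the article: the Parameters key may not exist yet.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    $before = Get-KerberosMaxPacketSize
    # Steps 3 to 5: REG_DWORD MaxPacketSize = 1 (decimal). Any Kerberos
    # message is larger than 1 byte, so every request goes over TCP.
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord `
        -Value 1 -Force | Out-Null
    $after = Get-KerberosMaxPacketSize
    # Step 7: the LSA reads this value at startup, so a restart is still needed.
    [pscustomobject]@{ Before = $before; After = $after; RestartRequired = $true }
}

Set-KerberosOverTcp | Format-List
```

Windows Vista and Windows Server 2008 already send Kerberos over TCP by default, so on those systems the value changes nothing; the article's fix targets Windows 2000, XP and Server 2003 clients.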