Re: DCPROMO RPC error
- From: "Betzold, Adam" <abetzold@xxxxxxxxx>
- Date: Mon, 07 Jul 2008 11:34:46 -0500
Hardware or software VPN?
Aaron Stamboulieh wrote:
Tried... no luck!
Aaron
"Betzold, Adam" <abetzold@xxxxxxxxx> wrote in message news:48724099.60307@xxxxxxxxxxxx
This may be why, is it a T1?
Obtained from: http://www.haqthegibson.com/article/38
Promote a Domain Controller over an IPsec VPN - Kerberos over TCP
Over the weekend I was involved in joining a Windows 2003 server in the US to our domain here in Sydney over an IPsec VPN. Due to MTU limitations imposed by the T1 connection, and the additional overhead of the IPsec encryption, it seemed that machines could join the domain, but when we tried to promote a machine to a Domain Controller, it failed every time.
It seemed to be a packet size issue, due to the low MTU (1410). This article from microsoft describes the problem:
http://support.microsoft.com/?kbid=244474
I'll quote the section which describes the issue and the fix:
By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.
You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
This was a much better solution than building the DC in Sydney, and then shipping it over!
-Jonesy
Aaron Stamboulieh wrote:
I am trying to promote a domain controller on 2008 in a separate site to my domain. The only existing current DCs are in another site. The sites are connected by permanent VPN, and I know it's working because I can log on to the domain perfectly well (a bit slowly) from any computer at the remote site, as well as join the domain as a member server from the computer I am trying to promote.
When running DCPROMO, it starts the process then stops with the error:
-----
The operation failed because:
Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=ES-SERVER2,CN=SERVERS,CN=ELEMENTARY,CN=SITES,CN=CONFIGURATION,DC=stghs,DC=net on the remote AD DC hs-server2.stghs.net. Ensure the provided network credentials have sufficient permissions.
"The RPC Server is unavailable."
-----
Any ideas? Thanks for your help.
Aaron Stamboulieh - MCSA
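The registry procedure quoted above (KB 244474, steps 1-7), as an added PowerShell example that is not from the thread or the KB article. Run it elevated on the machine being promoted: it creates the Parameters key if it is missing, records any existing MaxPacketSize so the change can be reverted, sets the value to 1 as a DWORD, and then checks plain TCP reachability of Kerberos (88) and the RPC endpoint mapper (135) on the existing DC. The DC name is taken from Aaron's original post; checking those two ports before re-running dcpromo is my own suggestion, since the reported error was "The RPC Server is unavailable", not something the thread itself recommends. A reboot is still required after the registry change.

```powershell
# Added example, not code from the thread or from KB 244474.
# Forces the Kerberos client to use TCP instead of UDP (KB 244474) and then
# probes the existing DC over the tunnel on the ports dcpromo depends on.
# Run from an elevated PowerShell prompt on the server being promoted.

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$dc         = 'hs-server2.stghs.net'   # existing DC named in the original post

# Step 2 of the KB: the Parameters key is often absent and must be created.
if (-not (Test-Path $kerbParams)) {
    New-Item -Path $kerbParams -Force | Out-Null
    Write-Host "Created $kerbParams"
}

# Keep the old value (if any) so the change can be rolled back with
# Set-ItemProperty, or removed entirely with Remove-ItemProperty.
$old = Get-ItemProperty -Path $kerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
if ($old) {
    Write-Host "Previous MaxPacketSize: $($old.MaxPacketSize)"
} else {
    Write-Host "MaxPacketSize was not set (Kerberos default: UDP for small tickets)"
}

# Steps 3-5: DWORD MaxPacketSize = 1 (decimal) forces Kerberos over TCP.
New-ItemProperty -Path $kerbParams -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the value actually landed before rebooting (step 7).
$now = (Get-ItemProperty -Path $kerbParams -Name MaxPacketSize).MaxPacketSize
Write-Host "MaxPacketSize is now $now (reboot required for Kerberos to pick it up)"

# Sanity check (my addition, not part of the KB): dcpromo needs Kerberos (88/tcp)
# and the RPC endpoint mapper (135/tcp) on the existing DC to be reachable
# through the VPN. A plain TcpClient connect avoids any dependency on newer
# cmdlets such as Test-NetConnection and works on Windows Server 2008.
foreach ($port in 88, 135) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($dc, $port)
        Write-Host ("TCP {0,3} -> {1}: open" -f $port, $dc)
    } catch {
        Write-Host ("TCP {0,3} -> {1}: BLOCKED ({2})" -f $port, $dc, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}
```

If port 135 is open but dcpromo still reports "The RPC Server is unavailable", the remaining suspect is the dynamic RPC port range that the endpoint mapper hands out, which a VPN or firewall may not pass; the Kerberos change only fixes the fragmentation problem the article describes.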