

Active Directory Replication over hardware VPN

Guy_Adams asked
Medium Priority
Last Modified: 2010-04-18
We have 2 servers in two different sites. The sites are connected via a hardware VPN which is available all the time.

Both servers have two NICs, WAN and LAN.

I want to replicate Active Directory over this VPN, but the problem is the servers will be communicating via their WAN NICs, i.e.:

- WAN - 192.168.110.x
- LAN - 192.168.0.x

- WAN - 192.168.120.x
- LAN - 192.168.0.x

Both servers are 2003 Standard and both have the basic firewall enabled. The WAN of each server is connected to a hardware firewall/VPN device which connects them to the internet. These devices also maintain the VPN.

Firstly, is it possible to replicate over such a network via the servers' WAN cards?
Secondly, any advice on configuration or documentation that relates to my situation would be much appreciated.

I have another question which relates to this subject which you also may be interested in answering. Both questions are worth 500 points each.





First, multihomed DCs are never a good idea.

Here is something that may help you work around that:
Active Directory communication fails on multihomed domain controllers

For SRV records:
How to enable or disable DNS updates in Windows 2000 and in Windows Server 2003


Thank you for the excellent documentation.

Given the configuration of our network, with hardware VPN/firewall devices do you think it would be wise to remove the second network adaptor from each of the servers?

Would this aid the situation or would it just leave the network vulnerable to attack?




Just to add to my initial question,

My first thoughts were to simply forward the following ports in RRAS from WAN to LAN on each server:

udp 389
tcp 389
udp 636
tcp 636
udp 88
tcp 88
udp 53
tcp 53
SMB over IP
udp 445
tcp 445
Global Catalog Server
tcp 3269
tcp 3268

Are you running RRAS on the DCs also? Not recommended on a DC.

You said hardware VPN, I'm thinking Cisco devices etc. How does RRAS play into this?


Well, originally it was an SBS 2003 server but we purchased the transition pack to convert it to standard Windows 2003. So it hosts everything: it's the DNS server and gateway for the network, Exchange server and WSUS server. There are only 35 users at any one time.

RRAS has never been disabled, I suppose; it was originally put in place to govern remote users and for an added layer of security against external attack.

I now realise the issue with replication and multihoming. The DNS address for OURSERVER.LOCAL is the internal network adaptor.

What do you suggest with only a hardware firewall/VPN device as protection? I'm open to all suggestions as this is still a young network.

Thank you so much for your help so far.

Kind Regards


A firewall on each side of the WAN that supports building a VPN tunnel between sites is an option.

Then configure the network routing/DNS so one DC can find the other and vice versa.

Once you can resolve DNS through the tunnel, replication should work. Just disable the extra NICs you don't need.


OK, so single NIC either side of the VPN.

What firewall do you recommend? I fancy ISA but it's expensive; my company has a limited budget, hence only one DC per site.

In an ideal world what would you suggest for this setup?

Site 1: 35 WinXP clients, Exchange, WSUS, file & application server.

Site 2: 5 WinXP clients, WSUS, file & application server.

To be honest I'm used to administering SBS servers, one server looks after all! But it is not great when trying to connect multiple sites.

We actually have 12 sites, all of which eventually will need to replicate.

Kind regards,


Like you said, it depends on your budget.

Cisco PIX firewalls would be good, but then you have to learn the IOS.

If the budget is really tight, look at Netgear. They make some that you can configure the ports you need to open for email,
and you can set up a VPN tunnel between the two devices at each site also,
and they are not too expensive.


Do you think a business class hardware firewall is enough protection?

We use all Netgear products for the hardware VPN.

FVS338 & FVS318's



So to summarise, ditch RRAS and the second NIC in both servers?

With the setup of Active Directory Sites and Services, do you have to set up both DCs in order to replicate?

Thank you again for your help so far.


If you want to avoid replication issues brought on by
multiple NICs and RRAS, yes, ditch them.

If both DCs are in the same site it will replicate based on time or changes.
5 minutes is the default time--DON'T change it.
In ADSS create two sites, A and B.
Put a DC in each site and create a site link between them.
Set the replication interval to a value that matches your bandwidth.
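The site topology described in the answer above, as an added example that is not part of the original thread: it scripts the same ADSS objects with the ActiveDirectory PowerShell module (Server 2008 R2 and later; on the Server 2003 boxes in the question the same objects are created in the ADSS MMC). The site names, DC names, branch subnet and interval are assumptions.

```powershell
# Added example (not from the thread): script the ADSS steps from the answer
# with the ActiveDirectory module (Server 2008 R2+; on Server 2003 the same
# objects are created in the ADSS MMC). Site names, the branch subnet, the
# DC names and the interval are assumptions.
Import-Module ActiveDirectory

$siteDefs = @{
    'SiteA' = @{ Subnet = '192.168.0.0/24'; DC = 'DC1' }   # HQ LAN from the question
    'SiteB' = @{ Subnet = '192.168.1.0/24'; DC = 'DC2' }   # assumed: subnet objects cannot
                                                           # overlap, so the branch LAN must
                                                           # differ from 192.168.0.x
}
$intervalMinutes = 60   # assumed; the default is 180, pick what the 128 Kbps link can carry

# 1. Sites plus one subnet object per site, so a DC or client in that range
#    is placed in the right site by the DC locator.
foreach ($name in $siteDefs.Keys) {
    if (-not (Get-ADReplicationSite -Identity $name -ErrorAction SilentlyContinue)) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $siteDefs[$name].Subnet
    if (-not (Get-ADReplicationSubnet -Identity $subnet -ErrorAction SilentlyContinue)) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# 2. The inter-site link is where the interval is tuned; the 5-minute
#    intra-site schedule the answer says not to touch is left alone.
$linkName = 'SiteA-SiteB'
if (-not (Get-ADReplicationSiteLink -Identity $linkName -ErrorAction SilentlyContinue)) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded 'SiteA','SiteB' `
        -Cost 100 -ReplicationFrequencyInMinutes $intervalMinutes `
        -InterSiteTransportProtocol IP
} else {
    Set-ADReplicationSiteLink -Identity $linkName `
        -ReplicationFrequencyInMinutes $intervalMinutes
}

# 3. Move each DC's server object out of Default-First-Site-Name into its site
#    (the "put a DC in each site" step).
foreach ($name in $siteDefs.Keys) {
    Move-ADDirectoryServer -Identity $siteDefs[$name].DC -Site $name
}

# 4. Confirm the KCC built a connection object across the link before trusting
#    the topology; repadmin then shows whether the first cycle succeeded.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
repadmin /replsummary
```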



OK I will try this on Tuesday.

One last question if you don't mind: is there any special DNS setup for either of the DCs?

I presume once ADSS has the sites set up with the subnets, DNS will be OK?

You've been a fantastic help itforall.

Thank you


Are these machines already domain controllers?

If so, point them both to the same DNS server, preferably one of these two machines running DNS and AD.
Run the following to reregister all SRV records:
net stop netlogon
ipconfig /flushdns
net start netlogon
ipconfig /registerdns

Go to ADSS and try to force a replication.


Well, the current 2003 server is a DC; the new one going in will be too.

Will pointing the new DC to the current one for DNS over a slow WAN connection slow down DNS requests for the remote clients?

The WAN connection runs at a max 256 Kbps but the real world throughput figure is actually more like 128 Kbps.

You've actually answered another question I have here:


Post a response and I will accept your answer.




I would just like to say,

Thank you very much.

I disabled the WAN adaptor and RRAS, set up a 2000 server and pointed the DNS to the Global Catalog. Replication worked perfectly and fully automatically.

I configured the sites and moved the server into the site, and replication is still working perfectly.

I have accepted your answer. If you would like the points from the other question please post a response as you have also answered that one too. If not I will request a delete and refund next week.

Thanks again.

Kind Regards


I posted to the other question too.

Now that it is working correctly, point each DC to itself for DNS to avoid saturating the WAN.
Have each DC/DNS server handle the clients in each respective site. In ADSS configure subnets for each site.

Since these are both 2003, the DNS islanding issue is not a problem like it was in 2000.

If name resolution ever becomes an issue or replication stops, drop back to one DNS server to troubleshoot
and run the steps to reregister the SRV and A records:
ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns

Good luck.
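A check for the DNS point raised in the two answers above (the SRV re-registration steps and "point each DC to itself"), as an added example that is not part of the original thread: it verifies that the DCs the domain advertises through SRV records resolve to LAN addresses rather than the former WAN NIC, shows which DNS servers each adapter uses, and only then runs the answer's re-registration commands. It assumes the DnsClient module (Windows 8/Server 2012 and later; on Server 2003 the same queries are done with nslookup) and takes the WAN prefixes from the question.

```powershell
# Added example (not from the thread): check that a DC's published DNS records
# point at the LAN NIC, not the disabled WAN NIC, then re-register as the answer
# describes. Assumes the DnsClient module and that it runs on a domain member.
$domain  = $env:USERDNSDOMAIN.ToLower()            # e.g. ourserver.local
$wanNets = @('192.168.110.', '192.168.120.')        # WAN ranges from the question

function Test-WanAddress([string]$ip) {
    foreach ($prefix in $wanNets) { if ($ip.StartsWith($prefix)) { return $true } }
    return $false
}

# 1. Every DC the domain advertises, via the SRV record clients actually use
#    to find a DC, and the A records those targets resolve to.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$stale = @()
foreach ($rec in $srv) {
    $hosts = Resolve-DnsName -Name $rec.NameTarget -Type A | Where-Object { $_.Type -eq 'A' }
    foreach ($h in $hosts) {
        $flag = if (Test-WanAddress $h.IPAddress) { 'WAN-LEAK' } else { 'ok' }
        '{0,-30} {1,-16} {2}' -f $rec.NameTarget, $h.IPAddress, $flag
        if ($flag -ne 'ok') { $stale += "$($rec.NameTarget) -> $($h.IPAddress)" }
    }
}

# 2. Each DC should resolve through itself (or the peer DC), never the ISP or
#    the WAN-side device; an adapter still pointing elsewhere shows up here.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 3. If a WAN address is still published, fix the adapter/DNS client first and
#    re-register with the same commands the answer gives. A record that still
#    shows the WAN address afterwards is stale and is deleted in the DNS console.
if ($stale.Count -gt 0) {
    Write-Warning ('Stale WAN registrations: ' + ($stale -join '; '))
    ipconfig /flushdns | Out-Null
    net stop netlogon
    net start netlogon
    ipconfig /registerdns
}
```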


Fantastic, I will remember that.

You've been a massive help itforall.

When I first started investigating replication I thought it looked like a minefield; now I've been through a few things with you I have the confidence to administer a complex replica setup.

Thanks again, it's much appreciated.

