• Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory Child Domain over VPN site link issue

Hi,

One of our sites in Europe has just moved location and lost their leased line, and they are now working over an SDSL 20MB line using a Checkpoint VPN device.

Their domain is a child domain (AD 2000 mixed mode) and we are experiencing all kinds of latency problems now.

The ping response between their DC and the parent DC in London averages out at 30ms; in fact all ping responses are good.

There are a few issues I've found already:

1) When I try and manage the child domain from ADUC on my machine in London it takes forever to connect to the domain and usually fails and tells me that the RPC timed out, so I have to VNC/RDP onto the domain controller in the VPN site in order to admin the users there.

2) We have an ISA proxy server in London which all sites connect through to gain access to the Internet, and whenever users in this VPN site try and connect now it takes quite a long time (a few mins) and will then eventually pop up an authentication box (as though Windows authentication is screwed); if they put their credentials in it seems to work. Ping response from the user's machine to the proxy is 30ms.

3) Outlook on their machines is very slow (it connects to an Exchange server in London). To try and alleviate this I am now running cached mode and downloading headers only, which seems to have helped a bit, but it can sometimes hang.


I'm pretty sure this is all down to the fact they are now running over the public Internet and obviously there are some dropped packets here and there.

I have run dcdiag and netdiag on the DC in the VPN site; the output is below:

- - - - - - -  - - - - - - - - - - - - - -  -- - - - - - - - - - - - - - - - - -

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.NL-EU-PRIMUS>dcdiag

DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\PRNLALW2DPR1
      Starting test: Connectivity
         ......................... PRNLALW2DPR1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PRNLALW2DPR1
      Starting test: Replications
         [PREULOW2DPR1] DsBind() failed with error 1727,
         The remote procedure call failed and did not execute..
         ......................... PRNLALW2DPR1 passed test Replications
      Starting test: NCSecDesc
         ......................... PRNLALW2DPR1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... PRNLALW2DPR1 passed test NetLogons
      Starting test: Advertising
         ......................... PRNLALW2DPR1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Warning: PREULOW2DPR1 is the Schema Owner, but is not responding to DS
RPC Bind.
         Warning: PREULOW2DPR1 is the Domain Owner, but is not responding to DS
RPC Bind.
         ......................... PRNLALW2DPR1 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... PRNLALW2DPR1 passed test RidManager
      Starting test: MachineAccount
         ......................... PRNLALW2DPR1 passed test MachineAccount
      Starting test: Services
         ......................... PRNLALW2DPR1 passed test Services
      Starting test: ObjectsReplicated
         ......................... PRNLALW2DPR1 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... PRNLALW2DPR1 passed test frssysvol
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x800004D0
            Time Generated: 08/08/2007   15:05:26
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC00004A4
            Time Generated: 08/08/2007   15:05:26
            (Event String could not be retrieved)
         ......................... PRNLALW2DPR1 failed test kccevent
      Starting test: systemlog
         ......................... PRNLALW2DPR1 passed test systemlog

   Running enterprise tests on : eu.primus
      Starting test: Intersite
         ......................... eu.primus passed test Intersite
      Starting test: FsmoCheck
         [PRSCGLW2DPR1] LDAP bind failed with error 1053,
         The service did not respond to the start or control request in a timely
 fashion..
         ......................... eu.primus passed test FsmoCheck

C:\Documents and Settings\Administrator.NL-EU-PRIMUS>

 - - - - - - - - -  - - -- - -  -- - - - - - - - -  - - - - - - - - - - - - - - - - - - -  -



Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.NL-EU-PRIMUS>netdiag

.........................................

    Computer Name: PRNLALW2DPR1
    DNS Host Name: prnlalw2dpr1.nl.eu.primus
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 11 Stepping 1, GenuineIntel
    List of installed hotfixes :
        KB329115
        KB823182
        KB823559
        KB824105
        KB824141
        KB824146
        KB825119
        KB826232
        KB828028
        KB828035
        KB828741
        KB828749
        KB830352
        KB835732
        KB837001
        KB839643
        KB839645
        KB840315
        KB841872
        KB841873
        KB842526
        Q147222
        Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : nl.eu.primus

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : prnlalw2dpr1
        IP Address . . . . . . . . : 172.18.5.10
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 172.18.5.1
        Primary WINS Server. . . . : 172.18.5.10
        Secondary WINS Server. . . : 172.18.5.11
        Dns Servers. . . . . . . . : 172.18.5.10
                                     172.18.5.11


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{E58E8500-6619-48B3-B625-011C51E614B9}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '172.18.5.10'
 and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '172.18.5.11'
 and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{E58E8500-6619-48B3-B625-011C51E614B9}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{E58E8500-6619-48B3-B625-011C51E614B9}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'prnlalw2dpr2.nl.eu.primus'
.
    [WARNING] Failed to query SPN registration on DC 'prnlalw2dpr1.nl.eu.primus'
.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully

C:\Documents and Settings\Administrator.NL-EU-PRIMUS>


 - - - - - -  - - - - - - - - - - - - - - - -  - - - - - - - - - - -


Can anyone advise what we can do to try and improve the situation?

Thanks.
Asked: he_who_dares
2 Solutions

sredmondCommented:
Have you verified that any and all routing switches have been updated for the new location?

If all your routing switches and VPN boxes have correct configs, try increasing the size of the ping packets to see when the latency starts:
ping -l # (for example, ping google.com -l 50 or ping google.com -l 100)

Then try tracert to see if you can see where the bottleneck is.

Have you verified that you have the SDSL line you ordered? Is it truly a 20 mb line?

ChiefITCommented:
What about Win32 Time? Maybe you are out of sync and are therefore receiving latency problems.

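An added example, not from any poster in this thread: a PowerShell script that turns sredmond's "increase the ping size" advice and ChiefIT's time-sync suggestion into repeatable checks you can run from the London admin workstation against the VPN-site DC (and, swapping the target, from the VPN-site DC back towards the parent DC). It generalises the ping-size idea to a Don't-Fragment sweep, which tells you the largest packet the Checkpoint tunnel will carry unfragmented rather than only where latency climbs, and it probes the TCP ports that ADUC, Kerberos and LDAP clients need. The IP address 172.18.5.10 is taken from the netdiag output above; everything else (function names, port list, timeouts) is this example's own choice.

```powershell
# Added example (not from the thread). Run from an admin workstation in London
# against the VPN-site DC; 172.18.5.10 is PRNLALW2DPR1 per the netdiag output.
$Target = '172.18.5.10'

# --- 1. Path MTU sweep with the Don't Fragment bit set. -----------------------
# 'ping -l' alone only shows latency growing with size; with DF set the tunnel
# (IPsec overhead eats part of the 1500-byte MTU) returns PacketTooBig or
# silently drops, so the binary search lands on the real usable payload.
function Find-PathMtu {
    param(
        [string]$Target,
        [int]$Low = 500,          # assumed lower bound for the search
        [int]$High = 1472,        # 1500 - 20 (IP) - 8 (ICMP), an untunnelled LAN
        [int]$TimeoutMs = 2000
    )
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions
    $opts.DontFragment = $true
    $best = 0
    while ($Low -le $High) {
        $size  = [int](($Low + $High) / 2)
        $buf   = New-Object byte[] $size
        $reply = $ping.Send($Target, $TimeoutMs, $buf, $opts)
        if ($reply.Status -eq 'Success') { $best = $size; $Low = $size + 1 }
        else                             { $High = $size - 1 }
    }
    if ($best -eq 0) {
        return [pscustomobject]@{ Target = $Target; MaxPayload = 0; PathMtu = 'unreachable (no DF reply at any size)' }
    }
    # 28 = 20-byte IPv4 header + 8-byte ICMP header
    [pscustomobject]@{ Target = $Target; MaxPayload = $best; PathMtu = $best + 28 }
}

# --- 2. TCP reachability for the DC services a remote ADUC/Kerberos client uses.
# RPC also needs the dynamic high ports (1024-65535 on Windows 2000) that a
# static list cannot enumerate: a DsBind error 1727 with 135 open usually means
# those dynamic ports are filtered or oversized RPC fragments are being dropped.
$DcPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / SYSVOL'
    636  = 'LDAPS'
    3268 = 'Global Catalog (only if this DC is a GC)'
}

function Test-DcPorts {
    param([string]$Target, [hashtable]$Ports, [int]$TimeoutMs = 3000)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ar     = $client.BeginConnect($Target, [int]$port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            try   { $client.EndConnect($ar); $state = 'open' }
            catch { $state = 'refused' }          # RST: host up, service not listening
        } else {
            $state = 'timeout'                    # filtered or dropped inside the tunnel
        }
        $client.Close()
        [pscustomobject]@{ Port = $port; Service = $Ports[$port]; State = $state }
    }
}

# --- 3. Run the checks. --------------------------------------------------------
Find-PathMtu -Target $Target
Test-DcPorts -Target $Target -Ports $DcPorts | Format-Table -AutoSize

# Clock skew against the remote DC (Kerberos tolerates 5 minutes by default).
# w32tm /stripchart is available on XP/2003 and later workstations.
w32tm /stripchart /computer:$Target /samples:3 /dataonly
```

If the sweep reports a PathMtu well below 1500, clamp the MSS on the VPN gateways or lower the interface MTU on both DCs to that value so Kerberos tickets and LDAP/RPC replies are not fragmented across the tunnel; if port 135 is open but ADUC still times out, the dynamic RPC range is the next thing to confirm on the Checkpoint rulebase.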
he_who_daresAuthor Commented:
We eventually found there was an issue with the line itself.

Splitting points though, as it is still good advice.

Cheers Guys.
MikeP_NJCommented:
I am having somewhat of a similar issue. I have some users from the parent domain now sitting in the office of the child domain. All is OK when in the office, but when they VPN into the child domain through an ASA5510 and try to access shared folders that work no problem when in the office, they get messages that the credentials have already been used to log in and they cannot successfully connect to the shares.

Ideas?