Active Directory Child Domain over VPN site link issue
Asked by he_who_dares
Hi,
One of our sites in Europe has just moved location and lost their leased line, and they are now working over a 20 MB SDSL line using a Checkpoint VPN device.
Their domain is a child domain (AD 2000 mixed mode) and we are experiencing all kinds of latency problems now.
The ping response between their DC and the parent DC in London averages out at 30 ms; in fact all ping responses are good.
There are a few issues I've found already:
1) When I try to manage the child domain from ADUC on my machine in London, it takes forever to connect to the domain and usually fails and tells me that the RPC timed out, so I have to VNC/RDP onto the domain controller in the VPN site in order to admin the users there.
2) We have an ISA proxy server in London which all sites connect through to gain access to the Internet, and whenever users in this VPN site try to connect now it takes quite a long time (a few minutes) and will then eventually pop up an authentication box (as though Windows authentication is screwed), and if they put their credentials in it seems to work. Ping response from the user's machine to the proxy is 30 ms.
3) Outlook on their machines is very slow (it connects to an Exchange server in London); to try to alleviate this I am now running cached mode and downloading headers only, which seems to have helped a bit, but it can sometimes hang.
I'm pretty sure this is all down to the fact they are now running over the public Internet and obviously there are some dropped packets here and there.
I have done a dcdiag and netdiag on the DC in the VPN site, which is below:
- - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - -
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator.NL-EU-PRIMUS> dcdiag
DC Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Default-First-Site-Name\PRNLALW2DPR1
Starting test: Connectivity
......................... PRNLALW2DPR1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PRNLALW2DPR1
Starting test: Replications
[PREULOW2DPR1] DsBind() failed with error 1727,
The remote procedure call failed and did not execute..
......................... PRNLALW2DPR1 passed test Replications
Starting test: NCSecDesc
......................... PRNLALW2DPR1 passed test NCSecDesc
Starting test: NetLogons
......................... PRNLALW2DPR1 passed test NetLogons
Starting test: Advertising
......................... PRNLALW2DPR1 passed test Advertising
Starting test: KnowsOfRoleHolders
Warning: PREULOW2DPR1 is the Schema Owner, but is not responding to DS
RPC Bind.
Warning: PREULOW2DPR1 is the Domain Owner, but is not responding to DS
RPC Bind.
......................... PRNLALW2DPR1 failed test KnowsOfRoleHolders
Starting test: RidManager
......................... PRNLALW2DPR1 passed test RidManager
Starting test: MachineAccount
......................... PRNLALW2DPR1 passed test MachineAccount
Starting test: Services
......................... PRNLALW2DPR1 passed test Services
Starting test: ObjectsReplicated
......................... PRNLALW2DPR1 passed test ObjectsReplicated
Starting test: frssysvol
......................... PRNLALW2DPR1 passed test frssysvol
Starting test: kccevent
An Warning Event occured. EventID: 0x800004D0
Time Generated: 08/08/2007 15:05:26
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC00004A4
Time Generated: 08/08/2007 15:05:26
(Event String could not be retrieved)
......................... PRNLALW2DPR1 failed test kccevent
Starting test: systemlog
......................... PRNLALW2DPR1 passed test systemlog
Running enterprise tests on : eu.primus
Starting test: Intersite
......................... eu.primus passed test Intersite
Starting test: FsmoCheck
[PRSCGLW2DPR1] LDAP bind failed with error 1053,
The service did not respond to the start or control request in a timely
fashion..
......................... eu.primus passed test FsmoCheck
C:\Documents and Settings\Administrator.NL-EU-PRIMUS>
- - - - - - - - - - - -- - - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator.NL-EU-PRIMUS> netdiag
.........................................
Computer Name: PRNLALW2DPR1
DNS Host Name: prnlalw2dpr1.nl.eu.primus
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 11 Stepping 1, GenuineIntel
List of installed hotfixes :
KB329115
KB823182
KB823559
KB824105
KB824141
KB824146
KB825119
KB826232
KB828028
KB828035
KB828741
KB828749
KB830352
KB835732
KB837001
KB839643
KB839645
KB840315
KB841872
KB841873
KB842526
Q147222
Q828026
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : nl.eu.primus
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : prnlalw2dpr1
IP Address . . . . . . . . : 172.18.5.10
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.18.5.1
Primary WINS Server. . . . : 172.18.5.10
Secondary WINS Server. . . : 172.18.5.11
Dns Servers. . . . . . . . : 172.18.5.10
172.18.5.11
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{E58E8500-6619-48B3-B625-011C51E614B9}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.18.5.10'
and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server '172.18.5.11'
and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{E58E8500-6619-48B3-B625-011C51E614B9}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{E58E8500-6619-48B3-B625-011C51E614B9}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'prnlalw2dpr2.nl.eu.primus'.
[WARNING] Failed to query SPN registration on DC 'prnlalw2dpr1.nl.eu.primus'.
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
The command completed successfully
C:\Documents and Settings\Administrator.NL-EU-PRIMUS>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Can anyone advise what we can do to try and improve the situation?
Thanks.
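The dcdiag run above marks Replications and FsmoCheck as passed even though it prints a DsBind() failure (error 1727) and an LDAP bind failure (error 1053) inside those tests, and the kccevent section shows only hex event IDs because the event strings could not be retrieved. The Python script below is an added example, not part of the original post or of any posted answer: it parses a dcdiag transcript and lists the tests that failed, the tests that passed while still containing a bind error, the peer DCs that could not be bound (with the Win32 error name), and the severity and decimal event ID behind each hex code. The error-code table is taken from winerror.h; the sample input is the relevant lines copied from the output above.

```python
"""Parser for Windows 2000 dcdiag output (added example, not from the thread).

Pulls out every test result, the bind errors dcdiag prints but still reports
as "passed", and the KCC event IDs, which dcdiag shows as hex status codes
when it cannot fetch the event text.
"""
import re

# Win32 error codes from winerror.h that show up in AD bind failures.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT (target did not answer in time)",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1726: "RPC_S_CALL_FAILED",
    1727: "RPC_S_CALL_FAILED_DNE (call failed and did not execute)",
    1753: "EPT_S_NOT_REGISTERED (no endpoint from the endpoint mapper)",
}

START_RE = re.compile(r"^\s*Starting test:\s+(\S+)")
RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
BIND_RE = re.compile(r"\[(\S+)\]\s+(DsBind\(\)|LDAP bind)\s+failed with error\s+(\d+)")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")


def decode_event_id(hex_id):
    """dcdiag prints event IDs as NTSTATUS-style codes: the top two bits carry
    the severity (0b10 warning, 0b11 error), the low 16 bits the event ID."""
    code = int(hex_id, 16)
    severity = {0: "success", 1: "info", 2: "warning", 3: "error"}[code >> 30]
    return severity, code & 0xFFFF


def parse_dcdiag(text):
    """Return a list of test dicts in the order dcdiag ran them."""
    tests, current = [], None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = {"name": m.group(1), "errors": [], "events": []}
            tests.append(current)
            continue
        if current is None:
            continue
        m = BIND_RE.search(line)
        if m:
            code = int(m.group(3))
            current["errors"].append({"peer": m.group(1), "kind": m.group(2),
                                      "code": code,
                                      "meaning": WIN32_ERRORS.get(code, "unknown")})
            continue
        m = EVENT_RE.search(line)
        if m:
            current["events"].append(decode_event_id(m.group(1)))
            continue
        m = RESULT_RE.match(line)
        if m:
            current["target"], current["result"] = m.group(1), m.group(2)
    return tests


def failed_tests(tests):
    return [t["name"] for t in tests if t.get("result") == "failed"]


def passed_with_errors(tests):
    """Tests dcdiag marks 'passed' even though a bind to a peer DC failed."""
    return [t["name"] for t in tests if t.get("result") == "passed" and t["errors"]]


def unreachable_peers(tests):
    """Distinct peer DCs that failed a bind, mapped to the error codes seen."""
    peers = {}
    for t in tests:
        for e in t["errors"]:
            peers.setdefault(e["peer"], set()).add(e["code"])
    return peers


# Constructed sample: the lines of interest copied from the dcdiag run above.
SAMPLE = """\
Starting test: Connectivity
......................... PRNLALW2DPR1 passed test Connectivity
Starting test: Replications
[PREULOW2DPR1] DsBind() failed with error 1727,
The remote procedure call failed and did not execute..
......................... PRNLALW2DPR1 passed test Replications
Starting test: KnowsOfRoleHolders
Warning: PREULOW2DPR1 is the Schema Owner, but is not responding to DS RPC Bind.
......................... PRNLALW2DPR1 failed test KnowsOfRoleHolders
Starting test: kccevent
An Warning Event occured. EventID: 0x800004D0
An Error Event occured. EventID: 0xC00004A4
......................... PRNLALW2DPR1 failed test kccevent
Starting test: FsmoCheck
[PRSCGLW2DPR1] LDAP bind failed with error 1053,
......................... eu.primus passed test FsmoCheck
"""

if __name__ == "__main__":
    report = parse_dcdiag(SAMPLE)
    print("failed:", failed_tests(report))
    print("passed but with bind errors:", passed_with_errors(report))
    for peer, codes in unreachable_peers(report).items():
        print(peer, [WIN32_ERRORS.get(c, c) for c in codes])
    for t in report:
        for severity, event_id in t["events"]:
            print(t["name"], severity, "event", event_id)
```

Run against the sample, the two "passed" tests that hide a bind failure are Replications (PREULOW2DPR1, error 1727) and FsmoCheck (PRSCGLW2DPR1, error 1053), and the kccevent codes decode to warning 1232 and error 1188. From memory those are the NTDS KCC events for an RPC to another DC that is waiting and one that timed out and was cancelled; confirm against the Directory Service log on the DC, which is where the missing event strings live.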
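A 30 ms ping of the kind described in the post exercises only ICMP with a small payload, so it does not show whether the tunnel passes the TCP ports AD needs or whether full-size packets survive it. The Python script below is an added example, not from the thread or any posted answer, and makes no claim about the cause at this particular site: it TCP-connects to the standard DC ports and records latency, lists the ports that did not complete a handshake, and binary-searches the path MTU using don't-fragment pings. The DC address is an argument you supply; the port table is the standard AD set; the dynamic RPC port range handed out by the endpoint mapper is site-specific and is not probed.

```python
"""Connectivity checks for a DC behind a VPN that go beyond ICMP ping
(added example, not from the thread).

Two things a fast ping does not tell you:
  1. whether the TCP ports AD needs are allowed through the tunnel policy;
  2. whether full-size packets survive the tunnel, since small echo
     requests pass through links that drop or fragment 1400+ byte packets.
"""
import socket
import subprocess
import sys
import time

# Standard ports between clients, member servers and a Windows 2000 DC.
# The RPC endpoint mapper (135) hands out a dynamic high port for directory
# RPC calls; that range must be allowed too and is not tested here.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "kpasswd", 636: "LDAPS", 3268: "Global Catalog",
}


def tcp_check(host, port, timeout=3.0):
    """TCP connect to host:port. Returns (state, latency_ms); state is
    'open', 'refused', 'timeout' or 'error'. A 'timeout' on a port that is
    known to be listening usually means a filter in the path, not latency."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", (time.monotonic() - start) * 1000
    except ConnectionRefusedError:
        return "refused", (time.monotonic() - start) * 1000
    except socket.timeout:
        return "timeout", timeout * 1000
    except OSError:
        return "error", (time.monotonic() - start) * 1000


def check_dc(host, ports=AD_PORTS, timeout=3.0):
    """Probe every AD port on one DC; returns {port: (state, latency_ms)}."""
    return {port: tcp_check(host, port, timeout) for port in ports}


def blocked_ports(results, ports=AD_PORTS):
    """Ports that did not complete a TCP handshake, with the service name."""
    return [(p, ports.get(p, "?"), s) for p, (s, _) in sorted(results.items())
            if s != "open"]


def ping_df_command(host, payload):
    """One echo request of `payload` bytes with the don't-fragment bit set
    (Windows ping syntax on Windows, iputils syntax elsewhere)."""
    if sys.platform.startswith("win"):
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]


def ping_df(host, payload):
    """True if a DF echo of this size was answered (needs a real network)."""
    rc = subprocess.run(ping_df_command(host, payload), stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return rc == 0


def find_path_mtu(probe, lo=548, hi=1472):
    """Binary-search the largest payload `probe` accepts, then add the 28
    bytes of IPv4 + ICMP header to get the path MTU. `probe(size) -> bool`
    lets a test substitute a fake for ping_df. Returns None if `lo` fails."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + 28


def listen_locally():
    """Helper for self-tests: an open listener on a free loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed DC address
    for port, name, state in blocked_ports(check_dc(dc)):
        print(f"{dc}:{port} ({name}) {state}")
    if len(sys.argv) > 1:
        print("path MTU to", dc, "is", find_path_mtu(lambda size: ping_df(dc, size)))
```

Run it from the London side against the remote DC and from the remote site against the parent DC, because tunnel policies are frequently asymmetric. A port that times out while the DC is known to listen on it points at the tunnel policy rather than the link speed, and a path MTU well under 1500 on a tunnel is the usual reason large RPC and Kerberos exchanges stall while ping stays healthy.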
I am having somewhat of a similar issue. I have some users from the parent domain now sitting in the office of the child domain. All is OK when in the office, but when they VPN into the child domain through an ASA 5510 and try to access shared folders that work no problem when in the office, they get messages that the credentials have already been used to log in and they cannot successfully connect to the shares.
Ideas?
he_who_dares (asker):
Splitting points though, as it was still good advice.
Cheers guys.