A Windows 2003 server is in a remote office connecting over a separate Cisco hardware-based VPN on a PIX through an ADSL circuit. After working fine for months, all of a sudden the server has communication problems finding the domain across the WAN and authenticating. The result is that it cannot connect to any device outside of the local subnet and, in turn, this server cannot be accessed remotely in any way from outside the local subnet (ping, RD, file share, etc.). It is possible to log in locally to the server, but domain-based login is not possible. Rebooting has no effect and repowering other devices has no effect. This server can communicate with other devices at the remote office on the same LAN, and other devices at the remote office can communicate successfully with this local server, with the internet, or across the VPN without a problem, and there are no errors logged on the IPsec VPN. It appears as if policies have locked down the server from anything outside of its 192.168.91.0 subnet because it can't connect to the domain.
I've looked at this MS KB:
Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
but this is a 10/100 switch and NIC, so it shouldn't have anything to do with a Gigabit Ethernet device.
This KB has more promise: How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
but why would this occur all of a sudden? I may be able to adjust the VPN settings not to fragment instead.
This is the event ID:
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Time: 12:29:31 PM
This computer was not able to set up a secure session with a domain controller in domain CORP due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
0000: 5e 00 00 c0
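The two things the post is reasoning about, the meaning of the event data bytes and whether large UDP Kerberos packets can survive the IPsec-over-ADSL path, can both be checked from the server itself. The script below is an added example, not part of the original post or of either KB article. It assumes PowerShell 2.0 or later has been installed on the Windows Server 2003 box and is run from an administrative session; the domain controller address `10.0.0.10` and the parameter names `-DcAddress` and `-Apply` are assumptions chosen for illustration. The registry value it touches (`MaxPacketSize` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`, set to 1 to force Kerberos onto TCP) is the setting the second KB describes.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0+ on the
# Windows Server 2003 box, an elevated session, and that $DcAddress is a domain
# controller on the far side of the VPN. The default address is an assumption.
param(
    [string]$DcAddress = '10.0.0.10',
    [switch]$Apply
)

# 1. Decode the data bytes of the NETLOGON 5719 event. The data is a
#    little-endian NTSTATUS, so "5e 00 00 c0" reads as 0xC000005E.
function Decode-NetlogonStatus([string]$HexBytes) {
    $clean = ($HexBytes -replace '^\s*[0-9a-fA-F]+:\s*', '').Trim()
    $bytes = [byte[]]($clean -split '\s+' | ForEach-Object { [Convert]::ToByte($_, 16) })
    $hex = '{0:X8}' -f [BitConverter]::ToUInt32($bytes, 0)
    $known = @{ 'C000005E' = 'STATUS_NO_LOGON_SERVERS';
                'C000018A' = 'STATUS_NO_TRUST_LSA_SECRET';
                'C0000233' = 'STATUS_DOMAIN_CONTROLLER_NOT_FOUND' }
    if ($known.ContainsKey($hex)) { return "0x$hex $($known[$hex])" }
    return "0x$hex (NTSTATUS not in this short table)"
}

# 2. Binary-search the largest ICMP echo that reaches the DC with DF set.
#    ping -f sets Don't Fragment, -l is the payload size. A ceiling well below
#    1472 means the tunnel (IPsec + PPPoE overhead) has shrunk the path MTU,
#    which is exactly what breaks a UDP Kerberos reply that relies on fragments.
function Find-PathMtu([string]$Target) {
    $low = 100; $high = 1472; $best = 0
    while ($low -le $high) {
        $size = [int][math]::Floor(($low + $high) / 2)
        $reply = (ping -n 1 -w 2000 -f -l $size $Target) -join ' '
        if ($reply -match 'TTL=') { $best = $size; $low = $size + 1 }
        else { $high = $size - 1 }
    }
    if ($best -eq 0) { return 0 }
    return $best + 28   # payload + 20-byte IP header + 8-byte ICMP header
}

# 3. The Kerberos transport setting from the KB the post cites.
#    MaxPacketSize = 1 makes every Kerberos exchange use TCP, so no UDP
#    datagram ever needs to be fragmented across the VPN.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    $item = Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (OS default: Kerberos tries UDP first)' }
    return $item.MaxPacketSize
}

function Set-KerberosTcpOnly {
    if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
    # New-ItemProperty -Force overwrites an existing value and fixes the type.
    New-ItemProperty -Path $kerbKey -Name MaxPacketSize -Value 1 -PropertyType DWord -Force | Out-Null
}

'NETLOGON 5719 data: ' + (Decode-NetlogonStatus '0000: 5e 00 00 c0')

$mtu = Find-PathMtu $DcAddress
if ($mtu -eq 0) {
    "No DF-flagged ping reached $DcAddress at any size; fix routing/VPN reachability before touching Kerberos."
} else {
    "Largest unfragmented IP packet to ${DcAddress}: $mtu bytes"
}

'Kerberos MaxPacketSize: ' + (Get-KerberosMaxPacketSize)
if ($Apply) {
    Set-KerberosTcpOnly
    'MaxPacketSize set to 1 (Kerberos over TCP). Reboot the server for it to take effect.'
}
```

Run it without `-Apply` first: it only decodes the event (0xC000005E is STATUS_NO_LOGON_SERVERS, the code behind "There are currently no logon servers available") and reports the path MTU and the current registry value. Two caveats: the ICMP probe measures the path from this server toward the DC, while the packet that actually gets lost is the DC's UDP reply coming back, so a healthy-looking MTU does not fully rule out fragment drops on the return path; and forcing TCP on the client is a workaround for the symptom, whereas lowering the tunnel MTU or enabling TCP MSS clamping on the PIX (the "adjust the VPN settings not to fragment" option the post mentions) addresses the cause for every protocol, not just Kerberos.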