2003 DC issues over VPN
Posted on 2009-05-09
I have a small network with several branch offices.
- Main office has the FSMO w/another DC and four branch offices all have DCs with DNS local.
- Branch office has 5 PCs each with a local SQL server.
- The branch offices were connected via RRAS VPN.
- That RRAS server died. (long story)
- The powers that be decided to do Router to Router VPNs via Astaro 120's with IPSEC at 128 and auto filter. The VPN is wide open and no packet filtering.
- The branch offices were offline for 5 months
- Reconnected the DCs from branch office to main office.
- Some replication is occurring, like accounts
- The branch office can not access the main office resources such as shares and SQL.
- Remote desktop works from branch to main office.
- All Antivirus has been removed from the servers at main FSMO and branch DCs.
- All ports are open across the VPN and no port or packet filtering is taking place. It is wide open.
- No local firewall software is running on any of the servers
- All Anti-spyware software has been removed
- All Servers and routers are current with security updates
- DNS is resolving both by IP and Name, both FQDN and by NetBIOS names, at all sites
- All devices are pingable by IP and Name on both sides of the VPN
- Active Directory Replication is occurring but with issues
- Devices from Main office CAN access ALL shared resources on the branch DC's and network via the VPN
- All netdiag tests PASSed on both ends of the VPN at each site
- All routing is routing correctly
- The local branch sites have the Kerberos tickets for the Main office servers
- Branches cannot access shared resources by Name at Main office in the GUI or command line, which gives a System 5 error, BUT they can access all resources by IP address
- Branches: errors are occurring with Kerberos when authentication is attempted
- Branches: errors are occurring when SQL authentication is attempted, and the returned error is SSPI
- Branches are stating replication errors in Active Directory
- Main Office server(s) appear to be missing the Kerberos tickets for authentication for the remote sites
- Kerberos error in log at Main Office; all fields are blank in the log event.
What I do not know:
- Is the VPN not forwarding the Kerberos tickets for authentication?
- Does Active Directory have some sort of unknown issue with Kerberos?
- Is SQL Security not binding correctly with Active Directory?
Somehow I feel the delay in getting the branch office back online has caused something to get out of sync.
Pulling out my hair, would like some direction on a resolution and what logs I need to post here.