Solved

Windows 2008 DC DNS/Replications Issues

Posted on 2011-02-15
849 Views
Last Modified: 2012-05-11
Hi

I have a DMZ with Sharepoint 2007 and an RODC.

I need this Sharepoint to authenticate AD users through this RODC. But I cannot replicate this RODC to the internal DC.

I can connect with LDAP without any problem. I have used the tool Softerra LDAP Administrator to test the communication between these two servers, and no issues here.

I can telnet to and from both servers on RPC port 135, but still cannot replicate these 2 DCs.

Is there any other process to replicate these 2 servers?

Never created an RODC on a DMZ so I need to understand this.

All Windows are 2008 R2

Thank You

Jail
Question by:Luciano Patrão
13 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 175 total points
ID: 34898652
Full disclosure >> we have no RODCs in our DMZ so I haven't done this in production.

Did you see the white paper on this?
http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

You need more than port 135 (endpoint mapper) for AD replication: http://technet.microsoft.com/en-us/library/bb727063.aspx

Thanks

Mike

0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 175 total points
ID: 34898686
Replication is done over random RPC ports, along with the initial RPC end-point mapper (TCP 135).

If you want to avoid opening TCP 1024-65xxx you could enable IPSec on both ends.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34898700
Mike gave you the correct documentation :)
0
 
LVL 22

Author Comment

by:Luciano Patrão
ID: 34900602
Hi

I would like to thank you both for the replies.

@mkline71 Regarding port 135 or others, I know that replication uses other ports, I only added this as an example, because I have tested several to see if both servers connect to each other.

And I have seen that second article regarding the ports/firewall.

I will check that white paper.

The odd thing is that I can telnet to all the ports, but still can't replicate. Both Windows have the firewall disabled.

@snusgubben yes I have thought of that. I have seen some articles on how to implement this. But before I try or even go to IPSec I will try to replicate this, or understand why these servers are not replicating.

This is one article.
http://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/5238083

Forgot to mention that the RODC is in another Domain Site that we called DMZ. Don't think that this can make a difference, but just to add more info.

Thank You

Jail
0
 
LVL 2

Assisted Solution

by:gtfiji
gtfiji earned 150 total points
ID: 34903150
It was possible in Windows Server 2003 to force domain controllers to replicate over a specific port, as indicated here:

http://support.microsoft.com/kb/555381

I can't find any reference to doing the same thing with Server 2008. Also, I seem to remember that configuring AD replication to run over a certain port was an unsupported solution, although I couldn't find any reference to that in looking for it online just now. I think the IPSec traffic referred to above is the most elegant solution.
0
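As an added example, not code from any of the posters: a PowerShell script that shows both points made above, whether the local DC's replication listener is pinned to a fixed port (the NTDS "TCP/IP Port" registry value) or uses the RPC dynamic range handed out by the endpoint mapper, then probes a partner DC for the fixed, well-known AD ports and asks repadmin for the real replication status. The partner name is a placeholder; it assumes PowerShell 2.0 or later on a 2008 R2 DC, where Test-NetConnection is not available.

```powershell
# Added example, not code from the thread. Run on a DC (PowerShell 2.0+).
# $Partner is a placeholder; replace with the replication partner's name.
$Partner = 'DCInternal01'

# Well-known ports a DC needs besides RPC: LDAP, Kerberos, DNS, SMB (SYSVOL).
$KnownPorts = @{ 'RPC endpoint mapper' = 135; 'LDAP' = 389; 'Kerberos' = 88;
                 'DNS' = 53; 'SMB/SYSVOL' = 445 }

function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TCP connect with a timeout; works where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)          # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. How is this DC's replication listener configured: pinned or dynamic?
$ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$pinned = (Get-ItemProperty -Path $ntds -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
if ($pinned) {
    "Replication is pinned to TCP $pinned (NTDS 'TCP/IP Port' is set)."
} else {
    # Otherwise the endpoint mapper hands out a port from the dynamic range.
    $range = netsh int ipv4 show dynamicport tcp | Out-String
    $start = [int][regex]::Match($range, 'Start Port\s*:\s*(\d+)').Groups[1].Value
    $num   = [int][regex]::Match($range, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
    "Replication uses the dynamic RPC range TCP $start-$($start + $num - 1); the firewall must allow it (or use IPsec)."
}

# 2. Probe the partner for the fixed ports. A dynamic port cannot be probed in
#    advance (the partner picks it at run time), so the real test is repadmin, run last.
foreach ($name in $KnownPorts.Keys) {
    $port  = $KnownPorts[$name]
    $state = if (Test-TcpPort $Partner $port) { 'open' } else { 'BLOCKED' }
    "{0,-20} TCP {1,-5} {2}" -f $name, $port, $state
}

# 3. Ask AD itself: repadmin reports the partner's last replication attempt and its result.
repadmin /showrepl $Partner
```

A port reported as BLOCKED here while telnet succeeds from the other direction usually points at an asymmetric firewall rule between the sites rather than at the DCs themselves.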
 
LVL 22

Author Comment

by:Luciano Patrão
ID: 34906989
Hi

Since I can telnet from and through both servers, I don't think changing the replication port will add any advantage on this issue.

Jail
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34907019
Have you looked at DCDIAG and NETDIAG to see if you can spot anything, since all ports are open?

i.e. run from an RWDC:

dcdiag /v /e /c /f:dcdiag.txt

netdiag /v > netdiag.txt
0
 
LVL 2

Expert Comment

by:gtfiji
ID: 34907568
Being able to telnet to port 135 is irrelevant to what Mike and I are saying. Active Directory replication is nothing like a file transfer. Whatever you know about SMB file transfers and port 135, forget it. Active Directory replication is configured to use dynamically chosen random high port numbers, as the link that Mike sent you described. Only the procedure in the link that I sent you can change that to go over a specific port, such as 135.
0
 
LVL 22

Author Comment

by:Luciano Patrão
ID: 34908595
Hi

@gtfiji yes you are right. My mistake, sorry.
Did not find any article related to 2008 for changing those ports. I have tried to change it using that one from 2003, did not see any improvements.

@snusgubben Netdiag doesn't exist in 2008 R2; we can use the one from 2003, but for now I don't have the 64-bit version.

I have run the dcdiag, and I have attached the log file.
To understand the log:
DCInternal01 is my DC1
DC-RODC01 is another DC that I have in another site and is working without any issues.
DCDMZ is the problem DC that is in a site called DMZ

I also tried to create an IPSec policy between these 2 DCs, and after I created the policy on the internal DC to DMZ and from DCDMZ to the internal DC, the DMZDC started to get stuck and I could not even ping that server.

A question: if I remove this DMZ DC and create an IPSec policy from the Sharepoint into my internal DC, will I get authentication? Maybe with this I can bypass these issues.

Thank you again for all the help

Jail
dcdiag.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34908893
I thought you had opened all ports from the DMZ DC to your internal network... so never mind the dcdiag. Without RPC connectivity it will fail most of the tests.

You can have a domain member in a DMZ and use IPSec for communication. I don't know your budget, but the best approach would be to move your SP to the internal network and use an ISA/TMG in the DMZ publishing the sites.

0
 
LVL 22

Author Comment

by:Luciano Patrão
ID: 34909043
Hi

And all the ports are open for testing to and from these 2 servers.

Now I have moved the DC into my internal network and will try to replicate this server. Just changed the IP and it is on the internal network.

I will try to replicate this DC internally to see if it works. If it works inside, it must work in the DMZ.

Regarding the publishing, we have other servers in the DMZ and they are working without any issues.

I have seen articles (need to search again) regarding Sharepoint authentication from the DMZ to the internal domain, and I think they use an IPSec policy for this.

Jail
0
 
LVL 22

Author Comment

by:Luciano Patrão
ID: 34917029
Hi

Well, after bringing the server back into the network it starts to replicate without any issues :(

I hate it when you spend 2 days (or more) trying to figure out a problem, and you trust what the customer has told you.

So this DMZ is not connecting to the internal network.

They have a Checkpoint firewall that sets these rules between these networks.

Since I do not know the Checkpoint firewalls very well, I will try to search to see how these rules must be applied, and check if this is what they have on that firewall.

Will update this question soon.

Thank You all

Jail
0
 
LVL 22

Author Closing Comment

by:Luciano Patrão
ID: 34941692
Hi

I have passed this problem to the customer.

He needs to change his DMZ or the firewall between these 2 networks.

I will close this question.

Thank you all for the help

Jail
0
