Luciano Patrão asked:
Windows 2008 DC DNS/Replications Issues

Hi

I have a DMZ with Sharepoint 2007 and a RODC.

I need this Sharepoint to authenticate AD users through this RODC. But I cannot replicate this RODC with the internal DC.

I can connect with LDAP without any problem. I have used the tool Softerra LDAP Administrator to test the communication between these two servers, and there are no issues here.

I can telnet to and from both servers on RPC port 135, but still cannot replicate these 2 DCs.

Is there any other process to replicate these 2 servers?

I have never created an RODC in a DMZ, so I need to understand this.

All Windows are 2008 R2

Thank You

Jail
ASKER CERTIFIED SOLUTION by Mike Kline (solution text is members-only and not included on this page)
SOLUTION (solution text is members-only and not included on this page)
Mike gave you the correct documentation :)
Luciano Patrão (asker):
Hi

I would like to thank you both for the replies.

@mkline71 Regarding port 135 or others, I know that replication uses other ports; I only added this as an example, because I have tested several to see if both servers connect to each other.

And I have seen that second article regarding the ports/firewall.

I will check that white paper.

The odd thing is that I can telnet to all the ports, but still can't replicate. Both Windows servers have the firewall disabled.

@snusgubben yes, I have thought of that. I have seen some articles on how to implement this. But before I try or even go to IPSec I want to replicate this, or understand why these servers are not replicating.

This is one article.
http://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/5238083

I forgot to mention that the RODC is in another domain site that we called DMZ. I don't think this makes a difference, but just to add more info.

Thank You

Jail
SOLUTION (solution text is members-only and not included on this page)
Hi

Since I can telnet to and from both servers, I don't think changing the replication port will add any advantage on this issue.

Jail
Have you looked at DCDIAG and NETDIAG to see if you can spot anything, since all ports are open?

i.e. run from a RWDC:

dcdiag /v /e /c /f:dcdiag.txt

netdiag /v > netdiag.txt
gtfiji:
Being able to telnet to port 135 is irrelevant to what Mike and I are saying.  Active Directory replication is nothing like a file transfer.  Whatever you know about SMB file transfers and port 135, forget it.  Active Directory replication is configured to use dynamically chosen random high port numbers, as the link that Mike sent you described.  Only the procedure in the link that I sent you can change that to go over a specific port, such as 135.
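One way to check what gtfiji describes, as an added example that is not from the thread: a PowerShell script run from one DC toward the other (assumed target name DCInternal01 from the thread; the port list and the 49152-65535 dynamic RPC range are Windows Server 2008 R2 defaults, and the NTDS "TCP/IP Port" value is the registry setting from the linked procedure). It reports "Filtered" versus "Refused" so that a closed-looking high port is not mistaken for a blocked one.

```powershell
# Added example (not from the thread). Probes every TCP port a DMZ DC needs
# to reach an internal DC and tells 'Filtered' (firewall drops the packet)
# apart from 'Refused' (packet arrives, nothing listens). That distinction is
# the only way to judge the dynamic RPC range, where nothing listens on a
# given port until replication actually binds it.
# Assumptions: 2008 R2 default dynamic range 49152-65535; .NET TcpClient is
# used because 2008 R2 has no Test-NetConnection.
param(
    [Parameter(Mandatory=$true)][string]$TargetDC,  # e.g. DCInternal01
    [int]$FixedReplPort = 0,  # only if the target pins NTDS "TCP/IP Port" (KB224196)
    [int]$TimeoutMs = 2000
)

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Filtered' }
        $client.EndConnect($ar)
        return 'Open'
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }  # unwrap PowerShell's wrapper
        if ($e -is [System.Net.Sockets.SocketException] -and
            $e.SocketErrorCode -eq 'ConnectionRefused') { return 'Refused' }
        return "Error: $($e.Message)"
    } finally { $client.Close() }
}

# Fixed ports a DC needs besides the dynamic RPC range.
$ports = @{ 'RPC endpoint mapper'=135; 'LDAP'=389; 'LDAPS'=636; 'Kerberos'=88;
            'Kerberos kpasswd'=464; 'SMB'=445; 'Global Catalog'=3268; 'DNS'=53 }

# Replication itself lands on whatever port the endpoint mapper hands out,
# so sample the dynamic range unless it was pinned to one port.
if ($FixedReplPort -gt 0) { $ports['NTDS fixed port'] = $FixedReplPort }
else { foreach ($p in 49152, 50000, 60000, 65535) { $ports["dynamic RPC $p"] = $p } }

$results = foreach ($name in $ports.Keys) {
    New-Object PSObject -Property @{
        Service = $name; Port = $ports[$name]
        Result  = Test-TcpPort $TargetDC $ports[$name] $TimeoutMs
    }
}
$results | Sort-Object Port | Format-Table Port, Service, Result -AutoSize
# Reading it: 'Refused' in the dynamic range is fine (nothing bound yet);
# 'Filtered' there means replication will fail even though 135 is 'Open'.
```

Run it in both directions, since an RODC pulls replication inbound and must itself reach the writable DC on these ports.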
Hi

@gtfiji yes, you are right. My mistake, sorry.
I did not find any article related to 2008 for changing those ports; I have tried to change it using the one from 2003, and did not see any improvements.

@snusgubben Netdiag doesn't exist in 2008 R2; we can use the one from 2003, but for now I don't have the 64-bit version.

I have run the dcdiag, and I have attached the log file.
To understand the log:
DCInternal01 is my DC1
DC-RODC01 is another DC that I have in another site and is working without any issues.
DCDMZ is the problem DC that is in a site called DMZ.

I also tried to create an IPSec connection between these 2 DCs, and after I created the policy on the internal DC to DMZ and from DCDMZ to the internal DC, the DMZ DC started to get stuck and I cannot even ping that server.

A question: if I remove this DMZ DC and create an IPSec policy from the Sharepoint to my internal DC, will I get authentication? Maybe with this I can bypass these issues.

Thank you again for all the help

Jail
Attachment: dcdiag.txt
I thought you had opened all ports from the DMZ DC to your internal network... so never mind the dcdiag. Without RPC connectivity it will fail most of the tests.

You can have a domain member in a DMZ and use IPSec for communication. I don't know your budget, but the best approach would be to move your SP to the internal network and use an ISA/TMG in the DMZ publishing the sites.

Hi

And all the ports are open for testing to and from these 2 servers.

Now I have moved the DC into my internal network and will try to replicate this server. I just changed the IP and it is on the internal network.

I will try to replicate this DC internally to see if it works. If it works inside, it must work in the DMZ.

Regarding the publishing, we have other servers in the DMZ and they are working without any issues.

I have seen articles (need to search again) regarding Sharepoint authentication from the DMZ to the internal domain, and I think they use an IPSec policy for this.

Jail
Hi

Well, after bringing the server back into the network it starts to replicate without any issues :(

I hate when you spend 2 days (or more) trying to figure out a problem, and you trust what the customer has told you.

So this DMZ is not connecting to the internal network.

They have a Checkpoint firewall that sets these rules between these networks.

Since I do not know the Checkpoint firewalls very well, I will try to search to see how these rules must be applied, and check if this is what they have on that firewall.

Will update this question soon.

Thank You all

Jail
Hi

I have passed this problem to the customer.

He needs to change his DMZ or the firewall between these 2 networks.

I will close this question.

Thank you all for the help

Jail