Solved

Windows 2008 DC DNS/Replications Issues

Posted on 2011-02-15
Last Modified: 2012-05-11
Hi

I have a DMZ with Sharepoint 2007 and a RODC.

I need this Sharepoint to authenticate AD users through this RODC. But I cannot replicate this RODC to the internal DC.

I can connect with LDAP without any problem. I have used the tool Softerra LDAP Administrator to test the communication between these two servers, and no issues here.

I can telnet to and from both servers on RPC port 135, but still cannot replicate these 2 DCs.

Is there any other process to replicate these 2 servers?

Never created a RODC on a DMZ so I need to understand this.

All Windows servers are 2008 R2

Thank You

Jail
Question by:Luciano Patrão
13 Comments
 

Accepted Solution

by: Mike Kline (earned 700 total points)
ID: 34898652
Full disclosure >> we have no RODCs in our DMZ so I haven't done this in production.

Did you see the white paper on this?
http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

You need more than port 135 (endpoint mapper) for AD replication: http://technet.microsoft.com/en-us/library/bb727063.aspx

Thanks

Mike

 

Assisted Solution

by: snusgubben (earned 700 total points)
ID: 34898686
Replication is done over random RPC ports, along with the initial RPC end-point mapper (TCP 135).

If you want to avoid opening TCP 1024-65xxx you could enable IPSec on both ends.
 

Expert Comment

by: snusgubben
ID: 34898700
Mike gave you the correct documentation :)

Author Comment

by: Luciano Patrão
ID: 34900602
Hi

I would like to thank you both for the replies.

@mkline71 Regarding port 135 or the others, I know that replication uses other ports, I only added this as an example. Because I have tested several to see if both Servers connect to each other.

And I have seen that second article regarding the ports/Firewall

I will check that white paper.

The odd thing is that I can telnet to all the ports, but still can't replicate. Both Windows servers have the firewall disabled.

@snusgubben yes I have thought of that. I have seen some articles on how to implement this. But before I try or even go to IPSec I want to replicate this, or understand why these servers are not replicating.

This is one article.
http://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/5238083

Forgot to mention that the RODC is in another Domain Site that we call DMZ. Don't think that this can make a difference, but just to add more info.

Thank You

Jail
 

Assisted Solution

by: gtfiji (earned 600 total points)
ID: 34903150
It was possible in Windows Server 2003 to force domain controllers to replicate over a specific port, as indicated here:

http://support.microsoft.com/kb/555381

I can't find any reference to doing the same thing with Server 2008.  Also, I seem to remember configuring AD replication to run over a certain port was an unsupported solution, although I couldn't find any reference to that in looking for it online just now.  I think the IPSec traffic referred to above is the most elegant solution.
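The two points the experts make above (replication needs TCP 135 plus a dynamically assigned RPC port, and the RPC port can be pinned through the registry) can be verified from the servers themselves rather than by telnet alone. The following PowerShell is an added example, not code from the thread or from either expert. It assumes PowerShell 2.0 on Windows Server 2008 R2 (so it uses System.Net.Sockets.TcpClient instead of the later Test-NetConnection cmdlet), and the host name DCInternal01.example.local is an assumed placeholder. Run Test-ADReplicationPorts on the RODC against the writable DC, and Get-RpcListenerConfig locally on the writable DC.

```powershell
# Added example (not from the thread). Run Test-ADReplicationPorts on the RODC against
# the writable DC, and Get-RpcListenerConfig locally on the writable DC.

function Test-TcpPort {
    # Connects to one TCP port with a timeout, so a firewall that silently drops
    # packets reports 'closed' quickly instead of hanging for the OS default.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ADReplicationPorts {
    # Probes the fixed ports DC-to-DC traffic depends on. The dynamic RPC port is
    # deliberately not in this list: it is only known after asking the endpoint mapper,
    # which is exactly why a firewall rule for 135 alone is not enough.
    param([string]$ComputerName = 'DCInternal01.example.local')   # assumed placeholder
    $fixedPorts = @(
        @{ Port = 53;   Service = 'DNS' },
        @{ Port = 88;   Service = 'Kerberos' },
        @{ Port = 135;  Service = 'RPC endpoint mapper' },
        @{ Port = 389;  Service = 'LDAP' },
        @{ Port = 445;  Service = 'SMB (SYSVOL)' },
        @{ Port = 464;  Service = 'Kerberos password change' },
        @{ Port = 636;  Service = 'LDAPS' },
        @{ Port = 3268; Service = 'Global catalog' }
    )
    foreach ($entry in $fixedPorts) {
        New-Object PSObject -Property @{
            Target  = $ComputerName
            Port    = $entry.Port
            Service = $entry.Service
            Open    = Test-TcpPort -ComputerName $ComputerName -Port $entry.Port
        }
    }
}

function Get-RpcListenerConfig {
    # Reports, on the local DC, the range the dynamic RPC port will be picked from and
    # whether NTDS has been pinned to a fixed port via the 'TCP/IP Port' registry value.
    $range = & netsh.exe interface ipv4 show dynamicport tcp
    $startMatch = $range | Select-String 'Start Port\s*:\s*(\d+)'
    $countMatch = $range | Select-String 'Number of Ports\s*:\s*(\d+)'
    $start = 0; $count = 0
    if ($startMatch) { $start = [int]$startMatch.Matches[0].Groups[1].Value }
    if ($countMatch) { $count = [int]$countMatch.Matches[0].Groups[1].Value }
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $pinned = $null
    if ($ntds -and $ntds.PSObject.Properties['TCP/IP Port']) { $pinned = $ntds.'TCP/IP Port' }
    New-Object PSObject -Property @{
        DynamicRangeStart = $start
        DynamicRangeEnd   = $start + $count - 1
        PinnedNtdsPort    = $pinned    # $null means replication uses a dynamic port
    }
}

# Usage:
# Test-ADReplicationPorts -ComputerName 'DCInternal01.example.local' | Format-Table Port, Service, Open -AutoSize
# Get-RpcListenerConfig
```

If every fixed port reports Open but replication still fails, the firewall between the two networks must also pass the range Get-RpcListenerConfig reports on the writable DC (or the single pinned port, if PinnedNtdsPort is set), which matches the outcome of this thread.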
 

Author Comment

by: Luciano Patrão
ID: 34906989
Hi

Since I can telnet to and from both servers, I don't think changing the replication port will add any advantage on this issue

Jail
 

Expert Comment

by: snusgubben
ID: 34907019
Have you looked at DCDIAG and NETDIAG if you can spot anything since all ports are open?

i.e. run from a RWDC:

dcdiag /v /e /c /f:dcdiag.txt

netdiag /v > netdiag.txt
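One way to run the DCDIAG pass suggested above and also ask the directory itself which replication links are failing, as an added PowerShell example (not code from the thread or from snusgubben). It assumes it runs in an elevated PowerShell on a writable DC where dcdiag.exe and repadmin.exe are available (repadmin is a standard DC tool but is not mentioned in the thread), and the log path is an assumed placeholder.

```powershell
# Added example (not from the thread). Run on a writable DC in an elevated PowerShell.

function Get-DcDiagSummary {
    # Runs the verbose, enterprise-wide, comprehensive pass from the post above, keeps the
    # full log on disk, and returns one object per test result for sorting and filtering.
    param([string]$LogPath = (Join-Path $env:TEMP 'dcdiag.txt'))   # assumed placeholder path
    & dcdiag.exe /v /e /c "/f:$LogPath" | Out-Null
    $results = @()
    foreach ($line in (Get-Content $LogPath)) {
        # dcdiag ends each test with a line such as
        #   "......................... DCINTERNAL01 passed test Connectivity"
        if ($line -match '\.{3,}\s+(\S+)\s+(passed|failed) test (\S+)') {
            $results += New-Object PSObject -Property @{
                DC     = $matches[1]
                Test   = $matches[3]
                Passed = ($matches[2] -eq 'passed')
            }
        }
    }
    return $results
}

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv emits one row per inbound replication link on every DC;
    # rows with a non-zero failure count are the partners that could not be reached.
    # Unreachable DCs produce short error rows with no failure count, so guard for that.
    $rows = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { $_.'Number of Failures' -and [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# Usage:
# Get-DcDiagSummary | Where-Object { -not $_.Passed } | Format-Table DC, Test -AutoSize
# Get-ReplicationFailures | Format-Table -AutoSize
```

A 'Last Failure Status' of 1722 (RPC_S_SERVER_UNAVAILABLE, "The RPC server is unavailable") on the DMZ link is the usual signature of a firewall passing port 135 but dropping the dynamic RPC port, which is the situation this thread ends up describing.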
 

Expert Comment

by: gtfiji
ID: 34907568
Being able to telnet to port 135 is irrelevant to what Mike and I are saying.  Active Directory replication is nothing like a file transfer.  Whatever you know about SMB file transfers and port 135, forget it.  Active Directory replication is configured to use dynamically chosen random high port numbers, as the link that Mike sent you described.  Only the procedure in the link that I sent you can change that to go over a specific port, such as 135.
 

Author Comment

by: Luciano Patrão
ID: 34908595
Hi

@gtfiji yes you are right. My mistake, sorry.
I did not find any article related to 2008 for changing those ports. I have tried to change it using the one from 2003, and did not see any improvements.

@snusgubben Netdiag doesn't exist in 2008 R2; we can use the one from 2003, but for now I don't have the 64-bit version.

I have run the dcdiag, and I have attached the log file.
To understand the log:
DCInternal01 is my DC1
DC-RODC01 is another DC that I have in another site and is working without any issues.
DCDMZ is the problem DC that is in a site called DMZ

I also tried to create an IPSec between these 2 DCs, and after I created the Policy on the internal DC to DMZ and from DCDMZ to the internal DC, the DMZDC started to get stuck and I could not even ping that server.

A question: if I remove this DMZ DC and create an IPSec Policy from the Sharepoint to my Internal DC, will I get authentication? Maybe with this I can bypass these issues.

Thank you again for all the help

Jail
dcdiag.txt
 

Expert Comment

by: snusgubben
ID: 34908893
I thought you had opened all ports from the DMZ DC to your internal network... so never mind the dcdiag. Without RPC connectivity it will fail most of the tests.

You can have a domain member in a DMZ and use IPSec for communication. I don't know your budget, but the best approach would be to move your SP to the internal network and use an ISA/TMG in the DMZ publishing the sites.

 

Author Comment

by: Luciano Patrão
ID: 34909043
Hi

And all the ports are open for testing to and from these 2 servers.

Now I have moved the DC into my internal network and will try to replicate this server. I just changed the IP and it is on the Internal Network.

I will try to replicate this DC internally to see if it works. If it works inside, it must work in the DMZ.

Regarding the publishing, we have other servers in the DMZ and they are working without any issues.

I have seen articles (need to search again) regarding Sharepoint authentication from the DMZ to the internal Domain, and I think they use an IPSec Policy for this.

Jail
 

Author Comment

by: Luciano Patrão
ID: 34917029
Hi

Well, after bringing the server back into the network it starts to replicate without any issues :(

I hate it when you spend 2 days (or more) trying to figure out a problem, and you trust what the customer has told you.

So this DMZ is not connecting to the internal network.

They have a Checkpoint Firewall that sets these rules between these networks..

Since I do not know the Checkpoint firewalls very well, I will try to search to see how these rules must be applied, and check if this is what they have on that firewall.

Will update this question soon.

Thank You all

Jail
 

Author Closing Comment

by: Luciano Patrão
ID: 34941692
Hi

I have passed this problem to the customer.

He needs to change his DMZ or the Firewall between these 2 networks.

I will close this question.

Thank you all for the help

Jail