Solved

Windows 2008 DC DNS/Replications Issues

Posted on 2011-02-15
Last Modified: 2012-05-11
Hi

I have a DMZ with SharePoint 2007 and an RODC.

I need this SharePoint to authenticate AD users through this RODC. But I cannot replicate this RODC to the internal DC.

I can connect with LDAP without any problem. I have used the tool Softerra LDAP Administrator to test the communication between these two servers, and there are no issues there.

I can telnet to and from both servers on RPC port 135, but still cannot replicate these 2 DCs.

Is there any other process to replicate these 2 servers?

I have never created an RODC in a DMZ, so I need to understand this.

All Windows are 2008 R2

Thank You

Jail
Question by: Luciano Patrão
13 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 700 total points
ID: 34898652
Full disclosure  >> we have no RODCs in our DMZ so I haven't done this in production.

Did you see the white paper on this  
http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)

You need more than port 135 (endpoint mapper) for AD replication: http://technet.microsoft.com/en-us/library/bb727063.aspx

Thanks

Mike

0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 700 total points
ID: 34898686
Replication is done over random RPC ports, along with the initial RPC end-point mapper (TCP 135).

If you want to avoid opening TCP 1024-65xxx you could enable IPSec on both ends.
0
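The port lists Mike and snusgubben point at are the thing to verify from the DMZ side, and a plain telnet to 135 does not cover it. The PowerShell below is an added example (not code from the thread or from any of the posters): it probes, from the DMZ host, the fixed TCP ports an RODC needs on its writable partner and then a sample of the dynamic RPC range, and it distinguishes a refused connection (the DC answered) from a timeout (a firewall dropped the packet). The target name is an assumption; UDP-only traffic (DNS, Kerberos, NTP) cannot be checked with a TCP connect.

```powershell
# Added example, not code from the thread. Probe, from the DMZ host, the TCP
# ports an RODC needs on its writable replication partner. The target name is
# an assumption; UDP (53/88/123/389) cannot be checked with a TCP connect.
$Target    = "DCInternal01.corp.example"   # assumed FQDN of the internal writable DC
$TimeoutMs = 2000

# Fixed TCP ports AD DS uses between an RODC and a writable DC.
$fixedPorts = @{
    53   = "DNS"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    389  = "LDAP"
    445  = "SMB (SYSVOL, Netlogon)"
    464  = "Kerberos password change"
    636  = "LDAPS"
    3268 = "Global Catalog"
    3269 = "Global Catalog over SSL"
}

# Returns "open", "refused", "timeout" or "error". The distinction matters:
# "refused" means the DC answered with a RST, so nothing in between dropped the
# packet; "timeout" is the signature of a firewall silently dropping it.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return "timeout" }
        $client.EndConnect($async)          # throws SocketException if refused
        return "open"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and $ex.ErrorCode -eq 10061) {
            return "refused"                # WSAECONNREFUSED: host reachable, port closed
        }
        return "error"
    } finally {
        $client.Close()
    }
}

"== Fixed ports on $Target =="
foreach ($port in ($fixedPorts.Keys | Sort-Object)) {
    $state = Test-TcpPort -Computer $Target -Port $port -Timeout $TimeoutMs
    "{0,5}  {1,-26} {2}" -f $port, $fixedPorts[$port], $state
}

# Replication itself (DRS over RPC) runs on a port the DC picks from its dynamic
# range when the NTDS service starts. On Windows Server 2008 and later the default
# range is TCP 49152-65535 (2003 used 1025-5000); read the DC's real range with
#   netsh int ipv4 show dynamicport tcp
# A firewall that passes only the fixed ports above still breaks replication, and
# "telnet to 135 works but replication fails" is exactly how that looks. Probing
# a handful of ports in the range is enough: "refused" proves the path is open,
# "timeout" on every one of them is the firewall.
"== Sample of the dynamic RPC range on $Target =="
foreach ($port in 49152, 51000, 55000, 60000, 65535) {
    $state = Test-TcpPort -Computer $Target -Port $port -Timeout $TimeoutMs
    "{0,5}  {1}" -f $port, $state
}
```

Run it from the DMZ DC against the internal DC and again in the other direction; replication is pulled by the RODC, but Kerberos, DNS and the endpoint mapper are used both ways. The script uses System.Net.Sockets.TcpClient rather than Test-NetConnection because the latter is not available on 2008 R2.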
 
LVL 21

Expert Comment

by:snusgubben
ID: 34898700
Mike gave you the correct documentation :)
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 34900602
Hi

I would like to thank you both for the replies.

@mkline71 Regarding port 135 or the others, I know that replication uses other ports; I only added this as an example, because I have tested several to see if both servers connect to each other.

And I have seen that second article regarding the ports/firewall.

I will check that white paper.

The odd thing is that I can telnet to all the ports, but still can't replicate. Both Windows servers have the firewall disabled.

@snusgubben yes, I have thought of that. I have seen some articles on how to implement this. But before I try, or even go to IPSec, I want to replicate this, or understand why these servers are not replicating.

This is one article.
http://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/5238083

Forgot to mention that the RODC is in another domain site that we called DMZ. I don't think that this can make a difference, but just to add more info.

Thank You

Jail
0
 
LVL 2

Assisted Solution

by:gtfiji
gtfiji earned 600 total points
ID: 34903150
It was possible in Windows Server 2003 to force domain controllers to replicate over a specific port, as indicated here:

http://support.microsoft.com/kb/555381

I can't find any reference to doing the same thing with Server 2008.  Also, I seem to remember configuring AD replication to run over a certain port was an unsupported solution, although I couldn't find any reference to that in looking for it online just now.  I think the IPSec traffic referred to above is the most elegant solution.
0
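The registry values that restrict AD replication RPC traffic to a fixed port are the same on 2008 R2 as on 2003: NTDS reads "TCP/IP Port" and Netlogon reads "DCTcpipPort", both REG_DWORD values under the respective service's Parameters key, and Microsoft documents both. The PowerShell below is an added example (not code from the thread or from gtfiji): it sets both values, reads them back, and shows how to confirm after the reboot that the replication interface really registered on the fixed port. The port numbers are assumptions.

```powershell
# Added example, not code from the thread. Pin the RPC ports that AD DS
# replication and Netlogon listen on, so the DMZ firewall can pass TCP 135 plus
# two fixed ports instead of the whole dynamic range. The port numbers are
# assumptions; choose unused ones. Run elevated on each DC on both sides of the
# firewall; the change takes effect only after a reboot (or a restart of the
# NTDS and Netlogon services).
$ntdsPort     = 50000   # assumed: static port for the NTDS (DRS replication) RPC interface
$netlogonPort = 50001   # assumed: static port for the Netlogon RPC interface

# NTDS reads "TCP/IP Port" (REG_DWORD) under its Parameters key.
$ntdsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
Set-ItemProperty -Path $ntdsKey -Name "TCP/IP Port" -Value $ntdsPort -Type DWord

# Netlogon reads "DCTcpipPort" (REG_DWORD) under its Parameters key.
$netlogonKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
Set-ItemProperty -Path $netlogonKey -Name "DCTcpipPort" -Value $netlogonPort -Type DWord

# Read back what is now configured.
"NTDS TCP/IP Port    : " + (Get-ItemProperty -Path $ntdsKey -Name "TCP/IP Port")."TCP/IP Port"
"Netlogon DCTcpipPort: " + (Get-ItemProperty -Path $netlogonKey -Name "DCTcpipPort").DCTcpipPort

# After the reboot, confirm the DC registered the fixed port with the endpoint
# mapper. The DRS (replication) interface has UUID
# e3514235-4b06-11d1-ab04-00c04fc2dcd2 and should now be listed on $ntdsPort:
#   portqry -n localhost -e 135          (PortQry is a separate Microsoft download)
# From the DC itself, at least check that something is listening on the port:
netstat -ano | Select-String ":$ntdsPort\s"

# Not covered here: SYSVOL replication has its own RPC port and its own static
# setting (FRS: "RPC TCP/IP Port Assignment" under NtFrs\Parameters; DFSR:
# dfsrdiag StaticRPC /Port:<n> /Member:<dc>). The firewall must then allow
# TCP 135, $ntdsPort, $netlogonPort and the SYSVOL port in addition to the fixed
# AD ports (53, 88, 389, 445, 464, 636, 3268, 3269).
```

Note that pinning the port changes nothing about which side initiates: the RODC still pulls from the writable DC, so the rule is "DMZ DC to internal DC, TCP 135 and the fixed ports", with the reply traffic handled by the firewall's state table.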
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 34906989
Hi

Since I can telnet from and to both servers, I don't think changing the replication port will add any advantage on this issue.

Jail
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34907019
Have you looked at DCDIAG and NETDIAG to see if you can spot anything, since all ports are open?

i.e. run from a RWDC:

dcdiag /v /e /c /f:dcdiag.txt

netdiag /v > netdiag.txt
0
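dcdiag is the right place to start, but repadmin answers the narrower question of which partner fails and with which error, and the error code tells you whether you are looking at a firewall or at directory state. The PowerShell below is an added example (not code from the thread or from snusgubben): it parses the CSV output of repadmin, flags partners with failures, separates the RPC/DNS error codes that a blocked path produces from everything else, and then saves the dcdiag run snusgubben suggests. The log directory is an assumption. One RODC-specific caveat when reading the output: an RODC only replicates inbound, and only from a writable DC running Windows Server 2008 or later, so on the RODC you will see inbound partners only.

```powershell
# Added example, not code from the thread. Summarise replication health from
# repadmin's CSV output and save the full dcdiag run. Run from a writable DC
# with an account that can query every DC. The log path is an assumption.
$logDir = "C:\Temp\adrepl"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# "repadmin /showrepl * /csv" emits one row per inbound partner per naming
# context, including the failure count and the last failure status code.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$failing = $rows | Where-Object { [int]$_."Number of Failures" -gt 0 }
if ($failing) {
    "== Partners with inbound replication failures =="
    $failing |
        Select-Object "Destination DSA", "Source DSA", "Naming Context",
                      "Number of Failures", "Last Failure Status", "Last Success Time" |
        Format-Table -AutoSize
} else {
    "repadmin reports no inbound replication failures."
}

# These Win32 status codes mean the DC could not even reach its partner:
#   1722 = RPC server is unavailable
#   1753 = no more endpoints available from the endpoint mapper
#   8524 = DSA operation failed because of a DNS lookup failure
# Any of them between two sites with "open" fixed ports means the dynamic RPC
# range (or DNS) is being blocked, not that the directory is inconsistent.
$connectivityCodes = 1722, 1753, 8524
$blocked = $failing | Where-Object { $connectivityCodes -contains [int]$_."Last Failure Status" }
if ($blocked) {
    "== Failures that point at connectivity (RPC/DNS), not directory state =="
    $blocked |
        Select-Object "Destination DSA", "Source DSA", "Last Failure Status" |
        Format-Table -AutoSize
}

# Keep the full picture for later: the per-DC summary and the verbose dcdiag
# run across all DCs (/e), with all tests (/c), written to a file (/f).
repadmin /replsummary | Out-File -FilePath "$logDir\replsummary.txt"
dcdiag /e /c /v /f:"$logDir\dcdiag.txt"
"Logs written to $logDir"
```

Read the "Last Failure Status" column first: a 1722 or 1753 against the DMZ DC only, while the other site replicates fine, points at the path between the two networks rather than at the RODC itself, which is what this thread eventually turned out to be.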
 
LVL 2

Expert Comment

by:gtfiji
ID: 34907568
Being able to telnet to port 135 is irrelevant to what Mike and I are saying.  Active Directory replication is nothing like a file transfer.  Whatever you know about SMB file transfers and port 135, forget it.  Active Directory replication is configured to use dynamically chosen random high port numbers, as the link that Mike sent you described.  Only the procedure in the link that I sent you can change that to go over a specific port, such as 135.
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 34908595
Hi

@gtfiji yes, you are right. My mistake, sorry.
I did not find any article related to 2008 for changing those ports. I tried to change it using the one from 2003, and did not see any improvement.

@snusgubben Netdiag doesn't exist in 2008 R2. We can use the one from 2003, but for now I don't have the 64-bit version.

I have run dcdiag, and I have attached the log file.
To understand the log:
DCInternal01 is my DC1
DC-RODC01 is another DC that I have in another site and is working without any issues.
DCDMZ is the problem DC that is in a site called DMZ

I also tried to create IPSec between these 2 DCs, and after I created the policy from the internal DC to the DMZ and from DCDMZ to the internal DC, the DMZ DC started to get stuck and I could not even ping that server.

A question: if I remove this DMZ DC and create an IPSec policy from the SharePoint to my internal DC, will I get authentication? Maybe with this I can bypass these issues.

Thank you again for all the help

Jail
dcdiag.txt
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34908893
I thought you had opened all ports from the DMZ DC to your internal network... so never mind the dcdiag. Without RPC connectivity it will fail most of the tests.

You can have a domain member in a DMZ and use IPSec for communication. I don't know your budget, but the best approach would be to move your SP to the internal network and use an ISA/TMG in the DMZ publishing the sites.

0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 34909043
Hi

And all the ports are open for testing, to and from these 2 servers.

Now I have moved the DC into my internal network to try to replicate this server. I just changed the IP and it is on the internal network.

I will try to replicate this DC internally to see if it works. If it works inside, it must work in the DMZ.

Regarding the publishing, we have other servers in the DMZ and they are working without any issues.

I have seen articles (need to search again) regarding SharePoint authentication from the DMZ to the internal domain, and I think they use an IPSec policy for this.

Jail
0
 
LVL 24

Author Comment

by:Luciano Patrão
ID: 34917029
Hi

Well, after bringing the server back into the network it starts to replicate without any issues :(

I hate it when you spend 2 days (or more) trying to figure out a problem, and you trusted what the customer told you.

So this DMZ is not connecting to the internal network.

They have a Checkpoint firewall that sets the rules between these networks.

Since I do not know the Checkpoint firewalls very well, I will try to search to see how these rules must be applied, and check if this is what they have on that firewall.

Will update this question soon.

Thank You all

Jail
0
 
LVL 24

Author Closing Comment

by:Luciano Patrão
ID: 34941692
Hi

I have passed this problem to the customer.

He needs to change his DMZ or the firewall between these 2 networks.

I will close this question.

Thank you all for the help

Jail
0
