Can't access Active Directory on remote site when VPN is down.

Active directory not accessible on remote site Domain Controller.

We have 2 x DC's in different locations, connected by an IPSEC VPN - which is not functioning correctly. (Keeps disconnecting but that is a separate issue)

My problem is that on the remote site (site 2), when the VPN is down users cannot authenticate as AD is not accessible. I thought that once AD is sync'd between sites then it would cache AD information on the local server. Have we configured something wrong?

DNS is OK - when the VPN tunnel is operational everything works great and AD is in sync.

Site 1 - Server 2012 R2 - has all the FSMO roles
Site 2 - Server 2016 - is an additional Domain Controller

Any help appreciated.

Rob Williams commented:
Have you set the server as a "global catalogue server"?
Cliff Galiher commented:
I know you said DNS is okay, but if the local clients are trying to use the wrong DC for DNS, then the VPN being down would break DNS and thus break AD. Verify your client DNS settings.

Also verify replication. Event logs are good here.

Finally, make sure your sites are defined in AD. That's how clients find the "closest" DC.
Brian McDonald, IT Manager, commented:
Is the 2016 DC a global catalog server? It sounds like it is not. If it is not a global catalog, it won't know about resources and permissions, etc. I'd check that out and make the change if it is not. Then try it out once it replicates.

I'd also run a DCDIAG on it and see what it says; it might locate an issue there.

Kashinath Khoday, Senior Engineer, commented:
If the DC in site 2 is a GC server, then I don't find a reason for AD user authentication issues.
TrentSlater (Author) commented:
DC in site 2 is definitely a GC Server.

Clients in site 2 get DC2 as their primary DNS

Replication is failing as the VPN is down, but if I have successfully sync'd at least once, shouldn't DC2 let me access AD Users and Computers with its local copy? When I open dsa.msc on DC2 with the VPN down it times out with an RPC error.
TrentSlater (Author) commented:
OK, getting error 4015 in DNS:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

I will investigate that and respond back.
Cliff Galiher commented:
If replication was healthy at the time the VPN went down, yes. But you have used the term "synced" several times and mentioned syncing "at least once," which isn't how AD works. It makes me think you were never fully replicated and so the DC is not advertising itself. Again, event logs would describe this condition in detail.
TrentSlater (Author) commented:
Thanks Cliff - "sync" should be "replicated."

When I promoted DC2 to a domain controller it replicated a copy of AD no problems and the subnets and sites are created correctly in AD Sites and Services.

To prove this I have just created a Windows VPN client and connected from DC2 to DC1, and now I can open AD Users and Computers and can force a replication from DC1. As soon as I disconnect the PPTP VPN client I can't access AD on DC2.

I am still trawling through log files, but obviously I am getting lots of DFS and DNS errors because the VPN is down.
Cliff Galiher commented:
"To prove this I have just created a Windows VPN client and connected from DC2 to DC1, and now I can open AD Users and Computers and can force a replication from DC1"

Unless there are steps you left out, that doesn't really prove that DC2 was healthy while the VPN was up. As a multimaster technology, as long as *a* DC is reachable, the clients and tools will be quite resilient in falling back to healthy DCs. Just opening ADUC doesn't prove that DC2 specifically was healthy in that moment. DCDiag or event logs stating that it is advertising itself is the proof you need to seek. Even if things replicate, it won't advertise until issues like journal wrap (which doesn't prevent replication) or similar errors are resolved. Thus the need to actually verify health of the DC.
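The checks suggested in this thread (GC role, client DNS, sites and subnets, replication, advertising, and the DNS Server event 4015), gathered into one script, as an added example that is not part of any comment above. It assumes it is run elevated on the site-2 DC with the RSAT ActiveDirectory module installed; the day-old event window is an arbitrary choice.

```powershell
# Added example: DC health checks for the site-2 DC. Assumes an elevated
# PowerShell session on the DC itself with the ActiveDirectory module present.
Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
"DC: $($dc.HostName)  Site: $($dc.Site)  GlobalCatalog: $($dc.IsGlobalCatalog)"
if (-not $dc.IsGlobalCatalog) {
    Write-Warning "This DC is not a global catalog; logons at this site depend on a GC being reachable."
}

# DNS client settings on the DC: it should resolve through a local DNS server,
# not only through one on the far side of the VPN.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# Sites and subnets: each site's subnet must map to the right site so clients
# locate the local DC rather than one across the tunnel.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Is this DC advertising itself? This is the proof the thread asks for.
dcdiag /test:advertising /s:$env:COMPUTERNAME

# Inbound replication partners with last success and last failure per partition.
repadmin /showrepl $env:COMPUTERNAME

# DNS Server event 4015 (the error quoted in the thread) and Directory Service
# critical/error events in the last day (window is an arbitrary assumption).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message

# Which DC does the locator return for this domain from this site? With the
# VPN down this must still return the local DC for logons to succeed.
$domain = $dc.Domain
nltest "/dsgetdc:$domain" /force
```

A DC that is a GC, whose subnet maps to its site, and for which the advertising test passes should keep serving logons at site 2 when the tunnel drops; any failure in this output points at the specific cause.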
TrentSlater (Author) commented:
Thanks for the suggestions. The VPN is now active and stable - (issues with watchguard firewalls)
I have cleared the error logs and rebooted DC2 - AD is now in sync and no errors in EVENTVWR relating to DNS or Replication

Now when I disconnect the VPN, I can still access AD on DC2 - go figure.
I think there must have been some issue initially and AD had not fully replicated before the VPN issues.

Thanks for the assistance - I will try and assign points as fairly as possible.

TrentSlater (Author) commented:
It appears that AD was not fully replicated before the VPN went down. Checking event logs and AD Sites and Services probably proved that. Once the VPN was connected again, both sites replicated fully.