Can't access Active Directory on remote site when VPN is down.

Active Directory not accessible on remote site domain controller.

We have two DCs in different locations, connected by an IPsec VPN, which is not functioning correctly. (It keeps disconnecting, but that is a separate issue.)

My problem is that on the remote site (site 2), when the VPN is down users cannot authenticate as AD is not accessible. I thought that once AD is synced between sites it would cache AD information on the local server. Have we configured something wrong?

DNS is OK - when the VPN tunnel is operational everything works great and AD is in sync.

Site 1 - Server 2012 R2 - has all the FSMO roles
Site 2 - Server 2016 - is an additional domain controller

Any help appreciated.
TrentSlater (Author) commented:
Thanks for the suggestions. The VPN is now active and stable (issues with WatchGuard firewalls).
I have cleared the error logs and rebooted DC2. AD is now in sync and there are no errors in Event Viewer relating to DNS or replication.

Now when I disconnect the VPN, I can still access AD on DC2 - go figure.
I think there must have been some issue initially and AD had not fully replicated before the VPN issues.

Thanks for the assistance - I will try and assign points as fairly as possible.
Rob Williams commented:
Have you set the server as a "global catalog server"?
Cliff Galiher commented:
I know you said DNS is okay, but if the local clients are trying to use the wrong DC for DNS, then the VPN being down would break DNS and thus break AD. Verify your client DNS settings.

Also verify replication. Event logs are good here.

Finally, make sure your sites are defined in AD. That's how clients find the "closest" DC.
Brian McDonald (IT Manager) commented:
Is the 2016 DC a global catalog server? It sounds like it is not. If it is not a global catalog it won't know about resources and permissions, etc. I'd check that out and make the change if it is not. Then try it out once it replicates.

I'd also run DCDIAG on it and see what it says; it might locate an issue there.
Kashinath Khoday (Senior Engineer) commented:
If the DC in site 2 is a GC server, then I don't find a reason for AD user authentication issues.
TrentSlater (Author) commented:
DC in site 2 is definitely a GC Server.

Clients in site 2 get DC2 as their primary DNS

Replication is failing as the VPN is down, but if I have successfully synced at least once, shouldn't DC2 let me access AD Users and Computers with its local copy? When I open dsa.msc on DC2 with the VPN down it times out with an RPC error.
TrentSlater (Author) commented:
OK, getting error 4015 in DNS:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

I will investigate that and respond back.
Cliff Galiher commented:
If replication was healthy at the time the VPN went down, yes. But you have used the term "synced" several times and mentioned syncing "at least once", which isn't how AD works. It makes me think you were never fully replicated and so the DC is not advertising itself. Again, event logs would describe this condition in detail.
TrentSlater (Author) commented:
Thanks Cliff - "sync" should be "replicated."

When I promoted DC2 to a domain controller it replicated a copy of AD no problems and the subnets and sites are created correctly in AD Sites and Services.

To prove this I have just created a Windows VPN client and connected from DC2 to DC1, and now I can open AD Users + Computers and can force a replication from DC1. As soon as I disconnect the PPTP VPN client I can't access AD on DC2.

I am still trawling through log files, but obviously I am getting lots of DFS and DNS errors because the VPN is down.
Cliff Galiher commented:
"To prove this I have just created a Windows VPN client and connected from DC2 to DC1 and now I can open AD Users + Computers and can force a replication from DC1"

Unless there are steps you left out, that doesn't really prove that DC2 was healthy while the VPN was up. As a multi-master technology, as long as *a* DC is reachable, the clients and tools will be quite resilient in falling back to healthy DCs. Just opening ADUC doesn't prove that DC2 specifically was healthy in that moment. DCDiag or event logs stating that it is advertising itself is the proof you need to seek. Even if things replicate, it won't advertise until issues like journal wrap (which doesn't prevent replication) or similar errors are resolved. Thus the need to actually verify health of the DC.
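The checks Cliff recommends in both of his comments (client and DC DNS settings, replication state, site definitions, and whether the DC is actually advertising itself) can be run in one pass from the site-2 DC. The script below is an added example for this thread, not something any participant posted; it assumes it is run in an elevated PowerShell session on the local DC (DC2 in the thread) with the ActiveDirectory and DnsClient modules present, and the domain name is read from AD rather than assumed.

```powershell
# Added example (not from the thread): health check for the local domain controller,
# run from an elevated PowerShell prompt on that DC (DC2 in the thread).
# Assumes the ActiveDirectory RSAT module is installed on the DC.
Import-Module ActiveDirectory

$dc     = $env:COMPUTERNAME
$domain = (Get-ADDomain).DNSRoot

# 1. Is this DC advertising itself as a DC (and GC)? A DC that replicated but still
#    has an unresolved condition such as journal wrap will fail this test, and clients
#    will then ignore it even though its copy of the directory exists.
dcdiag /test:Advertising /s:$dc

# 2. Replication partners and last success/failure per naming context. Failures here
#    are expected while the tunnel is down; what matters is the last successful time.
repadmin /showrepl $dc
repadmin /replsummary

# 3. Confirm the GC flag and the AD site this DC is placed in. The site and subnet
#    definitions in AD Sites and Services are what let site-2 clients prefer DC2.
Get-ADDomainController -Identity $dc |
    Select-Object HostName, IsGlobalCatalog, Site, OperationMasterRoles

# 4. Which DC does the locator actually return for this domain? Run the same command
#    on a site-2 workstation; if it names DC1 while DC2 is up, site/subnet mapping
#    or advertising is wrong. /force bypasses the cached locator result.
nltest /dsgetdc:$domain /force
nltest /dsgetdc:$domain /gc /force

# 5. DNS client settings on the DC itself. A DC should resolve against itself or a
#    local partner first; if only the DC across the VPN is listed, a tunnel drop breaks
#    DNS resolution of the domain's SRV records and therefore breaks AD.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 6. The events the thread discusses: DNS 4015 and Directory Service errors.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message
```

Run it with the VPN up first and keep the output; a DC that passes the Advertising test and shows a recent successful replication while the tunnel is up is the one that should keep serving logons when the tunnel drops. If step 4 on a workstation returns the remote DC, fix the subnet-to-site mapping before looking any further.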
TrentSlater (Author) commented:
It appears that AD was not fully replicated before the VPN went down. Checking event logs and AD Sites and Services probably proved that. Once the VPN was connected again, both sites replicated fully.