AD Replication across Site to Site



  • Hi All
I have set up an OpenVPN Site to Site connection across the internet. Servers can ping each other across it. Utilities such as Remote Desktop Connection work. DNS resolution works, also WINS. My only issue is that Active Directory Replication will not work. I can set up a new DC and the initial replication works. It just won't work after.

    When I run a manual replication, I get 1722 (0x6ba): The rpc server is unavailable. Is there anything I can do to figure out why this is happening?



  • No clue what this error is about except this: http://technet.microsoft.com/en-us/library/replication-error-1722-the-rpc-server-is-unavailable%28v=ws.10%29.aspx
    The error indicates that a replication test failed.

    When dealing with AD, the most common problem you can have is DNS.
    Is your DNS working properly? By that I mean, if you look up dc1.yourdomain.lan, does it correspond to the correct IP? Is it correct on both ends? (If AD replication fails, does DNS replication also fail?)
    Have you done anything special in "Sites & Services" (did you set up something there to limit replication because it's a remote site)? http://technet.microsoft.com/en-us/library/cc731907.aspx

    Final possible problem I can think of:
    Are you NAT'ing your OpenVPN? If you are, stop doing that … it'll cause serious mayhem on your AD infrastructure ;)
    pfSense might automagically add NAT rules for your OpenVPN, especially be wary if you assign an interface to your OpenVPN service. (You could try disabling the automatic NAT and crafting your own rules, and make sure NOT TO NAT THE OPENVPN.)

    enjoy



  • That's a good suggestion. NAT is turned on. Is there a way to disable NAT for just the OpenVPN site to site? The box also serves as the public firewall so I want to keep it on for the WAN interface.

    Thanks for your help.



  • Yes … you just have to turn it to Manual Outbound NAT rule generation (AON - Advanced Outbound NAT).

    You'd have to make sure you keep the rules for WAN, but remove the ones for OpenVPN.



  • I did that and I noticed that on the Firewall => NAT => Outbound tab, in the "NAT address" column, there are only entries for WAN address and LAN address, but nothing for the OpenVPN interface.

    I added a NO NAT rule for the OpenVPN interface. I then ran a manual replication again but I still get the same error. I will keep retrying to see what I can find out, but if you have any other suggestions, I would be grateful.



  • You can run this from a command prompt on one of the DCs:

    dcdiag /v /e /c

    It should provide you with lots of stuff; hopefully something useful will come out.
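    The replies above point at three things to verify for a 1722 (RPC server unavailable) between two DCs: DNS on both ends, reachability of the RPC endpoint mapper across the tunnel, and the replication links themselves. The script below is an added example, not code posted by anyone in this thread or shipped by pfSense or Microsoft; it bundles those checks into one run. It assumes an elevated PowerShell on one DC with the RSAT ActiveDirectory module installed, and `DC2` is a placeholder for the DC on the far side of the VPN.

```powershell
# Added diagnostic for the symptom in this thread: one DC reports 1722 (RPC server
# unavailable) when replicating with a partner across a site-to-site VPN.
# Assumptions: run elevated on a DC, ActiveDirectory module present, and
# $PartnerDC is a placeholder for the remote DC's name.
param(
    [string]$PartnerDC = 'DC2'   # placeholder: the DC on the other end of the tunnel
)

Import-Module ActiveDirectory

$forest = (Get-ADForest).RootDomain
$dc     = Get-ADDomainController -Identity $PartnerDC

# 1. Does the partner's host name resolve, and to the address you expect on this side?
$hostIps = Resolve-DnsName $dc.HostName -Type A -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty IPAddress
Write-Host "Host record for $($dc.HostName): $($hostIps -join ', ')"

# 2. Replication does not look up the host name directly. It resolves the partner's
#    NTDS Settings object GUID as a CNAME under _msdcs; if that record is missing or
#    stale on this side, the RPC bind never starts and you get 1722.
$ntdsGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$cname    = "$ntdsGuid._msdcs.$forest"
$target   = Resolve-DnsName $cname -Type CNAME -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty NameHost
Write-Host "GUID CNAME $cname -> $(if ($target) { $target } else { 'NOT FOUND' })"

# 3. RPC starts on the endpoint mapper (TCP 135) and then moves to a dynamic port
#    the mapper hands back. Check the fixed AD ports across the tunnel first; if 135
#    is closed, the error is reproduced before DNS or NAT rules even matter.
foreach ($port in 53, 88, 135, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $dc.HostName -Port $port `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0,-4} {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 4. Ask AD for its own view: queued replication failures per partner on this DC,
#    the inbound links repadmin sees, and the two dcdiag tests that cover this case
#    (a narrower run than the /v /e /c suggested above).
Get-ADReplicationFailure -Target $env:COMPUTERNAME |
    Format-Table Partner, FailureCount, LastError, FirstFailureTime -AutoSize
repadmin /showrepl $env:COMPUTERNAME
dcdiag /test:Connectivity /test:Replications
```

    Run it on each DC against the other so both directions of the tunnel are covered; a NAT rule on the VPN interface, as the earlier reply warns, changes the source address the partner sees, so a port that tests open from one side can still fail from the other. A missing `_msdcs` CNAME on one side is the DNS case the second reply asks about, and it is fixed by repairing DNS replication or the zone, not by touching the firewall.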



  • Hi Guys
    Here is how I got it working.

    1. Disable Automatic NAT as you suggested. I created a NO NAT rule for the OpenVPN interface.
    2. Created a static mapping in the local WINS database for the remote Domain Controller.
    3. Go to Sites and Services on the remote DC and make sure there is a connector set for the local DC in the NTDS settings.
    4. Go to Sites and Services on the local DC and make sure there is a connector set for the remote DC in the NTDS settings.

    Thanks for the help.



  • @petros:

    Hi Guys
    Here is how I got it working.

    1. Disable Automatic NAT as you suggested. I created a NO NAT rule for the OpenVPN interface.
    2. Created a static mapping in the local WINS database for the remote Domain Controller.
    3. Go to Sites and Services on the remote DC and make sure there is a connector set for the local DC in the NTDS settings.
    4. Go to Sites and Services on the local DC and make sure there is a connector set for the remote DC in the NTDS settings.

    Thanks for the help.

    How does your NO NAT rule look?



  • @claes_hellgren:

    @petros:

    Hi Guys
    Here is how I got it working.

    1. Disable Automatic NAT as you suggested. I created a NO NAT rule for the OpenVPN interface.
    2. Created a static mapping in the local WINS database for the remote Domain Controller.
    3. Go to Sites and Services on the remote DC and make sure there is a connector set for the local DC in the NTDS settings.
    4. Go to Sites and Services on the local DC and make sure there is a connector set for the remote DC in the NTDS settings.

    Thanks for the help.

    How does your NO NAT rule look?

    The topic is old, but it did help me with the same situation. I just disabled Automatic NAT as suggested and changed to Manual Outbound NAT rule generation (AON - Advanced Outbound NAT). A NO NAT rule may not be needed, but if you want one, just select the option "Do not NAT: Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules". I tried with and without the NO NAT rule; both DCs replicated without issue.