Wednesday, February 27, 2013 1:44 PM
I'v got two site connected through ipsec VPN. On the main site I have a 2008r2 core DC. On the remote site I have a new windows 2012 server installed. They can succesfully ping eachother through ipsec VPN. I have made the windows 2012 server domain member through the vpn succesfully.
Now i want the 2012 server to be an addtional domain controller. When the 2012 server starts with the prerequisities check, it fails with "adprep could not retrieve data from the server "dc1.domain.com" through WMI. exception: The rpc service is unavailable.
There are a few solution to this. but none of them helped:
1. disable all firewall's. I've done that. I can telnet to port 135 from both server and it connects to a daemon.
2. no a/v software
3. network service has no "log on as a service" right. I've check the local security police on the core dc. And network service has got the "logon as a service" right.
4. wmimgmt.msc started on a management machine on de dc's site. I can succesfulle connect. BUT when starting wmimgmt.msc from the 2012 machine and connect to the dc on the remote site, I also get the rpc service is unavailable.
Any ideas on this? It seems that the the VPN does something but like I mentioned I can connect to the ports using telnet. Dcdiag runned from the 2012 against the dc on the remote site shows all succesfull, except the last part:
Starting test: DNS
Test results for domain controllers:
TEST: Authentication (AUth)
Authentication test: Succesfully completed
TEST: Basic (Basc)
Error: No WMI connectivity
[Error details: 0x8007706ba (Tyoe: HRESULT - Facility: Win32, Description: The RPC server is unavailable.)
No host records (A or AAAA) were found for this DC
Running the same dcdiag commandlet local on the DC gives no errors.
Wednesday, February 27, 2013 2:20 PM
5 minutes after posting I have found the solution.
The site to site VPN is between Forefron edge and a zywall.
The forefront edge created a firewall rule for the VPN for all outbound traffic. Edit the filtering on the rule and remove the selected Enforce strict RPC compliance.
That explains why I could telnet, since that is not DCOM traffic.
- Marked As Answer by Ruud Boersma Wednesday, February 27, 2013 2:20 PM
Friday, March 01, 2013 4:55 AMModeratorThanks for sharing your experience and solution.