RODC replication error over VPN

  • Question

  • Hello there,

    I'm attempting to replicate my local AD over VPN to a remote machine.

    My local AD is on a Windows Server 2008 R1 SP2.

    The remote machine is a Windows Server 2008 R2 SP1 and has a public IP.

    I'm using a Windows PPTP VPN connection.

    The two machines seem to be communicating well. I start the dcpromo and fill in every bit of information, replication starts, and it always fails at the same step: "The Operation failed because: While promoting Read-Only Domain Controller, failed to replicate the secrets from the helper AD DC. The RPC server is unavailable".

    I used to have the RPC error thing from the very start because I did not tell the remote machine to use the local AD as preferred DNS.

    I have tested the replication with a local machine and everything went OK.

    Edit: at first this looks very much like a DNS error, but then I edited the hosts file on the remote and local machines and added the VPN addresses (10.0.0.0) so that there would be no mistakes, and I still get that error at the same step.

    Thanks for your help.


    Monday, July 25, 2011 9:42 AM

Answers

  • Using a DC behind a NAT device is not supported for replication. Please use a site to site VPN tunnel.

    Also, check that all mentioned ports are opened.



    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Monday, July 25, 2011 3:42 PM
  • Hi,

    You can use ISA and routing from both sides; this will resolve the problem.

    Don't forget to add access rules with the original IP address.


    Dhafer HAMMAMI
    Monday, July 25, 2011 5:33 PM

All replies

  • Hello,

    For VPN, make sure that it is a site-to-site VPN and your other server is not behind a NAT device.

    Also, check that the needed ports for AD replication are opened: http://technet.microsoft.com/en-us/library/bb727063.aspx

    Use PortQry v2 to check.




    Monday, July 25, 2011 1:22 PM
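The port check suggested in the reply above, written out as an added example (this script is not from the thread or from Microsoft): it runs on the RODC candidate and tests TCP reachability of the fixed ports that AD replication and DC promotion depend on, across the tunnel to the helper DC. The helper DC address `10.0.0.1` is an assumed tunnel-side address, and the `-ExtraPorts` parameter is a hypothetical name for passing in the dynamic RPC ports the endpoint mapper reports, since a listening port 135 alone does not prove the high-numbered port the replication RPC call actually uses is passable.

```powershell
# Added example, not from the thread: TCP reachability check for the fixed ports
# Active Directory replication and DC promotion use, run on the RODC candidate
# against the helper (writable) DC across the VPN tunnel. Windows PowerShell 2.0
# compatible, so it runs on Windows Server 2008 without Test-NetConnection.
param(
    [string]$HelperDC   = "10.0.0.1",   # assumption: tunnel-side address of the writable DC
    [int]   $TimeoutMs  = 3000,
    [int[]] $ExtraPorts = @()           # hypothetical: dynamic RPC ports from the endpoint mapper
)

# Fixed ports required on the TCP side. DNS (53) and Kerberos (88) also use UDP,
# which a TCP connect cannot verify.
$Required = @(
    @{ Port = 53;   Name = "DNS" },
    @{ Port = 88;   Name = "Kerberos" },
    @{ Port = 135;  Name = "RPC endpoint mapper" },
    @{ Port = 389;  Name = "LDAP" },
    @{ Port = 445;  Name = "SMB" },
    @{ Port = 636;  Name = "LDAPS" },
    @{ Port = 3268; Name = "Global Catalog" }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A timeout is treated like a refusal: the port is not usable through the tunnel.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was reset or refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$failed = 0
foreach ($entry in $Required) {
    $ok = Test-TcpPort -ComputerName $HelperDC -Port $entry.Port -TimeoutMs $TimeoutMs
    if (-not $ok) { $failed++ }
    "{0,-22} {1,5}/tcp  {2}" -f $entry.Name, $entry.Port, $(if ($ok) { "open" } else { "BLOCKED" })
}

# Port 135 only hands out the dynamic port the replication service really listens
# on (49152-65535 by default on Windows Server 2008). "portqry -n <helper-dc> -e 135"
# lists those endpoints; pass them in with -ExtraPorts so the same check covers the
# port the dcpromo RPC call will actually use.
foreach ($p in $ExtraPorts) {
    $ok = Test-TcpPort -ComputerName $HelperDC -Port $p -TimeoutMs $TimeoutMs
    if (-not $ok) { $failed++ }
    "{0,-22} {1,5}/tcp  {2}" -f "dynamic RPC", $p, $(if ($ok) { "open" } else { "BLOCKED" })
}

if ($failed -gt 0) { Write-Warning "$failed port(s) unreachable; replication RPC will fail." }
```

Run it once with no extra ports to confirm the fixed set, then again with the endpoint-mapper ports supplied (for example `.\Check-DcPorts.ps1 -HelperDC 10.0.0.1 -ExtraPorts 49155,49158`, with the script name and port values being constructed for this illustration). A BLOCKED result on any dynamic port with 135 open is the pattern behind "The RPC server is unavailable" after the endpoint mapper answered.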
    Hello and thanks for your answers.

    I'm using the basic PPTP VPN found in Windows.

    Since the remote machine is directly connected to the internet with a public IP, it serves as the VPN server.

    My local machine is behind a NAT, but using a VPN bypasses it as every packet is routed through the tunnel, right?

    PortQry says port 135 (RPC) is in listening mode.


    Monday, July 25, 2011 3:20 PM
  • Hi all, and thanks for your answers. In the end I opted for OpenVPN and all is working swell :)
    Friday, August 5, 2011 3:55 PM
  • Hi, I'm trying to do the same as you but both are DC and are behind NAT. How did you configure OpenVPN to allow the replication to work? Oh, and one is a 2003 server and the other is 2008 server.
    Friday, September 13, 2013 8:36 PM