Hi,
First, I would like to let you know that our understanding is correct.
Please let me explain this for you. By default, Windows first queries the
closest DC in Site 1. Once this DC doesn't contain enough information, it
will query other DCs. That's the root cause of this issue.
In this scenario, please let me know why there is a firewall appliance
between two domains. As you know, it will cause many problems when
replicating AD, e.g. once you have created a new domain user in another
site, there is no information in site 1 if the replication has failed due to
the issue.
If you use a router to connect the two sites, please create a VPN connection
and open all ports in the VPN tunnel. Again, I recommend you refer to this
article: 179442 How to Configure a Firewall for Domains and Trusts --
http://support.microsoft.com/?id=179442
Alternatively, please let me know the details of the physical network
topology. Hope this information helps.
Have a nice day!
Best regards,
Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer
Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Content-Class: urn:content-classes:message
From: <[email protected]>
Sender: <[email protected]>
References: <[email protected]>
 <[email protected]>
Subject: RE: Limit W2K Queries.
Date: Mon, 8 Mar 2004 06:50:46 -0800
Lines: 128
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Newsreader: Microsoft CDO for Windows 2000
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Thread-Index: AcQFHL1n8I2TW4+pRuqHGIVFGWO5qg==
Newsgroups: microsoft.public.win2000.networking
Path: cpmsftngxa06.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.networking:57521
NNTP-Posting-Host: tk2msftngxa08.phx.gbl 10.40.1.160
X-Tomcat-NG: microsoft.public.win2000.networking

Hi,
I'm not sure if the question is understood right. Please
read the question again and reply.
Best Regards //Jörgen
>-----Original Message-----
>Hi,
>
>I am sorry to say that we are unable to do this. If the firewall appliance
>is a firewall between two internal subnets, I suggest you open the
>necessary ports listed in this Knowledge Base article:
>
>179442 How to Configure a Firewall for Domains and Trusts
>http://support.microsoft.com/?id=179442
>
>If the firewall appliance is between the internal network and the external,
>we need to disable the 389 port too. Instead, create a VPN connection
>between these DCs. Or external clients can use port 389 to keep on
>attacking the server.
>
>For your reference: 277650 How to Determine the Site in Which a Domain
>Controller Is Located -- http://support.microsoft.com/?id=277650
>
>Best regards,
>
>Terry Liu
>MCSE 2K MCSA MCDBA CCNA
>Microsoft Online Support Engineer
>
>Get Secure! - <www.microsoft.com/security>
>=====================================================
>When responding to posts, please "Reply to Group" via your newsreader so
>that others may learn and benefit from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>--------------------
>Content-Class: urn:content-classes:message
>From: "Skarlund" <[email protected]>
>Sender: "Skarlund" <[email protected]>
>Subject: Limit W2K Queries.
>Date: Sun, 7 Mar 2004 23:16:07 -0800
>Lines: 43
>Message-ID: <[email protected]>
>MIME-Version: 1.0
>Content-Type: text/plain; charset="iso-8859-1"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
>Thread-Index: AcQE3TmkVAQTP1xdSSSnx84QERECJQ==
>Newsgroups: microsoft.public.win2000.networking
>Path: cpmsftngxa06.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.networking:57497
>NNTP-Posting-Host: tk2msftngxa14.phx.gbl 10.40.1.166
>X-Tomcat-NG: microsoft.public.win2000.networking
>
>Hi,
>
>We would like to have help with the following problem.
>
>Scenario:
>
>One stand-alone Windows 2000 server (an e-Gap Remote Access Appliance)
>that shall communicate with two specified AD servers (Windows 2003) with
>Global Directory. They are part of site 1, as is the subnet of the
>Windows 2000 server.
>
>Information flow:
>
>The Win2k server sends DNS and LDAP queries to the AD servers to
>authenticate user credentials. It also sends LDAP queries to check for
>user rights (check if the user is in a specific group).
>
>A firewall is located between the Win2k server and the AD servers. It
>only allows traffic on DNS UDP port 53 and LDAP UDP/TCP port 389.
>
>Problem:
>
>Sometimes the Win2k server tries to send LDAP queries to other AD servers
>in the same target domain. This is stopped by the firewall and causes
>time-out situations in the e-Gap firewall Appliance application. We also
>see that the Win2k server tries to send Kerberos packets to the AD server
>just before it starts sending queries to the other AD servers. The
>Kerberos packets are stopped by the firewall.
>
>Question:
>
>How do we limit the Win2k server to only send its queries to the two AD
>servers at site 1, and not any others?
>
>Best Regards
>
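The question in this thread is ultimately a detection problem before it is a configuration one: the firewall only permits DNS/53 and LDAP/389 to two DCs, and the poster sees the appliance reaching for other DCs and for Kerberos just before that happens. The script below, an added example that is not part of the thread and not Microsoft's or e-Gap's code, triages firewall drop logs to show exactly which destinations and services are being blocked, which is the evidence you need before deciding between widening the rule set per KB 179442 and tunnelling the traffic over a VPN as the engineer suggests. The log format, the appliance and DC addresses, and the sample lines are all constructed for the example; the only port not named on the page is 88, which is the IANA-assigned Kerberos port.

```python
"""Triage firewall logs for blocked Active Directory traffic.

Added example, not code from the thread. It assumes a constructed,
simplified log format:  "<ACTION> <proto> <src> -> <dst>:<dport>".
"""
from collections import Counter, defaultdict

# Port-to-service names. 53 and 389 appear in the thread; 88 is the
# IANA-assigned Kerberos port (the thread names Kerberos but not the port).
SERVICE_NAMES = {53: "dns", 88: "kerberos", 389: "ldap"}

# Constructed placeholder addresses: the Win2k appliance and the two
# site-1 DCs that the poster wants to be its only targets.
APPLIANCE = "10.0.1.10"
PERMITTED_DCS = {"10.0.2.11", "10.0.2.12"}

# What the thread's firewall allows: DNS over UDP, LDAP over UDP and TCP.
ALLOWED = {("udp", 53), ("udp", 389), ("tcp", 389)}

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = """\
ALLOW udp 10.0.1.10 -> 10.0.2.11:53
ALLOW tcp 10.0.1.10 -> 10.0.2.11:389
DENY  udp 10.0.1.10 -> 10.0.2.11:88
DENY  tcp 10.0.1.10 -> 10.0.2.11:88
DENY  tcp 10.0.1.10 -> 10.0.3.21:389
DENY  tcp 10.0.1.10 -> 10.0.3.22:389
DENY  udp 10.0.1.10 -> 10.0.3.21:88
ALLOW tcp 10.0.1.10 -> 10.0.2.12:389
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    action, proto, src, _, dst = parts
    host, _, port = dst.rpartition(":")
    if not host or not port.isdigit():
        return None
    return {"action": action.upper(), "proto": proto.lower(),
            "src": src, "dst": host, "dport": int(port)}


def classify(flow):
    """Label a flow from the appliance by how the thread explains the symptom."""
    if flow["src"] != APPLIANCE:
        return "unrelated"
    if flow["dst"] in PERMITTED_DCS:
        if (flow["proto"], flow["dport"]) in ALLOWED:
            return "expected"
        # A protocol the rule set omits (e.g. Kerberos) aimed at a permitted DC.
        return "blocked-to-permitted-dc"
    # The DC locator fell back to a DC outside the allow list.
    return "blocked-other-dc"


def triage(log_text):
    """Return (category counts, {dst: {service: denied count}})."""
    categories = Counter()
    denied = defaultdict(Counter)
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        categories[classify(flow)] += 1
        if flow["action"] == "DENY":
            service = SERVICE_NAMES.get(flow["dport"], f"port-{flow['dport']}")
            denied[flow["dst"]][service] += 1
    return categories, {dst: dict(c) for dst, c in denied.items()}


def other_dcs(log_text):
    """Sorted list of non-permitted destinations the appliance tried to reach."""
    flows = (parse_line(l) for l in log_text.splitlines())
    return sorted({f["dst"] for f in flows
                   if f and f["src"] == APPLIANCE and f["dst"] not in PERMITTED_DCS})


if __name__ == "__main__":
    cats, per_dst = triage(SAMPLE_LOG)
    print("flow categories:", dict(cats))
    print("denied by destination/service:", per_dst)
    print("DCs outside the allow list:", other_dcs(SAMPLE_LOG))
```

Run against real drop logs, the "blocked-to-permitted-dc" bucket tells you which protocols the two intended DCs need beyond DNS and LDAP, and the "blocked-other-dc" bucket tells you how often the locator is falling back to DCs that were never meant to be reachable; both numbers belong in the change request whether the fix is a wider port list or a VPN tunnel.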