Replication over firewall...


Anne Robynn

I have one domain split by 500 miles. We have set up replication to
occur over IPSec, but are first doing the DCPromo through PPTP, as per
MS article:
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

My problem is that I can't get the DCPromo to happen. The only port we
didn't open was 53 (DNS). We are going through a PIX firewall, and
although we configure the conduit to open 53, and it doesn't error, it
just doesn't open it.

This may not even be the problem.

We start the VPN connection, I can see that it's connected to the RRAS
server, but I can't ping the new IP address of the server that was
assigned by the RRAS server.

Yet if I look in DNS on the domain controller, I see an entry for the
domain controller with the new IP address assigned by the RRAS server.

In DCPromo, it says, Can't connect to domain.

Any ideas? Any white papers that might help me?

Thanks so much,
Anne
 
If the servers are connected by a PPTP connection, the port settings on
the firewall shouldn't have any effect on the traffic. All traffic should be
going through the "tunnel". It will be passing through the firewall as the
encrypted payload of GRE packets and will not be seen by the firewall
filters. I suspect the traffic is trying to go directly through the
Internet, because your VPN is not working.

If you can't ping the server by its "virtual" IP, there is something
badly wrong with your PPTP connection. The virtual or received IP is just
the other end of the point-to-point connection. If you can't ping that, your
VPN connection doesn't really exist! When it sets up, the PPTP link is just
a pipe - what goes in one end must come out the other.

Check that your firewalls are not blocking GRE. PPTP requires GRE in
both directions.

You won't be able to run dcpromo until you get routing and name
resolution working, so that the server can find a DC by its AD name.
 
I can now use PPTPCLNT and PPTP SRV and ping the other side... but I
get errors 10048 and 10060. But it says the GRE was accepted.

Should I be able to ping directly without pptpclnt/srv?

I have GRE enabled on both sides, coming in and going out.

Any ideas on what else I should try?
 
These messages usually mean that there is a problem setting up a tcp/ip
connection (port busy or unavailable).

On re-reading your original post I noticed something that I missed
originally. You say that you can see the server's RRAS IP registered in DNS.
This shouldn't happen!

If a server registers more than one IP in WINS or DNS you get all sorts
of odd problems. This has been around since NT. (You will find lots of old
KB articles about multihomed PDCs and multihomed browsers). The fix with
WINS and Netbios names is to disable Netbios over TCP/IP on all but one
interface, so that only one IP binds to the Netbios name.

With dynamic DNS, you can get a similar problem with DNS names. This is
a particular problem if the machine is a DC. You need to ensure that it only
registers one IP for each machine. Usually you can get this working by
configuring DNS to only listen on the LAN IP.

There are a few KB articles which discuss this problem. KB 292822 has a
discussion of the problem, and ways to fix the various problems. I would
recommend that you at least disable Netbt on the RRAS interface and set DNS
to only listen on the LAN interface, then see if you need to do any of the
additional things.
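The three checks in the reply above (one A record per DC, DNS listening only on the LAN address, NetBT off on every non-LAN interface) can be scripted. The script below is an added example written for this page, not something posted in the thread, and it uses tools far newer than the NT/2000-era setup being discussed: the DnsServer PowerShell module (Windows Server with the DNS role installed) and CIM. The DC name, LAN IP and RRAS address pool are placeholder values to be replaced; it reports the problems and only changes settings when run with -Fix.

```powershell
# Added example: audit (and optionally fix) the multihomed-DC registration
# problem described in the thread. Run on the DC itself, elevated.
param(
    [string]$DcName       = 'dc1.example.test',   # placeholder: the DC's DNS name
    [string]$LanIp        = '192.0.2.10',         # placeholder: the DC's LAN address
    [string]$RrasPoolCidr = '198.51.100.0/24',    # placeholder: pool RRAS hands out
    [switch]$Fix                                  # without -Fix the script only reports
)

function ConvertTo-UInt32Ip([string]$Ip) {
    # IPv4 dotted quad -> UInt32 (host order) so subnet maths is a plain AND
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    # Build the mask from powers of two to avoid signed-shift surprises
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-UInt32Ip $Ip) -band $mask) -eq ((ConvertTo-UInt32Ip $net) -band $mask)
}

# 1. How many A records does the DC have, and is any of them an RRAS address?
$records = Resolve-DnsName -Name $DcName -Type A -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
$ips = @($records | ForEach-Object { $_.IPAddress })
Write-Host "A records for $DcName : $($ips -join ', ')"
if ($ips.Count -gt 1) {
    Write-Warning "More than one A record is registered; clients may be handed an address they cannot reach."
}
foreach ($ip in $ips) {
    if (Test-InSubnet $ip $RrasPoolCidr) {
        Write-Warning "$ip lies inside the RRAS pool $RrasPoolCidr and should not be registered for the DC."
    }
}

# 2. Is the DNS service bound to the LAN address only?
$dns = Get-DnsServerSetting -All
$listen = @($dns.ListeningIPAddress)
Write-Host "DNS server listening on: $($listen -join ', ')"
if ($listen.Count -ne 1 -or $listen -notcontains $LanIp) {
    Write-Warning "DNS is not restricted to the LAN address $LanIp."
    if ($Fix) {
        $dns.ListeningIPAddress = @($LanIp)
        Set-DnsServerSetting -InputObject $dns
        Write-Host "DNS listen address set to $LanIp"
    }
}

# 3. Is NetBIOS over TCP/IP disabled on every interface except the LAN one?
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $cfg   = $_                      # copy: 'switch' reassigns $_ inside its block
    $isLan = $cfg.IPAddress -contains $LanIp
    $state = switch ($cfg.TcpipNetbiosOptions) { 0 { 'default (DHCP)' } 1 { 'enabled' } 2 { 'disabled' } }
    Write-Host ("{0}: NetBT {1}" -f $cfg.Description, $state)
    if (-not $isLan -and $cfg.TcpipNetbiosOptions -ne 2) {
        Write-Warning "NetBIOS over TCP/IP is still active on non-LAN interface: $($cfg.Description)"
        if ($Fix) {
            Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
            Write-Host "NetBT disabled on $($cfg.Description)"
        }
    }
}
```

Two caveats: the RRAS dial-in (internal) interface is not always exposed as a Win32_NetworkAdapterConfiguration instance, so step 3 may not see it and the NetBT setting on it must then be checked in the RRAS console; and after restricting DNS to one address, a stale A record for the RRAS address can linger in the zone until scavenging or manual deletion, so re-run step 1 afterwards.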