DC replication and ISA2004
#1
Got a client that has a couple of w2k3 DCs at their main site and another at their DR site. They have ISA2004 at both ends of the WAN. Replication works fine from the main site to DR but not the other way. I have a site visit planned but before I go can anyone give me a heads up as to what to look for?
TIA
Mark
#2
Check subnets are configured correctly in AD.
Check the eventlog on both DCs.
DCDIAG
NETDIAG
Check RPC traffic can pass in both directions.
David
#3
Check that both ISA 2004 boxes are on the same SP. It's more than likely the rulebase on the remote site isn't allowing the traffic back down the VPN (I'm assuming there is a VPN tunnel). It might be a VPN SA mismatch.
#4
The VPN tunnel wouldn't be created at all if there was a config issue.
The point about the reciprocated rules seems to be the best bet - you need to ensure all the Domain traffic is allowed through in both directions. Check your protocol list, your allowed nodes in both directions (remember that the rule used is session based, so whichever Server initiates the replication needs to be accommodated).
I hate to say this, but kick off a monitor session and look at all traffic inbound from that remote network; you should be able to see all traffic that is rejected. Don't forget to turn the monitoring off as it doesn't half hammer the server.
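To illustrate the point in posts #3 and #4 about reciprocal, session-based rules, here is an added example that is not part of the original thread: a simplified first-match rule model (not ISA Server 2004's actual rule engine) with constructed site names, rulebases and protocol set. It relies on AD replication being pull-based, so the destination DC is the one that initiates the session to the source DC.

```python
# Added example: simplified model, not ISA Server 2004's actual rule engine.
# Site names, rule contents and the protocol set are constructed assumptions.

# Minimum protocols a DC needs to reach its replication partner
# (RPC-EPM is the endpoint mapper on TCP 135, RPC-dynamic the ports it hands out).
REQUIRED = {"DNS", "Kerberos", "LDAP", "SMB", "RPC-EPM", "RPC-dynamic"}

# Ordered rulebases: first match wins, implicit deny at the end.
# Each rule is (action, source network, destination network, protocols).
RULES = {
    "isa-main": [
        ("allow", "main", "dr", REQUIRED),
        ("allow", "dr", "main", REQUIRED),
    ],
    "isa-dr": [
        ("allow", "dr", "main", REQUIRED),
        # Reciprocal rule exists but is incomplete: RPC was left out.
        ("allow", "main", "dr", {"DNS", "Kerberos", "LDAP", "SMB"}),
    ],
}

def evaluate(rulebase, src, dst, proto):
    """Return the action of the first matching rule, else implicit deny."""
    for action, r_src, r_dst, protos in rulebase:
        if (r_src, r_dst) == (src, dst) and proto in protos:
            return action
    return "deny"

def blocked_flows(rules, initiator, responder):
    """(firewall, protocol) pairs that deny a session initiator -> responder.
    The session crosses both firewalls, so both rulebases must allow it."""
    return sorted(
        (fw, proto)
        for fw, rulebase in rules.items()
        for proto in REQUIRED
        if evaluate(rulebase, initiator, responder, proto) != "allow"
    )

def replication_report(rules, source, destination):
    """Changes flowing source -> destination are pulled by the destination DC,
    so they depend on rules for sessions initiated by the destination site."""
    return blocked_flows(rules, initiator=destination, responder=source)

if __name__ == "__main__":
    for src, dst in (("main", "dr"), ("dr", "main")):
        blocked = replication_report(RULES, src, dst)
        print(f"changes {src} -> {dst}:", blocked or "all required flows allowed")
```

With these constructed rulebases, changes from main to DR replicate while changes from DR to main are blocked at the DR firewall, because the main-site DC's RPC sessions toward DR have no matching allow rule there.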