markr1963

Got a client that has a couple of w2k3 DCs at their main site and another at their DR site. They have ISA2004 at both ends of the WAN. Replication works fine from the main site to DR but not the other way. I have a site visit planned but before I go can anyone give me a heads up as to what to look for?

TIA

Mark

David_Wallis

Check subnets are configured correctly in AD.
Check the eventlog on both DC's
DCDIAG
NETDIAG

Check RPC traffic can pass in both directions.

David

Jeff Wiltshire

Check that both ISA 2004 boxes are on the same SP. It's more than likely the rulebase on the remote site isn't allowing the traffic back down the VPN (I'm assuming there is a VPN tunnel). It might be a VPN SA mis-match.

Kieran_Burns

iTrader: (1)

The VPN tunnel wouldn't be created at all if there was a config issue.

The point about the reciprocated rules seems to be the best bet - you need to ensure all the Domain traffic is allowed through in both directions. Check your protocol list, your allowed nodes in both directions (remember that the rule used is session based, so whichever Server initiates the replication needs to be accomodated)

I hate to say this, but kick off a monitor session and look at all traffic inbound from that remote network, you should be able to see all traffic that is rejected. Don't forget to turn the monitoring off as it doesn't half hammer the server

markr1963

Many thanks, guys

Jeff Wiltshire

It's possible to have a VPN tunnel up but only passing traffic in one direction.

olliecampbell

iTrader: (3)

rpcping