Site to Site VPN connection for two Domain Controllers

Unanswered Question
Nov 6th, 2007
I need to set up a site-to-site VPN connection using two PIX 500 series firewalls to connect two domain controllers. Once the site-to-site VPN is established, do the servers automatically see each other for replication?

clausonna Mon, 11/12/2007 - 17:36

My Active Directory guy has taken a good look at a small site-to-site VPN setup that I'm having a BIG problem with, and his answer is "They're supposed to." He said that as long as DC#2 (in the remote office) has the ability to resolve DNS for DC#1 (in the primary office) then the two should automatically replicate.

I have a two-office IPSec site-to-site tunnel between two 831's running 12.4.11T (soon to be upgraded to the latest 11T or even 15T1). XP SP2 machines in the remote office have full visibility back to the shares in the central office, and pings and nmap scans work perfectly in either direction, but my newly-added DC#2 in the remote office isn't replicating back to DC#1 (the original DC for the environment). I ran a full nmap scan from the central office against DC#2, and can see all of the expected ports/services open (e.g. 389(LDAP), 445 (msds), 135, 137, 3389, etc) but I can't view shares on DC#2 (or any other PC in the remote office) from the central office. Again, DC#2 and remote office PCs have no problem seeing shares back at headquarters.

Sorry for not being more helpful - hopefully someone out there can shed more light on the topic. If not, I'm going to call it into TAC and I'll let you know.

But again, from an Active Directory perspective this should 'just work' so it seems that either the IPSec tunnel or perhaps the "ip inspect" IOS CBAC firewalls are getting in the way.

thult Mon, 11/12/2007 - 23:57
What versions do you run on the PIX firewalls?

s.dickervitz Wed, 11/14/2007 - 05:52
I haven't purchased the PIX firewalls yet.

I'm just making sure that when purchased, my DCs see each other automatically through the tunnel.

thult Wed, 11/14/2007 - 06:18
The DCs see what you allow them to see...

If your access rules permit all IP traffic between the networks, you also have to disable the ping-of-death protection:

ip audit signature 2150 disable

ip audit signature 2151 disable

This is because the DCs use a 2048-byte ICMP packet to determine the connection speed to the clients. The PIX will deny this as a ping of death, which can result in not all policies being executed.

Pls rate if satisfied.
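As an added example, not code from this thread, here is a small Python triage script a defender can run over PIX syslog output before touching the signatures: it keeps only the 2150/2151 hits whose source and destination are both domain controllers (so a hit from some other host is not used as a reason to relax the signature) and emits the two disable commands from the reply above for the signatures actually seen. The syslog line shape, hostnames and addresses are assumed and constructed for this example.

```python
import re

# Assumed syslog shape for PIX IDS ("ip audit") messages; constructed for this
# example, not copied from a real device:
#   %PIX-4-400023: IDS:2150 ICMP fragment from <src> to <dst> on interface <if>
#   %PIX-4-400024: IDS:2151 ICMP Large Packet from <src> to <dst> on interface <if>
IDS_RE = re.compile(
    r"%PIX-\d-\d+: IDS:(?P<sig>\d+) (?P<name>.+?) from (?P<src>[\d.]+)"
    r" to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# The two signatures the reply above says to disable: both fire on the
# 2048-byte ICMP echo that DCs use for slow-link detection.
SLOW_LINK_SIGS = {"2150", "2151"}

# Constructed sample log: two DC-to-DC hits, one hit from an unrelated host,
# and one ordinary connection message that the parser must ignore.
SAMPLE_LOG = """\
Nov 14 06:10:01 pix1 %PIX-4-400023: IDS:2150 ICMP fragment from 192.0.2.10 to 198.51.100.10 on interface outside
Nov 14 06:10:01 pix1 %PIX-4-400024: IDS:2151 ICMP Large Packet from 192.0.2.10 to 198.51.100.10 on interface outside
Nov 14 06:11:30 pix1 %PIX-4-400024: IDS:2151 ICMP Large Packet from 203.0.113.77 to 198.51.100.10 on interface outside
Nov 14 06:12:00 pix1 %PIX-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/1025 to inside:198.51.100.10/389
"""

def parse_ids_events(log_text):
    """Return one dict per IDS line; other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def dc_slow_link_drops(events, dc_addrs):
    """Keep only 2150/2151 hits where BOTH endpoints are domain controllers.
    Hits from other sources are left out on purpose: they may be real abuse
    and are not evidence that replication traffic is being dropped."""
    return [e for e in events
            if e["sig"] in SLOW_LINK_SIGS
            and e["src"] in dc_addrs and e["dst"] in dc_addrs]

def remediation_commands(drops):
    """PIX commands from the reply above, one per signature actually seen."""
    return [f"ip audit signature {sig} disable"
            for sig in sorted({e["sig"] for e in drops})]

if __name__ == "__main__":
    dcs = {"192.0.2.10", "198.51.100.10"}  # constructed DC addresses
    drops = dc_slow_link_drops(parse_ids_events(SAMPLE_LOG), dcs)
    for e in drops:
        print(f"sig {e['sig']} ({e['name']}) {e['src']} -> {e['dst']} on {e['iface']}")
    print("\n".join(remediation_commands(drops)))
```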

clausonna Wed, 11/14/2007 - 09:55

The issue I was having (see above) was for two DCs sitting on either side of an IPSec tunnel between two 871 routers. I upgraded both routers to the same IOS (12.4.11T (latest)) and the issue went away - I can do net view \\remotedc from the local DC and everything looks OK now.

So, if your IPSec tunnels don't do any port filtering, your DCs should be all set. However, if there is a firewall in between, you should take a look at the Microsoft TechNet doc:
