Cisco Support Community

New Member

Site to Site VPN connection for two Domain Controllers

I need to set up a site to site vpn connection using 2 pix 500 series firewalls to connect 2 domain controllers. Once the site to site vpn is established, do the servers automatically see each other for replication?

Thanx.

6 REPLIES
Bronze

Re: Site to Site VPN connection for two Domain Controllers

My Active Directory guy has taken a good look at a small site-to-site VPN setup that I'm having a BIG problem with, and his answer is "They're supposed to." He said that as long as DC#2 (in the remote office) has the ability to resolve DNS for DC#1 (in the primary office) then the two should automatically replicate.

I have a two-office IPSec site-to-site tunnel between two 831's running 12.4.11T (soon to be upgraded to the latest 11T or even 15T1). XP SP2 machines in the remote office have full visibility back to the shares in the central office, and pings and nmap scans work perfectly in either direction, but my newly-added DC#2 in the remote office isn't replicating back to DC#1 (the original DC for the environment). I ran a full nmap scan from the central office against DC#2, and can see all of the expected ports/services open (e.g. 389(LDAP), 445 (msds), 135, 137, 3389, etc) but I can't view shares on DC#2 (or any other PC in the remote office) from the central office. Again, DC#2 and remote office PCs have no problem seeing shares back at headquarters.

Sorry for not being more helpful - hopefully someone out there can shed more light on the topic. If not, I'm going to call it into TAC and I'll let you know.

But again, from an Active Directory perspective this should 'just work' so it seems that either the IPSec tunnel or perhaps the "ip inspect" IOS CBAC firewalls are getting in the way.

New Member

Re: Site to Site VPN connection for two Domain Controllers

What versions do you run on the Pix-firewalls?

New Member

Re: Site to Site VPN connection for two Domain Controllers

I haven't purchased the Pix firewalls yet.

I'm just making sure that when purchased, my DCs see each other automatically through the tunnel.

Thanx.

New Member

Re: Site to Site VPN connection for two Domain Controllers

The DCs see what you allow them to see...

If your access rule permits all IP traffic between the networks, you also have to disable the Ping-of-death protection:

ip audit signature 2150 disable

ip audit signature 2151 disable

This is because the DCs use a 2048-byte ICMP packet to determine the connection speed to the clients. The Pix will deny this as a ping of death, which can result in not all policies being executed.

Pls rate if satisfied.

New Member

Re: Site to Site VPN connection for two Domain Controllers

Thanx, I'll keep that in mind when setting it up.

Bronze

Re: Site to Site VPN connection for two Domain Controllers

The issue I was having (see above) was for two DCs sitting on either side of an IPSec tunnel between two 871 routers. I upgraded both routers to the same IOS (12.4.11T (latest)) and the issue went away - I can do net view \\remotedc from the local DC and everything looks OK now.

So, if your IPSec tunnels don't do any port filtering, your DCs should be all set. However, if there is a firewall in between, you should take a look at the Microsoft Technet doc:

http://technet.microsoft.com/en-us/library/Bb727063.aspx
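The thread's practical advice boils down to two points: the DCs replicate only over the ports the tunnel and firewall let through, and the well-known Active Directory ports (RPC endpoint mapper, LDAP, SMB, Kerberos, DNS, Global Catalog) must all be reachable from each DC to its partner. The script below is an added example, not code from the thread or from Cisco or Microsoft; it probes those TCP ports from one side of the tunnel so a blocked port shows up as a specific number rather than a vague "replication isn't working". The port table is the standard AD list; the target address 192.0.2.10 is an assumed placeholder for the remote DC, and the RPC dynamic range (negotiated per connection, so not probed here) is noted in a comment because it also has to be open.

```python
"""Probe the well-known TCP ports Active Directory replication needs on a
remote domain controller.  Added example for this thread; not code from
Cisco, Microsoft, or any poster above.  Run it from a host on one side of
the site-to-site tunnel against the DC on the other side."""
import socket
import sys
from typing import Dict, Iterable, List, Optional

# Well-known TCP ports a DC must reach on its replication partner.
# NOTE: the RPC dynamic range (49152-65535 on Windows 2008+, 1025-5000 on
# 2000/2003) must also be open; it is negotiated per call, so it is not
# probed by this script.
AD_REPLICATION_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL/NETLOGON, FRS/DFSR)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog over SSL",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake to host:port completes.

    A refused port (RST) or a filtered one (silence until the timeout)
    both return False; from this side of the tunnel that is exactly what a
    missing ACL entry or an inspection rule dropping the flow looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_replication_ports(
    host: str, ports: Optional[Iterable[int]] = None, timeout: float = 2.0
) -> Dict[int, bool]:
    """Probe each port in `ports` (default: the AD table above) on `host`.

    Returns a mapping port -> reachable.
    """
    targets = list(AD_REPLICATION_TCP_PORTS) if ports is None else list(ports)
    return {port: tcp_port_open(host, port, timeout) for port in targets}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Sorted list of ports that were NOT reachable."""
    return sorted(port for port, reachable in results.items() if not reachable)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary, one line per port plus a verdict."""
    lines = [f"AD replication port check against {host}"]
    for port in sorted(results):
        name = AD_REPLICATION_TCP_PORTS.get(port, "custom")
        state = "open" if results[port] else "BLOCKED"
        lines.append(f"  tcp/{port:<5} {name:<34} {state}")
    missing = blocked_ports(results)
    if missing:
        lines.append(f"Blocked: {missing} - check the tunnel ACL / firewall rules.")
    else:
        lines.append("All well-known ports reachable; remember the RPC dynamic range.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed placeholder for the remote DC; pass the real address instead.
    remote_dc = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(remote_dc, check_replication_ports(remote_dc)))
```

Run it from a machine on the central-office LAN against the remote DC and again in the other direction; replication is bidirectional, and the poster above saw exactly the one-way case (remote could reach HQ, HQ could not reach remote). Anything reported BLOCKED is a port the tunnel ACL, a CBAC/inspect rule, or an intermediate firewall is dropping.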
