OutThere
Welcome Newcomer
13 Posts
Status: offline
Posted - 04/19/2004 : 10:56:44 AM
Hi, I have a new two-site domain using 2003 server. When I set up the network it was in a test environment using another server as a router to allow for the two networks. Once the servers were installed, replication failed. I get the following errors, NTDS KCC 1311/1865/1566, in the event logs, and using repadmin the RPC call timeout keeps occurring. I have checked that it's running on both DCs and that the firewall is not stopping any traffic between the two sites. But still no joy? Seriously need some help here.
stash
Major Contributor
USA
809 Posts
Status: offline
Posted - 04/19/2004 : 11:38:33 AM
How are the sites connected now? VPN? It could be packet fragmentation and Kerberos packets being dropped, but IIRC, 2003 will use TCP for Kerberos by default.
What about DNS... does a netdiag /v look OK? What about a dcdiag /v?
OutThere
Welcome Newcomer
13 Posts
Status: offline
Posted - 04/19/2004 : 12:26:53 PM
Thanks. The sites are connected via a VPN connection using two Cisco routers. Connectivity is fine, ping and tracert. The netdiag /v has one negative entry, saying that my remote site is down so it has failed to query SPN registration on the DC. All DNS entries appear to resolve fine.
Currently I cannot even connect to the remote site to view the event log or perform any other management functions.
The dcdiag /v command gives the same errors I get in the event log and reports that the domain controller is inaccessible. KCC offers some solutions, but all my intersite transports check out, yet the error still states that KCC was unable to perform a complete spanning tree network topology.
stash
Major Contributor
USA
809 Posts
Status: offline
Posted - 04/19/2004 : 1:01:40 PM
It could be related to this hotfix: 829074 Users Cannot Connect to a Windows Server 2003 Domain by Using a VPN http://support.microsoft.com/?id=829074
Ping may work fine, but you may want to try different size pings.
OutThere
Welcome Newcomer
13 Posts
Status: offline
Posted - 04/19/2004 : 2:03:37 PM
Hi Stash, I have the two routers authenticating with each other rather than Windows to create a secure tunnel between my two sites, but thanks for your input. It's 1900 here so time to go home, but I will be at the other of the two sites tomorrow to start tracing the problem again.
stash
Major Contributor
USA
809 Posts
Status: offline
Posted - 04/19/2004 : 4:04:25 PM
If you have a Cisco VPN, this could definitely be the issue. The MTU size is 1500 by default in 2003, but the max size of a Kerberos packet before it switches to TCP is 2000 bytes. So between 1500 and 2000 bytes, Kerberos will use UDP, and it will be fragmented. If the VPN drops fragments (which is common), you will see these types of problems.
OutThere
Welcome Newcomer
13 Posts
Status: offline
Posted - 04/20/2004 : 05:13:25 AM
I gave this some more thought last night and I think you may be right. When I originally set up my two servers, I used another server as the router and replication worked fine. But once they were installed with the two routers providing the tunnel, replication consistently failed. I even dropped the access-lists and firewall from both sites to run tests to check they were not causing the issue. This morning I ran portqry on 135 from both ends, which works fine too. When I take into consideration that I cannot even browse to the other site over the VPN tunnel, then authentication does seem to be the overall issue. I will let you know how it turns out.
OutThere
Welcome Newcomer
13 Posts
Status: offline
Posted - 04/22/2004 : 1:54:36 PM
Still no joy on this one; the patch didn't solve the problem. I have been advised to use a registry hack to force Kerberos to use TCP. Has anyone had any experience of this?
stash
Major Contributor
USA
809 Posts
Status: offline
Posted - 04/22/2004 : 5:32:34 PM
Yes, that's what I was getting at. I'm not sure what patch you tried...?
The registry hack is the MaxPacketSize value. If it is set to 1, all Kerberos traffic will be over TCP. However, this usually only applies to 2000 DCs. But it would be a good thing to try.
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
OutThere
Welcome Newcomer
13 Posts
Status: offline
Posted - 04/23/2004 : 12:01:05 PM
OK, sussed it.
It was the MTU size of the packets, as you pointed out. I tested it with the following:
Ping -l 1500 -f <IP of remote server>
Ping -l 1450 -f <IP of remote server>
Ping -l 1400 -f <IP of remote server>
Ping -l 1350 -f <IP of remote server>
Ping -l 1300 -f <IP of remote server>
Ping -l 1250 -f <IP of remote server>
Ping -l 1200 -f <IP of remote server>
My remote server only started responding when I got to 1350.
What was happening was that the replication packets were being sent out from the server with the don't fragment switch set, so once they were encrypted at the router they were too large and were being dropped. I used a command on each router as follows:
crypto ipsec df-bit clear
This allowed the router to fragment the packets before encryption, and replication was immediate.
The MS option was to enter the following REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\tcpip\parameters:
EnablePMTUDiscovery
EnablePMTUBHDetect
Set both to the value 1, which would detect the MTU and set it accordingly.
As a newbie this was quite a problem. Thanks for pointing me in the right direction.
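The ping sweep above, automated as an added example (not code from the thread or its posters): it binary-searches the largest don't-fragment ICMP payload a path carries and converts it to a path MTU, going beyond the thread's 50-byte step-down by landing on the exact figure. It assumes the OS ping's own flags (`-f -l` on Windows, `-M do -s` on Linux); `simulated_link` is a constructed stand-in for a tunnel that drops oversized DF datagrams.

```python
import platform
import subprocess
import sys
from typing import Callable

IP_HDR, ICMP_HDR = 20, 8            # IPv4 + ICMP echo headers on top of the payload
PROBE_LOW, PROBE_HIGH = 576, 1500   # RFC 791 minimum MTU, Ethernet default

def ping_df(host: str, payload: int) -> bool:
    """One DF-flagged echo request of `payload` bytes; True only on a real reply."""
    win = platform.system() == "Windows"
    cmd = (["ping", "-n", "1", "-f", "-l", str(payload), host] if win
           else ["ping", "-c", "1", "-M", "do", "-s", str(payload), host])
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Windows prints 'Reply from <router>: Packet needs to be fragmented but DF set.'
    # for a dropped probe, so key on the 'bytes=' field of a genuine echo reply.
    return "bytes=" in out.stdout if win else out.returncode == 0

def largest_passing_payload(probe: Callable[[int], bool],
                            low: int = PROBE_LOW, high: int = PROBE_HIGH) -> int:
    """Largest payload in [low, high] for which probe() succeeds, or 0 if none.

    A size that passes implies every smaller size passes, so a binary search
    replaces the manual step-down and lands on the exact figure.
    """
    if not probe(low):
        return 0                # even the minimum is dropped: ICMP filtered or path broken
    lo, hi = low, high          # invariant: probe(lo) is True
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def path_mtu_from_payload(payload: int) -> int:
    """IP datagram size that fitted the path for a given ICMP payload."""
    return payload + ICMP_HDR + IP_HDR

def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a tunnel that drops DF datagrams above path_mtu."""
    return lambda payload: path_mtu_from_payload(payload) <= path_mtu

if __name__ == "__main__":
    target = sys.argv[1]        # IP of the remote DC, as in the ping lines above
    best = largest_passing_payload(lambda n: ping_df(target, n))
    print(f"largest DF payload {best} bytes -> path MTU {path_mtu_from_payload(best)}")
```

Feeding the thread's result through `path_mtu_from_payload` gives 1350 + 28 = 1378 bytes, the largest datagram the tunnel carried with DF set, which is why the 1500-byte default on the servers never got through.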
stash
Major Contributor
USA
809 Posts
Status: offline
Posted - 04/23/2004 : 9:32:34 PM
Nice! Glad you got it working.
chuz76
Welcome Newcomer
Costa Rica
1 Posts
Status: offline
Posted - 05/19/2005 : 1:47:29 PM
I have the same replication problems, but I'm not using IPsec. Is this solution applicable to me?