Welcome to ISAserver.org
2008 DC to DC replication issues with ISA 2006
2008 DC to DC replication issues with ISA 2006 - 15.May2008 12:40:37 PM
swoolhead
Posts: 14
Joined: 7.Nov.2002
Status: offline
Thought I'd post this here as it might help out someone else.

We have two 2008 DCs, a root forest and a child domain, and sitting between them is an ISA server. The firewall rules allow all traffic between the two networks, and RPC strict is turned off. If you try and force replication between the two DCs you'll get an RPC error along the lines of RPC call failed. If you have a look in the ISA logs you'll see RPC (All Interfaces) FWX_E_CONNECTION_KILLED. If you disable the RPC filter via Add-Ins the problem goes away. Having a look with Wireshark and you can see invalid context errors in the RPC calls that are not there when the filter is disabled.

Fix is contained in this hotfix http://support.microsoft.com/kb/951510

Stephen.
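
One way to confirm the symptom described in the post above from an exported firewall log, as an added example that is not part of the original thread. The tab-separated layout, the column names (`source`, `destination`, `protocol`, `result`) and the addresses are assumptions made for this constructed sample; only the protocol name and the `FWX_E_CONNECTION_KILLED` result string come from the post.

```python
from collections import Counter

# Constructed sample of a tab-separated firewall log export. The column names,
# addresses and non-error values are assumptions made for this example; adjust
# them to match the "#Fields:" header of your own export.
SAMPLE_LOG = "\n".join([
    "#Fields: date\ttime\tsource\tdestination\tprotocol\tresult",
    "2008-05-15\t12:31:02\t10.1.0.10\t10.2.0.10\tRPC (All Interfaces)\tOK",
    "2008-05-15\t12:31:03\t10.1.0.10\t10.2.0.10\tRPC (All Interfaces)\tFWX_E_CONNECTION_KILLED",
    "2008-05-15\t12:31:09\t10.2.0.10\t10.1.0.10\tRPC (All Interfaces)\tFWX_E_CONNECTION_KILLED",
    "2008-05-15\t12:31:15\t10.1.0.10\t10.2.0.10\tRPC (All Interfaces)\tFWX_E_CONNECTION_KILLED",
    "2008-05-15\t12:31:20\t10.1.0.55\t10.2.0.10\tRPC (All Interfaces)\tFWX_E_CONNECTION_KILLED",
    "2008-05-15\t12:31:22\t10.1.0.10\t10.2.0.10\tLDAP\tOK",
    "2008-05-15\t12:31:30\ttruncated line",
])


def parse_rows(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif fields and line and not line.startswith("#"):
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def killed_rpc_between(text, dc_addresses):
    """Count RPC connections the firewall killed, per (source, destination) DC pair."""
    dcs = set(dc_addresses)
    hits = Counter()
    for row in parse_rows(text):
        if (row.get("protocol") == "RPC (All Interfaces)"
                and row.get("result") == "FWX_E_CONNECTION_KILLED"
                and row.get("source") in dcs
                and row.get("destination") in dcs):
            hits[(row["source"], row["destination"])] += 1
    return hits


if __name__ == "__main__":
    pairs = killed_rpc_between(SAMPLE_LOG, ["10.1.0.10", "10.2.0.10"])
    for (src, dst), n in pairs.items():
        print(f"{src} -> {dst}: {n} killed RPC connection(s)")
```

Running the same count before and after disabling the RPC filter (or applying the hotfix) shows whether the kills between the two DCs stop.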
RE: 2008 DC to DC replication issues with ISA 2006 - 16.May2008 2:33:57 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
DCs are not supposed to have a firewall between them.
_____________________________
Phillip Windell www.wandtv.com
RE: 2008 DC to DC replication issues with ISA 2006 - 16.May2008 3:00:38 PM
swoolhead
Posts: 14
Joined: 7.Nov.2002
Status: offline
What about branch office solutions, you saying that ISA is not a valid option for that?
RE: 2008 DC to DC replication issues with ISA 2006 - 16.May2008 3:46:08 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You would connect them with either VPN or with private leased lines. In the case of VPN, ISA would be acting as the "VPN Router" and not as a "Firewall". If some other brand of VPN Router is used then ISA would not be involved with inter-site traffic at all because it would be passing through the VPN Router instead.

I guess you may have to clarify your situation. Just because you have two DCs with a Master/Child Domain doesn't really tell us how the LAN/WAN is really arranged. Even if the ISA machine is physically between them doesn't mean ISA is logically between them in terms of being a NAT or proxy based firewall, because it may be doubling as a LAN Router or a VPN Router and that changes everything.
_____________________________
Phillip Windell www.wandtv.com
RE: 2008 DC to DC replication issues with ISA 2006 - 16.May2008 3:52:27 PM
swoolhead
Posts: 14
Joined: 7.Nov.2002
Status: offline
The DCs are at two remote sites, the sites are linked via two ISA machines and routed site to site VPNs. The firewall rules allow all outbound traffic in both directions, so yes there is a firewall between them.
< Message edited by swoolhead -- 16.May2008 3:54:13 PM >
RE: 2008 DC to DC replication issues with ISA 2006 - 16.May2008 4:04:05 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Ok...and it works when the Filter is disabled? The hotfix didn't fix it? I wouldn't have thought the Filter even came into play when the Network Relationship between the two "networks" was set to "routed". The relationship is set to "routed" isn't it? Have you made sure the Domains List is correct in the Domains Tab of the Internal Network Definition? It should be the Forest Root name like this: *.mycompany.local I'm not sure what else to think. Maybe some of the other guys here can toss in some ideas?
_____________________________
Phillip Windell www.wandtv.com
RE: 2008 DC to DC replication issues with ISA 2006 - 16.May2008 4:06:03 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Since these are 2008 DCs... maybe the way they communicate with RPC has changed somewhat and the Filter that was created long before Server 2008 came along can't handle it?
_____________________________
Phillip Windell www.wandtv.com