RE: Can't run DCPROMO over a Remote Link?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 20 Nov 2004 11:51:23 -0600

Hi Mike,

You do *not* need to disable the RPC filter, or disable DCOM to join the
domain. There are issues with certificate autoenrollment, and the
Certificates MMC, but no problem joining the domain.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx] 
Sent: Friday, November 19, 2004 9:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?

http://www.ISAserver.org

Hello Steve,

What confuses me, is why am I able to join - after much diligence?  As I
mentioned before, even though it was reluctant to join Active Directory,
after trying around 12 times - it DID eventually kick off the AD Wizard,
and finally made it into a Domain Controller.

My question is, how was I able to accomplish that, if those rules were
required in the first place?  Of course, it's ridiculous that it failed
those many many times, almost as if it was never meant to be - but it
did work nevertheless.

Do you have any ideas about that?

Thanks,

Mike

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx] 
Sent: Friday, November 19, 2004 6:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?

Also I used most of these...as they are not all Exchange specific, AD
rep etc.

 http://www.isaserver.org/articles/2004dmzfebe.html

S

-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Friday, November 19, 2004 7:45 PM
To: ISA Mailing List
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?

Are you serious?  I guess that is kind of deceiving...

There has got to be a way, to literally open up a remote network using a
single setting, in order to let ALL traffic flow.  Surely the creators
of ISA 2004 must understand, that there ARE actually times, where you
are connecting to another secure network - and that one would want to
connect both together seamlessly - therefore creating a wizard or
setting to do so.

So do those articles I mentioned, cover all the stuff I need to do?

Since everybody knows my setup, and also what I am trying to accomplish,
could you all help me regarding setting up the proper protocols?  What
else do I need to do, in addition to "Allowing All Traffic" to and
from the Internal network?

Thanks for all your help,

Mike

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Friday, November 19, 2004 5:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?

You will probably have to disable the RPC filter, you have to allow a
myriad of protocols, that are not covered by allow all, in fact allow
all isn't really allow all..... 

-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Friday, November 19, 2004 6:21 PM
To: ISA Mailing List
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?

Thomas (I gotta ask the guru),

If I have a standalone ISA Server, which connects to our main network
across town, and then in turn, feeds our internal 192 network which my
potential Backup DC belongs to, what must I do in order to have that
server be promoted to a Backup DC?

Joseph just mentioned RPC, and it's odd that he mentions that...  If I
run DCPROMO on that server, and it tries to contact the PDC, it DOES
attempt to begin the process, but then gives me an error message about
the RPC.  Now here is the weird part - if I keep hitting the "back"
button on the Wizard (so I can change any settings), and then hit the
"next" button to try again, after about the 10th or 11th attempt, it
WILL finally contact the PDC, and then the Wizard proceeds with the
ENTIRE upgrade process.  Then when it's finished, of course it needs to
reboot, and then that server is officially on the Domain as a Secondary
DC.

BUT, now that the machine is running NOW as a Backup DC, it hangs from
time to time - like when you try to run any Administrative Console Apps
- like DHCP manager, WINS, etc.  It's almost like it works for a while,
then slowly deteriorates.  It can consistently contact all the machines
on the network - including the ones on the other side, but there seems
to be some other higher level communications that it's unable to perform
- and then of course, it starts to affect the workstations on its own
side of the network.  You know - workstations that are part of the
domain, but used to authenticate across the WAN link (because that's
where the PDC was) - but now, can make LOCAL auth requests since there
is now a local Domain Controller.

Like I mentioned before, I created Rules, that give FULL access from the
Remote Network to the Localhost and Internal network, and also a reverse
rule, that allows FULL access from the Localhost and Internal network to
the Remote Network.  The link works great overall - but only when there
is Domain Controller related traffic, is when things start to get really
bad.

Is this in fact an RPC problem?  Is there anything else I should be
looking at?  The article you wrote, talked more about Exchange Servers
and DMZ's - and that's really not my exact scenario.  All I want, is to
have a PDC and BDC which are both behind their respective ISA 2004
Servers, to talk freely to each other, and allow them to do, whatever it
is they need to do.

Any more thoughts on this?  This is SUPER important, as I really need
this BDC to work properly.

Thanks everybody - and Thomas if you could jump in, I'd be grateful.

Mike


-----Original Message-----
From: josephk [mailto:josephk@xxxxxxxxx]
Sent: Friday, November 19, 2004 3:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?

Yes, and make sure on the RPC that you set up the port to a number such
as 1600 or 50000 and keep that consistent by using the registry to
create the desired port.  You'll find 2 documents on isaserver.org that
talk about the ports.


http://www.isaserver.org/articles/2004perimeterdomain.html

 

*ADLogon/DirRep:
Primary Connection: 50000 TCP Outbound (requires RPC key set on the
back-end Exchange Server)

 

Perform the following steps on each of the domain controllers in your
domain to change the RPC replication port to 50000:

1. Click Start and click Run. In the Open text box enter Regedit and
   click OK.
2. Go to the following Registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
3. Click the Edit menu and point to New. Click DWORD Value.
4. Rename the entry from New Value #1 to TCP/IP Port, then double-click
   the entry.
5. In the Edit DWORD Value dialog box, select the Decimal option. Enter
   50000 in the Value data text box. Click OK.
6. Restart the domain controller.

 

 

http://www.isaserver.org/articles/2004dmzfebe.html

 

ADLogon/DirRep:
Primary Connection: 1600 TCP Outbound (requires RPC key set on the
back-end Exchange Server)

Thank you,

Joseph
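
The six Regedit steps quoted in the message above, scripted in PowerShell
as an added example (not part of the original thread or the linked
articles). The key, value name and port 50000 are the ones given above;
the function names and the peer host name dc1.example.test are
assumptions made for illustration.

```powershell
# Added example. Run in an elevated session on each domain controller.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'TCP/IP Port'          # value name from step 4
$Port = 50000                  # decimal value from step 5
$Peer = 'dc1.example.test'     # placeholder: the DC on the far side of the link

function Get-NtdsRpcPort {
    # Configured replication port, or $null if the value is absent
    # (the DC is then still using dynamically assigned RPC ports).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $null }
}

function Set-NtdsRpcPort {
    param([Parameter(Mandatory = $true)][ValidateRange(1024, 65535)][int]$Value)
    if (-not (Test-Path -Path $Key)) {
        throw 'NTDS\Parameters key not found: this host does not appear to be a domain controller.'
    }
    if ((Get-NtdsRpcPort) -eq $Value) { return $false }    # already pinned
    # -Force overwrites an existing value; DWord matches step 3.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force |
        Out-Null
    return $true
}

if (Set-NtdsRpcPort -Value $Port) {
    Write-Warning "Port set to $Port. Restart this domain controller (step 6) to apply it."
} else {
    Write-Output "Replication port already pinned to $Port."
}

# After both DCs are restarted, confirm the firewall passes the RPC endpoint
# mapper (TCP 135) and the pinned port to the peer.
foreach ($p in 135, $Port) {
    $r = Test-NetConnection -ComputerName $Peer -Port $p -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $Peer, $p, $r.TcpTestSucceeded
}
```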

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Thursday, November 18, 2004 7:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Can't run DCPROMO over a Remote Link?


You need to make sure you have allowed the correct protocols for
intra-domain communication between the 2 domains.

S 

-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Thursday, November 18, 2004 11:46 PM
To: ISA Mailing List
Subject: [isalist] Can't run DCPROMO over a Remote Link?

Hello All,

Why can't I make a server into a Backup Domain Controller, while going
over a Remote Site Network link?  It should be just as good as being
there - if the WAN link is doing what it's really supposed to be doing
right?  I must be missing something, and hopefully all of you can shed
some light on the problem...

I get the following error, when I run DCPROMO - after answering all the
final questions before it attempts to contact the Primary Domain
Controller on the other side of the link:

     "The network path was not found.  If this computer is connected
     to the network via a Remote Access Service (RAS) connection,
     ensure that File and Printer Sharing for Microsoft Networks is
     enabled for that connection."

Do you all think this very well may be the problem, since I am in fact,
going over a RAS Style link?

If so, what do I need to do, in order to get this working?

Thanks,

Mike

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security
Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

