I had to setup a 2nd domain controller at an offsite location this past week. I don’t have any good VPN-ing routing equipment so I was just going to use OpenVPN to create a tunnel between the two sites. I set up OpenVPN to work with site-to-site routing and everything seemed to work… I could browse the shares from both sides, everyone was happy and could ping each other. I was even able to successfully install the 2nd domain controller and join the Windows domain. But then, I started getting all these random issues:
- AD Replication error 1722: The RPC server is unavailable – http://support.microsoft.com/kb/2102154
- DNS wasn’t syncronizing
- AD was out of sync
I spent lots of time troubleshooting it and I realized the issue. I set up the 2 OpenVPN servers to Masquerade NAT between the 2 subnets so all the traffic looked like it was coming from the VPN server itself. All the RPC calls were failing presumably because the domain controller was trying to open ports to communicate on. Anyways, I fixed that by making the openVPN server properly route and then DFSR was able to properly sync and replicate the two domain controllers. Moral of the story – make sure you set up proper routing and not NAT between domain controllers!
If you were able to get DCs working using masquerading NAT, please let me know. I’d be interested if that was possible.