Funny guy. :P

From: [email protected] [mailto:[email protected]] On 
Behalf Of Crawford, Scott
Sent: Wednesday, February 5, 2014 3:29 PM
To: [email protected]
Subject: [NTSysADM] RE: windows advanced firewall

Prolly best to start at the beginning. Is the network cable plugged in? ;)

From: [email protected] 
[mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, February 5, 2014 2:17 PM
To: [email protected]
Subject: [NTSysADM] RE: windows advanced firewall

Oh.... Not a bad idea. I checked. None present.

From: [email protected] 
[mailto:[email protected]] On Behalf Of Crawford, Scott
Sent: Wednesday, February 5, 2014 3:04 PM
To: [email protected]
Subject: [NTSysADM] RE: windows advanced firewall

Nah, just brainstorming. Thought maybe an IPSec rule could be blocking it.

From: [email protected] 
[mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, February 5, 2014 1:53 PM
To: [email protected]
Subject: [NTSysADM] RE: windows advanced firewall

You are suggesting setting up an IPSec connection between the two servers? 
While that may be a possible solution, it's a cop-out. :) This works everywhere 
else in the world. :)

From: [email protected] 
[mailto:[email protected]] On Behalf Of Crawford, Scott
Sent: Wednesday, February 5, 2014 2:42 PM
To: [email protected]
Subject: [NTSysADM] RE: windows advanced firewall

IPSec?

http://technet.microsoft.com/en-us/library/cc730656.aspx


From: [email protected] 
[mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, February 5, 2014 12:00 PM
To: [email protected]
Subject: [NTSysADM] windows advanced firewall

I'm stumped.

Server 2008 R2. All current patches.

We have DS1 and DS2. I built these servers a couple of years ago using my 
handy-dandy deployment scripts. They are identical. They are physical. They 
have exactly the same firewall rules (and yes, I have compared those rules from 
a rules dump). They are on the same subnet. They have this subnet in their 
Scope --> Allowed Remote IP Addresses. They are both DCs and GCs. They point to 
themselves as primary DNS and each other as alternate DNS. They are both 
running Endpoint Protection 2012 R2 using the standard DC template provided by 
MSFT.  They plug into the same switch.

DS2 dumps all AD-related RPC and DNS traffic from DS1.

I turned on firewall logging on DS2. The firewall even says it's dropping the 
packets. For example:

2014-02-05 11:18:15 DROP TCP 10.0.59.36 10.0.59.37 54897 389 40 FA 1470786861 
397644096 253 - - - RECEIVE
2014-02-05 11:39:13 DROP UDP 10.0.59.36 10.0.59.37 53 58716 123 - - - - - - - 
RECEIVE

(DS1 is 10.0.59.36, DS2 is 10.0.59.37)

But rules say that traffic should be allowed.

So I created another rule on DS2 that allows ALL traffic from DS1 to DS2. NO 
change. DS2 dumps all RPC and DNS traffic from DS1.

So AD replication initiated on DS1 toward DS2 doesn't work. DS2 has to initiate 
replication.

DNS requests from DS1 to DS2 don't work. Etc. There are a variety of problems.

Some RPC related things do work (on DS1, I can "tasklist /s ds2", I can open 
the ds2 services console, the ds2 event console, etc.).

What have I missed? What next to check?

Thanks for any assistance...
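Editor's note, added to the thread and not part of any of the messages above: the two log lines quoted in the original post are in the firewall log's W3C field order (date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path). Read that way, the TCP drop is a FIN/ACK (flags FA) on a connection to port 389, and the UDP drop has source port 53 and an ephemeral destination port, i.e. a DNS reply coming back to DS2. Neither is a new connection attempt, which is the only case an inbound allow rule decides; the rest is a flow-state or connection-security (IPsec) question, which is exactly the direction the replies in the thread went. The script below is an added example, written by the editor for PowerShell 2.0 on Server 2008 R2 (no NetSecurity module there, so firewall and IPsec state comes from netsh advfirewall). It parses a pfirewall.log, splits the drops from a given peer into "new flow" versus "existing flow" categories, and captures the state that should be diffed between DS1 and DS2. The sample input embeds the two lines from the post plus two constructed lines for contrast; the log path, output directory and the 1023 service-port cutoff are assumptions.

```powershell
# Added example (editor's code, not from the thread). Triage pfirewall.log drops
# and capture firewall + IPsec state for a side-by-side diff of two DCs.
# Targets PowerShell 2.0 / Server 2008 R2, so netsh advfirewall is used for state.

# Field order written by Windows Firewall logging (taken from the #Fields header).
$Fields = 'date','time','action','protocol','src','dst','srcport','dstport',
          'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'

function Parse-PfirewallLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }          # header, comment or blank
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -ne $Fields.Count) { continue }    # truncated or wrapped line
        $o = New-Object PSObject
        for ($i = 0; $i -lt $Fields.Count; $i++) {
            Add-Member -InputObject $o -MemberType NoteProperty -Name $Fields[$i] -Value $parts[$i]
        }
        $o
    }
}

# A dropped packet that STARTS a flow (TCP SYN without ACK, or a UDP datagram sent
# to a service port) is decided by the inbound allow rules. A dropped packet that
# belongs to an existing flow (FIN/ACK, bare ACK, or UDP coming FROM a service port)
# means the firewall had no matching state for it: look at IPsec/consec rules and
# stale SAs before re-reading the allow rules.
function Classify-Drop {
    param($Entry, [int]$ServicePortMax = 1023)    # assumption: ports <= 1023 are service ports
    switch ($Entry.protocol) {
        'TCP' {
            if ($Entry.tcpflags -match 'S' -and $Entry.tcpflags -notmatch 'A') { return 'new-connection' }
            return 'existing-flow'
        }
        'UDP' {
            if ([int]$Entry.srcport -le $ServicePortMax -and [int]$Entry.dstport -gt $ServicePortMax) {
                return 'reply-to-our-request'
            }
            return 'new-request'
        }
        default { return 'other' }
    }
}

function Summarize-Drops {
    param([string[]]$Lines, [string]$Peer)
    Parse-PfirewallLog $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.src -eq $Peer } |
        ForEach-Object { Add-Member -InputObject $_ -MemberType NoteProperty -Name kind -Value (Classify-Drop $_) -PassThru } |
        Group-Object path, protocol, kind, dstport |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Sample input: the two lines quoted in the post, plus two CONSTRUCTED lines
# (a dropped inbound SYN to LDAP and a dropped fresh DNS query) for contrast.
$Sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-02-05 11:18:15 DROP TCP 10.0.59.36 10.0.59.37 54897 389 40 FA 1470786861 397644096 253 - - - RECEIVE
2014-02-05 11:39:13 DROP UDP 10.0.59.36 10.0.59.37 53 58716 123 - - - - - - - RECEIVE
2014-02-05 11:40:02 DROP TCP 10.0.59.36 10.0.59.37 55120 389 52 S 221100334 0 8192 - - - RECEIVE
2014-02-05 11:40:03 DROP UDP 10.0.59.36 10.0.59.37 61002 53 71 - - - - - - - RECEIVE
'@ -split "`r?`n"

Summarize-Drops -Lines $Sample -Peer '10.0.59.36' | Format-Table -AutoSize

# On the real DS2 (default log location, an assumption if it was changed by policy):
#   Summarize-Drops (Get-Content "$env:windir\system32\LogFiles\Firewall\pfirewall.log") '10.0.59.36'

# State to capture on BOTH DCs and diff. A rule dump alone is not enough: a
# connection-security (IPsec) rule or a leftover SA will drop traffic that every
# inbound firewall rule says is allowed.
function Export-FirewallState {
    param([string]$OutDir = "$env:TEMP\fw-$env:COMPUTERNAME")    # assumption
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    netsh advfirewall show allprofiles                      > "$OutDir\profiles.txt"
    netsh advfirewall firewall show rule name=all verbose   > "$OutDir\rules.txt"
    netsh advfirewall consec show rule name=all verbose     > "$OutDir\consec.txt"
    netsh advfirewall monitor show consec                   > "$OutDir\monitor-consec.txt"
    netsh advfirewall monitor show mmsa                     > "$OutDir\mmsa.txt"
    netsh advfirewall monitor show qmsa                     > "$OutDir\qmsa.txt"
    $OutDir
}
# With both output directories copied to one machine:
#   Compare-Object (Get-Content ds1\rules.txt) (Get-Content ds2\rules.txt)
#   Compare-Object (Get-Content ds1\consec.txt) (Get-Content ds2\consec.txt)
```

Run Export-FirewallState on each DC from an elevated prompt and compare the consec and monitor output as carefully as the rule text; the monitor views show the IPsec policy and security associations actually in effect, which is what decides the fate of an inbound packet that every firewall rule already permits. If the summary shows only existing-flow drops from the peer, adding another allow rule (as the original post tried) will not change the outcome.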
