- WJR

On Wed, Feb 5, 2014 at 5:16 PM, Jonathan Link <[email protected]> wrote:

> Someone has to be plucky comic relief.
>
> On Wed, Feb 5, 2014 at 5:48 PM, Michael B. Smith <[email protected]> wrote:
>
>> Funny guy. :P
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Crawford, Scott
>> *Sent:* Wednesday, February 5, 2014 3:29 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] RE: windows advanced firewall
>>
>> Prolly best to start at the beginning. Is the network cable plugged in? ;)
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Michael B. Smith
>> *Sent:* Wednesday, February 5, 2014 2:17 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] RE: windows advanced firewall
>>
>> Oh... Not a bad idea. I checked. None present.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Crawford, Scott
>> *Sent:* Wednesday, February 5, 2014 3:04 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] RE: windows advanced firewall
>>
>> Nah, just brainstorming. Thought maybe an IPSec rule could be blocking it.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Michael B. Smith
>> *Sent:* Wednesday, February 5, 2014 1:53 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] RE: windows advanced firewall
>>
>> You are suggesting setting up an IPSec connection between the two servers? While that may be a possible solution, it's a cop-out. :) This works everywhere else in the world. :)
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Crawford, Scott
>> *Sent:* Wednesday, February 5, 2014 2:42 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] RE: windows advanced firewall
>>
>> IPSec?
>>
>> http://technet.microsoft.com/en-us/library/cc730656.aspx
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Michael B. Smith
>> *Sent:* Wednesday, February 5, 2014 12:00 PM
>> *To:* [email protected]
>> *Subject:* [NTSysADM] windows advanced firewall
>>
>> I'm stumped.
>>
>> Server 2008 R2. All current patches.
>>
>> We have DS1 and DS2. I built these servers a couple of years ago using my handy-dandy deployment scripts. They are identical. They are physical. They have exactly the same firewall rules (and yes, I have compared those rules from a rules dump). They are on the same subnet. They have this subnet in their Scope -> Allowed Remote IP Addresses. They are both DCs and GCs. They point to themselves as primary DNS and each other as alternate DNS. They are both running Endpoint Protection 2012 R2 using the standard DC template provided by MSFT. They plug into the same switch.
>>
>> DS2 dumps all AD-related RPC and DNS traffic from DS1.
>>
>> I turned on firewall logging on DS2. The firewall even says it's dropping the packets. For example:
>>
>> 2014-02-05 11:18:15 DROP TCP 10.0.59.36 10.0.59.37 54897 389 40 FA 1470786861 397644096 253 - - - RECEIVE
>> 2014-02-05 11:39:13 DROP UDP 10.0.59.36 10.0.59.37 53 58716 123 - - - - - - - RECEIVE
>>
>> (DS1 is 10.0.59.36, DS2 is 10.0.59.37)
>>
>> But rules say that traffic should be allowed.
>>
>> So I created another rule on DS2 that allows ALL traffic from DS1 to DS2. NO change. DS2 dumps all RPC and DNS traffic from DS1.
>>
>> So AD replication initiated on DS1 toward DS2 doesn't work. DS2 has to initiate replication.
>>
>> DNS requests from DS1 to DS2 don't work. Etc. There are a variety of problems.
>>
>> Some RPC related things do work (on DS1, I can "tasklist /s ds2", I can open the ds2 services console, the ds2 event console, etc.).
>>
>> What have I missed? What next to check?
>>
>> Thanks for any assistance...
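The two DROP lines Michael quotes are in the Windows Firewall W3C log format (pfirewall.log). As an added example, not code from anyone in the thread, the parser below reads such lines and marks each drop as either a fresh connection attempt (TCP SYN, or a UDP query to a service port) or a packet of a flow that was already under way (FIN/ACK flags, or a DNS reply from source port 53); that split separates an allow-rule problem from a stateful-inspection one. The SYN line to port 135 is constructed for contrast.

```python
"""Parse Windows Firewall (pfirewall.log) DROP entries and classify them."""

# Column order of the Windows Firewall W3C log; this is the "#Fields:" header
# that Windows writes at the top of pfirewall.log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The two DROP lines quoted in the thread plus one constructed SYN line.
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-02-05 11:18:15 DROP TCP 10.0.59.36 10.0.59.37 54897 389 40 FA 1470786861 397644096 253 - - - RECEIVE
2014-02-05 11:39:13 DROP UDP 10.0.59.36 10.0.59.37 53 58716 123 - - - - - - - RECEIVE
2014-02-05 11:40:02 DROP TCP 10.0.59.36 10.0.59.37 55012 135 52 S 812233456 0 8192 - - - RECEIVE
"""

def parse(text):
    """Return one dict per data line, keyed by FIELDS; comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than misalign the columns
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def classify(entry):
    """'new-connection' if this is the first packet of a flow, else 'existing-flow'.

    A rule problem drops the very first packet (a bare SYN, or a UDP query to
    the service port).  A packet carrying FIN/ACK, or a UDP reply *from* port
    53, belongs to a flow the firewall must already have admitted, so its drop
    points at stateful tracking (the flow's state entry is missing or aged out
    on this host) rather than at the allow/deny rules.
    """
    if entry["protocol"] == "TCP":
        return "new-connection" if entry["tcpflags"] == "S" else "existing-flow"
    if entry["protocol"] == "UDP" and entry["src-port"] == "53":
        return "existing-flow"  # DNS reply to an earlier query
    return "new-connection"

def drops_from(text, src_ip, direction="RECEIVE"):
    """Summarise DROPs from src_ip as (time, protocol, dst-port, classification)."""
    return [(e["time"], e["protocol"], e["dst-port"], classify(e))
            for e in parse(text)
            if e["action"] == "DROP" and e["src-ip"] == src_ip and e["path"] == direction]

if __name__ == "__main__":
    for row in drops_from(SAMPLE_LOG, "10.0.59.36"):
        print(*row)
```

Run against a real pfirewall.log, the same summary shows whether the DCs' dropped packets are all mid-flow (as both quoted lines are) or whether fresh SYNs and queries are being refused too.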

