Hi all,
Could really need some help here.
I realize that this probably isn't a "supported" way of doing it, but
here goes:
First a little background:
Two domain controllers (win2k3 std.) in the same domain were synched,
and prepared for long-time disconnection.
One of them was shut down and moved to a remote location, being a
couple of months underway, while the other server was still being
worked on.
Now the shipped server has been powered back on, and I'd like the two
servers to see each other and start replicating again. When this is
done, the server still at my location will be shut down and moved to
the same place.
The two sites are connected by a VPN tunnel (Cisco routers), where they
can reach each other by their NAT address. No traffic restrictions
between the two servers.
Now I'd like to create a PPTP tunnel between the two servers (using the
NAT addresses), so they can reach each other on their real addresses.
I have created a couple of test setups similar to the above, and there I'm
having no problems creating the PPTP tunnel with RRAS and letting them
talk over that.
This fails miserably when implemented on the "real" servers,
though. I'm getting the error that I'm using an invalid username/password
on the domain. The answering server logs an event that the user isn't
allowed to log on to that computer with logon type 3 (logon from
network). This user right, however, has been granted (and using the
domain admin account doesn't work either).
I have been trying existing users, new users created manually, new users
created from the RRAS wizard; nothing seems to work.
I have also tried using RADIUS (IAS) authentication on a single server
to authenticate users on both servers. Still no luck.
The user(s) that I've created are able to log on to the servers both
locally and remotely. Logging in to one server gives me full access to
the other with Explorer and other computer management tools (using the NAT
address, at that...).
Trying to have IAS not authenticate users, but just accept the
connection instead, gives me an error that the identity of the server
couldn't be verified.
There have been quite a lot of changes made to group policies that have
to do with security. These changes, however, I have exported from the
real servers and imported into the test setups, so I can't see
that the tightened security could be the issue.
The only thing that I can think of that isn't the same in the
test setup is the period of time the servers have been disconnected.
I was thinking that perhaps a machine account has been changed in the
meantime (on the server that has been shipped) that the other server
isn't aware of, but I don't know if it's allowed to do that "on its
own". The server here at my location holds all FSMO roles, but I guess
that perhaps the remote server, being a DC, might change "something"
anyway.
Is there anyone out there with similar experiences, or ideas as to what I
can do to get the machines to talk to each other again?!
Thanks.
--
/Sune