Question : Active directory Replication over VPN Connections

After no help from Watchguard and Microsoft I have decided to go to the first place I should have looked to start with. EXPERTS_EXCHANGE!  This is the best resource I've found to assist with troubleshooting.  But now to the problem at hand.  I just came on board here and there is a whole slew of issues that I think results from the way the network has been designed and the equipment used.

There are seven locations spread out all over the state.  Each site is connected to the internet using either full or fractional T1 lines. To connect each office together there are Watchguard SOHO 6 or Edge firewalls connected through VPN connections.  Each office is connected to every other office through VPNs in a mesh topology.  Each office is its own subnet and has its own DNS and DHCP servers. There is a main office of sorts that has a Watchguard Firebox 1000 III, but it seems that it is being used as no more than a glorified SOHO.  The only traffic that hits this Firebox is from the local office only.  Although I have set up policies on this box to allow LDAP and I open up the ANY policy to and from every VPN, replication is still very inconsistent and quite often problematic.  Each site has a domain controller and each site is often unable to communicate with other sites several times a day.  Rebooting the domain controllers seems to resolve the issue but only for a short time, usually 8 hours or so, and then the "hiccups" begin again.  These are just some of the error codes I get every day.

EVENT ID 10005
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service IISADMIN with arguments "" in order to run the server

Event ID 13508
The File Replication Service is having trouble enabling replication from AFRS-DC2 to DAYTONASRVR for c:\winnt\sysvol\domain using the DNS name afrs-dc2.company_name.net. FRS will keep retrying.

EVENT ID 1839
The following number of operations is waiting in the replication queue. The oldest operation has been waiting since the following time.
Time:
2006-02-12 17:24:24
Number of waiting operations:
8

EVENT ID 1925
The attempt to establish a replication link for the following writable directory partition failed.

EVENT ID 1865
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result,
the following list of sites cannot be reached from the local site.

EVENT ID 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.

I know that all these or most of them are due to connection issues; the problem is I don't know why there would be connection issues.  Each office has a connection to each other and I have allowed all traffic to pass between each VPN connection with no restrictions and yet here we are.  These problems if left long enough will completely lock up the servers to where Remote Desktop won't work and the server will not respond to any RPC request.  Then I have to send a force shutdown command.  If I catch it before the server locks up I can use REPLMON to force replication between servers but it seems that this isn't a long term solution. We are running Server 2003 with the latest service packs.

Anyone, I am open to suggestions.  I have set up an internal time server. I adjusted the MTU size.  I opened the firewalls up to all traffic from the trusted networks.  I messed around with the "use internet ports" registry entry for RPC.  Does not work!  PLEASE HELP!

Sincerely
ME

Answer : Active directory Replication over VPN Connections

Check this out.  I just found it:

"Remote Desktop Connection" works just fine as long as you're trying to connect from within the same subnet. However, there is a good chance that RDC does not work anymore if you are trying to connect to your W2K3SP1 server through a VPN tunnel. I have spoken to Microsoft about this case; they told me that they have made changes to the RPC protocol and that they have seen issues with VPN appliances. Remember that RPC is also used for Active Directory synchronization, Exchange mail-flow, printing etc...


We are using Watchguard Fireboxes X700 with the latest firmware (ver 7.3) installed. Be advised that Watchguard DOES NOT WORK with W2K3SP1. I have talked to Watchguard (Level 2) tech support, but they do not acknowledge this problem; their tech support is completely useless.


In any case, do not install SP1 unless you have thoroughly tested it with your VPN appliances.
Good luck….  
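The question describes replication that fails intermittently across a VPN mesh even though the firewall policies pass "ANY", and the answer points at RPC behaviour through VPN appliances. Before touching firewall rules or RPC registry settings again, the useful thing is a repeatable measurement from each DC: can it reach every other DC on the ports AD actually needs, what packet size survives the tunnel with the DF bit set (a VPN that silently drops fragments produces exactly this "works, then hangs" pattern), and which of the event IDs quoted above have fired in the last day. The PowerShell below is an added example written for this thread, not something posted by either participant; the DC hostnames, the MTU search range and the 24-hour window are placeholders you would replace with your own. It uses only `System.Net.Sockets.TcpClient`, `ping -f -l` and `Get-EventLog`, which are available on Server 2003 with PowerShell 1.0.

```powershell
# Added example for the thread above (not from the original poster or answerer).
# Probe each peer DC for the TCP ports AD replication depends on, find the largest
# unfragmented packet that crosses the tunnel, and list recent replication events.
# $Dcs are placeholder names; substitute the DCs at your sites.

$Dcs = @('dc-siteA.example.internal', 'dc-siteB.example.internal')   # placeholders
$Ports = @{ 'RPC endpoint mapper' = 135; 'LDAP' = 389; 'Kerberos' = 88; 'SMB (SYSVOL)' = 445 }

# Event IDs quoted in the question, grouped by the log they are written to.
$LogsToCheck = @{
    'Directory Service'        = @(1839, 1925, 1865, 1566)
    'File Replication Service' = @(13508)
    'System'                   = @(10005)
}

function Test-TcpPort {
    # TCP connect with a timeout; $true when the far end completes the handshake.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Find-PathMtu {
    # Binary-search the largest ICMP payload that is echoed with DF set.
    # Path MTU = payload + 8 (ICMP header) + 20 (IPv4 header).
    param([string]$HostName, [int]$Low = 1200, [int]$High = 1472)
    while ($Low -lt $High) {
        $mid = [int][math]::Floor(($Low + $High + 1) / 2)
        $out = ping -n 1 -f -l $mid $HostName 2>&1 | Out-String
        if ($out -match 'TTL=') { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low + 28
}

foreach ($dc in $Dcs) {
    Write-Host "== $dc =="
    foreach ($name in $Ports.Keys) {
        $ok = Test-TcpPort -HostName $dc -Port $Ports[$name]
        $state = if ($ok) { 'open' } else { 'BLOCKED/timeout' }
        Write-Host ("  {0,-20} tcp/{1,-4} {2}" -f $name, $Ports[$name], $state)
    }
    Write-Host ("  path MTU with DF set: {0} bytes" -f (Find-PathMtu -HostName $dc))
}

# Replication-related events on this DC from the last 24 hours (placeholder window).
foreach ($log in $LogsToCheck.Keys) {
    $ids = $LogsToCheck[$log]
    Get-EventLog -LogName $log -After (Get-Date).AddHours(-24) |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Source |
        Format-Table -AutoSize
}
```

Run it from each DC against its peers and keep the output. Two results are telling: a path MTU well under 1500 on a link where the servers still send full-size frames explains replication that starts and then stalls, and a port that shows `open` from some sites but times out from others means the VPN policy, not the DC, is the variable. The endpoint mapper on 135 is only the first hop; on Server 2003 the actual directory replication RPC lands on a dynamic port (or on the fixed range configured under the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` key the question refers to), so if you have pinned that range, add those ports to `$Ports` and confirm the tunnel passes them too.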

