It depends on the server on what you cannot access. Sometimes it’s the Intranet server, in which you cannot connect to the web site. Sometimes it’s the Exchange Server, and you cannot get your emails. Other times it’s the file server and you cannot access the shares on the server. Every time it’s any of the servers, you are unable to use RDP to connect from either a client or a server to the Terminal server of the affected server.

We have DCs with a GC on each end of the connection. They are configured using Sites and Services as the main office (2 DCs) and remote office (1 DC). There is an IP bridgehead server configured for each of the sites. The servers are set to replicate twice every hour (default). Since the T1 was not over burdened, I decided to keep it at the default unless I started to see that it was overwhelming the link. We have rather strict account lockout policies (3 attempts, lockout forever) that won’t be replicated in case someone gets locked out. I know we can use forced replication to solve that also.

One would think that the local DC would handle the server requests, but I believe it to be at the RPC level and not in the user authentication. The servers do not have static IP routes. I could add it, but let me make sure that we are talking about the same thing: Are you referring to putting in a host entry in the host table, using something like route add, or something else?

I’ve just installed MS06-007 on all of the affected servers today and will wait to see if they fail again this week. I had the previous update installed on all of the servers, yet was still getting the problems last week.

Thanks,
Don

Infrastructure FSMO Role
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference.

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

This may not apply, but if it does, I would check it out.
rt

I have a DC at both sites, each is a GC in the domain. I also have it setup in sites and services with the appropriate subnets assigned and set the DCs as IP bridgeheads (I think that’s the terminology that MS uses).

All of the routing is static on the network (since there’s a small number of layer3 switches and routers). We definately have IP connectivity, as the pinging works when nothing else does. The remote office has the default routing entries as the remote end of the tunnel. I haven’t tried entering the routes locally on the remote server, though.

CheckSix:
The article appears to hit the nail on the head. Obviously with the tunnel, the MTU sizes differ across the VPN. At one point, I actually disabled the VPN totally to see if it helped, but we were still getting the problems. Still, I think this might be the solution and I can’t wait to try it out next week. Thanks a ton for the information! I’ll let you know if it fixes it. My only problem with it is that we stay on top of patches, so we may already have MS05-019 and MS06-007 on the server. I’m still praying that it works or possibly reapplying them fixes the problem.

Again, thanks guys,

Don

http://support.microsoft.com/kb/898060/

Regards,
CheckSix