Setup AD Domain Between Two Sites
I am starting to learn Active Directory on Windows Server. Currently I have downloaded the Windows Server 2012 R2 eval. Using basic home internet connections at my house and my neighbour's (who agreed to help me with my studying), we each have our basic home WiFi routers. I would like to test out setting up a domain in which a DC is at my house and one at his house, and be able to replicate the directory between the two DCs.
I am really lost on how to go about configuring the routers and respective DNS servers for this to work properly. Anybody know of a basic guide to get me started?
1. First of all, for simple transfer you need to open the ports that AD uses:
http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
2. AD uses DNS that is integrated (in the majority of cases) and use of public DNS is unwanted. The situation is similar with DHCP. On the other hand, the router assigns IPs and resolves FQDNs.
3. Some configurations with WiFi cards are not allowed in WS2012, for example teaming.
4. Using WiFi is unexpected in AD. That is why I would use the least problematic local network configuration or a virtual one.
5. I recommend some reading about AD: Technet guides and step-by-step guides, as well as books that cover AD basics.
Regards
Milos
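Points 1 and 2 of the reply above are the ones that usually bite in a two-house lab: the second DC has to reach the first one on a fixed set of ports, and both DCs must use each other (not the router or the ISP) for DNS. The script below is an added example, not code from the original thread, that probes the TCP ports from the TechNet port-requirements page the reply links to and prints the ones a firewall is blocking. The host name dc1.lab.example is an assumption. Run it from the second site through a site-to-site VPN between the two routers against the first DC's private address; if it only succeeds against the DC's public address, the DC has been port-forwarded onto the internet, which is the wrong fix.

```python
"""Added example, not from the original thread: probe the TCP ports a second
domain controller must be able to reach on the first one, before promoting it.

The port list follows the TechNet "Active Directory and Active Directory
Domain Services Port Requirements" page linked in the reply. The host name
dc1.lab.example is an assumption for illustration."""
import socket
from typing import Callable, Dict, List, Tuple

# (port, transport, service). Only TCP is probed; UDP entries are listed so
# the firewall rule set is complete (a UDP "connect" proves nothing).
AD_PORTS: List[Tuple[int, str, str]] = [
    (53, "tcp/udp", "DNS (AD-integrated zones live on the DCs)"),
    (88, "tcp/udp", "Kerberos"),
    (135, "tcp", "RPC endpoint mapper (replication, netlogon)"),
    (389, "tcp/udp", "LDAP"),
    (445, "tcp", "SMB (SYSVOL, NETLOGON, DFSR)"),
    (464, "tcp/udp", "Kerberos password change"),
    (636, "tcp", "LDAP over TLS"),
    (3268, "tcp", "Global Catalog"),
    (3269, "tcp", "Global Catalog over TLS"),
]
# Replication and other RPC services also negotiate a dynamic high port via
# port 135; on Windows Server 2008 and later the default range is 49152-65535.
RPC_DYNAMIC_RANGE: Tuple[int, int] = (49152, 65535)

# Signature of a probe: (host, port, timeout) -> reachable. Injectable so the
# logic can be exercised without a live DC.
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(host: str, connect: Connector = tcp_connect,
                   timeout: float = 3.0) -> Dict[int, bool]:
    """Probe every TCP port in AD_PORTS on host; returns {port: reachable}."""
    return {port: connect(host, port, timeout)
            for port, transport, _ in AD_PORTS if "tcp" in transport}


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted, for the firewall change request."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary, one line per probed port plus the RPC range."""
    names = {port: service for port, _, service in AD_PORTS}
    lines = [f"{host}:{port} {'open' if ok else 'BLOCKED'}  {names[port]}"
             for port, ok in sorted(results.items())]
    lines.append(f"dynamic RPC range {RPC_DYNAMIC_RANGE[0]}-{RPC_DYNAMIC_RANGE[1]} "
                 "must also be allowed (not probed here)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run from the second site, across the VPN, against the first DC's
    # private address. Every line must read "open" before dcpromo.
    target = "dc1.lab.example"  # assumed name
    print(report(target, check_dc_ports(target)))
```

A clean run here is necessary but not sufficient: the dynamic RPC range is not probed, and DNS must additionally return the `_ldap._tcp.dc._msdcs.<domain>` SRV records from the DC, which is why the reply says to keep the routers out of DNS and DHCP for domain members.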
Similar Messages
-
Exchange High availability between two sites with two servers
Hi Team,
I have a requirement to deploy Exchange Server 2010 between two sites, but I have limited resources to fulfil this. Below is the summary.
2 servers in two sites
Different subnets will be used for the two sites
Need to deploy DAG.
please let me know the considerations for this deployment.
Thank you
Hi - In this scenario, you would set up the following:
Site 1: Exchange 2010 Multi-Role server; File Share location to place the File Share Witness for the DAG
Site 2: Exchange 2010 Multi-Role server
The above will give you 2 nodes in the primary location and one node in the secondary location so that resources will stay in Site one. You will also need to enable DAC (Datacenter Activation Coordination) on the DAG so that the Cluster group can be managed by Exchange. Last but not least, you will want to restrict automatic failover of resources to Site 2 by blocking that action on the Exchange server in Site 2 using 'Set-MailboxServer <servername> -DatabaseCopyAutoActivationPolicy Blocked'. This will make you manually fail over to site 2 and not end up with resources there after a sudden failure or issue that is not impacting the entire site.
Jason Apt Microsoft Certified Master | Exchange 2010 -
Personal Domain for two sites on Family Pack
Can you use two personal domains with iWeb if you are using a Family Pack/.mac?
I have a single .mac now for family and would like to upgrade to family pack and have a small portion for an upcoming home business with its own personal doman.
TIA
I think you want something set up like I have right now - and it works. I have two sites on .mac using iWeb. The first main site is designated with a personal domain. The second has one, but I cannot use it because the whole .mac preference is for all the sites. So I went to my host name provider (domainit.com) and they offer one free "forward" for that personal domain - all I did was type in the site name where it should point to. Now, it wasn't the standard "web.mac.com" because my .mac is designated with a personal domain. For that second site it is mypersonaldomain.com/site. When I enter my domain for that second site, it says the name in the browser bar, but at the bottom of the browser you can see the original full path of mypersonaldomain.com/site.
So, you don't need to have another web host (web space/storage). You can have a primary personal domain working with .mac and then have the second personal domain point to (forward) the second site (that now is a sub of the first personal domain).
Now that I talked in circles, HTH just a bit. -
Mapi connection behaviour between two sites-Exchange 2010
Hello,
I have a small doubt and need help from you guys.
I have two sites, A and B; the DAG spans the two sites.
Both sites have an array with a different FQDN.
Site A has the active copies; their PASSIVE copies are in site B.
I have the witness server in a third location.
If an active mailbox database in Site A fails, the passive copy in Site B will become active, I guess.
My question is ===> without downtime or without a MANUAL task, will the MAPI connection go to the Site B copy???
Hi,
In cross-site maintenance we have to work mainly on Database Activation Coordination Mode (DAC), which avoids the split-brain syndrome.
The URLs below give you a clear vision of how we can do that and what it is for.
- http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/planning-deploying-testing-exchange-2010-site-resilient-solution-sized-medium-organization-part7.html
- https://technet.microsoft.com/en-us/library/dd979790.aspx
Regards,
Gowtham T -
Metro-E circuits between two sites
We have two sites connected by two equal-cost Metro Ethernet circuits from two different service providers. We also have two redundant L3 core switches at both sites. What is the best way to connect these two sites for load balancing as well as redundancy? They are on different subnets. The core switches currently run HSRP. We are also evaluating GLBP as a possible alternative. We want to avoid all single points of failure if possible.
You could, as you note, use GLBP, but an alternative could be to make the two paths from the initial/primary HSRP gateway appear equal cost. Many routing protocols would then alternate flows across the two paths.
-
Redundant stateful CSS11501 between two sites
We have layer 2 connectivity between two core sites and are implementing two new CSS11501s. Is it possible to implement these in an active/backup configuration and stateful?
Not statefulness.
To be stateful your setup needs a dedicated link between the 2 CSSs - no extra hop or L2 switch.
You can give it a try but this is not a supported setup.
For active/backup this is no problem.
Regards,
Gilles. -
How to set up a Thunderbolt bridge between two MacBook Pros (retina and 2011)?
I have a new 13" MB Pro retina and want to use the Thunderbolt bridge between the 13" and the 15" MB Pro 2011.
Somehow I cannot do anything with this, and on both laptops it shows the Thunderbolt slots as "Inactive". I have connected the two laptops via the new Thunderbolt cable.
I looked around and there is no documentation on how to make this happen. The documentations are very thin or non existent.
I want to use this mechanism to transfer my data from my old MB pro to the new retina one.
your help is greatly appreciated.
Amir
Unfortunately the option to select Thunderbolt/FireWire never comes up.
It directly goes to the options for where to transfer from, and then upon clicking on it, it keeps on looking with the spinner icon showing and never finds the other computer.
It does see it through the wireless but not through Thunderbolt.
The more I look to make this happen the more I am convinced that this feature is not fully baked and does not really work, as the documentation on "Thunderbolt bridge" setup is next to non-existent and only one person on macrumors has supposedly managed this. It is really a shame as I was looking forward to using this new capability.
All the best, -
Repository synchronization between two sites
Hi All,
We are using Oracle Designer 6i for our designs. We are creating DFDs, PFDs and ERDs. Two teams are working on this at two different locations. Can somebody suggest the way to synchronize (combine) the work done by both the teams into a single repository. For example, Team A has created DFDs, PFDs and ERDs at Location1. Team B is also creating DFDs, PFDs and ERDs at Location2. Team B will be using some of the functions in their diagrams created by Team A. Now we want to apply the changes done by Team B into the repository located at Location1.
Thanks in advance for any suggestions
regards,
Vijay
Hi Vishal,
Thanks a lot for your reply. You have suggested that we can import the entire application system at Site B. At this time we are using a non-versioned repository, and we are using only one application system. But the problem is that at Site B some people are making changes to the same application system used at Site A. I understand that if I have to import an application system, I have to make sure that there is no application system with the same name at the destination. So in this case, if I have to import Site A's application system at Site B, first I have to delete the Site B application system, in which case I will be losing all the changes made by the team at Site B. But my requirement is that I want to incorporate the changes made in Site B's application system into Site A's application system. Can you please give your thoughts about this?
thanks in advance
regards,
Vijay -
How to setup the sync between two new ACS server
Hey
I set up one ACS v5.3 on one server in NYC and another ACS v5.3 in SJC.
I want to make acs.nyc the primary and acs.sjc the secondary; how do I set it up?
thanks,
Yang
Make sure that each box has a unique license.
On the box that will be the secondary do the following
Go to System Administration > Operations > Local Operations > Deployment Operations
Enter IP address of Primary Instance and admin username / password and then press "Register to Primary"
The registration process takes a little time since it also involves copying the database from the primary and then restarting the secondary with the new database. You can monitor the progress of this on the primary at
System Administration > Operations > Distributed System Management -
Message bridge between two instances
I am trying to set up a messaging bridge between two instances of WebLogic Server.
Can the second instance belong to a different domain? If yes, how do I configure it?
Yes, you can configure a messaging bridge to work between two WebLogic domains.
The general instructions of configuring a message bridge, including the bridge instance itself, the bridge destinations and the adapter, can be found at
http://edocs.bea.com/wls/docs103/bridge/basics.html#wp1168461
The only extra thing that you may need to take care of for the cross-domain case is to configure cross-domain security as instructed at
http://edocs.bea.com/wls/docs103/bridge/wls_interop.html#wp1126873
Regards,
Dongbo -
SMTP Namespace Sharing between two mail system
I have used two mail servers (Exchange 2013 and Linux sendmail) for mail in the same domain, like abc.com.
I have converted the authoritative domain into an internal relay for sending mail to Linux mail users, and created a send connector pointing to the Linux mail system as a smart host. In that case my Exchange users send mail to Linux users and the internet via the Linux smart host.
Then I created a receive connector on the Exchange server for receiving mail from the Linux mail system as an edge transport custom connector, with permissions set to anonymous. When a Linux user sends mail to my Exchange user it is queued in my Exchange message queue and
the error is:
Last Error: A local loop was detected.
What's the problem?
Hi rana78,
As Nathan mentioned, please create Contacts.
Detailed information:
So to avoid NDRs when using shared SMTP namespace you will need to either disable recipient filtering, configure the product to do LDAP queries against all directories that share the namespace, or create Contacts.
More details to see:
How to Share an Email Domain Between Two Mail Systems
http://exchangeserverpro.com/how-to-share-an-email-domain-between-two-mail-systems/
Thanks
Mavis Huang
TechNet Community Support -
How to route traffic between two different interfaces
Hi,
I need to setup a routing between two different interfaces on a host.
Inferface ce1 : 192.168.120.12
Inteface ce2 : 192.168.110.50
Is it possible to add a route which enables the ce2 interface to catch packets from the ce1 interface ?
Regards,
Armin
The problem is an application which is only able to listen on one interface.
To fix this, I have to make all packets visible on one interface. -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
I am setting up a site-to-site VPN between two ASA 5505s. The tunnel is up but I cannot get it to pass traffic and I have run out of ideas at this point. I am on site as I am posting this question and only have about 4 hours left to figure this out, so any help ASAP is greatly appreciated. I'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the ASAs are different versions, one is 9.2 the other is 8.2.
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way; the other end is not able to encrypt the traffic.
I would suggest doing a 'clear xlate'. Sometimes if you set up the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
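The reply above reads the `#pkts encaps` / `#pkts decaps` counters and concludes that the tunnel encrypts in one direction only. As an added example (not from the thread, and not Cisco's own tooling), the Python below pulls those counters, the protected networks, the peer and the transform set out of a `show crypto ipsec sa` excerpt and applies the same reasoning automatically, flagging a one-way SA, send/receive errors and legacy transforms. The sample text is constructed from the values quoted in the post; the `ratio` threshold used to call traffic one-way is an assumption, not an ASA setting.

```python
import re

# Constructed sample: the relevant lines of an ASA 'show crypto ipsec sa',
# values copied from the output quoted in the thread above.
SAMPLE = """\
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    current_peer: 1.1.1.1
    #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
    #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xC1074C40 (3238480960)
         transform: esp-3des esp-sha-hmac no compression
    outbound esp sas:
      spi: 0xB21273A9 (2987553705)
         transform: esp-3des esp-sha-hmac no compression
"""

# Single-word pkts counters (encaps, decaps, encrypt, ...) plus send/recv errors.
COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors): (\d+)")
IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)", re.M)
PEER_RE = re.compile(r"^\s*current_peer: (\S+)", re.M)
TRANSFORM_RE = re.compile(r"^\s*transform: (.+?)\s*$", re.M)

# Transform elements a defender would want called out (assumed list).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_sa(text):
    """Extract counters, protected networks, peer and transforms from one SA block."""
    sa = {"counters": {}, "transforms": []}
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    for side, net, mask in IDENT_RE.findall(text):
        sa[side] = f"{net}/{mask}"
    peer = PEER_RE.search(text)
    sa["peer"] = peer.group(1) if peer else None
    sa["transforms"] = sorted(set(TRANSFORM_RE.findall(text)))
    return sa


def diagnose(sa, ratio=10):
    """Classify the SA's traffic pattern and collect notes worth a second look.

    ratio: how lopsided encaps vs decaps must be before traffic is called one-way
    (an assumed heuristic; a fresh SA with a handful of packets is still noisy).
    """
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if enc == 0 and dec == 0:
        status = "idle"            # nothing has matched the crypto ACL yet
    elif dec == 0 or enc > dec * ratio:
        status = "one-way-outbound"  # we encrypt, almost nothing comes back
    elif enc == 0 or dec > enc * ratio:
        status = "one-way-inbound"   # peer sends, we encrypt nothing back
    else:
        status = "bidirectional"

    notes = []
    if status == "one-way-outbound":
        notes.append("remote side is not encrypting return traffic: check its "
                     "crypto ACL / NAT exemption (the thread's 'clear xlate' advice)")
    if status == "one-way-inbound":
        notes.append("local side is not encrypting return traffic: check the local "
                     "crypto ACL / NAT exemption")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        notes.append(f"send errors={c.get('send errors', 0)}, "
                     f"recv errors={c.get('recv errors', 0)}")
    legacy = sorted({tok for t in sa.get("transforms", []) for tok in t.split()
                     if tok in LEGACY_TRANSFORMS})
    if legacy:
        notes.append("legacy transform element(s): " + ", ".join(legacy))
    return {"status": status, "notes": notes}


if __name__ == "__main__":
    sa = parse_sa(SAMPLE)
    result = diagnose(sa)
    print(f"{sa['local']} <-> {sa['remote']} via peer {sa['peer']}: {result['status']}")
    for note in result["notes"]:
        print("  -", note)
```

Run against the quoted output it reports `one-way-outbound` (286 encapsulated versus 1 decapsulated) and also notes the `esp-3des` transform, which is the kind of finding worth recording when reviewing a tunnel beyond just getting it up.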
Two sites, Two Exchange servers, same domain
Exchange can seriously baffle me at the best of times. Which is why I'm writing here at the moment.
I have 2 sites in two geographical locations for the same business connected via IPsec VPN. At each site we have:
- Domain Controller (domain.local)
- RDS Server
- File server
- Exchange server (domain.org.au) (SiteA - exch1, SiteB - exch2)
All servers are Windows Server 2008R2, Exchange servers are 2010, Outlook is also 2010.
Both Exchange servers are set up with DAG replicating the primary mailbox database.
Both RDS servers have Outlook set up - users are currently connecting to exch1 for Exchange connectivity (at both SiteA and SiteB).
I want to configure the Outlook clients so that SiteA uses exch1, and SiteB uses exch2.
When testing, I manually set up an outlook profile and entered the server name as 'exch2', but upon clicking 'check name' it substituted 'exch2' for 'exch1'.
I have had a look at implementing a CAS array, but this will not work as we have DAG set up between the Exchange servers, and according to a Microsoft article this cannot be done:
"WNLB can't be used on Exchange servers where mailbox DAGs are also being used because WNLB is incompatible with Windows failover clustering."
Is there something I need to change in either the Group Policy or Autodiscover instance, or even DNS to allow this to work? Is this even possible? Any help would be greatly appreciated.
Forgive me - I still don't quite understand what's required.
Because I have 2 physical sites with AD and Exchange, even though both sites are using the same domain and the same Exchange Mailbox Database, I still require 2 CAS arrays?
Just to clarify, both DCs aren't under separate sites within Active Directory Sites and Services - they are both members of the 'Default-First-Site-Name' site. Would this make any difference to the config I am aiming for?
I can understand the concept of having 2 CAS arrays, one for physical site A and physical site B, so that their respective RDS servers' Outlook clients point to their own local Exchange server - but if both Exchange servers are replicating and using the one Mailbox Database, I'm not sure if that will cause any issues - can't you only apply one CAS array per database?
Also, if I am unable to use network load balancing because the software balancing service won't work with the cluster service, what IP(s) would I point the CAS array to - my guess is the local IPs of the Exchange servers for their relevant site? -
Authentication needed after doing trust between two different domains.
Hi There,
I have a problem with a trust relationship I set up between two different domains in two different forests. In the trust relationship steps everything is working: two-way trust, external trust, stub zones created on both domains, and the trust validated on both sides.
My problem is with the objects: they can be retrieved from one side but not from the other. For instance:
NY domain can get the users and computers of 2012DC1
but 2012DC1 can't get the users and computers of NY
Date and time are the same,i am always getting this error
The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer.
USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'test.com.' is a legitimate machine account
for the computer '2012DC1' then '2012DC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise,
the following steps may be taken to resolve this problem:
If 'test.com.' is a legitimate machine account for the computer '2012DC1', then '2012DC1' should be rejoined to the domain.
If 'test.com.' is a legitimate interdomain trust account, then the trust should be recreated.
Otherwise, assuming that 'test.com.' is not a legitimate account, the following action should be taken on '2012DC1':
If '2012DC1' is a Domain Controller, then the trust associated with 'test.com.' should be deleted.
If '2012DC1' is not a Domain Controller, it should be disjoined from the domain.
Can you please help me in this error.
Thank You in advance.
Hello,
"The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer. "
This belongs to the machine 2012DC1 in test.com and not to the other domain of your trust. It seems to me that you are mixing up the trust with the problems of the machine 2012DC1 in test.com.
In this error message 2012DC1 has lost the trust to its OWN domain and therefore you have to find the reason. How exactly was this machine installed?
Or was there a restore on that machine from an unsupported type of backup like image/clone/snapshot?
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.