Directory replication among DC through SSL ports

We have a customer who has a requirement to secure AD replication among DCs through SSL ports. We have tried to convince them that the replication that is happening follows Kerberos authentication and the data is in encrypted format, but they are still asking whether replication can happen through an SSL port or not.
Their requirement involves customization of AD, which I am not sure is possible.
Also, if this is not possible, they are asking for a TechNet article relevant to that.
Seeking for support!
Regards,
Ankur

Hiya,
The answer is no.
The replication traffic itself is already secure, as it is performed using Kerberos, which is an encrypted protocol. Furthermore, internal traffic between geographically dispersed sites should be done using VPN, MPLS or a similar enclosed network protocol, which is also encrypted. DC replication traffic should be considered internal traffic and should only be performed on internal networks (traffic on a VPN/MPLS is considered internal in that sense).
So by default, when installing your DC's, the replication traffic between these DC's is already secure.
DNS has no need for secure communications, it's a name to IP repository. If you don't want people to use your DNS, don't allow them to use it.
LDAP can be changed to use LDAPS instead, however it requires client compatibility.
Kerberos is by default a secure protocol. - And this is the protocol used for replication.

Similar Messages

  • How do I restrict access to JSP or servlet only through SSL Port

    Hi
    I want to restrict the access to a few JSPs and servlets only through the SSL port,
    so how can I block the access to those JSPs and servlets through the normal port??? We
    are using WebLogic 5.1.
    Any help on this highly appreciated.
    Aruna

    Hi,
    To restrict access (56 bits or less), follow the steps below.
    1. Go to your Webserver instance ServerManager.
    2. Click Preferences Tab ------> Encryption Preference ------> There disable "DES with 56 bit encryption and MD5 message authentication." for SSL 2.0 ciphers or SSL 3.0 ciphers, whichever is needed.
    3. Save and restart the Webserver instance.
    The above steps are for 4.x version.
    Thanks,
    Daks.

  • FYI: Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 2)

    see:
    (2014-02-01) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update
    2)
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    That link might have been broken. Here is the link:
    http://jorgequestforknowledge.wordpress.com/2014/02/01/testing-active-directory-replication-latencyconvergence-through-powershell-update-2/
    Nice Jorge. Thanks for sharing.
    Regards~Biswajit

  • SSL Replication - why supplier using regular port?

    My consumer is using the default SSL port 636, but the supplier port is
    fixed at 390. I am using regular port 390. Does that mean referrals are
    made over the non-SSL (regular) port, and only replication is done over SSL? I
    would like all communications between the consumer and the supplier to be
    over SSL.
    There is an optional item under "Replica Settings" where I could specify
    URLs for write operations for referral, but it would not accept
    ldaps://myhost:636. It would take ldap://myhost:636. The iPlanet doc said
    that if I specify ldaps:// then referrals would be done over SSL not over
    regular port. What am I doing wrong?
    Also, the iPlanet doc said I must not use the same port number for regular
    and SSL. But did not explain why. We are thinking of using only SSL port.
    So the question came up - so why not just disable the regular port?
    Thanks in advance,
    Choi

    Hallo Armin,
    Please check the ownership of the files in your /opt/iplanet/servers/alias
    directory. All files should be owned by the user under slapd is running.
    I hope this helps.
    Bertold
    "Armin Wenz" <[email protected]> wrote in message
    news:[email protected]..
    Hallo all
    We are using iDS 5.0 on a Solaris. When I want to try a replication over
    SSL I got the following error from my supplier server:
    NSMMReplicationPlugin - Connection Init Failed. Can not establish secure
    replication to consumer leela:13636
    - SSL alert:
    ldapssl_clientauth_init(/opt/iplanet/servers/alias/slapd-replica-supplier-cert7.db)
    failed -8174 (error -8174 - security library: bad database.)
    What does this mean: bad database? Is the database corrupt or are there
    any entries missing?
    Both Servers (supplier and consumer) are running with SSL enabled and I
    can connect to both via ldaps. Replication over an unencrypted line is
    working as well.

  • SSL port is enabled, so why can't I connect through HTTPS?

    Hi,
    I'm using Weblogic 9.2.2, Solaris 9 with Java 1.5. We have created our managed server within a cluster, and although we have enabled the SSL listen port ...
    http://screencast.com/t/t5UN6Exwp
    when I try connecting to our app through HTTPS in a web browser, I get a "Failed to Connect" error. Specifically in Firefox it says http://screencast.com/t/TGl0FIuQ. However, i can connect to our app fine through the HTTP port. How should I start troubleshooting this problem or what other info should I provide here?
    Thanks, - Dave

    I tried everyone's suggestions and wanted to report back the results. Running
    netstat -na | grep LIST | grep 7032
    produced no data. I did find a reference to the SSL port (7032) in my server log file, but didn't see any errors associated with it (I listed the working HTTP port first to compare) ...
    ####<Mar 12, 2009 10:47:03 AM EDT> <Info> <RJVM> <pacdcbpmdeva01a.cable.myco.com> <mmwcdc311> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1236869223832> <BEA-000570> <Network Configuration for Channel "mmwcdc311"
    Listen Address 24.40.36.101:7031
    Public Address N/A
    Http Enabled true
    Tunneling Enabled false
    Outbound Enabled false
    Admin Traffic Enabled true>
    ####<Mar 12, 2009 10:47:03 AM EDT> <Info> <RJVM> <pacdcbpmdeva01a.cable.myco.com> <mmwcdc311> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1236869223834> <BEA-000570> <Network Configuration for Channel "mmwcdc311"
    Listen Address 24.40.36.101:7032 (SSL)
    Public Address N/A
    Http Enabled true
    Tunneling Enabled false
    Outbound Enabled false
    Admin Traffic Enabled true>
    ####<Mar 12, 2009 10:47:03 AM EDT> <Debug> <RJVM> <pacdcbpmdeva01a.cable.myco.com> <mmwcdc311> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1236869223835> <BEA-000571> <Network Configuration Detail for Channel "mmwcdc311"
    Finally, openssl produced:
    [weblogic@mymachine logs]$ openssl s_client -connect 24.40.36.101:7032
    connect: Connection refused
    connect:errno=29
    Anything else I should be looking for? - Dave

  • OIM AD password Sync connector. Connection to AD through SSL

    Hi.
    I am trying to configure AD password sync connector 9.1.1.5 with patch 14627510 to connect to AD through SSL.
    At this moment, the connector is able to connect to OIM through SSL but not to the AD. If I set the AD port number to 389 in the connector configuration, everything works fine.
    If I set it to 636, it is not able to connect to the AD.
    I've imported the AD SSL certificate to <connector install directory>\OIMADPasswordSync\_jvm\lib\security\cacerts and restarted the domain controller but still no luck.
    To test that the certificate and everything else is OK, I've also installed JXplorer and imported the same certificate into <jexplorer install directory>\jxplorer321\security\cacerts. JXplorer is able to connect to the AD through SSL on port 636, so user credentials, certificate, etc. are OK.
    The connector documentation doesn't mention anything regarding SSL connection to AD, it only describes SSL connection to OIM.
    Has anyone done this before? Is there any additional step I should follow to enable SSL connection from the AD password sync connector to AD? Does the connector support SSL connection to AD?
    Regards.

    have you tried importing the cert in cacerts under $JAVA_HOME?

  • Error in people search when connecting through ldaps port

    Hello,
    I am getting the following error when doing a Windows people search through the LDAPS port (636).
    The specified directory service could not be reached.
    The service may be temporarily unavailable or the server name may be incorrect.
    It is working fine when I am connecting through the LDAP port.
    Could anyone help me in this regard?
    -mala

    Just setting the port in the console does not enable SSL. Do you have a certificate installed on that instance? If so, does your ldap client have that certificate (or its CA certificate) as a trusted cert? If not, you may need to run certutil to create/update the client certificate database.

  • Custom sig: Non-SSL over SSL port

    I am trying to build a custom signature for detecting non-SSL traffic on a specific SSL port (let's say tcp/443). This has to do with CONNECT tunnels through an HTTP proxy. Conceptually, it's not a complicated idea. Whether or not it can technically be done effectively with the Cisco IPS I don't know.
    It seems that very early in every SSL connection, there is an SSL "client hello" message(SYN,SYN/ACK,ACK,CLIENT HELLO). There are two relevant record formats, SSLv2 and SSLv2/TLS. I would like to create a signature that fires when it DOES NOT see the client hello message very early in a given TCP session. I would want the signature to only need to check the very first n packets of any given TCP session (n = max size of connection establishment + max size of client hello packet). Has anyone created such a beast or willing to help? Here are a couple packets.

    Hi mhellman:
    I can see 3 difficulties with this kind of signature.
    1) To determine the order of the packets.
    2) To determine that it happens at the very beginning of the connection.
    3) To fire when the traffic doesn't match the signature.
    Difficulty number 3, I think, is impossible to resolve because the sensor can compare the traffic with a well-defined pattern and fire when it matches, but not when it doesn't.
    Difficulty number 2:
    You need a kind of state signature because this can be classified like a state machine (first the three-way handshake, then the hello packet), but I can't see fields in the state engine that help in this case.
    Difficulty number 1 could be resolved by a Meta signature.
    You will need to create a custom atomic signature for the SYN packet, another for the SYN/ACK, another for the ACK, and the last one for the hello packet.
    Then create a meta signature and add the four atomic signatures with a strict order.
    But guess what...
    Meta signature doesn't permit custom signatures.
    I think this kind of signature is impossible to write.
    But I'd try.
    Regards
    Alberto Giorgi from spain.
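
The check asked about in this thread, written as stand-alone Python rather than as a Cisco IPS signature (an added example, not code from either poster): it looks only at the first client-to-server payload bytes of a TCP session and flags sessions that do not open with an SSLv3/TLS or SSLv2-format ClientHello. The function names and the sample payloads are constructed for illustration, and the caller is assumed to supply payload segments already in TCP order.

```python
"""Flag TCP sessions on an SSL port that do not open with a ClientHello."""
from enum import Enum

HEADER_LEN = 11  # bytes needed to validate either ClientHello format


class Verdict(Enum):
    TLS_CLIENT_HELLO = "SSLv3/TLS ClientHello"
    SSLV2_CLIENT_HELLO = "SSLv2-format ClientHello"
    NEED_MORE_DATA = "prefix is consistent with a ClientHello but incomplete"
    NOT_SSL = "stream does not start with a ClientHello"


def _tls_prefix_ok(d: bytes) -> bool:
    """False as soon as a visible byte contradicts an SSLv3/TLS ClientHello."""
    n = len(d)
    if n > 0 and d[0] != 0x16:                 # record type: handshake
        return False
    if n > 1 and d[1] != 0x03:                 # record version, major byte
        return False
    if n > 2 and d[2] > 0x04:                  # record version, minor byte
        return False
    if n > 4 and not 4 <= int.from_bytes(d[3:5], "big") <= 16384:
        return False                           # record length out of range
    if n > 5 and d[5] != 0x01:                 # handshake type: client_hello
        return False
    if n > 10 and (d[9] != 0x03 or d[10] > 0x04):
        return False                           # client_version inside the hello
    return True


def _sslv2_prefix_ok(d: bytes) -> bool:
    """False as soon as a visible byte contradicts an SSLv2-format ClientHello."""
    n = len(d)
    if n > 0 and not d[0] & 0x80:              # 2-byte record header: high bit set
        return False
    if n > 2 and d[2] != 0x01:                 # message type: CLIENT-HELLO
        return False
    if n > 4 and d[3:5] != b"\x00\x02" and not (d[3] == 0x03 and d[4] <= 0x04):
        return False                           # version: SSLv2 or an SSL3/TLS offer
    if n > 10:
        rec_len = ((d[0] & 0x7F) << 8) | d[1]
        cipher, sid, chal = (int.from_bytes(d[i:i + 2], "big") for i in (5, 7, 9))
        if cipher == 0 or cipher % 3 or sid not in (0, 16) or not 16 <= chal <= 32:
            return False
        if rec_len != 9 + cipher + sid + chal:  # header fields must add up
            return False
    return True


def classify_prefix(d: bytes) -> Verdict:
    """Classify the client-to-server bytes seen so far."""
    tls, v2 = _tls_prefix_ok(d), _sslv2_prefix_ok(d)
    if not (tls or v2):
        return Verdict.NOT_SSL
    if len(d) < HEADER_LEN:
        return Verdict.NEED_MORE_DATA
    return Verdict.TLS_CLIENT_HELLO if tls else Verdict.SSLV2_CLIENT_HELLO


def classify_session(client_segments) -> Verdict:
    """Accumulate in-order client payload segments until a decision is possible."""
    buf = b""
    for seg in client_segments:
        buf += seg
        verdict = classify_prefix(buf)
        if verdict is not Verdict.NEED_MORE_DATA:
            return verdict
    return Verdict.NEED_MORE_DATA


def should_alert(verdict: Verdict) -> bool:
    """Alert on the negative case: the session did not open with a ClientHello."""
    return verdict is Verdict.NOT_SSL


# Constructed sample payloads (not captured traffic).
CONSTRUCTED_TLS_HELLO = bytes.fromhex("16030100 2f 01 00002b 0303") + bytes(41)
CONSTRUCTED_SSLV2_HELLO = bytes.fromhex("801f010301000600000010") + bytes(22)
CONSTRUCTED_PLAINTEXT = b"SSH-2.0-example\r\n"

if __name__ == "__main__":
    for name, payload in [("tls", CONSTRUCTED_TLS_HELLO),
                          ("sslv2", CONSTRUCTED_SSLV2_HELLO),
                          ("plaintext", CONSTRUCTED_PLAINTEXT)]:
        v = classify_prefix(payload)
        print(f"{name:10s} {v.value:45s} alert={should_alert(v)}")
```

A session that stays at NEED_MORE_DATA never sent enough bytes to decide; whether to alert on that after a timeout is a policy choice left to the caller.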

  • Active Directory Replication 2008 R2

    Hi
    We are getting an error as "The following server could not be reached (topology incomplete)"
    Domain Controllers: 2008 R2
    How can we resolve this issue.
    Aravind

    The error message mentions that the server is not reachable.
    You might want to start with checking the basics:
    Check that the faulty DC has its A, CNAME and SRV records properly registered in your DNS system (you can use NSlookup for checking: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx). If this is not the case then you follow the IP settings recommendation I mentioned here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    Once the IP settings are corrected then you can run the ipconfig /registerdns command.
    Check that required ports for AD replication are opened between your DCs and are not filtered: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
    If none helped then you can temporarily disable the security software you use on DCs and check again.
    The last resort could be to demote the DC and promote it again.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • How to configure Node manager on Linux on ssl port

    Hi,
    I have installed SOA BPM 11.1.1.3 on linux with ssl enabled. I am trying to configure Node Manager but it's not working.
    Here are the steps I did to configure.
    1. Created a machine
    2. Added managed servers to the machine i.e. soa,bam
    3. Enroll domain using nmEnroll using
    cd $BEA_HOME/user_projects/domains/<domain_name>/bin/
    . setDomainEnv.sh
    java weblogic.WLST
    wls> connect('weblogic','weblogic1', 't3://mymachine.mydomain:7001')
    wls> nmEnroll('$BEA_HOME/user_projects/domains/<domain_name>', '$BEA_HOME/wlserver_<version>/common/nodemanager')
    here 7001 is the admin server non-ssl port but when I try 7002 ssl port it doesn't connect. But I need to enroll it on ssl port as I have ssl enabled.
    4. reset the node manager user/password same as weblogic console
    5. started the node manager using $WL_HOME\server\bin\startNodeManager.sh
    But when I log back into console and try to start my manage server it gives the following error
    SEVERE: java.io.FileNotFoundException: /usr3/app/oracle/Middleware/user_projects/domains/wcbpm_domain/./config/jps-config.xml (No such file or directory)
    <Aug 6, 2010 5:30:16 PM EDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The dynamic loading of the OPSS java security policy provider class oracle.security.jps.internal.policystore.JavaPolicyProvider failed due to problem inside OPSS java security policy provider. Exception was thrown when loading or setting the JPSS policy provider. Enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-01538: The default policy provider was not found.
    I did not add my Admin server to be part of the machine.
    Any help if I am missing anything or doing anything wrong.
    Thanks

    Hi,
    Do I need to add Admin Server also part of the Machine where I added bam,soa servers. I tried again following the steps but gets the below error again. Appreciate if someone can list the steps as the docs are a bit vague:
    <Aug 6, 2010 6:14:01 PM> <INFO> <wcbpm_domain> <bam_server1> <Starting WebLogic server with command line: /usr3/app/oracle/Middleware/user_projects/domains/wcbpm_domain/bin/startWebLogic.sh >
    Aug 6, 2010 6:14:01 PM weblogic.nodemanager.server.ServerManager log
    INFO: Starting WebLogic server with command line: /usr3/app/oracle/Middleware/user_projects/domains/wcbpm_domain/bin/startWebLogic.sh
    <Aug 6, 2010 6:14:01 PM> <INFO> <wcbpm_domain> <bam_server1> <Working directory is '/usr3/app/oracle/Middleware/user_projects/domains/wcbpm_domain'>
    Aug 6, 2010 6:14:01 PM weblogic.nodemanager.server.ServerManager log
    '/usr3/app/oracle/Middleware/user_projects/domains/wcbpm_domain/servers/bam_server1/logs/bam_server1.out'
    <Aug 6, 2010 6:14:02 PM> <INFO> <wcbpm_domain> <bam_server1> <Server failed during startup so will not be restarted>
    Aug 6, 2010 6:14:02 PM weblogic.nodemanager.server.ServerManager log
    INFO: Server failed during startup so will not be restarted
    <Aug 6, 2010 6:14:02 PM> <WARNING> <Exception while starting server 'bam_server1'>
    java.io.IOException: Server failed to start up. See server output log for more details.
            at weblogic.nodemanager.server.ServerManager.start(ServerManager.java:331)
            at weblogic.nodemanager.server.Handler.handleStart(Handler.java:567)
            at weblogic.nodemanager.server.Handler.handleCommand(Handler.java:118)
            at weblogic.nodemanager.server.Handler.run(Handler.java:70)
            at java.lang.Thread.run(Thread.java:619)
    [WARN ] Use of -Djrockit.optfile is deprecated and discouraged.
    [WARN ] Use of -Djrockit.optfile is deprecated and discouraged.
    Unknown option or illegal argument: -XX:+UseParallelGC.
    Please check for incorrect spelling or review documentation of startup options.
    Could not create the Java virtual machine.
    <Aug 6, 2010 6:14:02 PM> <FINEST> <NodeManager> <Waiting for the process to die: 590>
    <Aug 6, 2010 6:14:02 PM> <INFO> <NodeManager> <Server failed during startup so will not be restarted>
    <Aug 6, 2010 6:14:02 PM> <FINEST> <NodeManager> <runMonitor returned, setting finished=true and notifying waiters>
    Don't know if I have missed any steps in node manager configuration.
    Thanks

  • Yosemite Mail 10.10.2 - SSL port, Certificate not trusted, email can't be seen

    Hi All,
    Thanks in advance for your help.
    I have just upgraded  (quite regrettably) to Yosemite 10.10.2 with a clean install (Time machine... that's a whole new bag of tricks hasn't worked can't even reinstall mail via TimeMachine RESTORE.. very helpful apple)
    Mail – The simplest of software, is causing no end of problems:
    PROBLEMS:
    1) When mail opens, it kept saying "Certificate for this server is invalid"
    2) The 2 email accounts I have, keep going offline? NEVER had this on any of the macs i've had set up before ran 10.6.8 for ages not a blip?
    3) And another glorious trick, even if the email accounts aren't showing any exclamation marks (about being off line)
    I select any mail box AND out of nowhere, no emails show in the mail boxes, where only 10 seconds ago they were all there?
    4) REPLY ALL just a few moments ago DIDN'T work or reply to all
    NOW, it either replies to ALL including me (the original sender) OR it'll place the original sender email address in TO and all others in CC? when all emails were in the TO field?
    Just to be clear: I have set up 2 email accounts as IMAP on the mac (Say email X and email Y), and have tested by sending an email FROM email X TO email Y and a hotmail account, just to have more than 1 email address in the to field to see what happens with the REPLY ALL. It doesn't work suffice to say
    SOLUTIONS TRIED BUT NOT WORKED SO FAR
    I have scoured the forums and tried a few suggested things
    1) I have 2 email accounts, both of which I'm setting up as IMAP, my ISP Tech support for email host has said "Set the SSL port to 587"
    – Tried doing that in 2 places
    a) Mail > Accounts > (select email account) > Advanced  There under PORT stated 587
    b)  Mail > Preferences > Accounts (select account) > Advanced > PORT And here it is NOT the stated 587, it's (currently) 143?
    (I've tried changing this to 587) and this doesn't solve the problem(s)
    2) I tried UNTICKING "automatically detect and maintain account settings". but this didn't solve anything, and the whole certificate error and Mail going offline started up pretty much instantly
    3) Tried ticking the "Allow Insecure authentication" - Again, no solution?
    4) I did have my gmail account set up, but took that out of the equation as that wasn't helping, and with that I couldn't hit REPLY ALL and it show up in the TO field????
    I appreciate this is a lot of information on the screen, but I've tried to be as thorough as I can, and seriously I CANNOT believe Apple have managed to mess up a cornerstone app that should just work?
    Thanks again for any help or pointers.
    Mypetshadow

    CAVEAT:
    1)I'm not technically qualified, but thought i should share the info I have found that works for me after having a tech guy from the ISP sort out the settings to get my main running:
    2) This has been working for all of 2 hours... lets hope it stays that way.
    3) My emails are set up as IMAP accounts.
    So....
    After speaking / emailing with my ISP and after 4 days of what seems like ****... (Seriously, thanks Apple "it just works.... like a hole in the head") I have a few solutions that are working for me and thought I would post them up for people who maybe having the same difficulty...
    SSL PORTS AND CERTIFICATES ISSUE
    1) Once you "CREATE' an email account, you have to adjust the settings manually (No surprise there)
    • There are some people saying you have to UNTICK the "Automatically detect and maintain my account settings"
    • (I'm NOT a techie kinda guy), BUT in my case I LEFT THIS CHECKED (on advice from the ISP tech guy), and for me it is working. The tech guy from my ISP said something along the lines of "If the PORT is 993 then SSL has to be checked, if it's port 143 then SSL IS UNCHECKED"
    Again, i'm not a techie, but this may be of relevance to you.
    Screen grab of the main IMAP settings page
    2) EDITING the SMTP settings
    • MAIL > PREFERENCES > ACCOUNTS > select your newly created account > ACCOUNT INFORMATION TAB
    – From the OUTGOING MAIN SERVER Dropdown list, Select EDIT SMTP SERVER LIST and change your port to 465 (note: Originally port was 587... read below)
    Here, SSL WAS CHECKED, as was "Automatically detect and maintain account settings".
    REPLY ALL MOVES EMAILS INTO THE CC FIELD
    • Originally the port was set at 587 BUT I noticed a glitch; when I hit reply all, this would put all email addresses that were in the TO field into the CC field? (excluding the original sender...) Not helpful.
    • I noticed  (in an earlier mess up and moving around of ports etc) that when the port was changed to 465 (another port that the ISP tech guys said was an option) my email started behaving as expected... emails in the TO field stay in the TO field, as expected. and not placed in the CC field
    Screen grab of the SMTP edit page:
    Right, that's my non-techie tuppence and hope that it is of some help, and if not specifically all you need, it might give a few clues.
    Cheers

  • Error when changing OID instance SSL port to 636

    I have an OID 11.1.1.6 instance running on port 3065 for its SSL port. I wanted to change the SSL port to 636 from the em console. When I request to change it, it says it was successful...restart the OID server. Once the OID instance is restarted and comes back up, I get an error "Failed to load server configuration" Check the Internet Directory Server logs. Possible Error: "<hostname>:636>
    Do I need to run/restart other services for this change?
    I also tried extending the domain and creating a new instance using the staticports.ini. I specified the SSL port in there at 636 and ran the oracleRoot.sh script but get the same error when I look at it in em console.

    Hey,
    1)Did you follow these steps 'Configuring Ssl by Fusion Middleware Control'?
    Link: http://docs.oracle.com/cd/E14571_01/oid.1111/e10029/ssl.htm#CHDJHGGC
    Also,
    2)When you type from command line: opmnctl status -l , what ports OID is showing to you?
    If 1) did not resolve your issue, can you pls provide oid logs that you are receiving?
    I hope this helps,
    Thiago Leoncio.

  • FYI: Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 2)

    see:
    (2014-02-02)
    Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 2)
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    see:
    http://jorgequestforknowledge.wordpress.com/2014/02/16/testing-active-directory-replication-latencyconvergence-through-powershell-update-3/
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

  • Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3)

    see:
    http://jorgequestforknowledge.wordpress.com/2014/02/17/testing-sysvol-replication-latencyconvergence-through-powershell-update-3/
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

    see:
    http://jorgequestforknowledge.wordpress.com/2014/02/16/testing-active-directory-replication-latencyconvergence-through-powershell-update-3/
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/

  • Windows Server 2008 R2 - Active Directory Replication over DynDNS

    Hello,
    I have one server running Windows Server 2008 R2 - Active Directory / DNS.
    Now some users have shifted to a new office with the server.
    Some users are still in the original place, which now doesn't have ADDS/DNS.
    I want to install one replication server in the original place to retrieve AD/DNS from the new office via DynDNS.
    Is that possible or not?
    Best regards,

    Badr, I don't think you want AD replication occurring over the internet - even if that was possible the server would need access to all the SRV records, A records, and all the ports required for communication - see here for an exhaustive list:
    http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx - I don't think I have to tell you how bad opening all these ports to the internet would be.
    You may want to look at setting up a VPN or DirectAccess from the original site to the new site. This will give you more security and generally won't cost too much.
    http://technet.microsoft.com/en-us/network/dd420463.aspx
    Another thing that may work for you would be if you set up Remote Desktop Services in the new location and had the original location remote in via a gateway server -
    http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx as a starting point. With RDS your users would be able to access the new location from anywhere, although there would be upfront costs associated, licensing and server being part of them - I don't recommend turning your domain controller into an RDS server. These are just some ideas to help you with your issue.
