So we are having some issues with AD replication over site to site VPN. We have 15 locations all setup for site to site. Each location has it's own DC all running on one domain. Recently we started having an issue where we can not resolve host names of the other locations. This has stopped DFSR replication from working. I can reach everything by IP but not by host name or FQDN. Anyone have this issue before?
Have you created a SD-WAN firewall rule by mistake that is blocking it?
We have multi-site AD replication including DFSR over AutoVPN/SD-WAN and have not seen the issue you are getting. If you cannot resolve hostnames that sounds like your DNS is broken. Is each site DC running DNS and what are they using as forwarders? I'd start there.
Each site has a DNS server. Local DNS at each site is working fine. It just name resolution between sites. No SD-WAN rules blocking anything. Local firewalls were disable for testing to eliminate that possibility.
If there is an AD DC at each site and DNS at each site, are the DNS servers not AD integrated?
In which case they should all be a copy of each other. Or are you using something else for DNS?
Can you resolve the other site's AD DC names from each site?
Is DFSR the only thing that is broken, i.e. the namespaces domain\dfsshare?
Oh and what firmware are you running, we are using 15.32 at the moment but have used 15.x assorted versions for the last year.
DNS servers are AD integrated.
I can not resolve let’s say site A’s DC name from site B and vice versa.
DFSR is the main problem since it used for replication but we also can not access files server and some app server that use host name for communication.
I will have to log in and double check firmware to be sure but I know we are on a 15.x version. I will log in later and check as I’m currently on my way home.
Okay, so DNS seems very broken, how many AD sites do you have, one per actual site or clusters? If at site A you do a nslookup for a DC at site B and it fails, then change the server to site B's AD DNS, does that then work? If so, for a temporary fix you could set the DNS to use other site's servers.
One per actual site. Servers are already set to look at another site for primary DNS then it’s self for secondary. The odd thing is, nslookup resolves just fine but you can’t ping by host name, only IP. That’s where I’m lost.
So you can ping the IP address, but if you ping the fan, it resolves to the IP, but doesn't reply? That makes no sense at all! 🤔