
RED50 Overflow issue reds1:0 when doing anything with Active Directory / SG320 with RED50 / Firmware: 9.601-4

Environment:

Main Office:
Sophos SG320 with UTM 9.601-4
2 x Windows Server 2012 Domain Controllers

3 Branch Offices with ASE Circuits and RODCs

1 Branch Office with RED50

Issue:

We recently had to demote a domain controller in our branch office behind a RED50. It was having a lot of issues, which initially I suspected were just the DC itself having issues. But when we tried to stand up a new RODC (Server 2012 R2 Standard), it joined the domain (albeit connections lost, didn't notice at the time), then became an RODC, but never replicated NETLOGON or SYSVOL no matter what Microsoft troubleshooting we did. Telnet 389 and Telnet 53 all work to our Main Office DCs. Replication works in our 3 other offices to RODCs connected via ASE circuits. It is only behind this RED50 that we have any issues.

So we left that in hopes it might replicate and create the NETLOGON / SYSVOL, and moved on to our workstations and a NAS that needed to join the Windows domain, but would have to do it by reaching out to DCs in our main office across the RED50 link. We changed DHCP to hand out the DNS1 and DNS2 of Main Office to the systems in Branch Office behind RED50.

This revealed a concern in that every time we tried to join a computer or NAS to the domain, it would fail, and the RED would crash with an "Overflow....reds1:0", and then logs about reloading, which would essentially disconnect the entire remote office until the RED came back up 2-3 minutes later.

Our SG320 is running UTM 9.601-4. I have tried disabling IPS, ATP, Web Filtering, and set Any > Any > Any Firewall rules. Our NAT is basic "NETWORK(LAN)" - "WAN Interface".

I monitored our traffic between the RED50 and the Main Office via the UTM firewall logs, and traffic to 389 and 53 seems to be listed as allowed, even 445 is allowed, but attempts to join the domain fail for any device behind the RED50.  Only those that were previously domain joined are still working.  No new devices can be joined.



This thread was automatically locked due to age.
  • You've been around for a while, but this seems to be your first post in the UTM Community - welcome!

    There is no version 9.604 as the latest is 9.601.  The last time there was a 9.x04-1 was 9.504-1 and that would indicate that you might want to consider applying Up2Dates to 9.601.  Does this old problem persist after applying the Up2Dates?

    If that doesn't resolve this, I would be curious to know what Sophos Support tells you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • So guessing you didn't read the whole thing, but that's ok :)  My title was incorrect, yes, I'm running 9.601-4, I'll make that adjustment in the title. Thank you for the observation.

    The firmware is one that I do suspect could be part of the problem. I have opened a ticket with support.  This post was to see if anyone else in the community had dealt with similar or the same issue.

    I have been able to recreate the issue with Sophos support, and they did escalate it, so when I get some more details back from them I will post it here should anyone in the future face this problem.

    Thanks for the reply BAlfson.