If you are planning to add a domain controller located in a remote site and linked by a slow VPN connection, there are two things you need to check before running DCPROMO.

The first is to turn off ‘fragmented packet handling’ in the VPN tunnels.

The second is to configure Kerberos to use TCP instead of the less reliable connectionless UDP protocol.

Kerberos uses UDP by default. On a slow VPN link, if the UDP packets arrive at their destination out of sequence, they are dropped, and DCPROMO fails. With TCP, the packets are reassembled in order and DCPROMO does not fail.

To force Kerberos to use TCP/IP, do the following: on the remote server, open the Registry Editor and navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Create a DWORD value named MaxPacketSize.

Set the value to 1 and restart the server. Now run DCPROMO; the server should be promoted to a DC without any problems.
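The same change as an added PowerShell example (not part of the original post). It assumes an elevated session on the remote server, reads the current value first so the change can be verified or reverted, and sets MaxPacketSize to 1 as described above:

```powershell
# Added example: force Kerberos to use TCP by setting MaxPacketSize = 1.
# Run in an elevated PowerShell session on the server to be promoted;
# the server still has to be restarted afterwards, as the post says.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Name    = 'MaxPacketSize'
$Desired = 1   # any Kerberos message larger than 1 byte is then sent over TCP

# The Parameters key is absent on a fresh install; create it if needed.
if (-not (Test-Path $KerbKey)) {
    New-Item -Path $KerbKey -Force | Out-Null
}

# Record the current setting so it can be restored later if required.
$Current = (Get-ItemProperty -Path $KerbKey -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $Current) {
    Write-Output "$Name is not set; Kerberos is using its default transport behaviour."
} else {
    Write-Output "$Name is currently $Current."
}

# Write the DWORD value (create it if missing, otherwise update it in place).
if ($null -eq $Current) {
    New-ItemProperty -Path $KerbKey -Name $Name -PropertyType DWord -Value $Desired | Out-Null
} else {
    Set-ItemProperty -Path $KerbKey -Name $Name -Type DWord -Value $Desired
}

# Read the value back before rebooting and running DCPROMO.
$Verify = (Get-ItemProperty -Path $KerbKey -Name $Name).$Name
if ($Verify -ne $Desired) {
    throw "Failed to set $Name (read back '$Verify')."
}
Write-Output "$Name = $Verify. Restart the server, then run DCPROMO."
```

To revert, set the value back to what the script reported as current (or remove it with Remove-ItemProperty if it was not set) and restart again.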

For more information visit: http://support.microsoft.com/?kbid=244474
