I had an issue in my lab where the PDC emulator changed its password while the IPv6 communication was not properly up and running, and so 2 different passwords were registered on my 2 DCs; this is a reminder that IPv6 is the preferred network in Windows and has been since Vista.
Nothing new in this article, just some precision, as the documentation can be confusing sometimes and we tend to forget things.
The architecture is the following:
DC1 : Server 2012R2
DC2 : Server 2016 (All FSMO roles hosted) – The culprit
The first thing to check is DNS: point the network card of DC2 to the working DC, as the DNS server on DC2 might not be working properly. In my case DC2 didn’t have IPv6 records while DC1 had them, and since the DNS zone is replicated via AD, we clearly see an issue here.
If you’re using L2TP with IPsec:
Windows doesn’t enable NAT-T by default (Windows 10 included); you need to add a registry value.
To create and configure the registry value, follow these steps:
- Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
- Right-click Start, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
- Locate and then click the following registry subkey:
- On the Edit menu, point to New, and then click DWORD (32-bit) Value.
- Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
- Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
- In the Value Data box, type one of the following values:
  - A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
  - A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
  - A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
- Click OK, and then exit Registry Editor.
- Restart the computer.
Validate that the Windows service “IPsec Policy Agent” is started.
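The same procedure as a script, so it can be applied consistently and read back rather than trusted. This is an added example, not from the original post; it assumes the value lives under the PolicyAgent service key (the post does not show the path) and that the service name of “IPsec Policy Agent” is PolicyAgent.

```powershell
# Added example: set the NAT-T rule for the L2TP/IPsec client and verify it.
# Assumption: the value sits under the PolicyAgent service key; confirm the
# path against your own reference before running this in production.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet(0, 1, 2)]   # 0 = no NAT (default), 1 = server behind NAT, 2 = both behind NAT
    [int]$Rule
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

if (-not (Test-Path $key)) {
    throw "Registry key $key not found; the IPsec Policy Agent may not be installed"
}

# Create the DWORD (32-bit) value, overwriting an existing one (-Force).
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Rule -Force | Out-Null

# Read the value back instead of assuming the write succeeded.
$current = (Get-ItemProperty -Path $key -Name $name).$name
if ($current -ne $Rule) {
    throw "Expected $name = $Rule but read back $current"
}
Write-Host "$name is now $current"

# The procedure ends with checking that IPsec Policy Agent is running.
$svc = Get-Service -Name PolicyAgent
if ($svc.Status -ne 'Running') {
    Write-Warning "IPsec Policy Agent is '$($svc.Status)'; starting it"
    Start-Service -Name PolicyAgent
}

# The new value is picked up after a restart, as in the manual steps above.
Write-Host 'Restart the computer for the change to take effect.'
```

Run it from an elevated PowerShell prompt, e.g. `.\Set-NatT.ps1 -Rule 2` when both the client and the VPN server sit behind NAT devices.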
To force a sync, navigate to “C:\Program Files\Microsoft Azure AD Sync\Bin” and run:
- “DirectorySyncClientCmd.exe delta” for a delta sync
- “DirectorySyncClientCmd.exe initial” for a full sync