Connection Security Rule communication lost
I have two Server 2008 R2 DCs at a main site, and a 2008 R2 RODC at a remote site behind a NAT firewall; they communicate using Connection Security Rules to require encrypted traffic between them. The NAT firewall is open to allow all traffic from the main site DCs, and I've set the "AssumeUDPEncapsulationContextOnSendRule" registry key on the DCs. This works, but after an indeterminate amount of time communication between the servers changes and fails. It looks like it's a Kerberos problem, as that's what I'm using to authenticate the encrypted sessions. I'm seeing a ton of these entries when communication fails:

    Audit Failure    Microsoft Windows security auditing.    4769    Kerberos Service Ticket Operations
    A Kerberos service ticket was requested.
    Account Information:
        Account Name:           RODC1@DOMAIN
        Account Domain:         DOMAIN
        Logon GUID:             {00000000-0000-0000-0000-000000000000}
    Service Information:
        Service Name:           host/DC1
        Service ID:             NULL SID
    Network Information:
        Client Address:         ::1
        Client Port:            0
    Additional Information:
        Ticket Options:         0x40810000
        Ticket Encryption Type: 0xffffffff
        Failure Code:           0x1d
        Transited Services:     -

There are no similar requests when communication is established/working. While it's working, packets are showing up in Wireshark as ESP protocol "ESP (SPI=<octal number>)" and UDPENCAP "NAT-keepalive" packets, but when the problem occurs they change to ISAKMP protocol "Identity Protection (Main Mode)", "Unknown 243", and "Unknown 246" packets, based on the Info field. The only way to get communication between them working again is to open a connection from the DCs at the main site. All traffic initiated at the RODC will fail. Any suggestions as to what I should look at or settings to mangle?
October 31st, 2011 6:58pm

Hi,

The Failure Code 0x1d means "KDC_ERR_SVC_UNAVAILABLE: A service is not available". It may occur when the RODC is trying to forward the request to the RWDC and the RWDC is unreachable. I suggest you verify that DNS is correctly set up, the KDC service is running, and port 88 is in a listening state on the RODC.

Hope this helps.

Regards,
Bruce
November 1st, 2011 11:30pm

Hi Bruce,

Thanks for responding. DNS entries and lookups are good, and port 88 is reachable from each of the hosts to the others, assuming the connection is working. At this point I think what's happening is the RODC's Kerb ticket for accessing the DCs expires and it can't negotiate a new one because the connection requires encryption using said ticket. I've added certificates as another form of authentication and so far it seems that's working; I've also considered switching the authentication from required to requested for inbound/outbound.

Best,
Austin
November 2nd, 2011 1:19pm
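For anyone hitting the same symptom, here is a diagnostic script that checks the two things discussed in this thread on a DC: the IPsec NAT-T registry value the original post mentions, and the Security-log 4769 events whose Failure Code is 0x1d, grouped by requesting account and service so the RODC's machine account stands out. It is an added example, not code from either poster; the registry path and 4769 field names are the documented ones, and the 24-hour window is a constructed default.

```powershell
# Added diagnostic for the symptoms in this thread. Run in an elevated
# PowerShell session on one of the DCs. $Hours is a constructed default.
param([int]$Hours = 24)

# 1. NAT-T setting from KB 926179: 0 = default (no NAT-T when the responder
#    is behind NAT), 1 = server behind NAT, 2 = both peers may be behind NAT.
#    A missing value behaves as 0.
$ipsecKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$natT = (Get-ItemProperty -Path $ipsecKey -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($null -eq $natT) { $natT = 'not set (behaves as 0)' }
Write-Output "AssumeUDPEncapsulationContextOnSendRule = $natT"

# 2. Kerberos service-ticket requests that failed with 0x1d (KDC_ERR_SVC_UNAVAILABLE)
#    within the last $Hours hours. XPath filters server-side so big logs stay fast.
$ms    = $Hours * 3600000
$xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
         "and EventData[Data[@Name='Status']='0x1d']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 4769 events with Status 0x1d in the last $Hours hours."
    return
}

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = $d['TargetUserName']      # e.g. RODC1@DOMAIN in the post above
        Service    = $d['ServiceName']         # e.g. host/DC1
        ClientAddr = $d['IpAddress']           # ::1 means the request was local
        EncType    = $d['TicketEncryptionType']
    }
}

# One line per (account, service) pair with the time span of the failures,
# which shows whether the 0x1d burst lines up with the loss of the IPsec SA.
$rows | Group-Object Account, Service |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='First'; e={($_.Group | Measure-Object Time -Minimum).Minimum}},
        @{n='Last';  e={($_.Group | Measure-Object Time -Maximum).Maximum}} |
    Format-Table -AutoSize
```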
