Hello everyone, n00b here.

We had a cisco tech help us out today so it wasnt I, the n00b, configuring the routers and ASA.

So let me explain.

We have a domain with 3 childs, all in a Paetec MPLS.  One of these childs was taken out of the MPLS today and was put on a comcast business line, therefore outside our ASA firewall.

To keep this kicked out child within the domain a vpn tunnel was created using an ASA 5550 at our colo site which routes traffic to the outside child whenever MPLS traffics needs to reach it.  A few changes on Paetecs side and we were pinging and remote desktop-ing from the kicked off child domain controller.  We thought "great, we're done, lets get the fudge out".

We were wrong...

Later in the evening a user residing in this child domain could not connect via vpn nor check his webmail.  Oh-oh!

So I log into the child server and I can still ping every server in the domain, opened AD users&computers to check the users account to see if it was blocked, it was not.

So I log into another DC from another domain, I can still ping and access the share of the kicked off child BUT active directory gives me the following when trying to connect to that domain to manage the users:

WTF?!?!?

This happens with our other 4 DC's when trying to connect to the kicked off child, yet they can access its shares (all the servers that have shares can be contacted by ALL servers).  The only diff I notice is that when accessing a share of the kicked off child it prompts to authenticate with a network user/pass.  Once auth you can access the shares.

Now, I am thinking that this could be an LDAP and cisco vpn tunnel issue, but I would have no clue.

I've ran dcdiag and dnsdcdiag on the DC of the kicked off child as well as our main DC in the root domain that holds all the FSMO roles and for the life of me I do not see any FAILS or ERRORS that can guide me in the right direction.

Does the tunnel block LDAP?

WTF is going on?!?!?

Please help!

Thanks,

cesar