We just added a new Server 2008 (SP2) Domain Controller in a new Site, our first such config. It's over a VPN gateway WAN (10 Mbit). Unfortunately it is displaying a strange network symptom. Connections to the SMB ports (TCP/139 and TCP/445) are being actively refused... if the connection is coming in on pure IPv4. If the incoming connection is coming by way of the 6to4 tunnel, those connections establish and work just fine.
It isn't the firewall, since this behavior can be replicated with the firewall turned off. Also, it's actually issuing RST packets to connection attempts, something that only happens with a Windows Firewall if there is a service behind a port and the service itself denies access. I doubt it's some firewall device on the wire, since the server this one replaced was running Samba and access to it from our main network functioned just fine.
I'm thinking it might have something to do with the Subnet lists in AD Sites & Services, but I'm not sure. We haven't put any IPv6 addresses in there, just v4, and it's the v4 connections that are being denied. Unfortunately, I can't figure this out. We need to be able to talk to this DC from the main campus. Is there some kind of site-based SMB-level filtering going on? I can talk to the DCs on campus just fine, but that's over that v6 tunnel. I don't have access to a regular machine on that remote subnet, which limits my ability to test.
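The symptom above (SMB ports refused over IPv4 but reachable over the 6to4 path) is exactly what a dual-stack probe makes visible. The script below is an added example, not code from the original post or from anyone in this thread. It connects to the same ports over an IPv4 address and an IPv6 address and classifies each attempt as open, refused (the peer answered with RST, which Python surfaces as ConnectionRefusedError), or filtered (no reply before the timeout, the usual sign of a silent drop). A per-port mismatch between the two paths points at something that only sees one of them. The host addresses, the timeout and the local test listener are assumptions of the example; nothing here is taken from the poster's network.

```python
"""Dual-stack TCP reachability probe for the SMB ports.

Added example, not part of the original post. Hosts and ports are
parameters; the listener and closed port used for the self-test are
constructed locally so the script runs offline.
"""
import socket
import sys
import threading

SMB_PORTS = (139, 445)


def _family(host):
    return socket.AF_INET6 if ":" in host else socket.AF_INET


def probe(host, port, timeout=2.0):
    """Classify one TCP connect: 'open', 'refused' (RST received),
    'filtered' (timed out, typical of a silent firewall drop) or
    'unreachable' (no route)."""
    s = socket.socket(_family(host), socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        # ENETUNREACH / EHOSTUNREACH: no path at all
        if e.errno in (socket.errno.ENETUNREACH, socket.errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def compare(v4_host, v6_host, ports=SMB_PORTS, timeout=2.0):
    """Probe the same service over its IPv4 and IPv6 addresses and flag
    ports whose verdict differs between the two paths, the signature of
    a path-specific filter (for instance a rule that only matches v4)."""
    results = {}
    for port in ports:
        v4 = probe(v4_host, port, timeout)
        v6 = probe(v6_host, port, timeout)
        results[port] = {"ipv4": v4, "ipv6": v6, "mismatch": v4 != v6}
    return results


def start_listener(host="127.0.0.1"):
    """Constructed test fixture: throwaway listener on an ephemeral port
    that accepts and closes connections. Returns the port number."""
    srv = socket.socket(_family(host), socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port(host="127.0.0.1"):
    """Constructed test fixture: reserve an ephemeral port, then release it
    so a connect to it is answered with RST (nothing is listening)."""
    s = socket.socket(_family(host), socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: probe.py <ipv4-address> <ipv6-address>")
        sys.exit(2)
    for port, r in compare(sys.argv[1], sys.argv[2]).items():
        flag = "  <-- differs by path" if r["mismatch"] else ""
        print(f"tcp/{port}: ipv4={r['ipv4']} ipv6={r['ipv6']}{flag}")
```

Run it from the main campus with the DC's A record address and its 6to4 address; a line reading `ipv4=refused ipv6=open` reproduces the symptom in the question. One caveat a practitioner should keep in mind when reading the verdicts: "refused" only tells you that something on the path or on the host sent a RST, not which one. A firewall can be configured to reject with RST rather than drop silently, so a RST by itself does not rule out a device on the wire.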
Answering my own question here, but Helvick nailed it. Just had a long talk with our firewall people (they'd been out of the office all day rigging up a new remote site, so I hadn't had a chance to speak with them before now). They rearranged the rules order and that seemed to have picked it up. An old legacy IPv4 BLOCK TCP/139 rule was getting bypassed by the 6to4 gateway, which was why that traffic was getting through.
Looking back on it, the Samba access we had been doing before shouldn't have worked from the main network. I'll have to check what happened.
Anyway, resolved.