Can you try these 2 settings and see how it works for you?
set ser MS-NETLOGON time 2
set service MS-AD-DRSUAPI time 2
Both of these services are usually set to a default of 1 min on the FW. I have had many instances where 1 min is not long enough. 2 mins is a good timer, but you can extend it if required, depending on your network infrastructure.
Let me know if this helps.
Message Edited by WL on 03-12-2009 10:07 AM