
Some errors after promoting a second domain controller

I installed Active Directory some time ago. The client has two offices, so I installed two domain controllers and created two sites.

After promoting the second server, DC2, to domain controller, I found some errors in the event log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10009
Date: 2008-10-20
Time: 16:44:06
User: N/A
Computer: DC2
Description:
DCOM was unable to communicate with the computer dc1 using any of the configured protocols.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 2008-10-20
Time: 10:33:30
User: N/A
Computer: DC2
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable.

I checked the DCOM and RPC services, but everything was OK.

I ran certutil -ping -config DC1 on server DC2, and there was no communication.
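The checks described above (event log, RPC reachability, a real DCOM call, and the certutil ping), collected into one script that can be run on the new DC. This is an added example, not code from the original post. It assumes Windows PowerShell on a domain controller, that the remote DC is called DC1, and that DC1 hosts the issuing CA; the CA name "ClientCA" is a placeholder, because certutil's -config option takes a Machine\CAName string and the post does not give the CA name.

```powershell
# Added example, not part of the original post.
# Run on the newly promoted DC (DC2). Assumptions: Windows PowerShell (Get-EventLog),
# remote DC named DC1, CA name "ClientCA" is a placeholder to be replaced.
param(
    [string]$RemoteDC = 'DC1',
    [string]$CaName   = 'ClientCA'   # assumption: the real CA common name on $RemoteDC
)

$results = [ordered]@{}

# 1. Are the two events from the post present locally?
#    DCOM 10009 is written to System (source "DCOM" on 2003, "Microsoft-Windows-DistributedCOM" later);
#    AutoEnrollment 13 is written to Application.
$dcomEvents = Get-EventLog -LogName System -Newest 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 10009 -and $_.Source -match 'DCOM|DistributedCOM' -and $_.Message -match $RemoteDC }
$results['DCOM 10009 events naming remote DC'] = @($dcomEvents).Count

$enrollEvents = Get-EventLog -LogName Application -Newest 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 13 -and $_.Source -match 'AutoEnrollment|CertificateServicesClient' }
$results['AutoEnrollment 13 events'] = @($enrollEvents).Count

# 2. Is the RPC endpoint mapper (TCP 135) on the remote DC reachable at all?
#    Plain TcpClient so this also works on hosts without Test-NetConnection.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($RemoteDC, 135)
    $results['TCP 135 reachable'] = $tcp.Connected
} catch {
    $results['TCP 135 reachable'] = $false
} finally {
    $tcp.Close()
}

# 3. Does a real DCOM/RPC call succeed? WMI over DCOM first talks to the endpoint mapper
#    on 135 and is then redirected to a dynamic high port. A firewall that inspects the
#    DCE-RPC exchange itself can pass step 2 and still drop this step, which is the
#    situation the post ran into.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $RemoteDC -ErrorAction Stop
    $results['DCOM/WMI call'] = "OK ($($os.Caption))"
} catch {
    $results['DCOM/WMI call'] = "FAILED: $($_.Exception.Message)"
}

# 4. The same check the post made with certutil: ping the CA's RPC/DCOM interface.
#    certutil writes its own output; a non-zero exit code means the CA was not reached.
certutil -config "$RemoteDC\$CaName" -ping | Out-Null
$results['certutil -ping'] = if ($LASTEXITCODE -eq 0) { 'OK' } else { "FAILED (exit $LASTEXITCODE)" }

$results.GetEnumerator() | Format-Table -AutoSize
```

If step 2 succeeds while steps 3 and 4 fail, the problem is not basic port reachability but something between the hosts that understands RPC, which is the firewall/VPN case the KB article below describes; rerunning the script after the firewall rule change is a quick way to confirm the fix.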

On TechNet I found this article: http://support.microsoft.com/kb/899148/en-us

"Remote Procedure Call-based operations may fail if certain firewall and VPN products deny network requests. This denial occurs if the network requests come from Microsoft Windows Server 2003 Service Pack 1-based or Windows Vista-based computers. These network requests may fail on computers where you apply Windows Server 2003 Service Pack 1 (SP1) to a Windows Server 2003-based computer or your OEM or retail installation media includes SP1 updates. The following products may deny these network requests:
- Firewall or virtual private network (VPN) products from Checkpoint Software Technologies
- Microsoft Internet Security and Acceleration (ISA) Server
- Cisco VPN Client 5.0.0.0340"

And this was the reason!

Why? Because my client has Checkpoint firewalls. Firewall support changed the SmartDefense rules, and DC2 enrolled its certificate.
