Accessing domain controller and resources from a remote site using VPN
Posted on 2006-04-24
This one is urgent... and rather complex...
Here is the story, we have 2 main sites and 14 branch sites.
The branch sites connect to the main sites using permanent VPN tunnels over the internet.
When I start some (this doesn't happen on all machines!) PC's in a branch office, it cannot access the resources (file server and exchange server) of the remote site.
Here is the setup:
1) Each main site has a domain controller and exchange server that successfully replicate with each other. They also each have their own file server which the remote sites need to access.
2) The remote sites each have their own IP subnet 192.168.1xx.xxx
Here is what I tried and found out...
--> server pings are successful
So there is connectivity!
--> nslookup for any server / client of the main site works smoothly without errors
So the DNS configuration is working!
--> When I change the password of a remote client in the AD, the user cannot log in anymore and has to use the new password
So the client can contact the domain controller!
--> in the DNS servers I have added the IP subnet of the remote site to the reverse DNS folder, allowing zone transfers between the sites, and when the client logs in, the entry is created here.
So the client can read from and write to the DNS server!
--> when I check the eventviewer audit log, everything is successful
So audit is working properly!
Running DCdiag on the domain controllers does not return any errors ...
Now for the errors:
1) System Log:
The Security System detected an attempted downgrade attack for server exchangeRFR/server.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
The Security System could not establish a secured connection with the server cifs/DC. No authentication protocol was available.
--> We are running XP SP2 and I read that this behaviour is caused by the domain controller being unavailable (but it is available, as proved above). I have also tried adding the domain controllers to the LMHOSTS file and allowing broadcast by adding NodeType=4 to the registry, but the result is the same.
--> I receive this error when starting up and also each time I try to connect to the exchange server. When I try to access a file share I am prompted for a login name/password.
So something is wrong with authentication somewhere!
2) Application Log
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
--> I get the same error if I run gpupdate from the console window!
So there is a networking issue that is causing the group policy to be halted!
3) Netdiag on the client machine gives the following errors:
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to '\\DOMAIN*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc.domain.local (192.168.1xx.x). [E
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/domain.local.
[FATAL] Kerberos does not have a ticket for host/localhostname.domain.local.
So I get a lot of errors here, but I have no clue where they come from.
Can anyone help me out, please?
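The netdiag output above fails exactly at the steps a branch client performs to find and bind to a DC: locate it through DNS, then talk Kerberos (krbtgt ticket), SMB (cifs/DC) and RPC (DsBind) to it. The following Python script is an added example, not code from the poster: it sends a raw SRV query for `_ldap._tcp.dc._msdcs.<domain>` to a chosen DNS server, parses the answer (handling DNS name compression), and reports whether each advertised DC accepts a TCP connection on the ports those services use from the branch subnet. `domain.local` is the name used in the post; `DC_PORTS` and `check_dc_locator` are this example's own assumptions.

```python
import socket
import struct

DC_PORTS = {88: "kerberos", 389: "ldap", 445: "cifs", 135: "rpc"}  # services a client needs on a DC (assumed set)

def build_srv_query(name, txid=0x1234):
    """Raw DNS query (recursion desired) for the SRV record `name`; QTYPE 33 = SRV, QCLASS 1 = IN."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 33, 1)

def read_name(data, off):
    """Decode a possibly compressed DNS name at `off`; return (name, offset just after it)."""
    labels, end = [], None
    while (ln := data[off]) != 0:
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, but resume after the 2-byte pointer
            end = end or off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + ln].decode())
            off += 1 + ln
    return ".".join(labels), end or off + 1

def parse_srv_answers(data):
    """Return [(priority, weight, port, target)] for every SRV record in a DNS response."""
    qdcount, ancount = struct.unpack(">HH", data[4:8])
    off, out = 12, []
    for _ in range(qdcount):
        off = read_name(data, off)[1] + 4  # skip echoed question: name, QTYPE, QCLASS
    for _ in range(ancount):
        off = read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])  # TYPE, CLASS, TTL, RDLENGTH
        rdata = off + 10
        if rtype == 33:
            pri, wt, port = struct.unpack(">HHH", data[rdata:rdata + 6])
            out.append((pri, wt, port, read_name(data, rdata + 6)[0]))
        off = rdata + rdlen
    return out

def tcp_reachable(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered or unreachable through the tunnel
        return False

def check_dc_locator(dns_server, domain="domain.local"):
    # Ask dns_server for the DC locator record, then probe each advertised DC's service ports over TCP.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(3.0)
    s.sendto(build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}"), (dns_server, 53))
    return {t: {n: tcp_reachable(t, p) for p, n in DC_PORTS.items()} for _, _, _, t in parse_srv_answers(s.recv(4096))}
```

Run `check_dc_locator("<branch client's DNS server IP>")` from an affected PC; an empty result means the locator SRV record is not resolvable from there, and a `False` for kerberos or cifs on a DC that answers ping points at the tunnel or a filter rather than at the DC itself.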