
Accessing domain controller and resources from a remote site using VPN

Hi experts,

this one is urgent ...and rather complex...

Here is the story, we have 2 main sites and 14 branch sites.

The branch sites connect to the main sites using permanent VPN tunnels over the internet.

When I start some (this doesn't happen on all machines!) PC's in a branch office, it cannot access the resources (file server and exchange server) of the remote site.

Here is the setup:

1) Each main site has a domain controller and exchange server that successfully replicate with each other. They also each have their own file server which the remote sites need to access.
2) The remote sites each have their own IP subnet 192.168.1xx.xxx

Here is what I tried and found out...

--> server pings are successful

So there is connectivity!

--> nslookup for any server / client of the main site works smoothly without errors

So the DNS configuration is working!

--> When I change the password of a remote client in the AD, the user cannot login anymore and has to use the new password

So the client can contact the domain controller!

--> in the DNS servers I have added the IP subnet of the remote site to the reverse DNS folder, with allowing zone transfers between the sites and when the client logs in, the entry is created here.

So the client can read from and write to the DNS server!

--> when I check the eventviewer audit log, everything is successful

So audit is working properly!

Running DCdiag on the domain controllers does not return any errors ...


Now for the errors:
------------------------

1) System Log:

EVENTID 40960
The Security System detected an attempted downgrade attack for server exchangeRFR/server.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

EVENTID 40961
The Security System could not establish a secured connection with the server cifs/DC.  No authentication protocol was available.

--> We are running XP SP2 and I read that this behaviour is caused by the domain controller being unavailable (but it is available, as proved above). I have also tried adding the domain controllers to the LMHOSTS file and allowing broadcast by adding NodeType=4 to the registry, but this results in the same.

--> I receive this error when starting up and also each time I try to connect to the exchange server. When I try to access a file share I am prompted for a loginname/password.

So something is wrong with authentication somewhere!

2) Application Log

EVENTID 1054
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

--> I get the same error if I run gpupdate from the console window!

So there is a networking issue what is causing the group policy to be halted!

3) Netdiag on the client machine gives the following errors:

[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Redir and Browser test . . . . . . : Failed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
    The browser is bound to 1 NetBt transport.
    [FATAL] Cannot send mailslot message to '\\DOMAIN*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to dc.domain.local (192.168.1xx.x). [ERROR_INTERNAL_ERROR]

Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for krbtgt/domain.local.
        [FATAL] Kerberos does not have a ticket for host/localhostname.domain.local.



So I get a lot of errors here but I have no clue where they come from.

Anyone can help me out pls ?

Many  thanks
Asked by: ulensr

1 Solution
hstiles commented:
Are your DCs Windows 2003 and have you recently applied SP1?
0
 
ulensr (Author) commented:
The domain controllers are indeed Windows 2003 Server but no SP
0
 
ulensr (Author) commented:
I did apply SP2 to the Windows XP clients but for some it works so it is strange

Regards
0
 
hstiles commented:
Hmm.

Have a look at the following article.

http://support.microsoft.com/kb/898060/en-us

We have a similar network structure to yourself.  Windows 2003 DCs at head office.  7 branch offices connected via IPSec VPNs with the remote offices using XP SP2 clients with a local Windows 2003 Server.

We had a major problem with our Windows 2003 SP1 branch office servers.  We could ping them no problem, but were unable to terminal services in, map drives, etc... until we rebooted.  We applied SP1 to our DCs and within a couple of days, the overseas offices could not communicate.  It was obvious that SP1 had introduced the problem.

This article outlined the issues and suggested a fix.

http://support.microsoft.com/kb/899148/en-us

I think the first may well be a good avenue to investigate first.
0
 
ulensr (Author) commented:
I will take a look at these articles right now, but just for your information, I seem to have left this out: we do not have a local server in the remote sites.

The remote sites need to logon over the VPN tunnel to the closest AD (which works for all) but accessing resources is still a problem.

We have the remote sites DNS servers in the DHCP config of the remote sites and the hosts file contains the most critical servers (this is just to speed up things, they can resolve even without the hosts file)

Thx
0
 
ulensr (Author) commented:
I just noticed that when I try a remove/rejoin domain I get the following event although the join domain was successful.

The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
   Host Name : NITSICDS02
   Primary Domain Suffix : domain.local
   DNS server list :
           CORPORATE DNS SERVER'S IP, ISP DNS SERVER IP
   Sent update to server : 192.1.1.1
   IP Address(es) :
     LOCAL IP

Why does it send the update to 192.1.1.1 ???? There is nowhere anything configured with that IP address.

Maybe this additional information helps ...

Thx
0
 
hstiles commented:
I wonder whether the first DC in your domain has been configured with the address of an ISP's DNS server by mistake?  Could you check the DNS settings on your DCs?
0
 
ulensr (Author) commented:
Hi,

our DNS server is configured properly: own IP in DNS settings, ISP IPs in forwarders.

0
 
ulensr (Author) commented:
UPDATE!!!! Problem (seems) fixed....

When looking on the internet for the various errors, I found this on EVENTID

In order to make this LSASRV event log entry disappear, simply make NETLOGON depend on DNS. This can be done in the registry easily, just go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).
I just tried it - what the hell, nothing to lose - and the entry indeed disappeared .. better even ... the resources could be accessed now and outlook connected !!!!

Nevertheless, I'm halfway there, I would still need to fix the issues with Netdiag & Eventlog because I don't feel very comfortable with this "fix".

Still points to earn ...
0
 
GranMod commented:
PAQed with points refunded (500)

GranMod
Community Support Moderator
0
 
Katearna37 commented:
Hello ulensr,

We have a very similar setup to yours and we are also having outlook connectivity issues over the VPN, with the same errors. Is this registry change still working for you in your environment?

Thanks!
0
 
ulensr (Author) commented:
Dear, the registry change was only a temporary solution and it didn't even work on all machines.

I found out that the proper way of doing this was to include the following in the IPCONFIG

DNS1: DNS server of the remote site
DNS2: public DNS

Regards
0
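As an added example (not code from the thread or from any of its posters), a PowerShell audit that checks the two settings the thread ended on: whether each adapter's primary DNS server can actually locate a domain controller for the domain, and what the Netlogon service's DependOnService value currently holds. It assumes a current Windows client with PowerShell 5 or later, the DnsClient module and nltest.exe available; the domain name is a placeholder.

```powershell
# Added audit script, not from the thread. Assumes PowerShell 5+, the DnsClient
# module (Resolve-DnsName) and nltest.exe. $Domain is a placeholder value.
param([string]$Domain = 'domain.local')

$findings = @()

# 1. DNS server order per adapter. The thread's root cause was a client whose
#    DNS list did not put a domain DNS server first, so DC location failed
#    (event 1054) even though pings and plain nslookup worked.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $servers = @($a.DNSServerSearchOrder)
    if ($servers.Count -eq 0) {
        $findings += "$($a.Description): no DNS servers configured"
        continue
    }
    # A resolver only counts as a domain DNS server if it can answer the
    # DC locator SRV query that Netlogon itself uses.
    $primary = $servers[0]
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                           -Server $primary -ErrorAction SilentlyContinue
    if (-not $srv) {
        $findings += "$($a.Description): primary DNS $primary cannot locate DCs for $Domain (DNS list: $($servers -join ', '))"
    }
}

# 2. Netlogon dependencies. The thread's interim workaround edited this
#    multi-string; the poster later dropped it, so it is reported, not judged.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$deps = (Get-ItemProperty -Path $key -Name DependOnService).DependOnService
Write-Output "Netlogon DependOnService: $($deps -join ', ')"

# 3. End-to-end DC locator check, the same path that produced
#    "no logon servers available" in the thread.
$dcOut = & nltest.exe /dsgetdc:$Domain 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    $findings += "nltest cannot find a DC for ${Domain}: $($dcOut.Trim())"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "DNS and DC locator checks passed for $Domain"
}
```

Run it on a branch client while the VPN tunnel is up; a warning on the primary DNS server is the condition the final answer in the thread describes.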
