ulensr
asked on
Accessing domain controller and resources from a remote site using VPN
Hi experts,
this one is urgent ...and rather complex...
Here is the story, we have 2 main sites and 14 branch sites.
The branch sites connect to the main sites using permanent VPN tunnels over the internet.
When I start some (this doesn't happen on all machines!) PCs in a branch office, they cannot access the resources (file server and Exchange server) of the remote site.
Here is the setup:
1) Each main site has a domain controller and Exchange server that successfully replicate with each other. They also each have their own file server which the remote sites need to access.
2) The remote sites each have their own IP subnet 192.168.1xx.xxx
Here is what I tried and found out...
--> server pings are successful
So there is connectivity!
--> nslookup for any server / client of the main site works smoothly without errors
So the DNS configuration is working!
--> When I change the password of a remote client in the AD, the user cannot login anymore and has to use the new password
So the client can contact the domain controller!
--> in the DNS servers I have added the IP subnet of the remote site to the reverse DNS zone, allowing zone transfers between the sites, and when the client logs in, the entry is created here.
So the client can read from and write to the DNS server!
--> when I check the Event Viewer audit log, everything is successful
So audit is working properly!
Running DCdiag on the domain controllers does not return any errors ...
Now for the errors:
------------------------
1) System Log:
EVENTID 40960
The Security System detected an attempted downgrade attack for server exchangeRFR/server.domain.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
EVENTID 40961
The Security System could not establish a secured connection with the server cifs/DC. No authentication protocol was available.
--> We are running XP SP2 and I read that this behaviour is caused by the domain controller being unavailable (but it is available, as proved above). I have also tried adding the domain controllers to the LMHOSTS file and allowing broadcast by adding NodeType=4 to the registry, but this results in the same.
--> I receive this error when starting up and also each time I try to connect to the exchange server. When I try to access a file share I am prompted for a loginname/password.
So something is wrong with authentication somewhere!
2) Application Log
EVENTID 1054
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred.) Group Policy processing aborted.
--> I get the same error if I run gpupdate from the console window!
So there is a networking issue that is causing the group policy to be halted!
3) Netdiag on the client machine gives the following errors:
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to '\\DOMAIN*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to dc.domain.local (192.168.1xx.x). [ERROR_INTERNAL_ERROR]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/domain.local.
[FATAL] Kerberos does not have a ticket for host/localhostname.domain.local.
So I get a lot of errors here but I have no clue where they come from.
Can anyone help me out, please?
Many thanks
Are your DCs Windows 2003 and have you recently applied SP1?
ASKER
The domain controllers are indeed Windows 2003 Server but no SP
ASKER
I did apply SP2 to the Windows XP clients, but for some it works, so it is strange.
Regards
Hmm.
Have a look at the following article.
http://support.microsoft.com/kb/898060/en-us
We have a similar network structure to yourself. Windows 2003 DCs at head office. 7 branch offices connected via IPSec VPNs with the remote offices using XP SP2 clients with a local Windows 2003 Server.
We had a major problem with our Windows 2003 SP1 branch office servers. We could ping them no problem, but were unable to terminal services in, map drives, etc... until we rebooted. We applied SP1 to our DCs and within a couple of days, the overseas offices could not communicate. It was obvious that SP1 had introduced the problem.
This article outlined the issues and suggested a fix.
http://support.microsoft.com/kb/899148/en-us
I think the first may well be a good avenue to investigate first.
ASKER
I will take a look at these articles right now, but just for your information, I seem to have left this out: we do not have a local server in the remote sites.
The remote sites need to logon over the VPN tunnel to the closest AD (which works for all) but accessing resources is still a problem.
We have the remote sites DNS servers in the DHCP config of the remote sites and the hosts file contains the most critical servers (this is just to speed up things, they can resolve even without the hosts file)
Thx
ASKER
I just noticed that when I try a remove/rejoin domain I get the following event, although the join domain was successful.
The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:
Adapter Name : {C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
Host Name : NITSICDS02
Primary Domain Suffix : domain.local
DNS server list :
CORPORATE DNS SERVER'S IP, ISP DNS SERVER IP
Sent update to server : 192.1.1.1
IP Address(es) :
LOCAL IP
Why does it send the update to 192.1.1.1 ???? There is nowhere anything configured with that IP address.
Maybe this additional information helps ...
Thx
I wonder whether the first DC in your domain has been configured with the address of an ISPs DNS server by mistake? Could you check DNS settings on your DCs.
ASKER
Hi,
our DNS server is configured properly, own IP in DNS settings, ISP IP's in forwarders.
ASKER
UPDATE!!!! Problem (seems) fixed....
When looking on the internet for the various errors, I found this on EVENTID:
In order to make this LSASRV event log entry disappear, simply make NETLOGON depend on DNS. This can be done in the registry easily: just go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon" and add the string "DNS" to the key "DependOnService" (place it under LanmanServer).
I just tried it - what the hell, nothing to lose - and the entry indeed disappeared .. better even ... the resources could be accessed now and Outlook connected !!!!
Nevertheless, I'm halfway there, I would still need to fix the issues with Netdiag & Eventlog because I don't feel very comfortable with this "fix".
Still points to earn ...
ASKER CERTIFIED SOLUTION
Hello ulensr,
We have a very similar setup to yours and we are also having outlook connectivity issues over the VPN, with the same errors. Is this registry change still working for you in your environment?
Thanks!
ASKER
Dear, the registry change was only a temporary solution and it didn't even work on all machines.
I found out that the proper way of doing this was to include the following in the IPCONFIG
DNS1: DNS server of the remote site
DNS2: public DNS
Regards
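The thread's findings line up with one check that the posts describe in words but never script: ping and nslookup of A records succeed, yet netdiag reports DC list, mailslot and Kerberos failures, and the dynamic-update event shows a DNS server list that mixes the corporate DNS server with an ISP resolver. The DC locator does not use A records; it asks the configured resolvers for the _msdcs and _kerberos SRV records, and a public resolver cannot answer those, which is exactly what "no logon servers available" (40960), "no authentication protocol was available" (40961) and "cannot obtain the domain controller name" (1054) look like from the client. The PowerShell below is an added example for this page, not code posted in the thread; it assumes the domain name domain.local from the posted events and a Windows 8/2012 or later client (the DnsClient and NetTCPIP cmdlets do not exist on XP, where netdiag and nltest fill the same role). It also prints the Netlogon DependOnService value that the registry workaround changes, and pulls the events quoted above.

```powershell
# Added example for this page, not code posted in the thread.
# Assumptions: domain 'domain.local' (from the posted event text); run in an
# elevated PowerShell on a domain-joined Windows 8/2012 or later client.
param([string]$Domain = 'domain.local')

# --- 1. DC-locator SRV lookups against every configured resolver -----------------
# nslookup of A records succeeding proves nothing about DC location; these are
# the records the locator needs, and a public/ISP resolver cannot return them.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain")
$adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }

$results = foreach ($a in $adapters) {
    foreach ($dns in $a.ServerAddresses) {
        foreach ($name in $srvNames) {
            try {
                # -DnsOnly bypasses the hosts file and NetBIOS/LLMNR, so the
                # answer reflects this resolver alone (the thread uses hosts files).
                $rr = Resolve-DnsName -Name $name -Type SRV -Server $dns -DnsOnly -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'SRV' }
                [pscustomobject]@{ Adapter = $a.InterfaceAlias; DnsServer = $dns; Query = $name
                                   Ok = $true;  Detail = ($rr.NameTarget -join ', ') }
            } catch {
                [pscustomobject]@{ Adapter = $a.InterfaceAlias; DnsServer = $dns; Query = $name
                                   Ok = $false; Detail = $_.Exception.Message }
            }
        }
    }
}
$results | Format-Table -AutoSize

# A resolver that fails every SRV query cannot locate a DC for this client.
$badResolvers = $results | Group-Object DnsServer |
                Where-Object { ($_.Group | Where-Object Ok).Count -eq 0 } |
                ForEach-Object Name
if ($badResolvers) {
    Write-Warning "Resolvers that cannot locate a DC for ${Domain}: $($badResolvers -join ', ')"
}

# --- 2. Are the DCs the working resolvers returned reachable on the AD ports? ----
# 88 = Kerberos (40960 'no logon servers'), 389 = LDAP (DsBind), 445 = SMB (cifs/DC, 40961).
$dcs = $results | Where-Object Ok | ForEach-Object { $_.Detail -split ', ' } | Sort-Object -Unique
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-40} tcp/{1,-4} {2}' -f $dc, $port, $(if ($open) { 'open' } else { 'BLOCKED' })
    }
}

# --- 3. The Netlogon dependency list the registry workaround in the thread edits --
$dep = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon' -Name DependOnService).DependOnService
"Netlogon DependOnService: $($dep -join ', ')"

# --- 4. The events quoted in the thread, from the last 24 hours -------------------
Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Id = 40960, 40961, 1054
                                 StartTime = (Get-Date).AddDays(-1) } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List

# --- 5. What the DC locator and Kerberos actually did ------------------------------
nltest "/dsgetdc:$Domain" /force    # which DC was chosen, or the locator error code
klist                               # whether a krbtgt/$Domain ticket exists at all
```

Two caveats worth keeping in mind when reading the output. First, the Windows DNS client only moves on to the next configured server when the current one times out, not when it answers with "name does not exist", and once it has moved it keeps preferring that server; so a resolver that fails the SRV lookups in section 1 can become the only one consulted even when it is listed second, which is consistent with the thread's "not all machines, not all the time" symptom. Second, event 40960's "downgrade attack" wording is the client noticing that Kerberos could not obtain a ticket and that the connection fell back to NTLM or failed; the credential prompt on the file share and the Outlook connection failure are that same fallback, so the fix belongs in DC location (section 1 and 2), and the Netlogon dependency change in section 3 only alters service start order on the client.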