Accessing domain controller and resources from a remote site using VPN

Hi experts,

This one is urgent... and rather complex...

Here is the story, we have 2 main sites and 14 branch sites.

The branch sites connect to the main sites using permanent VPN tunnels over the internet.

When I start some (this doesn't happen on all machines!) PCs in a branch office, they cannot access the resources (file server and Exchange server) of the remote site.

Here is the setup:

1) Each main site has a domain controller and Exchange server that successfully replicate with each other. They also each have their own file server which the remote sites need to access.
2) The remote sites each have their own IP subnet

Here is what I tried and found out...

--> server pings are successful

So there is connectivity!

--> nslookup for any server / client of the main site works smoothly without errors

So the DNS configuration is working!

--> When I change the password of a remote client in the AD, the user cannot login anymore and has to use the new password

So the client can contact the domain controller!

--> in the DNS servers I have added the IP subnet of the remote site to the reverse DNS folder, allowing zone transfers between the sites, and when the client logs in, the entry is created here.

So the client can read from and write to the DNS server!

--> when I check the Event Viewer audit log, everything is successful

So audit is working properly!

Running DCdiag on the domain controllers does not return any errors ...

Now for the errors:

1) System Log:

The Security System detected an attempted downgrade attack for server exchangeRFR/server.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."

The Security System could not establish a secured connection with the server cifs/DC.  No authentication protocol was available.

--> We are running XP SP2 and I read that this behaviour is caused by the domain controller being unavailable (but it is, as proved above). I have also tried adding the domain controllers to the LMHOSTS file and allowing broadcast by adding NodeType=4 to the registry, but this results in the same.

--> I receive this error when starting up and also each time I try to connect to the Exchange server. When I try to access a file share I am prompted for a login name/password.

So something is wrong with authentication somewhere!

2) Application Log

Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

--> I get the same error if I run gpupdate from the console window!

So there is a networking issue that is causing the group policy processing to be halted!

3) Netdiag on the client machine gives the following errors:

[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Redir and Browser test . . . . . . : Failed
    List of NetBt transports currently bound to the Redir
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    The browser is bound to 1 NetBt transport.
    [FATAL] Cannot send mailslot message to '\\DOMAIN*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to dc.domain.local (192.168.1xx.x). [E

Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for krbtgt/domain.local.
        [FATAL] Kerberos does not have a ticket for host/localhostname.domain.local.

So I get a lot of errors here but I have no clue where they come from.

Can anyone help me out, please?

Many thanks

Are your DCs Windows 2003 and have you recently applied SP1?
ulensrAuthor Commented:
The domain controllers are indeed Windows 2003 Server but no SP
ulensrAuthor Commented:
I did apply SP2 to the Windows XP clients but for some it works so it is strange


Have a look at the following article.

We have a similar network structure to yourself.  Windows 2003 DCs at head office.  7 branch offices connected via IPSec VPNs with the remote offices using XP SP2 clients with a local Windows 2003 Server.

We had a major problem with our Windows 2003 SP1 branch office servers.  We could ping them no problem, but were unable to terminal services in, map drives, etc... until we rebooted.  We applied SP1 to our DCs and within a couple of days, the overseas offices could not communicate.  It was obvious that SP1 had introduced the problem.

This article outlined the issues and suggested a fix.

I think the first may well be a good avenue to investigate first.
ulensrAuthor Commented:
I will take a look at these articles right now, but just for your information (I seem to have left this out), we do not have a local server in the remote sites.

The remote sites need to logon over the VPN tunnel to the closest AD (which works for all) but accessing resources is still a problem.

We have the remote sites' DNS servers in the DHCP config of the remote sites, and the hosts file contains the most critical servers (this is just to speed things up; they can resolve even without the hosts file).

ulensrAuthor Commented:
I just noticed that when I try a remove/rejoin domain I get the following event, although the join domain was successful.

The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
   Host Name : NITSICDS02
   Primary Domain Suffix : domain.local
   DNS server list :
   Sent update to server :
   IP Address(es) :

Why does it send the update to ????  There is nothing configured anywhere with that IP address.

Maybe this additional information helps ...

I wonder whether the first DC in your domain has been configured with the address of an ISP's DNS server by mistake?  Could you check the DNS settings on your DCs?
ulensrAuthor Commented:

Our DNS server is configured properly: own IP in DNS settings, ISP IPs in forwarders.

ulensrAuthor Commented:
UPDATE!!!! Problem (seems) fixed....

When looking on the internet for the various errors, I found this on EVENTID:

In order to make this LSASRV event log entry disappear, simply make NETLOGON depend on DNS. This can be done in the registry easily, just go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).
I just tried it - what the hell, nothing to lose - and the entry indeed disappeared .. better even ... the resources could be accessed now and Outlook connected !!!!

Nevertheless, I'm halfway there, I would still need to fix the issues with Netdiag & Eventlog because I don't feel very comfortable with this "fix".

Still points to earn ...
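The registry tweak quoted from EVENTID above is easy to get wrong by hand: DependOnService is a REG_MULTI_SZ, so typing a single "DNS" string over it silently drops the existing entries, and a dependency on a service name that does not exist on the box stops Netlogon from starting at all. The following PowerShell is an added example (not from the thread or from EVENTID) that reads the current list, appends a dependency only if that service actually exists locally, and can undo the change. The service name is a parameter because "DNS" is the DNS Server service (present on servers only), while the client-side resolver service is named "Dnscache"; it assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: inspect, add and remove a Netlogon service
# dependency safely. Run from an elevated PowerShell prompt.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'

function Get-NetlogonDependencies {
    # DependOnService is REG_MULTI_SZ, so it comes back as a string array
    @((Get-ItemProperty -Path $netlogonKey -Name DependOnService).DependOnService)
}

function Add-NetlogonDependency {
    param([string]$ServiceName = 'DNS')   # 'DNS' = DNS Server service; client resolver is 'Dnscache'
    $current = Get-NetlogonDependencies
    if ($current -contains $ServiceName) {
        "Netlogon already depends on $ServiceName; nothing to do"
        return
    }
    # A dependency on a service that is not installed makes Netlogon fail to start,
    # so refuse to add one that the SCM does not know about on this machine.
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        throw "Service '$ServiceName' does not exist on this machine; not adding the dependency"
    }
    # Keep the previous value so the change can be reverted later
    $backup = Join-Path $env:TEMP 'netlogon-DependOnService.bak'
    $current | Set-Content -Path $backup
    # Append to the array; writing a plain string here would discard LanmanWorkstation etc.
    Set-ItemProperty -Path $netlogonKey -Name DependOnService -Value ($current + $ServiceName) -Type MultiString
    "Added $ServiceName; previous list saved to $backup (restart Netlogon or reboot to apply)"
}

function Remove-NetlogonDependency {
    param([string]$ServiceName = 'DNS')
    $remaining = Get-NetlogonDependencies | Where-Object { $_ -ne $ServiceName }
    Set-ItemProperty -Path $netlogonKey -Name DependOnService -Value @($remaining) -Type MultiString
    "Removed $ServiceName; Netlogon now depends on: $($remaining -join ', ')"
}

# Show the current state before touching anything
'Current Netlogon dependencies: ' + (Get-NetlogonDependencies -join ', ')
```

Call `Add-NetlogonDependency` and `Remove-NetlogonDependency` explicitly once you have looked at the current list; the script itself only reports. Note that this changes service start ordering only, which is why it can hide the LSASRV event on a machine whose resolver comes up late without doing anything about a client that cannot find a DC through its configured DNS servers.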
PAQed with points refunded (500)

Community Support Moderator

Hello ulensr,

We have a very similar setup to yours and we are also having Outlook connectivity issues over the VPN, with the same errors. Is this registry change still working for you in your environment?

ulensrAuthor Commented:
Dear, the registry change was only a temporary solution and it didn't even work on all machines.

I found out that the proper way of doing this was to include the following in the IPCONFIG:

DNS1: DNS server of the remote site
DNS2: public DNS
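Every symptom in this thread (the LSASRV downgrade event, "no logon servers available", gpupdate failing, netdiag's missing krbtgt ticket) is what a domain client shows when its DC locator query fails: Netlogon finds a DC by asking the configured DNS servers for the `_ldap._tcp.dc._msdcs.<domain>` SRV record, and a resolver that knows nothing about the internal zone answers that query with an error. The PowerShell below is an added example (not part of the thread) that asks each DNS server configured on the client for that record individually, so a server that resolves internet names but cannot locate a DC shows up as FAILED, and then runs the locator itself. It assumes Windows 8 / Server 2012 or later (for the DnsClient module and nltest.exe) and uses the thread's placeholder name `domain.local`.

```powershell
# Added example, not from the thread: test each configured DNS server against the
# DC locator SRV record, then confirm Netlogon can actually find a DC.
param([string]$Domain = 'domain.local')   # placeholder domain name from the thread

function Test-DcLocatorDns {
    param([string]$Domain)
    # Netlogon locates DCs through this record; a resolver that cannot answer it
    # (for example a public one) is useless for logon even if it resolves www fine.
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    $results = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($server in $cfg.ServerAddresses) {
            try {
                # -DnsOnly bypasses the hosts file and the local cache so the answer
                # really comes from this server
                $answers = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'SRV' }
                [pscustomobject]@{
                    Interface = $cfg.InterfaceAlias
                    Server    = $server
                    SrvLookup = 'OK'
                    Detail    = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                }
            } catch {
                [pscustomobject]@{
                    Interface = $cfg.InterfaceAlias
                    Server    = $server
                    SrvLookup = 'FAILED'
                    Detail    = $_.Exception.Message
                }
            }
        }
    }
    $results
}

function Test-DcReachable {
    param([string]$Domain)
    # /force discards the cached DC so the locator goes out over the VPN again
    $out = & nltest.exe /dsgetdc:$Domain /force 2>&1
    [pscustomobject]@{ Found = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

Test-DcLocatorDns -Domain $Domain | Format-Table -AutoSize
$dc = Test-DcReachable -Domain $Domain
if ($dc.Found) { $dc.Output } else { Write-Warning "DC locator failed:`n$($dc.Output)" }
# Current Kerberos tickets; the thread's netdiag output showed none for krbtgt/<domain>
& klist.exe
```

Run it on an affected branch-office client while the VPN is up. With the poster's final configuration (internal DNS first, public DNS second), the second server is expected to show FAILED for the SRV lookup: the Windows resolver falls back to the next server when the first one times out, and once it has done so it keeps using that server for a while, which is the window in which a client stops finding a DC even though pings and nslookup still succeed. A client whose DNS list contains only servers that show OK here does not have that failure mode.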
