Accessing domain controller and resources from a remote site using VPN

Posted on 2006-04-24
Last Modified: 2013-12-23
Hi experts,

this one is urgent ...and rather complex...

Here is the story, we have 2 main sites and 14 branch sites.

The branch sites connect to the main sites using permanent VPN tunnels over the internet.

When I start some (this doesn't happen on all machines!) PC's in a branch office, it cannot access the resources (file server and exchange server) of the remote site.

Here is the setup:

1) Each main site has a domain controller and exchange server that successfully replicate with each other. They also each have their own file server which the remote sites need to access.
2) The remote sites each have their own IP subnet

Here is what I tried and found out...

--> server pings are successful

So there is connectivity!

--> nslookup for any server / client of the main site works smoothly without errors

So the DNS configuration is working!

--> When I change the password of a remote client in the AD, the user cannot login anymore and has to use the new password

So the client can contact the domain controller!

--> in the DNS servers I have added the IP subnet of the remote site to the reverse DNS folder, with allowing zone transfers between the sites and when the client logs in, the entry is created here.

So the client can read from and write to the DNS server!

--> when I check the eventviewer audit log, everything is successful

So audit is working properly!

Running DCdiag on the domain controllers does not return any errors ...

Now for the errors:

1) System Log:

The Security System detected an attempted downgrade attack for server exchangeRFR/server.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."

The Security System could not establish a secured connection with the server cifs/DC.  No authentication protocol was available.

--> We are running XP SP2 and I read that this behaviour is caused by the domain controller being unavailable (but it is, as proved above). I have also tried adding the domain controllers to the LMHOSTS file and allowing broadcast by adding NodeType=4 to the registry but this results in the same.

--> I receive this error when starting up and also each time I try to connect to the exchange server. When I try to access a file share I am prompted for a loginname/password.

So something is wrong with authentication somewhere!

2) Application Log

Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

--> I get the same error if I run gpupdate from the console window!

So there is a networking issue which is causing the group policy to be halted!

3) Netdiag on the client machine gives the following errors:

[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Redir and Browser test . . . . . . : Failed
    List of NetBt transports currently bound to the Redir
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    The browser is bound to 1 NetBt transport.
    [FATAL] Cannot send mailslot message to '\\DOMAIN*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to dc.domain.local (192.168.1xx.x). [E

Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for krbtgt/domain.local.
        [FATAL] Kerberos does not have a ticket for host/localhostname.domain.local.

So I get a lot of errors here but I have no clue where they come from.

Can anyone help me out, please?

Many thanks
Question by: ulensr

    Expert Comment

    Are your DCs Windows 2003 and have you recently applied SP1?

    Author Comment

    The domain controllers are indeed Windows 2003 Server but no SP

    Author Comment

    I did apply SP2 to the Windows XP clients but for some it works so it is strange


    Expert Comment


    Have a look at the following article.

    We have a similar network structure to yours.  Windows 2003 DCs at head office.  7 branch offices connected via IPSec VPNs with the remote offices using XP SP2 clients with a local Windows 2003 Server.

    We had a major problem with our Windows 2003 SP1 branch office servers.  We could ping them no problem, but were unable to terminal services in, map drives, etc... until we rebooted.  We applied SP1 to our DCs and within a couple of days, the overseas offices could not communicate.  It was obvious that SP1 had introduced the problem.

    This article outlined the issues and suggested a fix.

    I think the first may well be a good avenue to investigate first.

    Author Comment

    I will take a look at these articles right now but just for your information, I seem to have left this out, we do not have a local server in the remote sites.

    The remote sites need to logon over the VPN tunnel to the closest AD (which works for all) but accessing resources is still a problem.

    We have the remote sites' DNS servers in the DHCP config of the remote sites and the hosts file contains the most critical servers (this is just to speed up things, they can resolve even without the hosts file)


    Author Comment

    I just noticed that when I try a remove/rejoin domain I get the following event although the join domain was successful.

    The system failed to update and remove host (A) resource records (RRs) for network adapter
    with settings:

       Adapter Name : {C1CB5D21-8B68-4BE1-B1D6-B16C76C00773}
       Host Name : NITSICDS02
       Primary Domain Suffix : domain.local
       DNS server list :
       Sent update to server :
       IP Address(es) :
         LOCAL IP

    Why does it send the update to ???? There is nowhere anything configured with that IP address.

    Maybe this additional information helps ...


    Expert Comment

    I wonder whether the first DC in your domain has been configured with the address of an ISP's DNS server by mistake?  Could you check the DNS settings on your DCs.

    Author Comment


    Our DNS server is configured properly, own IP in DNS settings, ISP IPs in forwarders.


    Author Comment

    UPDATE!!!! Problem (seems) fixed....

    When looking on the internet for the various errors, I found this on EVENTID

    In order to make this LSASRV event log entry disappear, simply make NETLOGON depend on DNS. This can be done in the registry easily, just go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).
    I just tried it - what the hell, nothing to lose - and the entry indeed disappeared .. better even ... the resources could be accessed now and outlook connected !!!!

    Nevertheless, I'm halfway there, I would still need to fix the issues with Netdiag & Eventlog because I don't feel very comfortable with this "fix".

    Still points to earn ...

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator

    Expert Comment

    Hello ulensr,

    We have a very similar setup to yours and we are also having outlook connectivity issues over the VPN, with the same errors. Is this registry change still working for you in your environment?


    Author Comment

    Dear, the registry change was only a temporary solution and it didn't even work on all machines.

    I found out that the proper way of doing this was to include the following in the IPCONFIG

    DNS1: DNS server of the remote site
    DNS2: public DNS
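The final fix above works because a Windows client finds a domain controller through DNS SRV records, not through the hosts file, LMHOSTS or NetBIOS broadcasts: it resolves `_ldap._tcp.dc._msdcs.<domain>`, and a resolver that cannot answer that name (a public or ISP resolver) leaves Kerberos with no KDC, which is where the "no logon servers available" and "downgrade attack" events come from. The script below is an added example, not code from the thread; it builds and parses that SRV query with only the Python standard library so each resolver in a branch client's DNS list can be checked directly (resolver addresses and `domain.local` are placeholders, and `build_srv_response` only fabricates a reply to exercise the parser offline).

```python
import socket, struct

SRV = 33                                  # DNS RR type SRV
DC_SRV = "_ldap._tcp.dc._msdcs.{domain}"  # name the Windows DC locator resolves to find a DC / KDC

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:              # compression pointer (RFC 1035 section 4.1.4)
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
def build_srv_query(name, txid=0x1234):   # standard query, recursion desired, one SRV/IN question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", SRV, 1)
def build_srv_response(query, answers):
    """Constructed reply to `query`, used only to exercise the parser offline (not a real server)."""
    qend = _read_name(query, 12)[1] + 4
    msg = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0) + query[12:qend]
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata  # owner = pointer to qname
    return msg
def parse_srv_answers(msg):
    """[(priority, weight, port, target)] for each SRV RR in the answer section, lowest priority first."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, found = 12, []
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            found.append((prio, weight, port, _read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(found)

def query_dc_srv(resolver_ip, domain, timeout=3):  # [] or a timeout: clients listing this resolver first find no DC
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(DC_SRV.format(domain=domain)), (resolver_ip, 53))
        return parse_srv_answers(s.recv(4096))
```

Run `query_dc_srv("192.168.1.10", "domain.local")` against the internal DNS server and again against the ISP resolver from the client's list (placeholder addresses): the first should return the DCs with their priorities, the second nothing, which is exactly the resolver-order problem the last comment fixes.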

