One user cannot access network resources, L2L PIX to 3000

I have a small remote office where 4 employees work using a L2L VPN from their local PIX 506E to our VPN 3000 at our main office.  3 of the users have no problem accessing network resources, but one cannot.  The only difference that I can see is that the three who can are members of a workgroup, and the user who can't was joined to our domain when in our office...  He can ping the inside IP addresses of the servers he is trying to access, but cannot get to resources.

I don't know where else to look?
mchad65 Asked:
Yves Accad (Network Security Engineer) Commented:
Can he access \\ipaddress\share?
mchad65 (Author) Commented:
Well, that is where it gets stranger.  If he tries to map bp ip, he is prompted for a password (even though he is logged in as a domain user) and when he enters it in the format domain\username he gets an error like "the username entered is the same username that the computer is logged in as" (or something very similar) and is denied.  However, if a different username is used, it grants access to the resource...
mchad65 (Author) Commented:
I meant "map BY ip" not "map bp ip"...
Yves Accad (Network Security Engineer) Commented:
It sounds like a DNS issue.

Can he access \\machinename.domainname\share?
Yves Accad (Network Security Engineer) Commented:
If the above works, have him go to the properties of his NIC > Advanced > DNS tab. Does he have the domain value under "Append these DNS suffixes"?
mchad65 (Author) Commented:
But if it is DNS only, why is he a) being prompted for a username and password, and b) getting the error that the username is the same as the login name?

Note: when he connects via the Cisco VPN client from home, everything works as it should...
mchad65 (Author) Commented:
I will have to have him check the above on Monday.  It's 6pm there now and I'm sure he's in a pub (where I should be).
Yves Accad (Network Security Engineer) Commented:
HEHE, Cheers!
Yves Accad (Network Security Engineer) Commented:
I would make sure of one other thing: that his machine points to the DC for DNS. When a machine is part of a domain and you're dealing with Active Directory, if the client machine is not using the Domain Controller for its DNS, even if it can resolve names through another DNS server, you will have that type of issue.
mchad65 (Author) Commented:
The DHCPD DNS command assigns his local ISP DNS as primary, and our internal DNS as secondary (the same as all the other users that work OK).
mchad65 (Author) Commented:
Also, he has a hosts file with the IPs and server names as well...
Yves Accad (Network Security Engineer) Commented:
That might be the problem; remember your other users are not part of the domain according to your initial question.
> The DHCPD DNS command assigns his local ISP DNS as primary, and our internal DNS as secondary (the same as all the other users that work OK)
> Also, he has a hosts file with the IPs and server names as well...
Looking at the above 2 statements:
- The hosts file takes precedence, so basically anything in the hosts file will be used before DNS.
- The primary DNS will be used next, which is your ISP; your internal DNS will probably never be used, because as secondary the only way it would be used is if your primary DNS ceased to respond.

I would suggest using your internal DC DNS as primary DNS and enabling forwarders on the internal DNS server to your public DNS at HQ. This way any zone not found in your internal DNS would be forwarded, so the user could still connect to domain names not found on your internal DNS.

mchad65 (Author) Commented:
But if the hosts file takes priority, why does it still fail, as the servers in question are in the hosts file?
Yves Accad (Network Security Engineer) Commented:
Because Active Directory requires DC DNS; even if the servers are in the hosts file, that is not enough. It's enough at the network level, but not at the application level. You can ping the machines but you cannot use Active Directory resources.
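The two points Yves makes above (the hosts file and the ISP primary DNS mask the internal server, and a hosts entry cannot substitute for the DNS records Active Directory itself needs) can be checked on the affected client in one pass. The script below is an added diagnostic for this thread, not something posted by either participant or shipped with the PIX or VPN 3000. It assumes a domain-joined Windows client with the DnsClient PowerShell module (Windows 8 / Server 2012 or later) and takes the AD domain name from the computer's own join information; the `$DomainName` parameter is the only assumed input and can be overridden. It prints the per-adapter DNS server order, the suffix search list, the active hosts-file entries, and then asks each configured DNS server for the `_ldap._tcp.dc._msdcs.<domain>` SRV record that domain logon and share access depend on, so an ISP resolver sitting in the primary slot shows up as a FAIL while the internal DC answers.

```powershell
# Added diagnostic for the DNS-order problem discussed in this thread (not from the original post).
# Assumption: run on the domain-joined client; $DomainName defaults to the joined AD domain.
param(
    [string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain
)

Write-Host "== 1. DNS servers per adapter (first entry is primary; secondary is only tried if primary fails) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

Write-Host "== 2. DNS suffix search list (the AD domain should be listed) =="
(Get-DnsClientGlobalSetting).SuffixSearchList

Write-Host "== 3. Active hosts-file entries (these override DNS for plain name lookups) =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '^\s*\d' }

Write-Host "== 4. Can each configured DNS server answer the domain-controller SRV query? =="
# Domain logon, Kerberos and Group Policy locate a DC through this record.
# A hosts file cannot carry SRV records, which is why ping works but AD resources do not.
$srv = "_ldap._tcp.dc._msdcs.$DomainName"
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique
foreach ($s in $servers) {
    try {
        $r = Resolve-DnsName -Name $srv -Type SRV -Server $s -DnsOnly -ErrorAction Stop
        $targets = ($r | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
        Write-Host ("  {0}: OK   -> {1}" -f $s, $targets)
    } catch {
        Write-Host ("  {0}: FAIL ({1})" -f $s, $_.Exception.Message)
    }
}

Write-Host "== 5. DC locator result (what the client actually ends up using) =="
nltest /dsgetdc:$DomainName
```

Expected pattern for the user in this thread: step 1 shows the ISP resolver first and the internal server second, step 3 lists the servers he can ping, and in step 4 the ISP resolver returns FAIL for the SRV query while the internal DC returns OK. Swapping the order so the internal DC is the first server handed out by the PIX (the PIX `dhcpd dns` command takes the servers in the order they should be used) and removing the hosts-file entries makes step 4 succeed on the primary server, after which `nltest` finds the DC and mapped drives authenticate with the logged-on domain account instead of prompting.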
