Windows server 2003 domain DFS connectivity in remote location

When you say they're connected via vpn do you mean a branch office vpn (firewall to firewall)?  Anyhing in the Event Logs on either server?

yes, firewall to firewall.  I looked in the event logs and there was nothing regarding this.  Do I need to setup the dfs roots on the second DC?  I thought everything was handled by active directory.

  Ok is your active directory replicating correctly  ? you can check via event viewer.....  
and also check dns to make sure there is no errors there....  Usually an access denied in active directory is a permission issue....  and can be a replication issue if the permissions haven't replicated to the other server....
 
  Also if you can give a more detailed description of your network setup it will help us with the troubleshooting.....

 

there haven't been any errors in the event logs for active directory, replication, dns or dfs for some time.  I can manually map drives for the users in the second location to their dc using \\SDC\folder (which replicate from PDC) just fine.

My network: 2 locations connected together via a site to site vpn over a wan.  Each location has a DC (location 1 has the PDC and location 2 has the SDC).  Both DC's are windows 2003 servers R2.  Both run active directory which sync just fine.  SDC looks to PDC for dns.  Both sites have been setup in AD using subnets.  I enabled DFS insite only.  Both DC's can ping each other using their respective FQDN.  

One thing I noticed is if I open the DFS setup on the SDC, it doesn't show any roots at all (not sure if this is supposed to be this way) even though the folders replicate between the 2 DC's.

 Try adding new dfs root browse to the primary dc and select it...

should I add it?

yes

on the sdc, I attempted to add a new root.  I told the SDC to look at its self, then I named the root the same as on the PDC.  It then says that the root name already exists.

even though it does not show it.

in the dfs snap in, I tried show root.  I browsed and found my root on the PDC... when I attempt to show it, it says root cannot be found even though it sees it in the browse portion.

   Usually when that happends  something is not transfering accross the vpn (netbios, permissions something)  on the VPN do you have split-tunnel setup on the firewalls ?

I am using a hardware vpn (routers).  I don't know what split-tunnel is.

  what kind of firewalls are they ?

linksys business to business vpn routers...  Also, I checked the permissions for authenticated users on both DCs and they were exactly the same.

sorry authenticated users security in the dfs portion of the AD users and groups snap in

try adding domain users to the security group

k... gimme a sec.

I am going to add domain users to the PDC and see if it updates the SDC

will do

OK, so it updated the security changes from the PDC to the SDC.  But adding domain users did not work.

is the second dc setup as a bridge head server ? use" ip" to update ?   make sure to set it up on both sides.....
      and remenber remote DC's default take 15 min to update..... its not instant......

I think I changed the dc sync from 60 minutes to 15 minutes when I originally set them up.  

Yes, both use IP to update each other... I don't know what a bridge head server is.

I know if i remove the dfs insite switch, both sites will be able to connect to the dfs shares.  The only problem with this is that site 2 will connect to site 1 for the shares... which means site 2 file access will be slooooow.

on site 2 dc do the files replicate tot he server ?

yes, the files copy and update both ways.