Not able to access domain resources at remote locations.

I can not browse or access domain resources at remote sites. We have 3 sites, each with a Windows 2003 server, all in the same domain. Each site has a Domain Controller. The DC at each site is a DNS server pointing to the other sites' DCs' DNS. We are not able to browse network neighborhood to see the computers and printers at the other sites. Each site can see everything at its location, but nothing at the other two locations. When I use Active Directory, I can see the other sites' computers and printers, but I get an error message saying "access is denied." Each site is connected through a VPN tunnel. We have a need to be able to print from a computer at one site to a printer at a different site. I can not even access the shares at the remote site using the remote device's IP address in the run command. I can see the share, but get the access denied message when trying to access it. I am at a loss...

Thank you for your help
ChiefIT Commented:
I have an extremely dynamic LAN. Computers are plugging into my network all the time. To create less admin work, I used to disable the computers when they left instead of disabling them. Here is the problem with that: disabling the computer keeps the DNS record intact. So, I had multiple computers with the same IP space and scavenging of resource records appeared not to work. As soon as I deleted all the old computer SIDs from Active Directory, these DNS records went away.

You might want to check three things for these old DNS records.

1) Set scavenging of resource records and follow the steps to dynamically delete DNS resource records. (See link below)
2) Make sure the SIDs of old computers are deleted instead of disabled.
3) Make sure DHCP is updating DNS records. (See same link below)
Try to change the DC DNS to itself and try again.
Are there firewalls between the sites?

And I'm assuming that your DNS zone for the domain is an AD Integrated zone? Can you ping by name devices at the other sites?

"The DC at each site is a DNS server pointing to the other sites DC's DNS" - do you mean that your forwarders are set up to point to the other sites' DCs?

sonofdavisAuthor Commented:
The DC's DNS are pointing to themselves.

We use the firewalls at each site in the routers. I have looked at the firewalls, but I am not sure what to look at for this.

Yes, the DNS zone for the domain is an AD Integrated zone.

I will try to ping by name.  I will not be able to try this until Thursday afternoon, 10/18/07.  I will let you know the results.

Thanks for the help.  
You could be running into one of two issues in my opinion.

One would be a trusted site issue.

The second would be the master browser. You said you were having problems browsing computers. I am assuming you mean, they are not showing up in "My Network Places"

Microsoft uses Netbios over TCPIP broadcasts from the clients to populate the master browse list by default. If you are on a local domain, that will work. But in either of these scenarios, Netbios over TCPIP will not work:

>going across to a different domain,
>across a firewall,
>through a NAT box,
>over a WAN connection,
>through a VPN tunnel,
>To different IP spaces
>To different Subnet masks

I have a workaround. It requires WINS. Instead of using NetBIOS broadcasts, LMHOSTS records can be used to populate the browse list in My Network Places. There is nothing wrong with running both simultaneously.

Here is a link that better describes what I am talking about:

About 3/4 of the way down the page, you can find the WAN configuration of populating the Master Browser Service.

I hope this helps.

sonofdavisAuthor Commented:
matt_beatt: Can you ping by name devices at the other sites? - Yes I can.

ChiefIT:  I am looking into the link you posted.  It will take a couple of days to try it.

Thanks for your efforts.
how goes the battle?
sonofdavisAuthor Commented:
Sorry for the long period of no activity.  I have not had time to work at this location.  But I am here today.  
Here is a summary of where I am:

Browsing problems - computers are not showing up in "My Network Places" across network segments separated by routers.

I can ping by IP across network segments, but I can not ping by computer name. However, I can ping by computer name from the Domain Controllers on each network segment?

From the run prompt I can not connect to a computer by "\\computer_IP". I am used to doing this to work around name resolution issues. But I get a network path not found error, even though I can ping the IP. I do not understand this.

I have tried to configure the routers to allow UDP port 137. I am not sure if I am doing it right, but I created an access rule for the WAN1, allowing UDP port 137 to and from the IP ranges of two network segments. This has not changed anything.

I have WINS running on one segment but not the others. I will have to configure a server to run WINS; I was hoping to avoid this because of limited time (configuring the server and all client PCs). This may take a couple of days or more.

sonofdavisAuthor Commented:
Update:  I can ping by computer name across network segments.  I was mis-reading the device name.  But I am resolving computer name to IP by pinging.
If you're running across a firewall you're going to need to open more than just the one UDP port. See the below list of ports required to connect to an MS domain across a firewall. Can you try this from one site to another from a command prompt - telnet <remoteResourceIP> 445 - and see if it connects or not? This will tell you if you can actually connect to a remote resource across your firewall on SMB TCP port 445.

RPC endpoint mapper - 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service - 137/tcp, 137/udp
NetBIOS datagram service - 138/udp
NetBIOS session service - 139/tcp
RPC dynamic assignment - 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS) - 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) - 389/tcp
LDAP ping -389/udp
LDAP over SSL -636/tcp
Global catalog LDAP - 3268/tcp
Global catalog LDAP over SSL - 3269/tcp
Kerberos - 88/tcp, 88/udp
Domain Name Service (DNS) - 53/tcp, 53/udp
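The telnet-to-445 test above can be extended to the whole list. The script below is an added example (not posted by matt or anyone in the thread): it tries a TCP connection to each TCP port in the list from the site you run it at, against a DC or file server at the remote site, and reports which ones the router firewall or VPN is dropping. UDP ports (137/138, 88/udp, 53/udp, LDAP ping on 389/udp) cannot be tested with a plain connect and are left out; the RPC dynamic range is too large to probe this way. The default target address is a documentation placeholder, not a real host.

```python
"""Probe the TCP ports a Windows domain needs across a site-to-site firewall.

Added example. Generalises the 'telnet <remoteResourceIP> 445' check to every
TCP port in the list posted above. Run it from a workstation at one site against
a domain controller at another:  python check_domain_ports.py 10.20.0.5
"""
import socket
import sys

# TCP ports from the list above; descriptions are the ones given there.
# The RPC dynamic range (1024-65535/tcp) is not enumerated here.
DOMAIN_TCP_PORTS = {
    53: "Domain Name Service (DNS)",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    389: "LDAP",
    445: "SMB over IP (Microsoft-DS)",
    636: "LDAP over SSL",
    3268: "Global catalog LDAP",
    3269: "Global catalog LDAP over SSL",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Both 'connection refused' (host reachable, service not listening) and a
    silent timeout (packet dropped by a firewall) come back as False; the
    router's deny log is the place to tell the two apart.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_domain_ports(host, ports=DOMAIN_TCP_PORTS, timeout=2.0):
    """Probe each port and return {port: (description, reachable)}."""
    return {p: (desc, tcp_port_open(host, p, timeout)) for p, desc in ports.items()}


def blocked_ports(results):
    """Sorted list of ports that did not answer, to compare against the ACL."""
    return sorted(p for p, (_, ok) in results.items() if not ok)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder; pass the remote DC's IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_domain_ports(target)
    for port, (desc, ok) in sorted(results.items()):
        print(f"{port:>5}/tcp  {'open   ' if ok else 'BLOCKED'}  {desc}")
    print("blocked:", blocked_ports(results))
```

A port that shows as BLOCKED here but appears permitted in the router's access rule is usually being matched by a rule above it, or the return traffic is not allowed back through the other site's firewall; checking from both directions sorts that out quickly.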
Nice information matt:

At this point, It might be best to get a topology of your network and how you plan on connecting to remote sites. Then we can figure out a path together.

DNS resolution is a separate entity than populating My Network Places with computers. The best way to populate My network places is to use the WAN configuration and WINS for the master browser.

Also there are configurations for Remote Desktop and Telnet connections. Matt is providing you with valuable information.

The default values for the domain that Microsoft put into play are used for a domain on the same subnet. It will take custom configurations to make things work as you wish.
sonofdavisAuthor Commented:
Thanks for the great info!

Update:  I found that the reason I could not access the shared printer off of a PC was because the PC had the XP firewall on.  When I turned the firewall off I can now browse network neighborhood or connect directly and add the printer.  I have found that if I turn off the XP firewall on the PCs I can now browse to them, even across different network segments.

I do have a new issue with a few of the PCs.  Some of the PCs with the firewall now turned off do not show up.  When I try to ping the computer name I get an error message about a duplicate name.  I have looked at the DHCP table and the name only has one IP.  Looking in DNS the forward lookup is right, one computer name to the correct IP, but the reverse lookup has the IP with a different computer name.  Could this cause a duplicate name error?  I have looked at the PCs and can not find two PCs with the same name.  Any ideas on how to find where the duplicate name conflict is?

Should I start a new topic with this duplicate name issue?  

Thanks again for all the help.
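The forward/reverse mismatch described above (A record correct, PTR for the same IP carrying another name) is the kind of stale record that scavenging is meant to clear, and it is easy to enumerate before going PC to PC looking for a duplicate name. The script below is an added example, not something posted in the thread: it compares a zone's A records with the matching PTR records and lists every host whose reverse entry is missing or names a different machine. The sample records are constructed for illustration; `live_check` does the same comparison against whatever DNS the machine running it is pointed at.

```python
"""Report hosts whose forward (A) and reverse (PTR) DNS records disagree.

Added example. Feed it the A records of the forward zone and the PTR records
of the reverse zone (exported from the DNS console, or gathered live) and it
returns the stale or conflicting reverse entries.
"""
import socket

# Constructed sample data: ws13's reverse entry still names a retired PC and
# the printer has no reverse entry at all.
SAMPLE_A = {"ws12": "10.1.0.12", "ws13": "10.1.0.13", "prt1": "10.1.0.50"}
SAMPLE_PTR = {"10.1.0.12": "ws12.corp.example.", "10.1.0.13": "oldpc.corp.example."}
SAMPLE_DOMAIN = "corp.example"


def _short(name, domain):
    """Strip the zone suffix and trailing dot so 'ws12.corp.example.' == 'ws12'."""
    name = name.rstrip(".").lower()
    suffix = "." + domain.lower().rstrip(".")
    return name[: -len(suffix)] if name.endswith(suffix) else name


def find_ptr_mismatches(a_records, ptr_records, domain):
    """Return [(hostname, ip, ptr_name_or_None)] for every inconsistent host.

    a_records:   {hostname: ip} or {hostname: [ip, ...]} for multi-homed hosts
    ptr_records: {ip: hostname}  (names may be short or fully qualified)
    domain:      forward zone name used to normalise FQDNs
    """
    findings = []
    for host, ips in a_records.items():
        for ip in ([ips] if isinstance(ips, str) else ips):
            ptr = ptr_records.get(ip)
            if ptr is None or _short(ptr, domain) != _short(host, domain):
                findings.append((host, ip, ptr))
    return findings


def live_check(hostname, domain):
    """Resolve hostname, reverse-resolve each address, and compare (needs DNS)."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    ptrs = {}
    for ip in addrs:
        try:
            ptrs[ip] = socket.gethostbyaddr(ip)[0]
        except socket.herror:
            pass  # no PTR record: reported as None by find_ptr_mismatches
    return find_ptr_mismatches({hostname: addrs}, ptrs, domain)


if __name__ == "__main__":
    for host, ip, ptr in find_ptr_mismatches(SAMPLE_A, SAMPLE_PTR, SAMPLE_DOMAIN):
        print(f"{host:<8} {ip:<14} PTR -> {ptr or '(none)'}")
```

A PTR pointing at a different name does not by itself produce the duplicate-name error, but a client registering its own reverse record on top of a stale one is exactly the record conflict that makes name-to-IP bookkeeping untrustworthy, so cleaning these up first removes one variable.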
What's the exact error message you get when you try and ping? Also, are you pinging by IP or name?

Sounds unusual getting an error msg like that when pinging!?!? The duplicate name thing can come from multiple sources - a common one is if you are referencing the PC by a DNS alias rather than its FQDN or *proper* name and you're trying to connect to it via SMB, i.e.: \\<computerName>

Also check WINS if you are using
close the question