We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Cannot access Windows shares across different subnets in the same domain

Medium Priority
Last Modified: 2012-05-06
We have 2 machines on the same domain using Active Directory.  "compA" is a VM running Windows Server 2008 and "compB" is a workstation running Windows XP SP2.  

compA can ping compB
compB can ping compA
compB can access \\compA\c$

but when compA tries to access \\compB\c$ I get the error "Windows cannot access \\compB\c$ - Check the spelling of the name. Otherwise, there might be a problem with your network."

compA and compB are on different subnets.  All workstations on the same subnet as compB experience the same issue when compA tries to connect to them.

I cannot turn off the Windows firewall on compB due to group policy settings, but the issue persists even when the firewall service is stopped and disabled.  What do I need to do to enable compA to access the shares on compB?  
Watch Question

They're on different subnets, is there a firewall in between?

Can you get to the share from another machine on the same subnet?
Do you have physical firewall/router devices between subnets?  The necessary ports may be getting blocked at that level.

Use a tool like fport.exe or portqry.exe (both free Googleable downloads) to determine if the remote server is listening on the SMB ports: TCP 135/139/445 - if not, the required traffic is being blocked.

Is file and print sharing enabled on compB?


@ zelron:  There is a firewall between, but the appropriate ports should be open.  Other machines on the same subnet as compA cannot access the compB share.  File and Printer Sharing is enabled on compB.

Can you access the share on compB from a machine on the same subnet as compB?

Also be aware that you can only have 10 connections to an XP share at one time.


@zelron22:  Yes, I can access shares within a subnet.  
> There is a firewall between, but the appropriate ports should be open

The behavior that you are describing would appear to indicate otherwise.


I'm attempting to use the tools suggested by LauraEHunterMVP to determine where exactly the blockage is occurring.
The problem is you are trying to contact the remote shares using a netbios path. Netbios is not routeable. This means it will not go through a VPN tunnel, across subnets, through a firewall, or across NAT.

To resolve this issue you have two options. Both are outlined here.

The problem with each is security. Netbios and SMB shares are often blocked by your firewalls or communications through your ISP because they are HIGHLY targeted ports.

To allow Netbios to become routable you can use the old school method or the new school method. Old school sets up a WINS connection between the PDCe. The PDCe is the domain master browser of the subnet, by default.

The second way is to open up port 445 and allow SMB sharing of these files and sharing of the browselist via SMB port 445/TCP and 139 netbios datagram port/UDP.

Old school way is to create a WINS connection between the site domain master browsers. (Those are usually the PDCe's)

New school way is to get SMB shares going through the tunnel on port 445 and Netbios datagram port 137. Now some ISP's block port 445 due to the vulnerabilities of that data. Also, some routers are now encrypting port 445 to secure the shared traffic. So, this setup depends upon what is offered to you.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

I like it ChiefIT, I believe you've hit the nail on the head.  I usually have WINS set up, so I didn't even consider that.

Another option is to make sure that the DNS domain for compB is set in the DNS suffixes search order in the TCP/IP settings.  That way if it can't resolve with NETBIOS it will try DNS and tack the domain name on to create the FQDN (assuming that the NETBIOS and HOSTNAMEs are the same).

Also, you can rule out the firewall by trying \\[compB's IP address]\sharename.

Yes, you can use the DNS suffix to map to a share on the UNC path.

UNC stands for Universal Naming Convention for a reason. It can link up to a path using a netbios connection, DNS connection, or IP address.

Examples of each:

//server.domain.name/share  (maps to a share using DNS, this is routeable and should work between subnets)
//xxx.xxx.xxx.xxx/share (where xxx.xxx.xxx.xxx maps to a IP address, and is routeable. This should work fine)
//servername/share  (this maps to a share using netbios naming, so this is NOT routeable and shouldn't work between different subnets)
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.