Solved

Cannot access Windows shares across different subnets in the same domain

Posted on 2009-02-10
Medium Priority
Last Modified: 2012-05-06
We have 2 machines on the same domain using Active Directory.  "compA" is a VM running Windows Server 2008 and "compB" is a workstation running Windows XP SP2.  

compA can ping compB
compB can ping compA
compB can access \\compA\c$

but when compA tries to access \\compB\c$ I get the error "Windows cannot access \\compB\c$ - Check the spelling of the name. Otherwise, there might be a problem with your network."

compA and compB are on different subnets.  All workstations on the same subnet as compB experience the same issue when compA tries to connect to them.

I cannot turn off the Windows firewall on compB due to group policy settings, but the issue persists even when the firewall service is stopped and disabled.  What do I need to do to enable compA to access the shares on compB?  
Question by:loniadmin
11 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 23604582
They're on different subnets, is there a firewall in between?

Can you get to the share from another machine on the same subnet?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 23604594
Do you have physical firewall/router devices between subnets?  The necessary ports may be getting blocked at that level.

Use a tool like fport.exe or portqry.exe (both free Googleable downloads) to determine if the remote server is listening on the SMB ports: TCP 135/139/445 - if not, the required traffic is being blocked.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23604597
Is file and print sharing enabled on compB?
0
 

Author Comment

by:loniadmin
ID: 23604936
@ zelron:  There is a firewall between, but the appropriate ports should be open.  Other machines on the same subnet as compA cannot access the compB share.  File and Printer Sharing is enabled on compB.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23604985
Can you access the share on compB from a machine on the same subnet as compB?

Also be aware that you can only have 10 connections to an XP share at one time.
0
 

Author Comment

by:loniadmin
ID: 23605076
@zelron22:  Yes, I can access shares within a subnet.  
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 23605178
> There is a firewall between, but the appropriate ports should be open

The behavior that you are describing would appear to indicate otherwise.
0
 

Author Comment

by:loniadmin
ID: 23605272
I'm attempting to use the tools suggested by LauraEHunterMVP to determine where exactly the blockage is occurring.
0
 
LVL 39

Accepted Solution

by:ChiefIT
ID: 23615712
The problem is you are trying to contact the remote shares using a NetBIOS path. NetBIOS is not routable. This means it will not go through a VPN tunnel, across subnets, through a firewall, or across NAT.

To resolve this issue you have two options. Both are outlined here.

The problem with each is security. NetBIOS and SMB shares are often blocked by your firewalls or communications through your ISP because they are HIGHLY targeted ports.

________________________________________________________________
To allow NetBIOS to become routable you can use the old school method or the new school method. Old school sets up a WINS connection between the PDCe. The PDCe is the domain master browser of the subnet, by default.

The second way is to open up port 445 and allow SMB sharing of these files and sharing of the browselist via SMB port 445/TCP and 139 NetBIOS datagram port/UDP.


Old school way is to create a WINS connection between the site domain master browsers. (Those are usually the PDCe's)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_23652843.html

New school way is to get SMB shares going through the tunnel on port 445 and NetBIOS datagram port 137. Now some ISPs block port 445 due to the vulnerabilities of that data. Also, some routers are now encrypting port 445 to secure the shared traffic. So, this setup depends upon what is offered to you.
http://ourworld.compuserve.com/homepages/timothydevans/browse.htm
0
 
LVL 15

Expert Comment

by:zelron22
ID: 23615880
I like it ChiefIT, I believe you've hit the nail on the head.  I usually have WINS set up, so I didn't even consider that.

Another option is to make sure that the DNS domain for compB is set in the DNS suffixes search order in the TCP/IP settings.  That way if it can't resolve with NETBIOS it will try DNS and tack the domain name on to create the FQDN (assuming that the NETBIOS and HOSTNAMEs are the same).

Also, you can rule out the firewall by trying \\[compB's IP address]\sharename.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 23616116
Yes, you can use the DNS suffix to map to a share on the UNC path.

UNC stands for Universal Naming Convention for a reason. It can link up to a path using a NetBIOS connection, DNS connection, or IP address.

Examples of each:

//server.domain.name/share  (maps to a share using DNS, this is routable and should work between subnets)
//xxx.xxx.xxx.xxx/share (where xxx.xxx.xxx.xxx maps to an IP address, and is routable. This should work fine)
//servername/share  (this maps to a share using NetBIOS naming, so this is NOT routable and shouldn't work between different subnets)
0
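The thread's checks (probe the SMB ports, then try the share by IP, FQDN and short name) can be combined into one diagnostic. This is an added example, not code from any of the posts. The function names, the host name `compb`, the suffix `example.test` and the address `10.0.2.15` are assumptions made for illustration.

```python
import socket

SMB_PORTS = (445, 139)  # TCP ports the thread names for SMB and NetBIOS session

def resolve(name):
    """Return the IPv4 addresses the OS resolver gives for name, or [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except (OSError, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})

def tcp_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port completes within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(short_name, dns_suffix, ip, resolver=resolve, prober=tcp_open):
    """Classify why the short-name UNC path fails, using the three UNC forms."""
    fqdn = f"{short_name}.{dns_suffix}"
    if not any(prober(ip, port) for port in SMB_PORTS):
        return "blocked: no SMB port reachable by IP; check firewall/router rules"
    if ip in resolver(short_name):
        return "ok: short name resolves and SMB is reachable"
    if ip in resolver(fqdn):
        return "name resolution: use the FQDN or add the DNS suffix to the search list"
    return "name resolution: only the IP works; fix the DNS or WINS records"

# Constructed sample data (not from the thread): the workstation answers on
# TCP 445 and resolves by FQDN, but its short name does not resolve from the
# server's subnet, which is the situation the accepted answer describes.
SAMPLE_DNS = {"compb.example.test": ["10.0.2.15"]}
SAMPLE_OPEN = {("10.0.2.15", 445)}

def sample_run():
    return diagnose("compb", "example.test", "10.0.2.15",
                    resolver=lambda name: SAMPLE_DNS.get(name, []),
                    prober=lambda ip, port: (ip, port) in SAMPLE_OPEN)
```

Calling `diagnose` without the `resolver` and `prober` arguments uses the real OS resolver and live TCP probes against the host you name.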

Question has a verified solution.