  • Status: Solved
  • Priority: Medium
  • Security: Public

Can't access a DFS share from a Windows 2008 server

i have a DFS share successfully set up which 5-10 servers in a domain all access.

i have just cloned a new server and although it can successfully log in to the domain, the domain based DFS share is not accessible. i get the error "Windows cannot access \\domain\sharename"

could anyone help me resolve this?

thanks
0
Asked by: nstand
1 Solution
 
martin_babarik Commented:
Hello,

make sure this server has correctly entered the IP of the DNS server. Please run ipconfig /all and compare the output to the output on the original machine - especially whether they don't have the same MAC address or IP.
As you mentioned it's a cloned machine, it's possible that it has a duplicate SID (same as the machine it was cloned from).

Also make sure you are trying to access the DFS share using the domain user account who is supposed to have access to this folder.
Please check the event viewer on the machine in question, I guess you will find some events related to the problem - please post them back (likely in System and Application).

Martin
0
 
martin_babarik Commented:
Something more...try to ping yourdomain.com from the affected machine - are you getting a reply?
0
 
nstand (Author) Commented:
ping domain = OK
DNS Entry = OK
MAC & IP are different on each server = OK
DFS Account is the same account that accesses the shares on other servers

the only error i have in the Event Viewer is "The system failed to register host (A or AAAA) resource records (RRs) for network adapter", but this appears on working servers too.

i thought it could be SID related but have run NewSID and deleted and re-added the server from the domain on several occasions?!!!
0
 
martin_babarik Commented:
Thank you. Regarding the SID - I don't understand if you did use NewSID and re-added the server to the domain or just planned to do it :-) If not, please try it.

Regarding the account - when it works for another server, it doesn't necessarily mean that it will work also here. I suggest to log on to unaccessible server, open the Properties of the shared folder which is the DFS target, choose Security tab, click Advanced - Effective permissions - and enter here the username you are trying to access the share with. You will see whether you have permissions or not.

Also try to access the shared folder directly, not using the DFS domain name...it means \\server\share, not \\domain\share. Do you have access this way?
0
 
nstand (Author) Commented:
i have run newSid, but i am doing it again now. i will remove the server from the domain too.

my account has full control of the folder under effective permissions.

i already tried accessing the share via \\servername\sharename and it doesn't work either.
0
 
martin_babarik Commented:
Thank you for updating.

Will you get to the server itself by opening \\servername? Just to see if it's connectivity problem?
I'd bet more on permissions problem - my guess is that the folder is maybe shared twice or multiple times, while on one of those shares you have set access denied (on the other hand, why would you configure it like that...).

I was also thinking about firewall - maybe try to disable it completely for a minute just to check if something changes.
Running out of ideas :-( But I'm sure it's going to be something really basic, not a special-hitech-extra troubleshooting:-)
0
 
nstand (Author) Commented:
new SID has made no difference.

the share is a domain hosted dfs share and i can telnet to the domain controllers on port 445

however, i can't connect to the actual DFS file servers by using \\servername\c$ whereas i CAN DO this on the servers that can access the DFS file share.

the networking team have confirmed that the same firewall rules apply to both servers and the windows firewall is not started!!!!
0
 
martin_babarik Commented:
Well, did it ever work or is it just a new installation which never worked?

If it was working and now it isn't, what changed?
Just trying to simplify the problem...

Can you RDP to the 2008 server and check the firewall status yourself? Nothing against the network team, but you know how it works :-) Trust is a weakness...
Because it's WS2008, I'd also recommend to start Network and Sharing center to see whether the components like Network discovery and File sharing are turned on - if I understand correctly, you are not able to connect to ANY share on the WS2008 server, is that right?
If so, the problem must be either in the firewall, a stopped service or a component that is not enabled, like file sharing (assuming DNS and network connectivity as a whole works fine).

As a last diagnostic step you can download and run Wireshark on the WS2008 server. You don't need to be a network specialist - just run the capture, try to access the share from another computer and check, if you can see SMB packets incoming to your server (and whether they are not erratic or corrupted somehow. Also if the server is sending some response).
0
 
nstand (Author) Commented:
it has never worked on the cloned server.

i have checked firewall status and it is off. i have checked the network team firewall by setting the working server to use the non working servers IP address and it still works fine.

is there any DFS setting about the number of connections etc..?? or any AD settings that need to be changed??

from the non working server i can \\domainname\SYSVol etc.. and that all works!!!!
0
 
martin_babarik Commented:
Thanks for updating.
I think you think in the right direction :-) In the properties of the shared folder it's possible to limit the number of concurrent connections, so you can check it here.

Another thing I'd check is whether you have Network Discovery enabled on that WS2008 server (it's in the Network and Sharing Center control panel).

Btw - we are still looking for the cause of the problem on the server side - but couldn't this be something on the client? Don't you have some setting on firewall that could prevent you from accessing this particular server?

As a last resort - on the computer from which you are trying to access the shared folder, do the following:
start -> run -> type in this command "control userpasswords2" -> switch to Advanced tab and click Manage passwords - if you see any entries here related to your server, remove them please.

If none of this helps, I think I give it up :-( Sorry for not being able to help somehow better. You would know more if you could install Wireshark on the server and examine the data traffic - at least to see if the requests are coming from your computer. But I understand it's not that easy in a production environment.

Martin
0
 
nstand (Author) Commented:
i've been looking at the client side (w2k8 server) as i know the DFS share is working for other servers.

the connection limit is set at about 16000 so that's not the problem!!

i have just built a new server from scratch and still no luck. i'm wondering if there is something wrong in the AD???
0
 
martin_babarik Commented:
I really don't think it is related to AD (but never say never).

Now with the new server: is it a clone or clean install? Now when you say "no luck" - what exactly do you mean? The new server cannot access the DFS server or you installed DFS on the new one and can't access it here neither?
Martin
0
 
nstand (Author) Commented:
i don't seem to be able to access the DFS share on any new server, cloned or not!

i'm wondering whether the AD has been changed, or whether there is a problem with the DFS servers (even though they are still accessible from all previously setup existing servers).

i have seen an MS document, which refers to DFS using fully qualified domain names; would this help??

http://support.microsoft.com/kb/244380
0
 
martin_babarik Commented:
Hard to say :-(
I don't know how much your network is dependent on NetBIOS names and if you have some problems with the name resolution.
But there might be some (quite likely).
As you can not access any shared folder on the server, I wouldn't search for the problem either in AD or DFS. I'd prefer to diagnose the name resolution mechanisms like NetBIOS and DNS en route between the client and server.

There are many ways to try to fix the problem and I had really difficult times when troubleshooting this on my customers' networks.
After several days of deep and desperate analysis you can end up finding there was a faulty switch or router or some incorrectly made connector or cable, which sometimes works and sometimes doesn't.

Anyway - to totally exclude AD as the possible cause of the problem, try to run DCDIAG.exe on your DC's. It's just a diagnostic test and might tell you, if something is wrong with replications.
Also you can run REPADMIN.EXE to perform some tests.

If all of them don't show up an error affecting your shares, you will need to go further down to the network level and examine the packets. Maybe your network team can do this for you.
I'm not a network specialist like some CISCO guy, but I was still able to read the packets, see there is something wrong and think about WHAT could be wrong. It always helped me to at least set the right way with troubleshooting.
0
 
nstand (Author) Commented:
when i run "net view \\domainname." it returns "sysvol, netlogon, certenroll" so it is communicating with the domain.

what firewall rule should be in place between the client and the DFS server?? i thought that as long as the client had domain access then that was enough??

the hardware shouldn't be an issue as they are all virtual machines and are using the same physical ports/cables/switches.

thanks
0
 
martin_babarik Commented:
The firewall rule should be to allow SMB, DNS and/or NetBIOS traffic.

Yes it's communicating with the domain, but your problem is narrowed to particular servers. The listing you mentioned is kind of "generic" and actually doesn't give away relevant info about the functionality of the entire network.

Regarding HW: I don't know how "far" is your client from the server, but ANY device en route can be the cause of the problem. Even the NIC card on the client or server itself.
Martin
0
 
nstand (Author) Commented:
yes, but does the firewall rule need to be between Server1 and DomainController1 or Server1 and DFSServer1??
0
 
martin_babarik Commented:
DNS must be allowed between all computers involved, SMB must be between DFS client and DFS server and NetBIOS ideally between all computers.
Being not able to give you some better advice I suggest to open another question, while hoping to catch someone else's attention and hopefully help.
0
 
nstand (Author) Commented:
right, i've allowed traffic between the client server and the dfs server (in addition to the domain controllers) and it now appears to work!

this makes sense.

what i don't understand, and has confused me, is how it was working without these firewall rules in place. it looks like all the domain servers that were in the domain before i added the DFS servers were able to access the DFS shares without the firewall rule, and any new server added to the domain after the DFS servers could not access the DFS shares???

thanks very much for your continued responses and help with my question.

0
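The fix confirmed above (SMB has to be allowed from the DFS client to the DFS file server itself, not only to the domain controllers) can be checked leg by leg: a domain-based namespace hands out a referral, and the client then connects directly to the folder target over SMB. The script below is an added example, not part of the original thread; the server names are placeholders, and it probes TCP only, so UDP DNS and NetBIOS name traffic are not covered. It avoids cmdlets that are missing on Windows Server 2008.

```powershell
# Added example (not from the thread). Server names are placeholders:
# replace them with your own DCs, namespace servers and DFS folder targets.
$Targets = @(
    @{ Role = 'DomainController';   Server = 'dc1.example.local'  },
    @{ Role = 'DfsNamespaceServer'; Server = 'dc1.example.local'  },
    @{ Role = 'DfsFolderTarget';    Server = 'dfs1.example.local' }
)

# TCP ports to probe per role, following the rule given in the thread:
# DNS to the DNS servers (here assumed to be the DCs), SMB to the DFS servers,
# NetBIOS session service as an optional extra.
$PortsByRole = @{
    'DomainController'   = @(53, 445)
    'DfsNamespaceServer' = @(445)
    'DfsFolderTarget'    = @(445, 139)
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer at all within the timeout usually means a firewall drops the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (filtered?)'
        }
        $client.EndConnect($async)   # throws if refused or name not resolved
        return 'Open'
    } catch {
        return 'Refused or unresolved'
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $Targets) {
    foreach ($port in $PortsByRole[$t.Role]) {
        New-Object PSObject -Property @{
            Role   = $t.Role
            Server = $t.Server
            Port   = $port
            State  = (Test-TcpPort -ComputerName $t.Server -Port $port)
        }
    }
}
$results | Select-Object Role, Server, Port, State | Format-Table -AutoSize
```

A result where the domain controller rows are `Open` but the `DfsFolderTarget` row on port 445 times out matches the symptom in this thread: `\\domainname\SYSVOL` works while the DFS share does not.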
 
martin_babarik Commented:
Maybe it was because of different individual firewall settings on individual servers - each of them could have something slightly different, which led to this situation.
Also those servers might be placed in different OUs and thus be affected by different firewall group policy settings. Just a few guesses.

Anyway I'm glad it finally works, as I was becoming quite desperate about this :-)

All the best
Martin
0
 
nstand (Author) Commented:
all firewall rules the same and no difference in OUs. very strange.

thanks once again.
0
