  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 421

Domain Authentication issue

I have a problem which is affecting users travelling from the UK to France.

We have DFS set up on the UK server, so all network shares are mapped using DFS,
i.e. \\domain_name\share\share
However, when I try to browse to the UK domain name from the France server, or to a DFS share I have given permission to, I get a username/password box. This was never the case.

Incidentally, this is affecting Outlook/Exchange 2003 users travelling from the UK to France. When one of us travels from the UK to France and opens Outlook, it asks us for a username/password to authenticate first. Again, this was never the case.

TWO-WAY MPLS TRUST is in place, for both the UK and France domains.

Seems some kind of authentication/permission issue is occurring somewhere, but I cannot understand why and where, and it's causing a major headache.

Hope you can assist.
0
Asked by: Mandev23
2 Solutions
 
Jim P. commented:
What account have you used to authenticate between the domains? Has the password (or user IDs) changed?

Also, are the times in both domains in sync?
0
 
Mandev23 (Author) commented:
We've used the same administrator passwords for each domain for years.
I log onto the France server using its admin Active Directory account, and the UK server using the UK administrator account.
Times appear to be in sync.

?
0
 
Jim P. commented:
Have you added/replaced any servers? Changed the placement of shares or files?
0
 
Mandev23 (Author) commented:
No, nothing at all. That's the thing; as far as I'm aware nothing has changed....
?
Don't understand why we have to put in our Windows username/password to use Outlook when in France. Our Exchange box is in the UK, but we've never had to do this before. And when accessing a DFS share on the UK server from France, again we have to authenticate. ??!!
0
 
Jim P. commented:
It sounds like some trust relationship has failed. I would start searching on that.
0
 
Mandev23 (Author) commented:
I need more clarification on this.
Which areas do I need to look at? Anything on the server I could look at? etc.
0
 
Chris Dent (PowerShell Developer) commented:

Two separate domains (separate forests) participating in a trust? Or two domains within the same forest?

Have you validated the trust in both directions?

How is name resolution configured between domains?

Chris
0
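An added example (not part of the thread, and not code from any of the posters) of how the three questions above can be answered from a DC on either side of the trust. It assumes the ActiveDirectory module (Server 2008 R2 or RSAT), the DnsClient module (Windows 8/2012 or later) and the built-in netdom, nltest and w32tm tools; local.example and remote.example are placeholder domain names. Run it from one forest, then again from the other with the two names swapped.

```powershell
# Added example, not from the original thread. Run on a DC in the local forest,
# then again from the other forest with the two domain names swapped.
# Assumes: ActiveDirectory module, DnsClient module (Resolve-DnsName),
# netdom / nltest / w32tm on the path. Domain names are placeholders.
param(
    [string]$LocalDomain  = 'local.example',   # forest this DC belongs to
    [string]$RemoteDomain = 'remote.example'   # the other side of the trust
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Separate forests or one forest? For a two-way forest trust expect
#    IntraForest = False, ForestTransitive = True, Direction = BiDirectional.
#    SelectiveAuthentication = True could by itself explain credential
#    prompts, because each computer then needs "Allowed to Authenticate".
Get-ADTrust -Filter * |
    Where-Object { $_.Target -eq $RemoteDomain } |
    Format-List Name, Direction, TrustType, ForestTransitive, IntraForest,
                SIDFilteringForestAware, SelectiveAuthentication

# 2. Validate the trust from this side. /verify checks the trust password and
#    the secure channel without resetting anything.
& netdom trust $LocalDomain /d:$RemoteDomain /verify
& nltest /sc_verify:$RemoteDomain

# 3. Name resolution the way the DC locator does it. A bare \\domain\ DFS
#    path and a trusted-domain logon both start with these SRV lookups.
$srvNames = "_ldap._tcp.dc._msdcs.$RemoteDomain",
            "_kerberos._tcp.dc._msdcs.$RemoteDomain"
foreach ($rec in $srvNames) {
    try {
        Resolve-DnsName -Name $rec -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority
    } catch {
        Write-Warning "$rec did not resolve: $($_.Exception.Message)"
    }
}
# Netlogon's own view: this must return a DC, not ERROR_NO_SUCH_DOMAIN.
$locator = & nltest /dsgetdc:$RemoteDomain /force
$locator

# 4. Kerberos rejects tickets once clocks differ by more than 5 minutes
#    (default). Compare against the DC the locator actually chose, not
#    against "the other server" in general.
$m = $locator | Select-String -Pattern '^\s*DC:\s+\\\\(\S+)' | Select-Object -First 1
if ($m) {
    $dc = $m.Matches[0].Groups[1].Value
    & w32tm /stripchart /computer:$dc /samples:3 /dataonly
}
```

If step 3 fails on one side only, the trust object can still verify fine while clients on that side cannot find a DC to authenticate against, which is exactly the kind of one-sided symptom described in the question.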
 
Mandev23 (Author) commented:
Two separate domains (separate forests) participating in a trust.

Yes, the trust is validated in both directions.

Each DC in each domain has its own DNS and DHCP.
The UK and France have their own DNS and DHCP, and we can see each other's DNS.
0
 
Chris Dent (PowerShell Developer) commented:

When you mentioned browsing, were you talking about My Network Places? That'll throw WINS into the mix. However, browsing on that level isn't really necessary for AD.

Back to name resolution briefly. All DNS servers in France can resolve names for the UK domain, and vice versa? Sorry to repeat, just want to be really clear.

Does this only affect DFS based shares? Or does it affect all shares you attempt to access across the trust?

Given that the trust is in place, does the remote domain appear in the drop down box for domain logon? And I would guess you are not able to complete authentication there?

Chris
0
 
Mandev23 (Author) commented:
WINS is an area I don't know much about; however, give me some things I can check on this, as it could be related to WINS.
I can see the UK domain in My Network Places from the France DC, but can't appear to access it... not sure if I'm even supposed to... it says access denied.

Yes, if I ping the FQDN of the France server it replies OK, and vice versa. But I have to use the FQDN.

It only affects DFS based shares. Other shares I can access from the France server.

Given that the trust is in place, does the remote domain appear in the drop down box for domain logon?
- If you mean the domain is listed in the server login box, then yes.
0
 
Chris Dent (PowerShell Developer) commented:

WINS. Do you have anything configured there? To be honest I wouldn't dwell too much on that, it will affect My Network Places, but not authentication between the forests.

> if you mean the domain is listed in the server login box, then yes

Are you able to log on to the remote domain as well?

Do you have any record of the authentication attempt in the Security log when attempting to access DFS?

You could try adding the remote domain to the DNS suffix search list on each side (a client-side setting). But you've run this successfully without that in the past?

Chris
0
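An added example, not code from the thread, of what to pull from the Security log when looking for a record of the authentication attempt. It assumes Get-WinEvent and auditpol (Vista/2008 or later; the 2003-era event IDs used by the servers in this thread are listed in the comments), and the computer name and time window are placeholders. Run it on the UK DC the France client ends up talking to and on the DFS root server itself.

```powershell
# Added example, not from the original thread. Assumes Get-WinEvent and
# auditpol (Vista/2008+); on 2003 use the listed 5xx/6xx IDs with the
# Event Viewer filter instead. Computer name and window are placeholders.
param(
    [string]$Computer = 'localhost',
    [datetime]$Since  = (Get-Date).AddHours(-1)
)

# A "quiet" Security log often just means nothing is being audited.
# "Account Logon" (authentication on the DC) and "Logon/Logoff" (session
# on the server being accessed) both need Failure auditing enabled.
& auditpol /get /category:"Account Logon"
& auditpol /get /category:"Logon/Logoff"

# Failed-authentication event IDs.
#   2008+: 4625 logon failed, 4768 TGT request, 4769 service ticket request
#          (both also logged on success; check Status), 4771 Kerberos
#          pre-auth failed, 4776 NTLM credential validation
#   2003 : 529-539 logon failures, 675 pre-auth failed, 676 TGT request
#          failed, 680 NTLM logon attempt
$ids = 4625, 4768, 4769, 4771, 4776,
       529, 530, 531, 532, 533, 534, 535, 537, 539, 675, 676, 680

# Status / result codes worth recognising in the output:
#   0xC000018C  trust between this domain and the trusted domain failed
#   0xC000018D  secure channel between the workstation and its domain failed
#   0xC0000133  clock skew with the DC
#   0xC000005E  no logon servers available (often DNS / DC locator)
#   0xC000006A  wrong password, 0xC0000064 unknown user, 0xC0000234 locked out
#   Kerberos:   0x7 SPN not found (client falls back to NTLM and may prompt),
#               0x18 pre-auth failed, 0x25 clock skew

$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData field names differ per event; read whatever is present.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $source = @($data['WorkstationName'], $data['Workstation'], $data['IpAddress']) -ne $null
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Source    = ($source -join ' / ')
        Package   = $data['AuthenticationPackageName'] + $data['PackageName']
        Status    = $data['Status']
        SubStatus = $data['SubStatus']
        Service   = $data['ServiceName']
    }
}
```

The Account column is the useful one here: if the France user's UK account shows up with a trust or no-logon-server status on the UK DC, the trust is the problem; if the attempt never reaches a UK DC at all, the client is failing before authentication, which points back at name resolution.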
 
Mandev23 (Author) commented:
Yes, we can log onto the servers no problem. I log onto the UK and France servers each day with their own admin logins.

Which server logs do you want me to check? There are no recent entries in the DFS Replication log on the France server, and the security log is quiet as well. However, on 18/02/10 under the replication log it says:

The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory, or DNS issues.

Nothing else or recent after this.

You could try adding the remote domain to the DNS suffix search list on each side (a client-side setting).
- How do I do this? Is it from TCP/IP settings, from network connections... etc.?
0
 
Chris Dent (PowerShell Developer) commented:

> i log onto the UK and France server each day with their own admin logins.

I mean using an account from the remote domain. That is, logging onto a system in France with credentials from the UK, and vice versa.

> -how do i do this?  is it from TCP/IP settings, from network connections.... etc

Yes, that's right. It shouldn't have any impact because it should be quite happy resolving fully qualified names. But it would be interesting to see.

You could run DCDiag on each of your domains and see if more general problems are occurring. Not much to point to a specific problem so far though unfortunately.

Chris
0
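An added example (not from the thread) that ties the "I have to use the FQDN" observation to the suffix-search-list suggestion and to the DFS path itself. It assumes the DnsClient cmdlets (Windows 8/2012 or later) and dfsutil (Support Tools on 2003, built in from 2008); the domain, host and path names are placeholders, and the -Apply switch is the example's own, there only to keep the change step separate from the checks.

```powershell
# Added example, not from the original thread. Run on the client (here, the
# France DC) that gets the credential prompt. Assumes DnsClient module and
# dfsutil; all names are placeholders. -Apply is this example's own switch.
param(
    [string]$RemoteDomain = 'remote.example',      # forest holding the DFS root
    [string]$ShortHost    = 'fileserver01',        # a target as a referral may name it
    [string]$DfsPath      = '\\remote.example\share',
    [switch]$Apply
)

function Resolve-NameOrNull([string]$Name) {
    try {
        (Resolve-DnsName -Name $Name -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -in 'A', 'CNAME' } |
            Select-Object -First 1).Name
    } catch { $null }
}

# 1. Short name vs FQDN. A short name only resolves when a suffix from the
#    search list (or the primary DNS suffix) is appended to it.
$settings = Get-DnsClientGlobalSetting
[pscustomobject]@{
    Fqdn       = Resolve-NameOrNull "$ShortHost.$RemoteDomain"
    Short      = Resolve-NameOrNull $ShortHost
    SuffixList = ($settings.SuffixSearchList -join ', ')
}

# 2. Add the remote domain to the search list (the change made on the France
#    DC in the thread). Set-DnsClientGlobalSetting replaces the whole list,
#    so append to the current one rather than overwrite it.
if ($Apply -and $settings.SuffixSearchList -notcontains $RemoteDomain) {
    Set-DnsClientGlobalSetting -SuffixSearchList ($settings.SuffixSearchList + $RemoteDomain)
}

# 3. What targets does the DFS root actually hand out? Touch the path so a
#    referral is cached, then dump the client's referral cache. Targets that
#    appear as bare NetBIOS names have to be resolvable from here; a root
#    server can be told to return FQDNs instead (Set-DfsnServerConfiguration
#    -UseFqdn $true on 2012+, the DfsDnsConfig registry value on 2003).
Get-ChildItem -Path $DfsPath -ErrorAction SilentlyContinue | Out-Null
& dfsutil /pktinfo          # "dfsutil cache referral" on 2008 and later
```

This is why only the DFS shares misbehave while direct shares work: a direct \\server.fqdn\share never needs a referral, whereas \\domain\share is first resolved to a DC and then redirected to whatever name the root server puts in the referral.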
 
Jim P. commented:
I'm not a specialist in DNS/WINS/etc., so take this with a large chunk of salt. We had an audit firm recommend that we shut down WINS/NetBIOS on our network. We did it from GPO and had to go back and reset it. We could not see shares, had problems referring to machines by name and many other things.

Could that be an issue?
0
 
Mandev23 (Author) commented:
Chris, is it worth testing? Do you want me to display the contents of dcdiag from both servers?
Watch this space please, I will update your post ASAP.

Jimpen / Chris
Do you want me to turn off WINS on both servers, UK / France? I don't think the France server is using WINS anyway.
0
 
Chris Dent (PowerShell Developer) commented:

> Chris, it it worth testing.  Do you want me to display the contents of DCDiag from both servers?

Yeah, for sure. Anything helps at this stage :)

> Do you want me to turn of WINS on both servers, uk / France?  I dont think the France server
> is using WINS anyway.

In my opinion...

If you have NetBIOS running (and it will be by default) you should have WINS. It'll save you some of the messy broadcast traffic at the very least. If you do that, set the two WINS servers to replicate (Push/Pull replication).

Personally I quite happily run my network with NetBIOS / WINS entirely disabled.

Chris
0
 
Mandev23 (Author) commented:
Chris

**Dcdiag from France Server:

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\W2K3REAMET01
      Starting test: Connectivity
         ......................... W2K3REAMET01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\W2K3REAMET01
      Starting test: Replications
         ......................... W2K3REAMET01 passed test Replications
      Starting test: NCSecDesc
         ......................... W2K3REAMET01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... W2K3REAMET01 passed test NetLogons
      Starting test: Advertising
         ......................... W2K3REAMET01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... W2K3REAMET01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... W2K3REAMET01 passed test RidManager
      Starting test: MachineAccount
         ......................... W2K3REAMET01 passed test MachineAccount
      Starting test: Services
         ......................... W2K3REAMET01 passed test Services
      Starting test: ObjectsReplicated
         ......................... W2K3REAMET01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... W2K3REAMET01 passed test frssysvol
      Starting test: frsevent
         ......................... W2K3REAMET01 passed test frsevent
      Starting test: kccevent
         ......................... W2K3REAMET01 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/19/2010   10:31:33
            (Event String could not be retrieved)
         ......................... W2K3REAMET01 failed test systemlog
      Starting test: VerifyReferences
         ......................... W2K3REAMET01 passed test VerifyReferences

   Running partition tests on : TAPI3Directory
      Starting test: CrossRefValidation
         ......................... TAPI3Directory passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... TAPI3Directory passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : Reamet
      Starting test: CrossRefValidation
         ......................... Reamet passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Reamet passed test CheckSDRefDom

   Running enterprise tests on : Reamet.local
      Starting test: Intersite
         ......................... Reamet.local passed test Intersite
      Starting test: FsmoCheck
         ......................... Reamet.local passed test FsmoCheck

________________________________________________________________________________

**Note: dcdiag would not work from the server which holds the DFS Management Console. It says dcdiag is not recognised as an internal or external command???????

Below is dcdiag from the main file server (DC).

**Dcdiag from UK server

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: RTIUK\W2K3RTI02
      Starting test: Connectivity
         ......................... W2K3RTI02 passed test Connectivity

Doing primary tests

   Testing server: RTIUK\W2K3RTI02
      Starting test: Replications
         ......................... W2K3RTI02 passed test Replications
      Starting test: NCSecDesc
         ......................... W2K3RTI02 passed test NCSecDesc
      Starting test: NetLogons
         ......................... W2K3RTI02 passed test NetLogons
      Starting test: Advertising
         ......................... W2K3RTI02 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... W2K3RTI02 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... W2K3RTI02 passed test RidManager
      Starting test: MachineAccount
         ......................... W2K3RTI02 passed test MachineAccount
      Starting test: Services
         ......................... W2K3RTI02 passed test Services
      Starting test: ObjectsReplicated
         ......................... W2K3RTI02 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... W2K3RTI02 passed test frssysvol
      Starting test: frsevent
         ......................... W2K3RTI02 passed test frsevent
      Starting test: kccevent
         ......................... W2K3RTI02 passed test kccevent
      Starting test: systemlog
         ......................... W2K3RTI02 passed test systemlog
      Starting test: VerifyReferences
         ......................... W2K3RTI02 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RTI-EUROPE
      Starting test: CrossRefValidation
         ......................... RTI-EUROPE passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... RTI-EUROPE passed test CheckSDRefDom

   Running enterprise tests on : RTI-EUROPE.COM
      Starting test: Intersite
         ......................... RTI-EUROPE.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... RTI-EUROPE.COM passed test FsmoCheck
0
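An added example, not from the thread, for reading a pasted dcdiag report the way this thread needs it: list which tests failed and fetch the event each failure points at. dcdiag prints the event ID in hex (0x457 above is 1111 decimal) and its systemlog test only looks at the last 60 minutes of the System log, so "failed test systemlog" means an Error was logged recently, not that it has anything to do with the trust. The sample text is the systemlog section of the France report above, embedded so the parser runs offline; the Get-WinEvent lookup assumes Vista/2008 or later on the queried DC.

```powershell
# Added example, not from the original thread. Parses dcdiag text, lists the
# failed tests and pulls the referenced events from the System log.
# $sample is the systemlog section of the France dcdiag output in the thread;
# Get-WinEvent assumes Vista/2008 or later on the queried DC.
$sample = @'
      Starting test: kccevent
         ......................... W2K3REAMET01 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 04/19/2010   10:31:33
            (Event String could not be retrieved)
         ......................... W2K3REAMET01 failed test systemlog
      Starting test: VerifyReferences
         ......................... W2K3REAMET01 passed test VerifyReferences
'@

function ConvertFrom-DcdiagReport {
    param([string]$Text)
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match 'Starting test:\s+(\S+)') {
            $current = @{ Test = $Matches[1]; EventIds = @() }
            continue
        }
        if ($current -and $line -match 'EventID:\s+0x([0-9A-Fa-f]+)') {
            # dcdiag prints hex; the event log wants decimal (0x457 -> 1111).
            $current.EventIds += [Convert]::ToInt32($Matches[1], 16)
            continue
        }
        if ($current -and $line -match '(\S+) (passed|failed) test (\S+)$') {
            [pscustomobject]@{
                Target   = $Matches[1]     # server, or partition for partition tests
                Test     = $Matches[3]
                Result   = $Matches[2]
                EventIds = $current.EventIds
            }
            $current = $null
        }
    }
}

$report = ConvertFrom-DcdiagReport -Text $sample
$report | Format-Table Target, Test, Result,
    @{ n = 'EventIds'; e = { $_.EventIds -join ',' } } -AutoSize

# Read the actual record behind each failure; dcdiag could not retrieve the
# event string itself. Event 1111 on a 2003 box is often the TermServDevices
# printer-driver message, which has nothing to do with the trust.
foreach ($f in ($report | Where-Object { $_.Result -eq 'failed' })) {
    foreach ($id in $f.EventIds) {
        Get-WinEvent -ComputerName $f.Target `
            -FilterHashtable @{ LogName = 'System'; Id = $id } `
            -MaxEvents 5 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, ProviderName, Id, Message
    }
}
```

Both reports above otherwise pass every test, including Replications, Advertising and NetLogons, which is consistent with Chris's point that each domain is healthy on its own and the fault sits in how the two reach each other.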
 
Mandev23 (Author) commented:
Chris

Also note I added the UK domain to the France DNS suffix (network connections).

France has 2 DCs. This is the preferred DNS server:

Strange thing is, from the one DC I can browse to the UK domain from Run (i.e. \\<domain_name.com>) from the France server, and I can see all the shares as well. But when I try to access one (which I know has the access rights) it says "configuration could not be read from the domain controller, either because the machine is unavailable or access has been denied".

From the other DC (this is the alternate DNS server):

I cannot browse to the UK domain without entering in the domain credentials. It prompts for a username and password.

??
0
 
Mandev23 (Author) commented:
I got dcdiag working from the UK server which holds the Management Console:

C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: RTIUK\W2K3RTI05
      Starting test: Connectivity
         ......................... W2K3RTI05 passed test Connectivity

Doing primary tests

   Testing server: RTIUK\W2K3RTI05
      Starting test: Replications
         ......................... W2K3RTI05 passed test Replications
      Starting test: NCSecDesc
         ......................... W2K3RTI05 passed test NCSecDesc
      Starting test: NetLogons
         ......................... W2K3RTI05 passed test NetLogons
      Starting test: Advertising
         ......................... W2K3RTI05 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... W2K3RTI05 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... W2K3RTI05 passed test RidManager
      Starting test: MachineAccount
         ......................... W2K3RTI05 passed test MachineAccount
      Starting test: Services
         ......................... W2K3RTI05 passed test Services
      Starting test: ObjectsReplicated
         ......................... W2K3RTI05 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... W2K3RTI05 passed test frssysvol
      Starting test: frsevent
         ......................... W2K3RTI05 passed test frsevent
      Starting test: kccevent
         ......................... W2K3RTI05 passed test kccevent
      Starting test: systemlog
         ......................... W2K3RTI05 passed test systemlog
      Starting test: VerifyReferences
         ......................... W2K3RTI05 passed test VerifyReferences

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RTI-EUROPE
      Starting test: CrossRefValidation
         ......................... RTI-EUROPE passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... RTI-EUROPE passed test CheckSDRefDom

   Running enterprise tests on : RTI-EUROPE.COM
      Starting test: Intersite
         ......................... RTI-EUROPE.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... RTI-EUROPE.COM passed test FsmoCheck
0
 
Chris Dent (PowerShell Developer) commented:
Hmmm... Let's go back to name resolution once more. Did you get a chance to play with WINS at all?

There are a number of ways DNS can be configured. Which of these do you have?

1. Conditional Forwarders

DNS servers on each site have Conditional Forwarders configured so they can find names in the remote domain.

2. Secondary Zones

DNS servers on each site have Secondary zones configured for the remote domain.

3. Stub Zones

DNS servers on each site have Stub zones configured so they can find names in the remote domain.

Chris
0
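An added example, not from the thread, that makes "both sites have forwarders" precise and also tests each DNS server separately, which matters given that the two France DCs behave differently. It assumes the DnsServer module (Server 2012 or RSAT) with access to each DNS server and the DnsClient module; server and domain names are placeholders.

```powershell
# Added example, not from the original thread. Assumes DnsServer and
# DnsClient modules (2012+/RSAT) and RPC access to each DNS server.
# Names are placeholders: list the DNS servers of one forest and the other
# forest's domain name, then run it again the other way round.
param(
    [string[]]$DnsServers = @('dc1.local.example', 'dc2.local.example'),
    [string]$RemoteDomain = 'remote.example'
)

foreach ($server in $DnsServers) {
    # Global forwarders only help if the upstream server can answer for the
    # remote AD zone. A conditional forwarder (ZoneType Forwarder), Stub or
    # Secondary zone for the remote domain points straight at that domain's
    # own DNS servers, which is what Chris's three options are.
    $global = (Get-DnsServerForwarder -ComputerName $server).IPAddress
    $zones  = Get-DnsServerZone -ComputerName $server |
              Where-Object { $_.ZoneName -eq $RemoteDomain -or
                             $_.ZoneName -eq "_msdcs.$RemoteDomain" }

    # The test that matters: ask this server directly for the remote domain's
    # DC records. Each DC in the thread uses its own DNS server first, so
    # each server has to be able to answer this on its own.
    $srv = try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV `
                        -Server $server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch { @() }

    [pscustomobject]@{
        DnsServer        = $server
        GlobalForwarders = ($global -join ', ')
        RemoteZones      = (($zones | ForEach-Object {
                                $masters = if ($_.MasterServers) {
                                    ' <- ' + ($_.MasterServers -join ',')
                                } else { '' }
                                '{0} [{1}]{2}' -f $_.ZoneName, $_.ZoneType, $masters
                            }) -join '; ')
        RemoteDcSrv      = (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
    }
}
```

A server whose RemoteZones column is empty and whose RemoteDcSrv column is also empty is relying entirely on global forwarders that do not know the remote AD zone; clients pointed at that server will fail the DC locator step for the other forest even though FQDN pings of individual hosts may still work through a different path.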
 
Mandev23 (Author) commented:
Both sites have forwarders...

I'll have a look at WINS now...
0
 
Mandev23 (Author) commented:
Quickly mention: the France DCs are not using WINS.

The DFS Management Console server in the UK has WINS. It appears to be running, nothing in Active Registrations or Replication Partners. Shall I leave this enabled??
0
 
Chris Dent (PowerShell Developer) commented:

It shouldn't be necessary, but you may consider configuring WINS in France then setting up replication between it and the UK.

You would also have to distribute the WINS server address to your network clients.

Chris
0
 
Mandev23 (Author) commented:
But it's not critical as of now?

What did you make of the post where I mentioned the 2 DCs in France? One asking for username/password when accessing the UK domain from Run and the other server taking me straight to the window?
0
 
Chris Dent (PowerShell Developer) commented:

> but it's not critical as of now ?

It shouldn't be remotely necessary, so no, not critical at all.

> One asking for username/password when accessing the UK domain from RUN and the other server taking
> me straight to the window?

It would suggest inconsistent name resolution, but everything is configured in the same way isn't it?

What about network access, are all DCs on each site allowed to talk to all DCs on the remote site?

You could start sniffing packets, letting you see exactly which system each server is talking to. That's not guaranteed to show you very much and it's going to be very difficult for me to explain what to look for.

I think the issues with authentication against DFS are symptomatic of a problem with the trust rather than a problem with DFS itself. As such I can't see us gaining a lot from the DFS diagnostic tools.

Chris
0
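An added example, not from the thread, for the "can every DC reach every DC on the other site" question and for the packet capture Chris mentions. It assumes Windows 8/2012 or later on the machine it runs from (Test-NetConnection, netsh trace); the DC names are placeholders and the -Trace switch is the example's own. Run it on each DC on one side against the DCs on the other, then the reverse.

```powershell
# Added example, not from the original thread. Run on a DC on one side against
# the DCs on the other side, then the reverse. Assumes Test-NetConnection and
# netsh trace (Windows 8/2012+). Names are placeholders; -Trace is this
# example's own switch.
param(
    [string[]]$RemoteDcs = @('dc1.remote.example', 'dc2.remote.example'),
    [switch]$Trace
)

# TCP ports a forest trust and \\domain\ DFS access rely on. The RPC dynamic
# range (49152-65535 on 2008+, 1025-5000 on 2003) is also needed for
# Netlogon/LSA calls and cannot be covered by a fixed list.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (Netlogon, DFS referrals, shares)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
}

$results = foreach ($dc in $RemoteDcs) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target   = $dc
            Resolved = $t.RemoteAddress   # blank here means name resolution, not the firewall
            Port     = $port
            Service  = $ports[$port]
            Open     = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize
# A DC reachable on 445 but not on 88 or 389 will still list shares yet fail
# Kerberos, which is one way to end up at an NTLM credential prompt.

if ($Trace) {
    # Capture while reproducing the prompt, then look at which DC the client
    # actually chose (dns, kerberos and smb2 filters in Wireshark after
    # converting the .etl, or directly in Message Analyzer).
    $etl = Join-Path $env:TEMP 'trust-access.etl'
    & netsh trace start capture=yes "tracefile=$etl" maxsize=200
    Read-Host 'Reproduce the DFS or Outlook prompt now, then press Enter'
    & netsh trace stop
    Write-Host "Capture written to $etl"
}
```

The Resolved column separates the two failure modes Chris keeps circling: an empty address means the name never resolved from this DC, while a resolved address with Open = False means something between the sites (the MPLS link, a firewall, a host firewall on the DC) is dropping that port.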
 
Mandev23 (Author) commented:
OK
0
