Unable to Access Remote Domain Server

We need some help with a remote server.  I was on the phone with MS support for 10 hours yesterday and solved nothing.

We have two servers in our remote office, Server A and Server B. Server A is the DC that handles everything and Server B handles some shares.

- Communication between Server A and B works fine, accessing shares via name or IP.
- The VPN handles communication fine between local shares, remote shares, and server names.
- All machines in the main office can access Remote Server B with no issues by shares, IP, or names.
- All machines in the main office CANNOT access Remote Server A shares by name or IP, but we can RDP into Server A.
- Remote Server A has no issues communicating with all machines in the main office.

This started to happen sometime Friday afternoon, and the health of everything still appears to check out fine. The main office just cannot access the file shares on Remote Server A via DFS, IP, or server name.

Any Ideas?
canteyhanger (Author) commented:
Just an update, we found the problem for this. First, I appreciate your help in trying to troubleshoot the issue. The fix had nothing to do with AD but rather with one of our WAN optimization boxes, which quit passing traffic. Why to only one server is still a mystery, but once we got that back to health everything worked fine.

Again, thanks for your help.
Are you able to connect to server A from server B?

Double-check that the IP did not change, or that its default gateway was not unset.
Is server A the one through which the VPN terminates?

There are PowerShell/WMIC commands that can re-enable the RDP service if that is what is locking it out. The other issue to check is whether the Windows Firewall was re-enabled on server A.

The first thing you should eliminate is server A as the cause, which is accomplished via server B.
Then look at the IP and see whether it matches the VPN rules.
Misread the issue; server A, as a DC, has more restrictive GPOs applying to it.

Run net share.

Are you using DFS?

Are you able to access the SYSVOL share, or can you not enumerate any shares on the DC (server A)?
Does the setup between the two locations use the same AD domain, i.e. main and branch sites, or is there a domain delegation?
Check server A's security event log to see whether the main office access attempts are rejected with access denied.

AD trust issue.
canteyhanger (Author) commented:
We do receive an "access denied" if we open a command prompt and try start \\Server A or start \\Server A\Share.

No UNC paths work to Server A via IP or Name.
AD relationship between the two locations?

Is there a trust?
Main is domain.local
What ad is in use at the remote locations?
canteyhanger (Author) commented:
All in the same domain.
Does the server A DC replicate data from a DC at the main location?

What errors, if any, are you getting in server A's security event log?

Is your VPN between the DCs? I.e., is each DC the endpoint for the VPN, or do you have a hardware firewall VPN?

What about the IP check?

Anti-virus/security applications recently installed?
canteyhanger (Author) commented:
Yes, there is replication between the two.  This is the only Audit Failure in the Security log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/4/2015 5:13:36 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     serverA.domain.internal
Kerberos pre-authentication failed.

Account Information:
      Security ID:            domain\D-2443$
      Account Name:            D-2443$

Service Information:
      Service Name:            krbtgt/CANTEYHANGER.INTERNAL

Network Information:
      Client Address:            ::ffff:
      Client Port:            57640

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x25
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

The failure appears to be from one of our desktops residing in that office.

All VPN connections are from our ASA 5510's.  Routing is done from there.

Server A can be reached with ICMP using either its NetBIOS name or IP.

We disabled all of the A/V while testing.  I believe it is now enabled.  No other apps installed.  

Has the enterprise CA expired and been recently renewed? Check the certificate store on server A to make sure it has the newer CA public certificate as trusted.

Does server B have the same inability to access any server A shares?
canteyhanger (Author) commented:
I'll take a look at that. No, Server B has not had any problems like A. We are really at a loss. Thanks for your help.
After a further look at event ID 4771 and the error 0x25, your issue is a time mismatch.

The time on the DC might be out of whack; check the time zone and time compared to server B or the workstation that is having issues accessing this.

There is a significant time difference between the dc and the systems requesting access.
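The 4771 event posted above and the clock-skew diagnosis that followed can be checked together from one script. The following PowerShell is an added example, not code posted by anyone in this thread: it pulls the 4771 events from a DC's Security log, decodes the Status field against the RFC 4120 error codes, and for 0x25 measures the actual offset between the DC and the client named in the event. The DC name is a placeholder, and it assumes the caller can read the DC's Security log remotely and reach the clients over WinRM (Get-CimInstance -ComputerName uses WS-Man).

```powershell
# Added example, not code from the thread. Pull Kerberos pre-authentication failures
# (event 4771) from a DC's Security log, decode the failure code, and for 0x25 measure the
# clock offset between the DC and the client named in the event.
# Assumptions: the DC name is a placeholder; the caller can read the DC's Security log
# remotely and reach the DC and clients over WinRM (Get-CimInstance -ComputerName uses WS-Man).
param(
    [string]$DomainController = 'serverA.domain.internal',
    [int]$Hours = 24
)

# Failure codes are the KRB-ERROR codes from RFC 4120 section 7.5.9, as logged in the Status field.
$KerberosFailure = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: client account not found'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: wrong password or stale machine-account key'
    '0x25' = 'KRB_AP_ERR_SKEW: client clock outside the KDC tolerance (5 minutes by default)'
}

# Read one named value out of the event's EventData XML; more robust than positional Properties[n].
function Get-EventField([xml]$EventXml, [string]$Name) {
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Offset between this machine's clock and a remote host's clock (local minus remote).
# Network latency adds milliseconds, which is irrelevant next to the 5-minute Kerberos tolerance.
function Get-ClockOffset([string]$Computer) {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
    (Get-Date) - $os.LocalDateTime
}

# Measure the DC once; per-client skew is then (DC clock - client clock), positive when the DC is ahead.
$dcOffset = Get-ClockOffset $DomainController

$filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $status = Get-EventField $xml 'Status'
    # The event logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix.
    # In the event posted in the thread the address was blank, so the skew check is skipped for it.
    $client = (Get-EventField $xml 'IpAddress') -replace '^::ffff:', ''
    $skew   = 'n/a'
    if ($status -eq '0x25' -and $client) {
        try   { $skew = ((Get-ClockOffset $client) - $dcOffset).ToString('c') }
        catch { $skew = "client unreachable: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = Get-EventField $xml 'TargetUserName'
        Client  = $client
        Status  = $status
        Meaning = if ($status -and $KerberosFailure.ContainsKey($status)) { $KerberosFailure[$status] } else { 'see RFC 4120' }
        Skew    = $skew
    }
} | Format-Table -AutoSize
```

On the DC itself, `w32tm /query /source` shows which time source it follows and `w32tm /query /status` the last successful sync, which is how to confirm it is really tracking the internal NTP servers mentioned later in the thread; `w32tm /resync` forces a sync. A skew of about two minutes, as reported below, is inside the default five-minute tolerance, so a single 0x25 from one workstation does not by itself explain a site-wide share failure.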
canteyhanger (Author) commented:
I fixed the time.  It was about 2 minutes off.  The CA has not expired.
Can server B access the shares on server A?
I believe a discrepancy of more than 5 or 10 minutes would be an issue, but two should not be.

Does server A synchronize to the main DC or do they synchronize to the same external NTP servers?
canteyhanger (Author) commented:
It should sync with our two internal time servers.  We run Presentense on two Linux boxes.  We will make sure all DC's are syncing with those.

Yes, Server B can access all shares on A.  That's the weird part.
Presumably server B and all workstations at the remote site sync with server A; the main site might be more than five minutes out of sync.
canteyhanger (Author) commented:
I fixed the time to match all the DCs in both offices.
Is the problem still there? Are you now able to access shares on server A from the other DCs?
The workstations will take some time to synchronize to their local DCs.
canteyhanger (Author) commented:
No, still getting the error that the specified network name is no longer available, from any DC in the main office.
How about accessing by IP?

How are DNS records maintained?
Look at DNS: does the remote DC servera.domain.internal exist in the zone?
Zacharia Kurian (Administrator - Data Center & Network) commented:
Try the following for test purposes:

Try pinging Server B from your main office.

If you can RDP to Server B, then:
Disable the firewall and try.
Make sure File and Printer Sharing is enabled.
Check the share permissions and security permissions of the folders.
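The checks suggested in the last few comments (DNS, ping, RDP versus file sharing) are worth running as one pass so that a network-layer block on a single port is told apart from an authentication or permissions problem. The following PowerShell is an added example and is not code posted in this thread: from a main-office host it tests ICMP, RDP (TCP 3389) and SMB (TCP 445) to each server, by name and by every address DNS returns, and enumerates shares with `net view` only where 445 is actually open. The server names are placeholders, and the optional -DnsServer is assumed to be the DC hosting the zone.

```powershell
# Added example, not code from the thread. From a main-office host, test each path to the
# remote servers that the thread tried (ICMP, RDP on 3389, SMB on 445, share enumeration),
# by name and by every address DNS returns, so a network-layer block on one port or one host
# is told apart from an authentication or permissions failure.
# Assumptions: server names are placeholders; -DnsServer, if given, is the DC hosting the zone.
param(
    [string[]]$Servers = @('serverA.domain.internal', 'serverB.domain.internal'),
    [string]$DnsServer
)

# TCP handshake only: if this fails while ICMP succeeds, something between the sites is filtering
# or breaking that port; share ACLs and Kerberos are never consulted at this stage.
function Test-Port([string]$Target, [int]$Port) {
    (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Enumerate shares with net view and report either the count of disk shares or the exact error text,
# e.g. "System error 64 ... The specified network name is no longer available." (transport dropped)
# versus "System error 5 ... Access is denied." (the SMB session was reached and refused).
function Get-ShareStatus([string]$Target) {
    $out = net view "\\$Target" 2>&1
    if ($LASTEXITCODE -eq 0) {
        $disk = @($out | Select-String -Pattern '^\S+\s+Disk').Count
        return "OK: $disk disk share(s)"
    }
    return (($out | ForEach-Object { "$_" }) -join ' ').Trim()
}

foreach ($server in $Servers) {
    # Only A records: Resolve-DnsName also returns a CNAME row when the name is an alias.
    $addresses = @(Resolve-DnsName -Name $server -Type A -ErrorAction SilentlyContinue |
                   Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    if ($DnsServer) {
        # Compare what the local resolver hands out with what the zone itself holds;
        # a stale cache or a wrong forwarder shows up here as a mismatch.
        $zone = @(Resolve-DnsName -Name $server -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        if ((($addresses | Sort-Object) -join ',') -ne (($zone | Sort-Object) -join ',')) {
            Write-Warning "${server}: local resolver says [$($addresses -join ',')], $DnsServer says [$($zone -join ',')]"
        }
    }
    foreach ($target in (@($server) + $addresses)) {   # by name, then by each IP, as the thread did
        $smb = Test-Port $target 445
        [pscustomobject]@{
            Server = $server
            Target = $target
            Icmp   = Test-Connection -ComputerName $target -Count 1 -Quiet
            Rdp    = Test-Port $target 3389
            Smb    = $smb
            Shares = if ($smb) { Get-ShareStatus $target } else { 'skipped: 445 closed' }
        }
    }
}
```

Read the table against the symptoms in this thread: ICMP and RDP succeeding while 445 fails to one host by both name and IP means that port to that host is being dropped on the path (which is where a WAN optimizer or firewall sits), not that AD or the share ACLs are wrong; 445 open but `net view` returning "Access is denied" is the point at which Kerberos and permissions become the right place to look.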
canteyhanger (Author) commented:
I think I was about as clear as mud, and I'm sorry for the confusion. Any device at the remote location can access server A, including server B. Ping works from the remote office to all machines in the enterprise, as does connecting to all file shares. The main location can ping all machines, including server A, by name or IP. The main location just can't reach server A through file shares. RDP works to server A and B from the enterprise.
One option could be to set up DFS to replicate the server A data back to the main office systems.

If these shares are part of a domain-based distributed file system, the issue might be with the settings, i.e. access is configured to use the local target, such that attempts to access the share on server A get a response for a target that might not be functional at the main site.
canteyhanger (Author) commented:
Ok, that will have to be an overnight process. I will see when I can get that done.  I will post back asap. Thanks.
Glad to hear your issue is resolved.
canteyhanger (Author) commented:
We had a separate hardware issue causing the problem.