Solved

Unable to Access Remote Domain Server

Posted on 2015-01-04
Last Modified: 2015-01-16
We need some help with a remote server.  I was on the phone with MS support for 10 hours yesterday and solved nothing.

We have two servers in our remote office Server A and Server B.  Server A is the DC that handles everything and Server B handles some Shares.

-Communication between Server A and B works fine accessing shares via name or IP.  
-VPN handles communication fine between local shares, remote shares, and server names.
-Communication between all machines in the Main office can access Remote Server B with no issues by shares, IP, or names.
-Communication between all machines in the main office CANNOT access Remote Server A Shares, name, or IP, but we can RDP into Server A.
-Remote Server A has no issues communicating with all machines in the main office.

This started to happen sometime Friday afternoon, and it appears that the health of everything is still checking out fine.  The main office just cannot access the file shares on Remote Server A via DFS, IP, or server name.

Any Ideas?
Question by:canteyhanger
 
LVL 76

Expert Comment

by:arnold
ID: 40530516
Are you able to connect to server A from server B?

Double check to make sure the IP did not change, or its default gateway was not unset.
Is server A the one through which the VPN terminates?

There are PowerShell/wmic commands that can re-enable the RDP service if that is what is locking it out.  The other issue to check is whether the Windows Firewall was re-enabled on server A.

First thing you should eliminate is server A as the cause which is accomplished via server B.
Then look at the IP and see whether it matches the VPN rules.
 
LVL 76

Expert Comment

by:arnold
ID: 40530520
Misread the issue; server A, as a DC, has more restrictive GPOs applying to it.

Run net share.

Are you using DFS?

Are you able to access the sysvol share, or can you not enumerate any shares on the DC server A?
Is the setup between the two locations using similar AD domains, i.e. main and branch, or is there a domain delegation?
Check server A's security event log to see whether the main office access attempts are rejected with access denied.

AD trust issue.
 

Author Comment

by:canteyhanger
ID: 40530590
We do receive an "access denied" if we open a command prompt and try start \\Server A or start \\Server A\Share.

No UNC paths work to Server A via IP or Name.
 
LVL 76

Expert Comment

by:arnold
ID: 40530636
AD relationship between the two locations?

Is there a trust?
Main is domain.local
What AD is in use at the remote locations?
 

Author Comment

by:canteyhanger
ID: 40530661
All in the same domain.
 
LVL 76

Expert Comment

by:arnold
ID: 40530720
Does the server A DC replicate data from a DC at the main location?

What errors, if any, are you getting in server A's security event log?

Is your VPN between the DCs? I.e. is each DC the end point for the VPN, or do you have a hardware firewall VPN?

What about the IP check?

Anti-virus/security applications recently installed?
 

Author Comment

by:canteyhanger
ID: 40530727
Yes, there is replication between the two.  This is the only Audit Failure in the Security log:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/4/2015 5:13:36 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:     serverA.domain.internal
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            domain\D-2443$
      Account Name:            D-2443$

Service Information:
      Service Name:            krbtgt/CANTEYHANGER.INTERNAL

Network Information:
      Client Address:            ::ffff:10.2.1.65
      Client Port:            57640

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x25
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

The failure appears to be from one of our desktops residing in that office.

All VPN connections are from our ASA 5510's.  Routing is done from there.

Server A can be reached with ICMP using either NetBIOS name or IP.

We disabled all of the A/V while testing.  I believe it is now enabled.  No other apps installed.  

Thanks.
 
LVL 76

Expert Comment

by:arnold
ID: 40530759
Has the enterprise CA expired and been recently renewed? Check the certificate store on server A to make sure it has the newer CA public certificate as trusted.

Does server B have the same inability to access any server A shares?
 

Author Comment

by:canteyhanger
ID: 40530763
I'll take a look at that.  No, Server B has not had any problems like A.  We are really at a loss.  Thanks for your help.
 
LVL 76

Expert Comment

by:arnold
ID: 40530773
After a further look at event ID 4771 and the error 0x25, your issue is a time mismatch.

The time on the DC might be out of whack; check the timezone and time compared to server B or the workstation that is having issues accessing this.

There is a significant time difference between the dc and the systems requesting access.
 

Author Comment

by:canteyhanger
ID: 40530788
I fixed the time.  It was about 2 minutes off.  The CA has not expired.
 
LVL 76

Expert Comment

by:arnold
ID: 40530797
Can server B access the shares on server A?
I believe a discrepancy of more than 5 or 10 minutes would be, but two should not be an issue.

Does server A synchronize to the main DC or do they synchronize to the same external NTP servers?
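The diagnosis above (event 4771 with failure code 0x25, and the discussion of how much clock drift Kerberos tolerates) is easy to automate when a DC logs many of these. The following Python is an added example, not code from the thread: it parses the message text of 4771 events, maps the Failure Code to its RFC 4120 name and a triage hint, counts failures per error and client address, and checks a pair of timestamps against the 5 minute default AD clock tolerance. The sample events are constructed in the layout of the one posted above.

```python
import re
from collections import Counter

# RFC 4120 section 7.5.9 error codes as they appear in the Failure Code field of event 4771
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "account does not exist in the realm"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, expired or locked out"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "wrong password; repeated hits from one client suggest guessing"),
    0x25: ("KRB_AP_ERR_SKEW", "client clock outside KDC tolerance; check time sync first"),
}
FIELD_RE = re.compile(r"^\s*(Account Name|Client Address|Failure Code):\s*(\S+)", re.M)

def parse_4771(event_text):
    """Pull the triage-relevant fields out of a 4771 event's message text."""
    fields = dict(FIELD_RE.findall(event_text))
    code = int(fields["Failure Code"], 16)
    name, hint = KRB_ERRORS.get(code, ("UNKNOWN", "see RFC 4120 section 7.5.9"))
    client = fields.get("Client Address", "")
    if client.startswith("::ffff:"):          # IPv4-mapped IPv6 form used in the event
        client = client[len("::ffff:"):]
    return {"account": fields.get("Account Name"), "client": client,
            "code": code, "error": name, "hint": hint}

def triage(events):
    """Count failures per (error, client) so skew or password guessing stands out."""
    return Counter((e["error"], e["client"]) for e in map(parse_4771, events))

def within_kdc_tolerance(client_ts, kdc_ts, max_skew_s=300):
    """AD's default MaxClockSkew is 5 minutes; a 0x25 means this was exceeded."""
    return abs(client_ts - kdc_ts) <= max_skew_s

def sample_event(account, client, code):
    """Constructed 4771 message text in the layout Windows uses (not real log data)."""
    return (f"Kerberos pre-authentication failed.\nAccount Information:\n"
            f"      Account Name:            {account}\nNetwork Information:\n"
            f"      Client Address:            ::ffff:{client}\n"
            f"Additional Information:\n      Failure Code:            {code}\n")

SAMPLE_EVENTS = [sample_event("D-2443$", "10.2.1.65", "0x25"),
                 sample_event("D-2443$", "10.2.1.65", "0x25"),
                 sample_event("jdoe", "10.2.1.70", "0x18")]

if __name__ == "__main__":
    for (error, client), n in triage(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {error:28s} from {client}")
```

On a real DC the same parser can be fed the message text of exported 4771 events; a burst of 0x25 from many clients points at the DC's clock, a burst from one client at that client's.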
 

Author Comment

by:canteyhanger
ID: 40530799
It should sync with our two internal time servers.  We run Presentense on two Linux boxes.  We will make sure all DCs are syncing with those.

Yes, Server B can access all shares on A.  That's the weird part.
 
LVL 76

Expert Comment

by:arnold
ID: 40530807
Presumably server B and all workstations at the remote site sync with server A; the main site might be more than five minutes out of sync.
 

Author Comment

by:canteyhanger
ID: 40530810
I fixed the time to match all the DCs in both offices.
 
LVL 76

Expert Comment

by:arnold
ID: 40530831
Is the problem still there?  Are you now able to access shares on server A from the other DCs?
The workstations will take some time to synchronize to their local DCs.
 

Author Comment

by:canteyhanger
ID: 40530834
No, still getting the error that the specified network name is no longer available from any DC in the main office.
 
LVL 76

Expert Comment

by:arnold
ID: 40530840
How about accessing by IP?

How are DNS records maintained?
Look at DNS: does the remote DC servera.domain.internal exist in the zone?
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40531104
Try the following for test purposes:

Try to ping Server B from your main office.

If you can RDP to Server B, then:
Disable the firewall and try.
Make sure File and Printer Sharing is enabled.
Check the share permissions and the security permissions of the folders.
 

Author Comment

by:canteyhanger
ID: 40531323
I think I was about as clear as mud and I'm sorry for the confusion. At the remote location, any device can access server A, including server B. Ping works in the remote office to all machines in the enterprise, as does connecting to all file shares. The main location can ping all machines including server A by name or IP. The main location just can't reach server A through file shares. RDP works to server A and B from the enterprise.
 
LVL 76

Expert Comment

by:arnold
ID: 40531404
One option could be to set up DFS to replicate the server A data back to the main office systems.

If these shares are part of a domain-based distributed file system, the issue might be with the settings, i.e. access is configured to go to the local target, such that attempts to access the share on server A get a response for a target that might not be functional on the main site.
 

Author Comment

by:canteyhanger
ID: 40531409
Ok, that will have to be an overnight process. I will see when I can get that done.  I will post back asap. Thanks.
 

Accepted Solution

by:
canteyhanger earned 0 total points
ID: 40536131
Just an update: we found the problem for this.  First, I appreciate your help in trying to troubleshoot the issue.  The fix had nothing to do with AD but rather with one of our WAN optimization boxes, which had quit passing traffic. Why to only one server is still a mystery, but once we got that back to health everything worked fine.

Again, thanks for your help.
 
LVL 76

Expert Comment

by:arnold
ID: 40536494
Glad to hear your issue is resolved.
 

Author Closing Comment

by:canteyhanger
ID: 40553092
We had a separate hardware issue causing the problem.