JasonDuncanworks asked:

VPN and folder redirection

I have a point-to-point VPN with 2 SonicWALLs. Site A has the server; Site B is where some other workstations are. I have folder redirection set up in Group Policy. Site A works fine; on Site B the event log says it cannot access the server. If I do \\server name I get to the server but get a permission error; if I do \\IP Address I get right to the shared folders without issue.
Mark Bill

Do you have a domain controller on site B?

How many domain controllers are there in this setup?

If you type the command nslookup on one of the machines on Site B, are they looking at the Site B DNS server or the Site A DNS server?
JasonDuncanworks (ASKER)

There is only a DC on Site A,

I ran NSLookup on a workstation and got this response.

C:\Windows\system32>nslookup
Default Server:  UnKnown
Address:  192.168.2.254

> input in flex scanner failed
Is that looking at the firewall for DNS? That would be the problem if it is. Marries up with what you're describing here too.
Accessible by IP, not by hostname.
I'm pretty sure if we ping the Site A DC from the Site B machine you're referencing here, the request will fail.

Try manually specifying the Site A DC as the primary DNS server on one of the Site B machines and see if that resolves the issue, as a test.

How many domain controllers in total? Can you confirm you're not using Windows SBS?
What operating systems are the domain controller(s)?

With regard to your DNS config, it should be set up like this as far as I'm aware.
1. It is Microsoft-recommended to use root hints for external DNS resolution. Some people and sites use forwarders; in general this works fine either way. Don't worry about this setting, it will work either way.
2. Client machines should only really be using the domain controllers for DNS, not the firewall and not any other DNS servers.
3. Your firewall(s) should be using the DNS servers in its configs that are specified by the service provider.
4. Just seen your response below. I would consider, long term, putting a DC in Site B. I would keep the DC in Site A holding all of the roles, which it should be holding already.

You can get it working fine without points 1 and 4 here. Be careful making such changes and just make sure you go through the relevant Microsoft docs for adding a DC if you decide to go that route.
1 DC
Server 2008 NOT SBS for sure.

Thanks! I will try the DNS change.
I set the DNS to the server, ran IPCONFIG /FLUSHDNS and rebooted. I get the same permission error.
What happens if you ping the hostname of the DC?

What happens if you ping the FQDN of the hostname if this fails, i.e. Hostname.domainname.local?

What happens if we run nslookup on this Site B machine now?

Try running ipconfig /flushdns then ipconfig /registerdns too.
Also, what is the DHCP server on the Site B machine here? Is it the firewall on Site B by any chance?
Ping hostname - full reply
Ping FQDN  -  Full reply

C:\Windows\system32>nslookup
Default Server:  UnKnown
Address:  192.168.2.254

Ran both commands, still same issue.
Site B DHCP is the SonicWALL - 192.168.1.1
Can we access any network shares from the Site B machine?

Has this ever worked before? I'm taking it this is a new site, btw.

On the Site B machine can we:
1. Manually set the IP in the Site B network range, subnet mask as you see fit, and default gateway to the Site B firewall.
2. Manually set the DNS as follows: primary DNS = IP of the domain controller, secondary DNS = none.
At lunch, will do as soon as I get back
192.168.1 is Site A. 192.168.2 is Site B.
Please correct me if I'm wrong.

Is the Site B machine receiving DHCP from the Site A firewall?

Is the Active Directory DC on Site A not using DHCP?

If it is, we should not have 2 different DHCP servers.
Active Directory should be configured to do DHCP for both sites here and to use root hints.

Can you also confirm in the registry where the redirected folders are pointed to on Site B machines?

Cool, enjoy your lunch.
Also, what is 192.168.2.254?
Also would like to confirm the LAN IP for Sonic A and Sonic B.

LAN IP for the DC too.

What are the exact DHCP settings issued from Sonic A, Sonic B and the DC?
Site A Server 2008 DHCP and DNS on the Server - 192.168.2.254 - SonicWALL TZ210 VPN (192.168.2.1)

Site B - SonicWALL (192.168.1.1) VPN to Site A

Site B folders are still on local machine.

This has never worked. Not a new site.

With the VPN connection does it not have to be on a different subnet?
The networking looks fine actually. Site B machine actually has the correct DNS settings and DHCP settings.

Yes both sites have to be on different subnets with the VPN.
What would you like me to try next?
Hehe, I'm thinking about it, it's a funny one. You can access by IP by going \\IP but not by \\Hostname; also try to access \\FQDN.

Can you access other shared folders or printers on the DC from the Site B machine?

Can you post the exact event log message from the client machine, please? Censor out any private info.
\\ip = access to folder shares

\\hostname = you do not have permission to access

\\FQDN = access to folder shares

Failed to apply policy and redirect folder "Pictures" to "\\server\shared\users\username\My Documents\My Pictures".
 Redirection options=0x9021.
 The following error occurred: "Can not create folder "\\server\shared\users\username\My Documents\My Pictures"".
 Error details: "Access is denied.

I guess I could just add the FQDN to the folder redirection in the GP, correct?
ASKER CERTIFIED SOLUTION
Mark Bill

This solution is only available to members.
Try this: create a new test folder on the DC with sharing Everyone full control and the NTFS permissions Everyone full control.

Create the test folder through Computer Management -> Shared Folders on the DC. See if you can access that area.

Curious as well: if we type just \\hostname we get nothing, right? Access denied?
What I mean is, when you say we can't access by hostname, are you trying to access \\hostname\shared or \\hostname?
I reckon this one is us

Try adding the DNS domain suffix in the TCP/IP advanced properties of the troubled computer. That option should be set via DHCP option 015 as a best practice.

Can you test this and revert back? Add it to the Site B machine and then, if it works, add it to the DHCP options under 015.
I just added the FQDN to the GP policy and all is good now. Thank you very much for your help. This is a small network and really not worth spending that much time on it.

Thank you again for your help!!!
Adding the FQDN to the GP fixed the issue. Thanks Mark!!
Yep, it will work. I'm fairly nitty with my solutions though, haha.

NP.

It might be worth adding the FQDN to your DHCP 015. Pretty easy to do; play around with it and test it. :D GL
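
Added example, not part of the original thread: a PowerShell sketch that runs the checks discussed above in one pass on a Site B workstation, comparing how the short name and the FQDN resolve and whether the share opens under each name form. It assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets; `server`, `domainname.local` and `shared` are placeholders taken from the thread's wording, and 192.168.2.254 is the server address reported by the asker.

```powershell
# Added diagnostic sketch; all names below are placeholders, replace with your own.
$Server   = 'server'             # short name used in the folder redirection path
$Domain   = 'domainname.local'   # AD DNS domain (placeholder from the thread)
$Share    = 'shared'             # share name from the event log message
$ServerIp = '192.168.2.254'      # Site A server address as reported in the thread
$Fqdn     = "$Server.$Domain"

# 1. DNS suffixes the client appends to single-label names.
#    DHCP option 015 populates the connection-specific suffix.
"Global suffix search list: $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"
Get-DnsClient | Where-Object ConnectionSpecificSuffix |
    Format-Table InterfaceAlias, ConnectionSpecificSuffix -AutoSize

# 2. Resolve each name form, separating real DNS answers from LLMNR/NetBIOS.
$checks = @(
    @{ Label = 'short name, DNS only';      Params = @{ Name = $Server; DnsOnly = $true } },
    @{ Label = 'short name, LLMNR/NetBIOS'; Params = @{ Name = $Server; LlmnrNetbiosOnly = $true } },
    @{ Label = 'FQDN, DNS only';            Params = @{ Name = $Fqdn;   DnsOnly = $true } }
)
foreach ($c in $checks) {
    $p = $c.Params
    try {
        $answer = (Resolve-DnsName @p -Type A -ErrorAction Stop |
                   Where-Object IPAddress).IPAddress -join ', '
    } catch {
        $answer = "FAILED: $($_.Exception.Message)"
    }
    '{0,-28} -> {1}' -f $c.Label, $answer
}

# 3. Open the share under each name form and report the exact error, if any.
foreach ($h in $Server, $Fqdn, $ServerIp) {
    $unc = "\\$h\$Share"
    try {
        $null = Get-ChildItem -LiteralPath $unc -ErrorAction Stop
        $result = 'OK'
    } catch {
        $result = "$($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
    '{0,-40} {1}' -f $unc, $result
}
```

A short name that fails the DNS-only lookup but answers over LLMNR/NetBIOS indicates the client is not appending a DNS suffix to single-label names, which is the setting the DHCP option 015 suggestion addresses.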