
I have two separate Windows Domains in different LANs. Between both I have established a site-to-site VPN. Red is a Windows 2003 Domain Controller of Domain Dom_a. Blue is a Windows 2008 R2 Domain Member of Domain Dom_b. I want to mount a Red shared folder from Blue.

[Red] --- [Gateway A] === [Gateway B] --- [Blue]
Share     NAT / Router    Router
---------------------     ----------------------
          A                          B

Blue can ping Red, execute an RDP connection or access any server in A. The routing is done with static routes on Red and Blue. If I enter \\red.domain\ in Blue's explorer I get a password prompt. After submitting I get the error message that the user is not allowed to connect from this station. Credentials should be okay. "Net use" on the machine gives me a system error 2240 (user is not permitted to connect from this station).

Next I configured Gateway A to work as a NAT towards Red. So all traffic from B seems to come from A's local network. Still the same situation.

The only specialty is that the first part of both domains is identical. The latter part is not. Usernames are different too. I think it should be no problem.

To me it looks like the DC does not permit connection from a non-domain computer. Maybe some kind of network isolation? I do not have direct access to Red.

Roman
  • I will try to find out more details on how the share is configured. – Roman Jan 06 '12 at 22:41
  • Shares should be accessible by all computers as long as you know valid credentials. You might be blocked by a policy, local or group or domain. – Tim Jan 06 '12 at 23:09
  • When you provide the credentials are you specifying the username as either domain\user or user@domain? – Zoredache Jan 06 '12 at 23:39
  • Thanks for replying. Actually only user@domain-fqdn worked. But I had to do some other tweaks. Including "correct" credentials. – Roman Jan 06 '12 at 23:53
  • Just to be clear, the domains are not trusted or federated in any way? When you try to open `\\red.dom_a\ ` from `blue.dom_b`, you authenticate as a user from the `dom_a` domain right? – Mathias R. Jessen Jan 06 '12 at 23:55
  • JudasIscariot1651: Exactly. – Roman Jan 07 '12 at 00:00
  • Well, it works for me now. But I cannot answer my question within 8 hours. Any suggestions? – Roman Jan 07 '12 at 00:02

1 Answer

I just solved the problem. I will summarize some notable aspects:

  • Used a different login, using the name@domain schema. The permissions were not okay. It's actually a set of DFS shares.
  • Re-enabled the NAT. Some folders were still inaccessible from a different subnet.
  • Created a stub zone (with forwarder to an A DNS server) for the remote domain (A) inside (B).
  • Manually configured DNS suffixes: first the domain of the remote net (A), then the local (B).

Now hostnames, FQDN and IP can be used to access Red.

Update regarding the system error 2240

This is a separate problem caused by the user account. The account has been configured to allow login only from specific computers. It worked as soon as Blue's hostname was added to the user. This is done in the AD. See unrelated question Change list of allowed logon computers from batch file.

Roman
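The answer above lists four fixes (UPN-style user name, stub zone for the remote domain, DNS suffix order, and the account's allowed logon workstations behind error 2240) but gives no commands. The following PowerShell script is an added example and is not part of the original question or answer; it carries those steps out in order and reports the state of each so an administrator can see which one is still missing. All names are assumptions: the Red domain is `dom_a.example`, Blue's domain is `dom_b.example`, the A-side DNS server is `10.1.0.10`, the account is `svc_share@dom_a.example` and the share is `\\red.dom_a.example\Data`. It assumes it runs on Blue (a 2008 R2 member, so `dnscmd` and `[System.Net.Dns]` are used instead of the newer `DnsServer` cmdlets) with the ActiveDirectory module available and rights to edit the account in `dom_a`; the asker did not have direct access to Red, so that last part would run wherever such rights exist.

```powershell
# Added example, not code from the original post. Diagnoses and applies the
# four fixes from the accepted answer. Every name below is an assumption.
param(
    [string]$RemoteDomain = 'dom_a.example',            # assumed: Red's domain (A)
    [string]$LocalDomain  = 'dom_b.example',            # assumed: Blue's domain (B)
    [string]$RemoteDns    = '10.1.0.10',                # assumed: A-side DNS server
    [string]$RemoteHost   = 'red',
    [string]$ShareUser    = 'svc_share@dom_a.example',  # assumed: UPN form, which is what worked
    [string]$SharePath    = '\\red.dom_a.example\Data'  # assumed: one of the DFS shares
)

# Step 1/2 of the answer: check that short name, FQDN and address all resolve.
# GetHostAddresses is used because Resolve-DnsName does not exist on 2008 R2.
function Test-RemoteHostResolution {
    param([string]$ShortName, [string]$Fqdn)
    $results = @{}
    foreach ($name in @($ShortName, $Fqdn)) {
        try {
            $results[$name] = [System.Net.Dns]::GetHostAddresses($name) |
                ForEach-Object { $_.IPAddressToString }
        } catch {
            $results[$name] = $null   # unresolved: stub zone or suffix list is missing
        }
    }
    return $results
}

# Stub zone for the remote domain on Blue's DNS server, pointing at A's DNS,
# plus the suffix search list with the remote domain (A) listed before the local (B).
# Returns the search list that was written so the caller can display it.
function Set-RemoteDomainResolution {
    param([string]$Zone, [string]$Master, [string]$LocalSuffix)
    & dnscmd.exe /ZoneAdd $Zone /Stub $Master | Out-Null
    $searchList = "$Zone,$LocalSuffix"
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
                     -Name 'SearchList' -Value $searchList
    return $searchList
}

# Error 2240: the account's "Log On To" list (userWorkstations attribute,
# exposed as LogonWorkstations) does not contain Blue. Read it, append the
# hostname if absent, write it back, and return the resulting list.
function Add-AllowedLogonWorkstation {
    param([string]$Identity, [string]$Workstation, [string]$Server)
    Import-Module ActiveDirectory
    $user    = Get-ADUser -Identity $Identity -Server $Server -Properties LogonWorkstations
    $current = @()
    if ($user.LogonWorkstations) { $current = $user.LogonWorkstations -split ',' }
    if ($current -contains $Workstation) { return $user.LogonWorkstations }   # already allowed
    $updated = ($current + $Workstation) -join ','
    Set-ADUser -Identity $Identity -Server $Server -LogonWorkstations $updated
    return $updated
}

# Map the share with the user@domain form. net.exe prints "System error 2240"
# when the workstation restriction still applies; the exit code is non-zero then.
function Mount-RemoteShare {
    param([string]$Drive, [string]$Path, [string]$User)
    & net.exe use $Drive $Path "/user:$User" /persistent:no
    return $LASTEXITCODE   # 0 means the drive is mapped
}

$fqdn = "$RemoteHost.$RemoteDomain"
$dns  = Test-RemoteHostResolution -ShortName $RemoteHost -Fqdn $fqdn
if (-not $dns[$fqdn] -or -not $dns[$RemoteHost]) {
    $list = Set-RemoteDomainResolution -Zone $RemoteDomain -Master $RemoteDns -LocalSuffix $LocalDomain
    Write-Host "DNS suffix search list now: $list"
    $dns = Test-RemoteHostResolution -ShortName $RemoteHost -Fqdn $fqdn
}
$dns.GetEnumerator() | ForEach-Object { Write-Host ("{0,-30} -> {1}" -f $_.Key, ($_.Value -join ', ')) }

$sam     = ($ShareUser -split '@')[0]
$allowed = Add-AllowedLogonWorkstation -Identity $sam -Workstation $env:COMPUTERNAME -Server $RemoteDomain
Write-Host "Allowed logon workstations for ${sam}: $allowed"

$rc = Mount-RemoteShare -Drive 'Z:' -Path $SharePath -User $ShareUser
Write-Host "net use exit code: $rc"
```

Two points worth noting about the design. The logon-workstation step is kept separate from the DNS steps because, as the answer says, error 2240 is an account restriction and not a network problem; a resolver fix will never clear it, and the attribute is a useful thing to audit when a share suddenly stops being reachable from one host. The suffix list is written with the remote domain first deliberately, matching the answer's fourth bullet, so that the bare name `red` expands to `red.dom_a.example` rather than to a non-existent host in the local domain.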