10

I keep finding that on our small company LAN (7 users, 3 servers) some servers keep becoming "not accessible" for the purposes of file sharing. They display the message "\\SERVER is not accessible. You might not have permission to use this network resource. The user name could not be found". But I don't know why "the user name could not be found" as all the machines are on the same domain and the PDC and BDC seem to be behaving OK.

EDIT:

VPN seems to be the cause:

It turns out I can see the server if I use the IP address (\\1.2.3.4\ etc.) or the fully qualified Active Directory name (e.g. \\server.domainname.local) but not if I use the server name on its own or a mapped network drive originally created from the "short" name. Oddly though, my machine has no issue resolving the server's DNS name, as I can ping the machine name OK and it immediately comes back with the IP; however nslookup seems to fail.

It seems to be a problem with how Windows looks up machine names when connected to VPNs. When I'm connected to a VPN, Windows seems to use the DNS associated with the VPN and not the one on the domain controller. This behavior, to me, seems incorrect, as surely that would mean connecting to any VPN would break any ability to look up local machine names for servers and printers etc. So I guess the real question now is, how can I make my machine still search the local Active Directory DNS (the PDC) even when connected to a VPN?

More info in my comments below.

NickG
  • 654
  • 6
  • 12
  • 28
  • CALs wouldn't have anything to do with it since that applies to terminal services and not the file sharing. As a domain admin, are you able to access say, `\\server\c$` consistently? – Nathan C May 24 '13 at 13:55
  • Check your DNS settings on the workstations that get this error message. Ensure that it is pointing to an internal DNS and not an external one. If I use Google DNS instead of the internal DNS it will tell me I do not have permission and that a possible security breach is detected. – Travis May 24 '13 at 15:27
  • I can ping and Remote Desktop to the servers OK. It's only file sharing which isn't working properly. I don't see how I can connect as a domain admin as it's not even getting that far (normally it would prompt for credentials after you've connected to the resource). – NickG May 24 '13 at 15:54
  • When the issue occurs, can you connect using the server ip address? \\n.n.n.n\share – Greg Askew May 24 '13 at 16:24
  • 1
    Yes! Turns out I can see the server if I use the IP address but not the server name. Oddly though, my machine has no issue resolving the machine name as I can ping the machine name OK and it immediately comes back with the IP. – NickG May 28 '13 at 12:47
  • The error message I get if I type in a fictitious machine name is not the same as if I type in the real one, so although the issue seems to be with resolving the name, it doesn't seem to be the whole story - it's still recognising it as a valid server name somehow. – NickG May 28 '13 at 12:51
  • I had this problem off and on when trying to access my Windows Home Server. I ended up adding the entry to the lmhosts file. Never had the problem again, though I never liked that I add to do this to fix it. I had try a bunch of other things before that, but nothing ever "stuck". – MetalMikester May 28 '13 at 14:13
  • I thought of that but as it CAN lookup the hostname OK I don't see how it would help. It seems like something else is wrong. – NickG May 28 '13 at 15:06
  • You say "some servers", but you only have 3, so does that mean all of them have this issue occasionally? Also if you do a "ping servername" and then do a "nslookup servername" are the results the same? – tony roth May 28 '13 at 15:53
  • Actually I've noticed today it's not just folder shares on servers but also folder shares on other workstations. Once access to one machine isn't working, then I cannot access any others either until I reboot. – NickG May 28 '13 at 16:21
  • Aha! @tonyroth your "nslookup" check has given the source of the problem (not the solution though). While "ping servername" works, "nslookup servername" doesn't work as it attempts to use a DNS server associated with a VPN connection I sometimes use to a remote network. I suspect that connecting to the VPN means Windows can no longer see any Active Directory machine names on my own LAN. So the question is, how can I tell Windows to still search the Active Directory DNS even when connected to a VPN? – NickG May 28 '13 at 16:26
  • what vpn solution are you using? – tony roth May 28 '13 at 17:08
  • when vpn'd in if you do an ipconfig /all what does it say your dns servers are. Also does nslookup fqdn work? – tony roth May 28 '13 at 17:22
  • I'm having a hard time understanding your question. re: the "being connected to a VPN and not using my domain's DNS" - Did you name your Active Directory the same thing as a real Internet domain (i.e. "domain.com" where "domain.com" is also a valid Internet name)? Does the DNS zone for "domain.com" on the Internet contain a wildcard record? – Evan Anderson May 29 '13 at 02:46
  • I'm just connecting to the VPN using Windows itself (no 3rd party software). There's no FQDN for local machines and servers as they're not internet facing so none has been assigned. – NickG May 29 '13 at 08:12
  • @EvanAnderson No, the servers are on a domain which is local only. ie server.company.local. No servers are internet facing so I don't think they need a real domain associated with them. – NickG May 29 '13 at 08:13
  • Basically your statement "This behavior to me, seems incorrect as surely that would mean connecting to any VPN would break any ability to lookup local machine names for servers and printers etc." is completely wrong; the VPN is doing exactly what you told it to do. So you are jacked in to LAN A but VPN'd in to LAN B, and LAN B is what? I'm confused. – tony roth May 29 '13 at 15:25
  • @tonyroth I disagree. I don't see why joining a VPN should deliberately break your local network function? Lots of other people have posted the same problem on forums etc so it's not just me that's having this issue. – NickG May 30 '13 at 08:39
  • @NickG my statement "the vpn is doing exactly what you told it to do." is the key here. I didn't say that it can't be made to work. – tony roth May 30 '13 at 15:37
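The ping/nslookup discrepancy found in the comments above (and the Tcpip\Linkage bind order that one answer below edits) can be checked from one script. This is an added diagnostic, not code from the thread; it assumes Windows 8 / Server 2012 or later (DnsClient and NetTCPIP modules), is run while the VPN is connected, and the `server` / `company.local` values are placeholders for the failing short name and the AD zone.

```powershell
# Added diagnostic, not from the thread. Assumes Windows 8+/Server 2012+ cmdlets.
# $ShortName and $DomainSuffix are placeholders; adjust to your environment.
param(
    [string]$ShortName    = 'server',         # short (NetBIOS-style) name that fails
    [string]$DomainSuffix = 'company.local'   # AD DNS zone, as in the question
)

Write-Host "== Connected IPv4 interfaces: metric, connection-specific suffix, DNS servers =="
foreach ($if in Get-NetIPInterface -AddressFamily IPv4 | Where-Object ConnectionState -eq 'Connected') {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    $sfx = (Get-DnsClient -InterfaceIndex $if.InterfaceIndex).ConnectionSpecificSuffix
    '{0,-30} metric={1,-4} suffix={2,-20} dns={3}' -f $if.InterfaceAlias, $if.InterfaceMetric, $sfx, ($dns -join ',')
}

Write-Host "`n== Global DNS suffix search list (used to expand the short name) =="
(Get-DnsClientGlobalSetting).SuffixSearchList -join ', '

Write-Host "`n== Tcpip\Linkage Bind order (first entry is consulted first) =="
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind

Write-Host "`n== Which configured DNS server actually answers for the name? =="
# nslookup only talks to the first DNS server of the first-bound interface, whereas
# ping goes through the full Windows resolver; asking each server directly with
# -DnsOnly (no cache, no NetBIOS/LLMNR fallback) shows which one knows the name.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           ForEach-Object ServerAddresses | Sort-Object -Unique
foreach ($s in $servers) {
    foreach ($n in @($ShortName, "$ShortName.$DomainSuffix")) {
        try {
            $a = Resolve-DnsName -Name $n -Type A -Server $s -DnsOnly -ErrorAction Stop |
                 Where-Object Type -eq 'A'
            '{0,-16} {1,-35} -> {2}' -f $s, $n, ($a.IPAddress -join ',')
        } catch {
            '{0,-16} {1,-35} -> FAILED ({2})' -f $s, $n, $_.Exception.Message
        }
    }
}
```

If the domain controller answers both names but the VPN-supplied server answers neither, the short name is failing because the VPN interface's server is being asked first; the interface metric, bind order and suffix list printed above are the knobs the answers below adjust.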

9 Answers

2

Set up UseRasCredentials=0 as described here: https://www.conetrix.com/Blog/post/Access-Domain-Resources-When-Connected-to-VPN.aspx

Helper
  • 21
  • 2
  • Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Scott Pack Oct 07 '13 at 14:06
  • This article really helped me. – Anthony Serdyukov Feb 12 '15 at 04:45
1

With some VPN setups, it is required that you go through the VPN gateway. That is how they maintain a safer network environment by not allowing you to download stuff from potentially threatening sites.

If you have a lax VPN setup, you can also uncheck the box that uses the VPN's default gateway, so any requests first hit your gateway (and domain dns) before hitting the VPN's gateway and DNS.

  • In Windows 7, click the network icon to view your connections, right-click the VPN and choose 'Properties'.
  • Next, click the 'Networking' tab.
  • For each of IPv6 and IPv4 (if they are enabled), double-click the item, click 'Advanced', then uncheck the 'Use default gateway on remote network' checkbox. Click OK twice and repeat for the remaining IP version.

Disconnect and reconnect to the VPN, if you had it active.

If you notice any connectivity issues, re-enable the default gateways. As I said previously, the VPN may require this to be enabled.

ps2goat
  • 111
  • 4
  • This option is already unchecked. However the default gateway has nothing to do with DNS so not sure why this setting would affect it anyway. – NickG May 29 '13 at 08:07
0

Is your DNS server for VPN clients the same as the DNS server for LAN clients?

I think your problem is that the VPN clients use their DNS server from the ISP, not your VPN's DNS. You can make the VPN client use the VPN's DNS with these steps:

  • Find this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage

  • Double click Bind

  • Move the "\Device\NdisWanIp" item to the top of the list

  • Restart client.

or use a simple reg command:

    %systemroot%\system32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage /f /v Bind /t REG_MULTI_SZ /d \Device\NdisWanIp\0...

Remember to back up your registry before doing anything in it.

cuonglm
  • 2,346
  • 2
  • 15
  • 20
  • I don't have a key called NDisWanIP... They're all GUIDs. eg \Device\{34D64604-4F4A-4C85-B5E0-9088F583F1F1} – NickG May 29 '13 at 08:08
  • Do you see it in `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters` – cuonglm May 29 '13 at 08:36
  • But doesn't this do the same thing as just changing the binding order using the binding order dialog? (ncpa.cpl [Menu] > Advanced Settings). If so, the binding order in that dialog already seems to be correct, with LAN prioritised over Remote Access Connections. – NickG May 29 '13 at 08:48
  • No, move the Remote Access Connections above Lan – cuonglm May 29 '13 at 09:04
  • But I want it to check my LAN DNS before the RAS DNS? – NickG May 29 '13 at 12:35
0

Change the binding order so that your physical NIC is higher than your VPN interface. You may have to manually (or via script) poke things around further, depending on what the VPN software does.

mfinni
  • 35,711
  • 3
  • 50
  • 86
  • might as well poke this with a 2x4 since none of what you say would work. – tony roth May 28 '13 at 17:33
  • 1
    I read this as, the questioner trying to prioritize the local DCs to be the DNS providers when a given machine is connected to a VPN that connects to an outside organization. Did I misunderstand the question and edits? – mfinni May 28 '13 at 17:55
  • After rereading his last response you may be correct! – tony roth May 28 '13 at 18:11
  • If my reading of the scenario is correct, then I have been in similar positions, and my solution worked. – mfinni May 28 '13 at 18:32
  • It looks to be correct according to the GUI. The NIC is above the RAS connections but not sure that affects DNS priority - only routing priority? – NickG May 30 '13 at 08:40
0

I had a similar issue where DNS resolved, but could not ping or tracert the IP. The way I solved my problem was by re-checking the IP settings on the server. Turns out it did not have a default gateway and setting it resolved the issue.

AWippler
  • 1,055
  • 1
  • 12
  • 32
0

If you are only unable to connect to the share using the "short" name, i.e. the NetBIOS name, then I would recommend using a WINS server, as it will allow you to resolve NetBIOS names over the VPN, as long as your VPN adapter allows you to specify a WINS server. For me, I have our internal AD DNS server also configured as a WINS server, and our VPN server (SonicWall) publishes both a DNS and a WINS server to our VPN clients. With this configuration we are able to resolve both the NetBIOS names and the FQDN.

The other thing you can do is change your DNS suffixes in the advanced TCP/IP properties on your network adapter. Name resolution of short names will then proceed in this order:

  1. WINS
  2. DNS using suffix 1
  3. DNS using suffix 2
  4. DNS using suffix N

Hope that helps

mageos
  • 466
  • 3
  • 5
0

I think you need to set the firewall to use the PDC as its DNS so that it gives out that DNS server to the VPN clients. Or you could forward VPN requests to the PDC and make it a RAS server to use SSTP so that the clients are definitely going to have a consistent experience regarding DNS whether on VPN or LAN.

sircles
  • 9
  • 1
0

If you can ping the remote destination (try using its IP or its DNS name):

I had to delete all existing network drives by using the following command from a command prompt: net use * /delete. Then I rebooted the computer, connected to the VPN and mapped the network drive again using different credentials, and voilà, it works!

Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
0

I found I had to reset the password and do an unlock for the user's account from within users and accounts on the server.

The workstation does not show credentials for domain accounts.

The password was somehow saved incorrectly for the user when the user logged in with an incorrect password.

Changing the password cleared out the cache and all is working.

Thomas
  • 1