Problem connecting to DFS shares across domains.


  • Problem connecting to DFS shares across domains.

    Please read CAREFULLY before replying. I tried to be concise in my testing description. I need this resolved and I've hit a dead end and need some recommendations.

    I have two domains, A and B, that have two-way transitive trusts. I need the computers in DomainA to connect to DFS shares in DomainB.

    OU1 and OU2 are at the same level and inheriting policies. OU2 has a sub-OU, OU3.

    Both Computers and Users are in DomainA and DFS shares are in DomainB.

    I've done the following testing and CAN'T, for the life of me, understand why my users can't connect to DFS from the problematic OU. My testing was an attempt to rule out user rights and narrow it down to a GPO issue, but I still can't find the culprit. I ruled out USER rights issues by flipping users and computers. Below is how everything played out.


    User1 on Computer1 in OU1 (won't connect to DFS)

    User2 on Computer1 in OU1 (won't connect to DFS)

    User1 on Computer2 in OU1 (won't connect to DFS)

    User2 on Computer2 in OU1 (won't connect to DFS)

    User1 on Computer1 in OU2 (Connects to DFS)

    User2 on Computer1 in OU2 (Connects to DFS)

    User1 on Computer2 in OU2 (Connects to DFS)

    User2 on Computer2 in OU2 (Connects to DFS)

    User2 on Computer2 in OU3 with policy inheritance (Connects to DFS)


    User2 on Computer2 in OU3 with BLOCKED inheritance and linked GPOs from OU1 (Connects to DFS)

  • #2
    A couple of questions:
    1) What OS is DFS using?
    2) Domain or Standalone DFS?
    3) I presume (but please confirm) the two domains are in separate forests, not in the same AD forest
    4) What are your Domain and Forest FLs?
    5) Are all the GPOs from OU1 linked to OU3?

    If you run a GPResult from OU1, do you see anything that might help?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Are computers in OU1 in the same subnet as OU2?

      Do both OUs receive the exact same GPO??


      • #4
        1. DFS running on Windows 2008 R2
        2. Domain DFS
        3. Separate Forests
        4. ??
        5. Yes. I blocked inheritance to OU3 and then linked ALL the GPOs from OU1 to OU3

        I ran a GPRESULT on the user's desktop and I see 'local policy' listed as an applied GPO.
        I compared the local security policies of Computer1 and Computer2 while in their ORIGINAL OUs and saw nothing that would indicate a conflict of security that could cause this issue.

        One item of note, User1 on Computer1 was accessing a standard share in DomainB on a Windows 2003 server. We decommissioned that share to migrate away from 2003 in favor of DFS. There were no other changes to her environment, but now she can't get to the DFS shares whereas before, she was able to access a regular Windows share in DOMAINB
        Last edited by ingram59; 23rd March 2018, 14:06.


        • #5
          Originally posted by wullieb1
          Are computers in OU1 in the same subnet as OU2?

          Do both OUs receive the exact same GPO??

          Different subnets (xx.xx.138.xx, xx.xx.140.xx) but same VLAN.
          Yes, I blocked inheritance and applied the SAME GPOs to OU3 as on OU1.

          Firewall is NOT blocking any of this traffic.


          • #6
            I moved the computer to MULTIPLE department OUs. The only one in which it works is the one for our Infrastructure team.


            • #7
              What's different about the GPOs that you receive to the ones that other OUs receive?

              I'm thinking it might be a DNS suffix problem??
