ingram59 Member March 22, 2018 at 2:32 pm #167475
Please read CAREFULLY before replying. I tried to be concise in my testing description. I need this resolved and I’ve hit a dead end and need some recommendations.
I have two domains, A and B, that have two-way transitive trusts. I need the computers in DomainA to connect to DFS shares in DomainB.
OU1 and OU2 are at the same level and inheriting policies. OU2 has a sub-OU, OU3.
Both Computers and Users are in DomainA and DFS shares are in DomainB.
I’ve done the following testing and CAN’T, for the life of me, understand why my users can’t connect to DFS from the problematic OU. My testing was an attempt to rule out user rights and narrow it down to a GPO issue, but I still can’t find the culprit. I ruled out USER rights issues by flipping users and computers. Below is how everything played out.
User1 on Computer1 in OU1 (won’t connect to DFS)
User2 on Computer1 in OU1 (won’t connect to DFS)
User1 on Computer2 in OU1 (won’t connect to DFS)
User2 on Computer2 in OU1 (won’t connect to DFS)
User1 on Computer1 in OU2 (Connects to DFS)
User2 on Computer1 in OU2 (Connects to DFS)
User1 on Computer2 in OU2 (Connects to DFS)
User2 on Computer2 in OU2 (Connects to DFS)
User2 on Computer2 in OU3 with policy inheritance (Connects to DFS)
User2 on Computer2 in OU3 with BLOCKED inheritance and linked GPO’s from OU1 (Connects to DFS)
Ossian Moderator March 23, 2018 at 1:18 am #191959
A couple of questions:
1) What OS is DFS using?
2) Domain or Standalone DFS?
3) I presume (but please confirm) the two domains are in separate forests, not in the same AD forest
4) What are your Domain and Forest FLs?
5) Are all the GPOs from OU1 linked to OU3?
If you run a GPResult from OU1, do you see anything that might help?
wullieb1 Moderator March 23, 2018 at 3:30 am #245748
Are computers in OU1 in the same subnet as OU2?
Do both OU’s receive the exact same GPO??
March 23, 2018 at 7:00 am #391461
1. DFS running on Windows 2008r2
2. Domain DFS
3. Separate Forests
5. Yes. I blocked inheritance to OU3 and then linked ALL the GPO’s from OU1 to OU3
I run a GPRESULT on the user's desktop and I see ‘local policy’ listed as an applied GPO.
I compared the local security policies of Computer1 and Computer2 while in their ORIGINAL OU’s and saw nothing that would indicate a conflict of security that could cause this issue.
One item of note, User1 on Computer1 was accessing a standard share in DomainB on a Windows 2003 server. We decommissioned that share to migrate away from 2003 in favor of DFS. There were no other changes to her environment, but now she can’t get to the DFS shares whereas before, she was able to access a regular Windows share in DOMAINB.
March 23, 2018 at 7:58 am #391462
wullieb1;n516551 wrote:
Are computers in OU1 in the same subnet as OU2?
Do both OU’s receive the exact same GPO??
Different subnets (xx.xx.138.xx, xx.xx.140.xx) but same vlan
Yes, I blocked inheritance and applied the SAME GPO’s to OU3 as on OU1
Firewall is NOT blocking any of this traffic.
March 26, 2018 at 7:34 am #391463
I moved the computer to MULTIPLE department OU’s. The only one in which it works is the one for our Infrastructure team.