Authentication Errors when accessing Win2k domain across VPN

Guest

The domain consists of a Win2k domain controller acting as a global catalog
server, holding all the FSMO roles, and running DNS. An Exchange 2003 server
exists at this central site. A second domain controller running Win Server
2003 exists on the other side of a network-to-network VPN. It is also a DNS
server. The domain is in Windows 2000 native mode. Additional individual
clients access the domain through VPNs.

Recently, all clients connecting through a VPN, whether the
network-to-network or an individual, started failing to access network shares
on the domain. When they try to access mapped drives they get an error
indicating "The local device name is already in use." When they try to access
the resource directly through net use or the Run command, they are prompted
for credentials. When they reenter their domain username and password, they
get an error message indicating "The user name you typed is the same as the
user name you logged in with. That user name has already been tried. A domain
controller cannot be found." Using the administrator account also fails. This
happens even after waiting 20 or 30 minutes after a reboot for the PC to find
a domain controller in the background.

The clients are configured with the IP address of the domain controller for
DNS. They can ping the domain controller by name and browse the Internet.
They can also successfully send and receive email from the Exchange server.
No WINS services are configured. No entries in the Hosts or LMHosts files.
Workstations on the same subnet as the Win2k domain controller are working
fine.

Any ideas on what to check?

Thanks in advance for any help.
 
fcasco

Hi Deb, have you tried to map the network share as \\ip_number\networkshare?
Do the DCs on each side of the VPN have different network addressing,
e.g. Site A: 192.168.0.x / 24
Site B: 192.168.1.x / 24?
As I understand it, the DCs are both from the same domain, same tree, etc.
Correct me if I misunderstood.
Let me know. C u
 
Paul Bergson [MVP-DS]

If this used to work and all of a sudden quit, it sounds like your network
folks might be blocking some ports on you. I would look at downloading
portqryui. Run this port analyzer and select "Domains and Trusts" for the
query and do this from both sides of the network to validate that the
required ports are open and available.

http://www.microsoft.com/downloads/...37-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en

Additional info on portqry, the backend for portqryui
http://support.microsoft.com/kb/832919/

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
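
Added example, not part of the thread and not PortQry itself: a small Python check of the TCP side of what the reply above recommends, reporting the same three states PortQry uses (LISTENING, NOT LISTENING, FILTERED). The port list is an assumed set of common Active Directory TCP ports, not PortQryUI's exact "Domains and Trusts" list, and UDP (DNS, Kerberos, NetBIOS) is not probed.

```python
import socket
import sys

# Assumed TCP ports for domain logon and share access (not PortQryUI's own list).
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
    636: "LDAP over SSL",
    3268: "Global catalog",
    3269: "Global catalog over SSL",
}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port as PortQry does, plus UNRESOLVED for DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"
    except socket.gaierror:
        return "UNRESOLVED"      # the name did not resolve; fix DNS first
    except ConnectionRefusedError:
        return "NOT LISTENING"   # host sent a reset: path open, no service bound
    except OSError:
        return "FILTERED"        # timeout or unreachable: likely dropped in transit


def check_dc(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in sorted(ports)}


def blocked(results):
    """Ports with no answer at all, the usual sign of a firewall or VPN filter."""
    return [port for port, state in results.items() if state == "FILTERED"]


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_dc(dc)
    for port, state in results.items():
        print(f"{dc} TCP {port:<5} {AD_TCP_PORTS[port]:<24} {state}")
    print("Filtered ports:", blocked(results) or "none")
```

Run it once from a working workstation on the DC's subnet and once from a VPN client; ports that are LISTENING locally but FILTERED across the VPN are the ones to raise with whoever manages the firewall or VPN device.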
 
Guest

> Hi Deb, have you tried to map the network share as \\ip_number\networkshare?

Yes, we have tried mapping by IP address, this also fails.

> Do the DCs on each side of the VPN have different network addressing,
> e.g. Site A: 192.168.0.x / 24
> Site B: 192.168.1.x / 24?

Correct, we currently have them on separate subnets.

> As I understand it, the DCs are both from the same domain, same tree, etc.

Yes, we have a single domain forest. Thanks for your response.
 
