W2K3 Shares Missing if connecting via VPN or WiFi

Status
Not open for further replies.

grncomputing

IS-IT--Management
Feb 16, 2006
3
GB
Hi,

We have a slightly weird problem that has been kicking about MS support for about 4 weeks now without resolution, so I am looking for an inspired suggestion!

We have 4x 2K3 servers on this site, all of which are "domain controllers" for our AD. We also have some NT4 servers which are legacy machines running Exchange 5.5 until we are ready to migrate to Exchange 2003. All the clients are XP SP2 and SP1. The problem occurs about 4 times in every 10 logins.

The issue is as follows. If a computer connects via VPN into a router, or into one of the servers running the VPN service, or connects via wireless into the LAN, shares on the servers are intermittently missing. When this occurs a "net view servername" returns no results. But it is possible to ping the servers by name and IP address.

This also does not afflict one of the servers, i.e. its shares are always visible. This happens to be the first one installed and the master DNS server - is this related?

Microsoft have taken lots of logs, run tests on DNS etc., and supplied various hotfixes and registry fixes for both the clients and the servers, to no avail. Nothing appears to be wrong.

My observation is that the problem occurs if the user logs on to their computer before connecting to the network, i.e. in the case of a VPN the user logs on to their laptop, then creates a VPN to the network. With WiFi the connection is created after the user logs on. Also, if a user logs on with the network cable disconnected and then the cable is connected, the same symptoms can occur.

I am wondering if this is to do with cached login credentials, though no Access Denied errors are returned, just resource not available.

Any suggestions would be gratefully received, and free brownie points for beating MS support!!

Cheers
 
Is there one of your machines in the domain that's not got a route to the VPN user's subnet? I can imagine that if you've got 3 DCs and one doesn't know how to talk with the VPN users, that 33% (almost 4 in 10) of the time the VPN users are going to be hitting that server for their login script, not getting it, and not mapping drives as a result.

Please have Microsoft forward their support fees to Tek-Tips if this is the fix and they couldn't find it. Also let me know and I'll send in my resume to them. :)
 
Thanks for your suggestion Compuveg,

Sorry, should have mentioned this in my original post, all the machines in question are on the same subnet.

Just to clarify, the drives appear in "My Computer" as though they are mapped, but they do this even when the XP machines are off the network. The issue is that if the user tries to view the contents they just get a blank window. If you try to map to a share from a command prompt then you get a resource not available error. Doing a DIR of a mapped drive letter also results in resource not available errors.

Cheers

 
If the users are coming in via a VPN they are most likely not on the same subnet.

I would expect the same to be true for well-configured wireless, though my home network has wired/wireless on the same subnet.
 
How many VPN appliances? Are they load balanced? Do they both have the correct ports open for Kerberos auth?
 
Hi and thanks for your comment.

The VPNs used to be created by a pair of "dumb" Draytek routers, one of which also handles the WiFi (only about 3 people use it in the building). However, they are now managed by a single Windows 2K3 member server, with the remote access component installed. The remote users are allocated an IP address using an IP relay and the VPNs are definitely on the same subnet as the servers. I have checked using ipconfig on the remote computer.

The following ports are open for Active Directory and Kerberos: 389/TCP, 389/UDP, 3268/TCP, 88/TCP, 88/UDP.

This was also the case with the Drayteks. However, as I mentioned, but perhaps didn't explain clearly, the fault can be duplicated in the following way :-

1) Take any normal desktop in the same building, connected to the same (non managed) switch as the servers.
2) Disconnect the network cable.
3) Switch on the PC, and log in.
4) After a few minutes reconnect the network cable without doing anything else.

About 70% of the time shares will start working correctly as soon as the cable is connected. However, the remainder of the time the "resource not available" error will occur, even though it is possible to ping the server by name or IP address. In this case VPN or WiFi is not involved so I'm not convinced that they are the source of the problem.

We have seen this MS Hotfix
but this did not help.

I would welcome your further thoughts!
 
Ok this problem has been bugging me (and you I'm sure) since I first read it. This is what I think - it may be way off but I'm sure you are open to all suggestions at this stage.

I think it may have to do with the Global Catalog server!
Are you using one or many domains?
Are you using Universal Groups? Are the users trying to connect to these shares part of universal groups assigned to the shares?

Unless you have changed it manually, the only server that is not having problems with shares is also running the Global Catalog Server - it gets installed by default on the first server. I think that when you try and connect to a share after you have already logged into the machine and it tries to authenticate you, it sometimes can't contact the GC server and therefore the share fails to display.

One thing you can try is to move the GC to another one of your Domain Controllers and see if that then becomes the only DC to work OK.

Just a thought.
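
An added example, not written by any poster in this thread: a per-server TCP check covering the AD/Kerberos ports listed earlier and the Global Catalog port raised in the post above, to show which servers answer on SMB, Kerberos/LDAP and 3268 while ping succeeds but shares are missing. The SMB ports 445 and 139 and the server names are assumptions; the thread does not give them.

```python
import socket

# TCP ports the thread lists as open for Active Directory and Kerberos.
# (88/UDP and 389/UDP are also listed; UDP is not probed here.)
AUTH_PORTS = (88, 389)
GC_PORT = 3268            # answered only by a DC hosting the Global Catalog
# Assumption: 445 and 139 are the standard SMB ports that "net view" and
# drive mappings need; the thread never says whether they were checked.
SMB_PORTS = (445, 139)

def probe(host, ports, timeout=2.0):
    """Try a TCP connect to each port; return {port: True/False}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:      # refused, timed out, unreachable, name not resolved
            results[port] = False
    return results

def classify(results):
    """Turn one server's probe results into a short diagnosis."""
    if not any(results.get(p) for p in SMB_PORTS):
        state = "smb-unreachable"        # ping can work while this fails
    elif not all(results.get(p) for p in AUTH_PORTS):
        state = "auth-unreachable"       # Kerberos or LDAP not answering
    else:
        state = "reachable"
    return {"state": state, "global_catalog": bool(results.get(GC_PORT))}

def survey(servers, timeout=2.0):
    """Probe every server; run once on a working and once on a failing login."""
    ports = AUTH_PORTS + (GC_PORT,) + SMB_PORTS
    return {s: classify(probe(s, ports, timeout)) for s in servers}

if __name__ == "__main__":
    # Hypothetical server names; replace with the site's four DCs.
    for server, report in survey(["DC1", "DC2", "DC3", "DC4"]).items():
        print(server, report)
```

Comparing the output from a session where the shares work with one where they are missing shows whether the failure is at the TCP level or higher up, in authentication or name resolution.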
 