VPN + Domain Cached Profiles

Posted by Deque (Limp Gawd, joined Jun 1, 2004, 484 messages)
Hey everyone,

This is an incredibly strange situation, and I am not a network guru or a Windows Server 2003 guru, so I'm unsure of where to focus my troubleshooting efforts, or if I should get Microsoft involvement.

We have three sites and a hosting facility where all of our central servers are located. Let's call the sites A, B, and C. A, B, and the hosting facility are all on the same WAN. You can login to the domain, access domain network resources (file shares) and everything is good. Site 'C' is not connected to the WAN, but they have domain user accounts and computers that have previously been logged into the domain while the users were on site. They login with their "cached" domain accounts perfectly fine. Then they connect to the VPN with the same domain accounts. They are connected, because the VPN connection says so, and they are able to ping network resources by name and by IP address. They cannot access network shares. Running "net view \\SERVERNAME" gives an Access Denied message, even though the user should have rights to read/write. For example, if SERVERNAME was the name of one of our domain controllers, they should at the very least see the sysvol and netlogon shares, but they are unable to do so. They receive the Access Denied message.

To further complicate matters, this all works fine from everywhere other than Site 'C'. If they take their laptops home, they can connect fine with no issues.

Now here comes the strange part that I cannot explain: If I setup a WebEx to try to troubleshoot this issue remotely, it works fine every single time. I've verified that it's not an end user error because I had the user type the command "net view \\SERVERNAME" in the command prompt before I setup the WebEx, get the error and leave it on the screen. After I connected to WebEx, I saw the command they typed, saw the error and typed the command again but I see the listed shares fine. This happens every single time, and it makes it incredibly difficult for me to troubleshoot the issue if I cannot even see the error first hand.

In two months, they will be relocated to a different location that will be a part of our WAN, and our hope is that this same issue will not exist there. We have about 50 users who access our resources using VPN every single day, and we have never had an issue other than issues with the users at site 'C'.

Has anyone seen a similar issue, or have any ideas for troubleshooting steps so that I can test to narrow down the problem?

I apologize in advance for any terminology that I may be using incorrectly. If you need clarification on anything, just let me know. Thanks!
 
So you are saying Site C people cannot access resources through VPN? Is it one person or everyone?

If everyone, then you should check your server's settings. I mean, check whether Site C is authorized to dial in. How have you set up your user accounts? Do you have a separate OU (Organizational Unit) for Site C with all the users in it?
 
So you are saying Site C people cannot access resources through VPN? Is it one person or everyone?

If everyone, then you should check your server's settings. I mean, check whether Site C is authorized to dial in. How have you set up your user accounts? Do you have a separate OU (Organizational Unit) for Site C with all the users in it?

Hey annaconda,

Site C people cannot access resources consistently. From their responses, it seems as though, more often than not, they are unable to access network shares. It's not just network shares though; they get an error trying to connect to a server using Remote Desktop ('mstsc'). The error is as follows:
"The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator."
Remote connections are certainly enabled, and I get the feeling that the issue lies with the third reason.

They are able to access shares and use Remote Desktop fine after I connect to them with WebEx. I can then disconnect from the WebEx session and they can use the resources perfectly fine until they reboot their computers.

If everyone, then you should check your server's settings. I mean, check whether Site C is authorized to dial in.
When you say check the server's settings to ensure that 'Site C' is authorized to dial in, what do you mean?

How have you set up your user accounts? Do you have a separate OU (Organizational Unit) for Site C with all the users in it?
The users exist in the same domain forest, but in a separate OU. I haven't done much troubleshooting on the group policy settings in that OU because like I said, they can connect fine after I connect with WebEx, but if you have any suggestions on where to look, I'll be more than happy to look into it.
 
How is your VPN setup?

Are your clients going through a server that has RRAS on it and connecting to another server back at your HQ? Or does each of the clients connect back to HQ directly?

If you've got an RRAS server in the middle, make sure that you are using the proper usernames and passwords for the rules. You'll also want to make sure each of the users has the proper rights to initiate the connection.

It almost sounds like once the VPN is established, they're good to go. But until the VPN is established, they have problems.

I'm thinking your network looks something like this:

[(Site A,B) RRAS Server] ================== [(Site C) RRAS Server]

If Sites A and B can connect and talk to Site C, but Site C can't initiate the connection, you might not have defined the on-demand rules properly. Check the username that you specified to connect. I don't remember what the "gotcha" was, but there was something regarding the username that made it easy to break at this point. Then check to make sure that your users at Site C have rights to initiate the dial rule to establish the connection.

Of course, I could be totally wrong on the setup as there are 50 bazillion ways to configure VPN. :)
 
Now you have said Site C can access resources sometimes; that means they have dial-in enabled for each user. So forget about that, but you mentioned this error message:

The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try connecting again later. If the problem continues to occur, contact your administrator.

I think the problem lies in your router, because your router has a limited number of NAT entries. It means that when so many connections are enabled, your router runs out of its limit to allow each new user a new IP address. Correct me if I am wrong, please.

I hope nobody is using a P2P program (e.g. torrents) on that site.
 
I think the problem lies in your router, because your router has a limited number of NAT entries. It means that when so many connections are enabled, your router runs out of its limit to allow each new user a new IP address.

Jason Isom, when the users told you they couldn't connect to the server, did you have them try to ping it?
 