Discussion:
access denied on dfs link on XP client
late
2005-07-03 19:07:42 UTC
Hi,

I am setting up DFS for 2 sites. Site 1 contains the only (W03-SP1) DC
that also hosts the DFS root \\mydomain\user. The link
\\mydomain\user\home points to 2 targets:
\\DC\home1 is located on the DC, and \\xp\home2 is located on an XP-SP2
domain client in site 2.

Problem: when logged on to that XP client as domain admin, I can only
access the target on site 1 but not the local one on site 2 even though
it points to a share on itself and I can access the share by \\xp\home2
just fine. If I force the selection of the local target (by \insite), I
get a "\\mydomain\user\home is not accessible. You might not have
permission to use this network resource...The network path was not
found."

This problem does not occur when logged on to the DC (where I can
activate any of the 2 targets as long as \insite is disabled) or, when
I replace the XP client by a W03 member server in site 2. I opened up
all shares and file access to everyone just to be sure that it is not a
trivial permission problem and turned off all Firewalls.

Any idea?
late
2005-07-04 16:01:55 UTC
Hi again,

let me rephrase the problem: Domain DFS shares pointing to a target
that sits on a Windows XP Prof client are inaccessible locally.

That has a fairly dramatic implication: when you log on to that XP
machine, you cannot access the share by its DFS name, only by its local
share name. This problem is nonexistent on a member server.

Does anybody know how to solve it?

Thanks,
Paul Williams [MVP]
2005-07-04 17:17:02 UTC
I'm wondering if the XP client isn't registering in DNS. Can you check? I
would expect to see a registration under _msdcs under the site name? Can you
clarify? I've never tried using a client as a link member, and haven't
played with non-SYSVOL Dfs for some time...

Otherwise, are you certain this is supposed to work on a client? Have you
verified whether the Dfs service is running (there are configurable options
in the registry for it)?
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
late
2005-07-04 19:46:46 UTC
Paul, many thanks for responding, I greatly appreciate your help.

Let me make sure we consider a well-defined case: single W03 domain
with single site, one DC, 2 W03 member servers (MS1,MS2) and 2 XP
domain clients (XP1, XP2). I start the Dfs service on MS1 that hosts
the domain-based root target \\mydomain\home with link
\\mydomain\home\user that points to \\XP1\localshare1 and to
\\XP2\localshare2.

The Dfs service is not running on XP1 nor XP2, but XPs can host target
links and act as Dfs clients. Indeed, on XP2, \\mydomain\home\user
takes me to the active link \\XP1\localshare1 just fine but *not* to
\\XP2\localshare2, i.e. the Dfs link fails locally. To be precise, I
cannot activate the link \\XP2\localshare2 in the Dfs-property tag of
\\mydomain\home when logged on to XP2.

On MS2, Dfs is not running either but I can repeat this procedure and
can access a local referral without any problem.

XP1 and XP2 register ok with DNS, if I run nslookup on them for
_ldap._tcp.dc._msdcs.mydomain, it returns my DC = DNS server OK, if
this is what you were asking. All machines are well connected, dcdiag
on DC shows green.

Are you saying I need to get Dfs started on XP2?

Thanks, Peter
Glenn LeCheminant
2005-07-05 02:37:39 UTC
Late,

I just did some tests.
W2K3 server SP1 does not have this problem.
There does not seem to be anything wrong with the referral.
The caches look the same in comparison with XP and W2K3.
This is probably a limitation in mup.sys in XP SP2.
It appears the latest mup.sys bits are in KB893231.
I'll get a copy of this and test on my XP VM.
--
Glenn LeCheminant
CCNA, MCSE 2000/2003 + Security
late
2005-07-05 13:39:02 UTC
Glenn, thanks for pointing to this hotfix KB893231.

I installed it on my XP1 and XP2 (to stick to my example above),
unfortunately to no avail. No local share can be accessed via its dfs
path on any XP-SP2 box.

All of my servers are W2K3-SP1. I agree there is no problem on any
server, DC or member server, and local as well as remote referrals work
just fine there. The problem is only on XP-SP2 but this is very
relevant for small, serverless offices with slow links. I am getting
this problem in 3 different environments so it's either a bug or I am
doing something consistently wrong.

Peter
Glenn LeCheminant
2005-07-05 17:24:25 UTC
I installed the fix on my XP VM.
No change.
So either I am doing the same thing wrong that you are, or you have
uncovered a bug.
Probably a bug.
--
Glenn LeCheminant
CCNA, MCSE 2000/2003 + Security
late
2005-07-08 18:56:09 UTC
It's not a bug but said to be a security feature. Jill Zoeller has
found a solution in this very newsgroup last Sep: under the key
HKLM/System/CurrentControlSet/Services/Mup/Parameters, one must set a
registry value "EnableDfsLoopbackTargets" to 1. Sorry about not finding
out earlier.
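
The registry change described in the post above, as an added example that is not part of the original thread: a PowerShell script that reports the current value on a client and writes it only when called with `-Enable`, so the change to a setting the post calls a security feature is deliberate and logged. The key path and value name come from the post; the REG_DWORD type, the `-Enable` switch and the helper function names are assumptions.

```powershell
# Added example, not from the thread. Key path and value name come from the
# post above; the REG_DWORD type and the -Enable switch are assumptions.
param(
    [switch]$Enable   # without -Enable the script only reports the current state
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup\Parameters'
$name = 'EnableDfsLoopbackTargets'

function Get-LoopbackSetting {
    # Returns the current value, or $null when the key or the value is absent.
    if (-not (Test-Path $key)) { return $null }
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$name
}

function Format-Setting($value) {
    # Distinguish "value missing" from an explicit 0 in the report line.
    if ($null -eq $value) { return 'not set' }
    return [string]$value
}

$before = Get-LoopbackSetting
Write-Output ("{0}: {1} = {2}" -f $env:COMPUTERNAME, $name, (Format-Setting $before))

if ($Enable -and $before -ne 1) {
    try {
        # Create the Parameters key first if this machine does not have it yet.
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force -ErrorAction Stop | Out-Null
        }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 `
            -Force -ErrorAction Stop | Out-Null
    } catch {
        Write-Error "Could not write $name (HKLM needs an elevated session): $_"
        exit 1
    }
    # Re-read rather than assume, so the log line reflects what is in the registry.
    $after = Get-LoopbackSetting
    Write-Output ("{0}: {1} changed from {2} to {3}" -f `
        $env:COMPUTERNAME, $name, (Format-Setting $before), (Format-Setting $after))
}
```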
Paul Williams [MVP]
2005-07-11 22:22:30 UTC
Nice follow up. Thanks!
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net