Cannot access share when DC not available 1

[fabsnabs]

Hello,

I have two offices..
Office A has a Win2k3 domain controller, office B has a member 2003 Server with shares on.

Both offices are connected via always on VPN. All computers and servers are connected to a single AD domain/forest.

When the VPN goes down, the users in office B cannot access the shares on the server in office B.
They get the "You might not have permission to access this network resource, No logon servers available" error.

The Server in office B is a secondary DNS zone which serves DNS requests for users in Office B.

All clients in office B have their primary DNS pointing to the server in Office B, and secondary to the DC in office A.

I am stumped.

Any ideas or advice would greatly appreciated, thanks in advance.

 

[Davetoo]

Without the DC, there is nothing to authenticate your users.

DCPROMO the server in office B.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[Roadki11]

After you make the office B server a DC make sure its a GC also.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[Roadki11]

And since the two DC's are geographically separated you will probably want to setup sites and services and subnetting as well.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[fabsnabs]

Thanks for the replies.

I'm not keen on making the server a DC for security reasons.
I want to keep it a member file server only.

The users are ok logging on as per cached credentials. I thought cached credentials or something similar would allow them to open the shared files also?

Thanks
Phil

 

[Davetoo]

Nope. If you don't make it a DC/GC, then you're stuck dealing with your current problem. You can't have it both ways.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[teqmod]

If you do not want a DC in your remote office you should at least think about a second DC in office A for when the one DC is down. This of course will not help office B if the connection goes down for any reason.

 

[kythri]

If your file server in office B is promoted to a DC/GC, isn't that going to wonk things up severely due to disabling write-caching?

 

[pagy]

What exactly are your security concerns with making the server in your remote office a DC? Perhaps we can offer some suggestions that might negate your concerns..

Paul
VCP4

https://www.mcpvirtualbusinesscard.com/VBCServer/PaulP/profile

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

http://www.faqs.org/rfcs/rfc2795.html

Difficult takes a day, impossible takes a week

 

[fabsnabs]

Hi all,

Thanks for your replies.

The branch office is in a very remote location, internet access is intermittant so the VPN between them and us goes down regular. When this happens they cant access any shares on their local file/print server.

I dont want to promote tghe lcoal file server to a DC as the actual physical server itself is not very secure, anybody can get to it, and if they obtain access they could potentially get access to AD objects.

I am thinking of replacing it with a NAS box, that can connect to a windows domain, and deploy the same shares locally, but after hearing that I need a local DC/GC to access any shares on a device on the local LAN then im unsure.

I was unaware of such an awkward limitation to Microsoft Windows networking, for branch offices with unreliable internet connections you would think Microsoft would have a mechanism in place to support this???

Thanks

 

[Davetoo]

Why is it always Microsoft's fault when users try to do something the software is not designed to do?

That one always gets me.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[pagy]

For security you could encrypt the server's drive using truecrypt (I don't know if there any issues using truecrypt on a DC), or if you could move to 2008 you could use bitlocker encryption, also if using 2008 you could have a read only domain controller at the remote site..

The problem is here is that the users in the remote office have nothing to authenticate to if that WAN link is down, if they can't authenticate then they can't access the shares..

You'll have the same problem with a domain joined NAS device

You either need a DC locally to them to do the authentication or have a reliable WAN connection

Paul
VCP4

https://www.mcpvirtualbusinesscard.com/VBCServer/PaulP/profile

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

http://www.faqs.org/rfcs/rfc2795.html

Difficult takes a day, impossible takes a week

 

[fabsnabs]

Thanks again, all ...

Read only DC! fab! that'll do the trick, forgot about that one. thanks Pagy.

Davetoo - It seems Microsoft did address those concerns users might have with physical security of a DC in a branch office, and created Read Only DC's in 2008. It's easy to see a weakness in any application, and "label" blame on the manufacturer, Microsoft or not, but more often than not a solution or workaround will be made available.