File Sharing / Network Resources

  • Question

  • We have a Windows 2008 server acting as a read-only domain controller and file sharing server at a branch office. When the office loses its Internet connection, users can no longer access the shares on this server. As soon as the Internet connection is back, the resources are once again available. No error message is provided at all. It simply creates a blank white window and never populates with anything. Any ideas would be greatly appreciated!

    Their shortcuts to these shares are set up as \\IP Address\Share, so it is not a DNS issue.

    Thank you
    Wednesday, February 4, 2009 7:45 PM

Answers

  • Hi mpapier,

    According to the description, I personally suspect this issue may be related to the default behavior of the Password Replication Policy on the RODC, which results in the failed authentication of the user credentials.

    Analysis:

    By default, an RODC does not store account credentials except for its own computer account and a special krbtgt account for that RODC.

    When only users from the branch are encompassed by the allow list, the RODC is not able to satisfy requests for service tickets locally, and it relies on access to a writable domain controller to do so. In a wide area network (WAN) offline scenario, this condition probably leads to a service outage. Since accessing the shared folder on the file server attempts to authenticate the user's credentials, this may be the reason why the users in the branch office fail to access the share in this case.

    Suggestion:

    You may need to explicitly allow any other credentials to be cached on that RODC, including the appropriate user, computer, and service accounts, in order to allow the RODC to satisfy authentication and service ticket requests locally so that the users can be authenticated on the RODC in the event of a WAN link failure.

    If the Password Replication Policy allows the user account credentials to be replicated from the writable domain controller to the RODC, and the RODC caches them, then after the credentials are cached on the RODC, the RODC can directly service logon requests for that account until the credentials change.

    For more detailed steps, please refer to:

    Password Replication Policy Administration

    http://technet.microsoft.com/en-us/library/cc753470.aspx

    For your reference, I have also included some online documents.

    Reference:

    RODC Features

    http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_pwdcache

    RODC Frequently Asked Questions

    http://technet.microsoft.com/en-us/library/cc754956.aspx

    Hope it helps.

    David Shen - MSFT
    • Marked as answer by David Shen Monday, February 9, 2009 2:52 AM
    Thursday, February 5, 2009 10:14 AM
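As an added example (not from the thread or from Microsoft's documentation), the following script audits the state the answer describes: for a branch RODC it checks whether a set of user and workstation accounts are not only permitted by the Password Replication Policy but actually cached, and prepopulates the ones that are not. It assumes the ActiveDirectory PowerShell module (RSAT / Server 2008 R2 or later) and uses placeholder RODC, hub DC and account names.

```powershell
# Added example (not from the thread): audit whether the branch accounts the
# answer names (users plus their workstations) are actually cached on the RODC,
# so the RODC can satisfy their logons when the WAN link is down.
# Assumptions: ActiveDirectory module available; RODC, hub DC and account
# names below are placeholders for your own environment.
Import-Module ActiveDirectory

$Rodc   = 'GW-SERVER'                 # branch RODC that also hosts the shares
$HubDc  = 'HUB-DC1'                   # writable DC used to prepopulate secrets
$Needed = @('jsmith', 'GW-REG-2$')    # sAMAccountNames: a user and its workstation

# Accounts the policy *permits* to be cached vs. accounts whose secrets have
# *actually* been replicated to the RODC. Only the second list matters for
# offline authentication. (Allowed-list membership via groups is not expanded
# here; only directly listed principals are compared.)
$allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
            Select-Object -ExpandProperty SamAccountName
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
            Select-Object -ExpandProperty SamAccountName

foreach ($acct in $Needed) {
    if ($revealed -contains $acct) {
        Write-Host "OK       $acct is cached on $Rodc"
        continue
    }
    if ($allowed -notcontains $acct) {
        # Not even allowed: add it to the allowed list first. In production,
        # a group such as "Allowed RODC Password Replication Group" is the
        # usual place to put branch users and computers.
        Write-Host "MISSING  $acct is not in the allowed list; adding"
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $acct
    }
    # Allowed but never cached: the secret is only cached at the next logon
    # over the WAN, so prepopulate it now from the writable DC instead.
    $dn = (Get-ADObject -Filter "sAMAccountName -eq '$acct'").DistinguishedName
    Write-Host "PREPOP   $acct allowed but not cached; replicating from $HubDc"
    repadmin /rodcpwdrepl $Rodc $HubDc $dn
}
```

Run it from a management workstation with RSAT while the WAN link is up; re-running it afterwards should report OK for every account, which is the condition the answer says is needed for logons to succeed offline.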

All replies

  • Thank you. After following the information in the article you sent, the user who is logged on does have their credentials stored on the RODC and replication to the Writable DC is configured properly.
    Monday, February 9, 2009 9:34 PM
  • I found the following in my system log on the RODC/File Sharing server during the time without an Internet connection when the share was being accessed:

    Log Name:      System
    Source:        NETLOGON
    Date:          1/29/2009 7:44:10 AM
    Event ID:      5805
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      GW-SERVER.domain.com
    Description:
    The session setup from the computer GW-REG-2 failed to authenticate. The following error occurred:
    Access is denied.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NETLOGON" />
        <EventID Qualifiers="0">5805</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-01-29T12:44:10.000Z" />
        <EventRecordID>17730</EventRecordID>
        <Channel>System</Channel>
        <Computer>GW-SERVER.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>GW-REG-2</Data>
        <Data>%%5</Data>
        <Binary>220000C0</Binary>
      </EventData>
    </Event>

    ---------------------------------------------

    Log Name:      System
    Source:        NETLOGON
    Date:          1/29/2009 7:27:13 AM
    Event ID:      5723
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      GW-SERVER.domain.com
    Description:
    The session setup from computer 'GW-REG-2' failed because the security database does not contain a trust account 'GW-REG-2$' referenced by the specified computer. 

    USER ACTION 
    If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem: 

    If 'GW-REG-2$' is a legitimate machine account for the computer 'GW-REG-2', then 'GW-REG-2' should be rejoined to the domain. 

    If 'GW-REG-2$' is a legitimate interdomain trust account, then the trust should be recreated. 

    Otherwise, assuming that 'GW-REG-2$' is not a legitimate account, the following action should be taken on 'GW-REG-2': 

    If 'GW-REG-2' is a Domain Controller, then the trust associated with 'GW-REG-2$' should be deleted. 

    If 'GW-REG-2' is not a Domain Controller, it should be disjoined from the domain.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NETLOGON" />
        <EventID Qualifiers="0">5723</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-01-29T12:27:13.000Z" />
        <EventRecordID>17727</EventRecordID>
        <Channel>System</Channel>
        <Computer>GW-SERVER.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data>GW-REG-2</Data>
        <Data>GW-REG-2$</Data>
        <Binary>8B0100C0</Binary>
      </EventData>
    </Event>

    Tuesday, February 10, 2009 8:14 PM
  • I am having a similar issue. My User and Computer accounts are cached on the RODC; however, I have access to no resources/file shares when the WAN link is down. I cannot even get to a file share by using the IP address of the file server, so it does not seem like a DNS issue. As soon as the WAN link is back online, all access is again available. It is like the RODC is not authenticating requests from the user.
    Tuesday, February 12, 2013 1:21 PM
  • I had the same problem with my network.

    While the WAN was offline, file sharing didn't work.

    Finally I could fix this problem by making a mapped network drive in the command line environment.

    Create a mapped network drive using the net use command from your shared resource. It worked perfectly for all PCs in my network (Windows XP and Win 7).

    Saturday, May 24, 2014 7:14 AM