DFS shares not available over VPN
Posted by bluecopp3r@reddit | sysadmin
Greetings all.
I recently set up DFS in an environment and noticed that the shares aren't accessible over VPN. Interestingly, though, if I browse the share on the specific server, that is accessible. So for clarity:
\\domain.local\namespace\share - not accessible
\\server\share - accessible
Any ideas about what might be causing this? Could it be DNS-related? I'm trying to locate the log files for the error for the failed connect attempt to see if that sheds some light.
Draptor@reddit
Sounds like a name resolution issue. Like the DFS nameservers (like DNS for DFS) aren't being passed along, or not accessible.
Basically, there's nothing to say "Hey computer, when someone selects \\domain.local\namespace\share route them to \\server.domain.local\share"
bluecopp3r@reddit (OP)
Interestingly, when I connect to the VPN and immediately try accessing the mapped drive, it opens. After a few seconds it's no longer accessible.
Draptor@reddit
Are you still on the company LAN when you perform that test? It can take a few seconds for the VPN to fully... engage.
bluecopp3r@reddit (OP)
No, all the testing has been done from home.
tysonisarapist@reddit
Did you ever resolve this? I am experiencing the same thing.
bluecopp3r@reddit (OP)
Not as yet. Still troubleshooting. Seeing that it's only affecting VPN users, I'm suspecting DNS resolution.
bluecopp3r@reddit (OP)
UPDATE: Unfortunately, I still haven't resolved this issue, at least the way I want it. I did find a workaround. So the domain for this environment is in a subdomain format, sub.domain.local. As expressed before, while in office there is no issue accessing shares with \\sub.domain.local\folder, but when connected externally over the VPN it doesn't work. I realized the other day that shares are accessible over the VPN if I only use \\sub\folder. So I have updated all shares in group policy to this format and all is working. Thanks to everyone who took the time to help me troubleshoot.
Unable-Entrance3110@reddit
This could have something to do with IPv6 and local routing tables.
Try turning off IPv6 on the local interface and test again.
I have been noticing that users who utilize hotspots have been having a disproportionately higher amount of problems mapping network drives over our VPN solution.
I found that it came down to split tunnel routing issues with IPv6. As in, the interface is preferring IPv6 over IPv4.
There is a registry work-around that you can use. I have found that using the 0xFF setting is most reliable, YMMV.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
bluecopp3r@reddit (OP)
I disabled IPv6 in the local interface but no change.
Unable-Entrance3110@reddit
Lame. Sorry it didn't work.
ithium@reddit
When you created the DFS share, you have an option for NTFS permissions (I can't recall the name) but you can choose between new NTFS permissions (DFS management) or local ones (i.e., the ones from your local share).
bluecopp3r@reddit (OP)
Yes I recall choosing the option to inherit the permissions from the local share. When I'm in the office the drives are accessible as expected. I'm just having the issue when I'm out of the office and connected over the VPN. "Network path not found"
TrippTrappTrinn@reddit
Are the namespace servers available over VPN?
bluecopp3r@reddit (OP)
Yes. I can access the namespace using \\server.domain.local\namespace\ but I can't access the namespace via \\domain.local\namespace\
TrippTrappTrinn@reddit
When you use the server name you are not using the namespace. You need to ensure that all namespace servers can be accessed from VPN.
bluecopp3r@reddit (OP)
Using dfsutil it shows the referral server as \\server.domain.local\namespace\. However, when I check the properties of the mapped drive, the DFS tab has the referral list as \\server\share. I would expect it to show \\server.domain.local\namespace\share
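
An added example, not posted by anyone in the thread: a PowerShell check to run on a VPN-connected client, covering the points raised above (does the domain name resolve, does every host behind it and every namespace server accept SMB through the tunnel, and what referrals are cached). `domain.local` and `server` are the thread's placeholders, and the parameter and function names are chosen for this example.

```powershell
# Added example. Run from a client while connected to the VPN.
param(
    [string]  $DomainFqdn       = 'domain.local',   # placeholder from the thread
    [string[]]$NamespaceServers = @('server')       # short names; placeholder
)

function Test-Smb([string]$Name) {
    # Resolve first so a DNS failure is reported separately from a blocked port.
    $addr = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if (-not $addr) {
        return [pscustomobject]@{ Name = $Name; Address = $null; Smb445 = $false; Interface = $null }
    }
    foreach ($ip in $addr) {
        $t = Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue
        # InterfaceAlias shows whether the traffic left via the VPN adapter.
        [pscustomobject]@{ Name = $Name; Address = $ip; Smb445 = $t.TcpTestSucceeded
                           Interface = $t.InterfaceAlias }
    }
}

# The domain name resolves to domain controllers; the client asks one of them
# for the referral, so each address returned must accept SMB through the tunnel.
$rows = @(Test-Smb $DomainFqdn)

# A referral may name a namespace server by short name or by FQDN,
# so both forms must resolve and connect from the VPN side.
foreach ($s in $NamespaceServers) {
    $rows += Test-Smb $s
    $rows += Test-Smb "$s.$DomainFqdn"
}
$rows | Format-Table -AutoSize

# Show the referrals the client has cached, if dfsutil is installed.
if (Get-Command dfsutil.exe -ErrorAction SilentlyContinue) { dfsutil /pktinfo }
```

A row with no address points at DNS or the suffix search list pushed by the VPN; a row with an address but `Smb445` false points at routing or firewall rules for that host.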