This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 6%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Dear community,
TL;DR: two problems: Unable to contact Active Directory to access or verify claim types & central policy tab missing. Servers can reach each other when for example I ping them or search for AD users.
I'm setting up an environment with (a.o.) a Domain Controller and File Server and am running into an issue I hope you can help with. I'm trying to use Claim Types to specify access to SMB shares but keep running into the error 'Unable to contact Active Directory to access or verify claim types'. This occurs when I try to set a condition on a folder which is used as an SMB share.
My test setup looks as follows:
I've followed the steps as outlined on https://learn.microsoft.com/nl-nl/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-and also consulted https://learn.microsoft.com/nl-nl/windows-server/identity/solution-guides/appendix-b--setting-up-the-test-environment
I've set up a Department Claim type, for now left the resource properties as they are as the departments I needed for now were already present. I created a Central Access Rule and Central Access Policy, applied the CAP through group policy, enabled support for claims, and deployed the policy.
In the advanced security settings > add screen for my SMB share, I can reach the DC without any issues to select a principal, but in the bottom under conditions I'm getting the error 'Unable to contact Active Directory to access or verify claim types'. Oddly enough, in the advanced security settings screen of the folder also the central policy tab is missing.
For good measure I ran gpupdate /force again, rebooted the servers, disabled the firewall on the DC, but still no luck. Does anyone have an idea where I'm going wrong?
ps: tried to add tags that better described this topic, but anything related to smb, file server, dc seemed to not work.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 46%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYD%3C/text%3E%3C/svg%3E)
Hi,
I would like to check if the issue has been fixed? If yes, please help accept answer, so that others meet a similar issue can find useful information quickly. If you have any other concerns or questions, please feel free to feedback.
Best Regards,
Danny
Hi,
I would like to check if the issue has been fixed? If yes, please help accept answer, so that others meet a similar issue can find useful information quickly. If you have any other concerns or questions, please feel free to feedback.
Best Regards,
Danny
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 87%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
I don't know if this pertains to your instance or not. We had an on premise domain controller issue, so we updated the DNS to a different domain controller/AD. The VM's we have in Azure had network security per VM set with custom DNS. Although we updated the IP to the new domain controller and applied changes, IPCONFIG /FLUSHDNS did not enable the VM to see the new domain controller IP for DNS. Our file share was throwing the same error. Then I saw a brief message in Azure that in order for the server to take the DNS changes, the server had to be rebooted. After was able to perform a server reboot, the error went away and we could share the folder via IP. The new IP was reflecting in the server DNS. It's possible your DNS on the server is pointing to an old/invalid DNS server. Thus unable to connect to your AD. I hope this helps someone.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more