EricGurevitz-0824 asked mschiavon commented

"Network access is denied" when using DFS links

We have users who are receiving "Network access is denied" when trying certain DFS links.

  1. It works when on the office network.

  2. If the user starts at the office, puts their laptop to sleep, goes home and connects via VPN, it still works.

  3. If the user shuts down and starts from power off at home, connects to the VPN, it fails with "Network access is denied".

  4. The users can connect directly to the NetApp hosting the share that the DFS link is pointing to at all times.

All of the denied links are pointing to one NetApp.

What does the error "Network access is denied" mean? What should we check?

Thanks for all the help in advance.
Eric



windows-server windows-10-network windows-server-storage

1 Answer

mschiavon answered mschiavon commented

You have a DNS problem because by default, a Microsoft Distributed File System Namespace (DFSN) root referral reply to a DFS root referral query is in NetBIOS name format (\\<Server>\<Share>).

So, you have to enable FQDN for DFS. Open PowerShell and do:

1) Obtain the list of all namespaces

Get-DfsnRoot -ComputerName YOURSERVERNAME | Where-Object Type -NotMatch "Standalone"

2) Remove all DFS namespaces

Remove-DfsnRootTarget -TargetPath OBTAINEDInStep1

3) enable the FQDN

Set-DfsnServerConfiguration -ComputerName YOURSERVERNAME -UseFqdn $true

4) Restart the DFS service:

Stop-Service dfs; Start-Service dfs







Is 2016 still using NetBIOS referrals?
I also found IPsec errors on the client. Is IPsec used? This is working from the office and for others on the VPN. Only a few get the error.

0 Votes 0 ·

Yes, it is ... see this KB


By the way, if it works from the office, and for others from the VPN, I think that it isn't a NetBIOS problem (I think) but probably a routing problem.
Have you checked whether those for whom it does not work have the same subnet as your servers? If so, they can't reach your systems (DFS) because your users (some of them) have an overlapping subnet.

To be clear, if at home I have 192.168.1.x/24 and your servers also have the same subnet, 192.168.1.x/24, in this case DFS doesn't work because the remote clients cannot reach the DFS network.

You have only one way, which is to "force" routing of all the traffic through the VPN, but it is necessary that your firewall (which provides the VPN service) does it. For example, WatchGuard does it (see this).


0 Votes 0 ·
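
A way to test both hypotheses raised in this thread (short-name referral targets and an overlapping home subnet) from an affected client, as an added example that is not part of the original answer or comments. It assumes the DFSN cmdlets (RSAT) are installed on the machine where it runs; `Get-DfsTargetHealth` is a hypothetical helper name and `YOURSERVERNAME` is the same placeholder used in the answer.

```powershell
# Added example. Assumes the DFSN (RSAT) and NetTCPIP modules are available.
function Get-DfsTargetHealth {
    param([Parameter(Mandatory)] [string] $NamespaceServer)  # e.g. YOURSERVERNAME

    # Whether this namespace server hands out FQDNs in root referrals.
    $useFqdn = (Get-DfsnServerConfiguration -ComputerName $NamespaceServer).UseFqdn

    # Collect root targets and folder (link) targets of every non-standalone namespace.
    $targets = foreach ($root in Get-DfsnRoot -ComputerName $NamespaceServer |
                                 Where-Object Type -NotMatch 'Standalone') {
        Get-DfsnRootTarget -Path $root.Path
        Get-DfsnFolder -Path "$($root.Path)\*" -ErrorAction SilentlyContinue |
            ForEach-Object { Get-DfsnFolderTarget -Path $_.Path }
    }

    # \\server\share -> server; one row per distinct server named in a target.
    $servers = $targets | ForEach-Object { ($_.TargetPath -split '\\')[2] } |
               Sort-Object -Unique

    foreach ($server in $servers) {
        # -DnsOnly: skip LLMNR/NetBIOS fallback so only DNS resolution is tested.
        $ip = Resolve-DnsName -Name $server -Type A -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.IPAddress } |
              Select-Object -First 1 -ExpandProperty IPAddress
        $tcp = if ($ip) {
            Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            NamespaceUseFqdn = $useFqdn
            TargetServer     = $server
            IsFqdn           = $server -like '*.*'
            ResolvedIP       = $ip
            # Interface chosen for the route: the local LAN adapter here instead
            # of the VPN adapter points at an overlapping home subnet.
            Interface        = $tcp.InterfaceAlias
            SmbReachable     = [bool]$tcp.TcpTestSucceeded
        }
    }
}

# Run from an affected client while connected to the VPN.
Get-DfsTargetHealth -NamespaceServer 'YOURSERVERNAME' | Format-Table -AutoSize
```

A row with `IsFqdn` false and an empty `ResolvedIP` fits the name-resolution explanation; a row that resolves but shows a non-VPN `Interface` or `SmbReachable` false fits the routing explanation.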