DFS Namespace Access from foreign Domains (external Laptop User)

Discussion in 'File Systems' started by Jens kleinhans, Aug 24, 2007.

  1. Hello,

    we have got a DFS Implementation running on W2k3 SP1. Our domain is
    contoso.local
    We have some external colleagues who are using their own laptop in their own
    domain. The external colleagues are loging on tu our Domain (contoso.local)
    with their domain credentials.

    We figured out that drive mapping to our DFS Namespace, e.g.
    \\contoso.local\dfs does not run for those colleagues who are logged on to
    our domain from foreign domains.
    When we try an net use we get the error code 59.
    we can map a physical share without any problem.

    Thank you for your help.
    Jens
     
    Jens kleinhans, Aug 24, 2007
    #1
    1. Advertisements

  2. Jens kleinhans

    Anthony Guest

    Jens,
    You have to look at how they would resolve the server names in the
    referrals. You can work around it with a shared WINS, or changes to their
    DNS to refer to your servers. You could even set up a DFS namespace in their
    domain to link to your shares,
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony, Aug 24, 2007
    #2
    1. Advertisements

  3. Hello,

    we have got hundrets of external collegues and all of them are in ther home
    domain.
    it´s not possible to set a namespace in their domain, because we are not
    responsible in these domains (remember their are external).
    DNS one there external latops is working fine, the can resolve links
    directly to servers but they can´t connect to an dfs link.

    Regards,
    jens
     
    Jens kleinhans, Aug 24, 2007
    #3
  4. Jens kleinhans

    Anthony Guest

    Jens,
    How are they resolving your Netbios server names at present? WINS, local
    browsing? They are logged on to their domain but using your resources: where
    are they logging on from (local, remote) and where do they get their DHCP
    settings from?
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony, Aug 24, 2007
    #4
  5. Hello,

    all Clients (internal and external) are getting their ip adresses from dhcp
    server. usually the externals are logged on to their own domain (which is
    not available). the Clients are able to ping the netbios name of a server
    and also can ping the fqdn. The externals resolving the local servers via
    DNS, they don´t use HOSTS etc.

    Cheers,
    Jens
     
    Jens kleinhans, Aug 24, 2007
    #5
  6. Jens kleinhans

    Anthony Guest

    Jens,
    Have a look at this:
    http://www.microsoft.com/windowsserver2003/techinfo/overview/dfsfaq.mspx#ECRAE
    Does it describe your situation?
    "DFS clients periodically discover new domains in the local forest and in
    trusted forests. This discovery process, which occurs every 15 minutes by
    default, runs against a domain controller from the domain that hosts the
    client's computer account. To avoid real-time queries to domain controllers
    in the domain, the referrals received during the discovery process are
    stored in a special table, called the domain cache or SPC cache. As a result
    of this process, clients can more quickly distinguish queries for fully
    qualified domain names from fully qualified computer names.
    To determine the domains and forests in which a client can access
    domain-based namespaces, you can view the domain cache on a client computer
    by using the Dfsutil.exe command-line tool with the /spcinfo parameter. The
    following text illustrates the output displayed when you use this command."
    It sounds from what you say as though the external clients are logging on to
    their laptops with cached credentials, so they are not connecting to their
    DC at all.
    Anthony,
    http://www.airdesk.co.uk
     
    Anthony, Aug 24, 2007
    #6
  7. Good mornin,

    yes, this is my problem. The laptops don´t discover my domain, they only try
    to discover the foreign (machine) domain. is there are possibility that the
    laptops discover our domain?
    I think that would be the solution.
    Thank you in advance for your help.

    Jens
     
    Jens kleinhans, Aug 27, 2007
    #7
  8. Jens kleinhans

    Anthony Guest

    Jens,
    Can you describe the situation a little more? I think you said there is a
    Trust between the domains, but the laptops are logging on with cached
    credentials. Is that right?
    If the other network is connected (by VPN?) then they can change the Slow
    Link detection on the laptops to make sure they do log on to the domain.
    Then they will be able to see the DFS in your domain. However this will slow
    up their logon and they may not want to do it.
    If the other network is not connected, then I don't know what you mean by
    the Trust between the domains. You can't have a Trust between two
    disconnected networks, and they won't be able to use your DFS links.
    The laptop can only be in one domain at a time, so they would need to leave
    their domain and join yours. They probably won't want to do that. You can't
    "discover" a domain and use it. You have to join it or have a trust
    relationship with it.
    Have you looked at other ways to achieve what you are trying to do? You
    could publish resources over IIS (webfolders) or SharePoint for example,
    Hope that helps,
    Anthony,
    http://www.airdesk.co.uk/identity.aspx
     
    Anthony, Aug 27, 2007
    #8
  9. Hi,

    there is no trust between the forest.
    Imagine: you are going to a new customer,connect your laptop (in your
    domain) to the network. Your custumer sends you a link and you have to
    access to the link (his domain). the link is a link to dfs.

    greetings,
    jens
     
    Jens kleinhans, Aug 27, 2007
    #9
  10. Jens kleinhans

    Anthony Guest

    Anthony, Aug 27, 2007
    #10
  11. Fortunately its not quite that final, but there are known issues with
    Windows XP and Windows 2003, and Vista which we are addressing in SP1.

    Please contact your local Microsoft CSS and raise a case. You can reference
    two specific bugs, Windows SE 205448 (Windows 2003) and Windows SE 205497
    (Windows XP), which should hook you and your customers up with the fix as
    soon as it is available.

    Thanks.
     
    Dan Lovinger [MSFT], Aug 27, 2007
    #11
  12. Jens kleinhans

    DaveMills Guest

    I have found that a PC in a workgroup or different domain can access the DFS
    namespace if it uses \\dfs-server\namespace rather than \\domain-name\namespace

    OK you loose the fault tolerance of the namespace and have to "translate" the
    url but it does connect without needing to know all the different shared folder
    paths and there is only one re mapping to learn.
     
    DaveMills, Aug 28, 2007
    #12
  13. Hello Dan,

    i haved searched for "Windows SE 205448", but i didn´t find anything. What
    kind of number should this be, a KB Article?
    Thank you for assistance.

    Greetings,
    Jens
     
    Jens kleinhans, Aug 28, 2007
    #13
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.