Cannot connect to Windows network share from non-domain computer via VPN

active-directory network-share vpn

I have two separate Windows domains in different LANs. Between both I have established a site-to-site VPN. Red is a Windows 2003 Domain Controller of domain Dom_a. Blue is a Windows 2008 R2 domain member of domain Dom_b. I want to mount a Red shared folder from Blue.

[Red] --- [Gateway A] === [Gateway B] --- [Blue]
Share     NAT / Router    Router
---------------------     ----------------------
          A                          B

Blue can ping Red, open an RDP connection or access any server in A. The routing is done with static routes on Red and Blue. If I enter \\red.domain\ in Blue's Explorer I get a password prompt. After submitting it I get the error message that the user is not allowed to connect from this station. The credentials should be okay. "net use" on the machine gives me system error 2240 (user is not permitted to connect from this station).

Next I configured Gateway A to work as a NAT towards Red, so all traffic from B seems to come from A's local network. Still the same situation.

The only peculiarity is that the first part of both domain names is identical. The latter part is not. Usernames are different too. I think it should be no problem.

To me it looks like the DC does not permit connections from a non-domain computer. Maybe some kind of network isolation? I do not have direct access to Red.

Best Answer

I just solved the problem. I will summarize some notable aspects:

  • Used a different login, using the name@domain schema. The permissions were not okay. It's actually a set of DFS shares.
  • Re-enabled the NAT. Some folders were still inaccessible from a different subnet.
  • Created a stub zone (with forwarder to an A DNS server) for the remote domain (A) inside (B).
  • Manually configured DNS suffixes: first the domain of the remote net (A), then the local one (B).

Now hostnames, FQDNs and IP addresses can be used to access Red.

Update regarding the system error 2240

This is a separate problem caused by the user account. The account has been configured to allow login only from specific computers. It worked as soon as Blue's hostname was added to the user. This is done in AD. See the unrelated question "Change list of allowed logon computers from batch file".
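As an added example (not part of the question or the answer), the answer's steps written as PowerShell for a Windows Server 2012 or later admin host: domain names, addresses, host names and the account name are constructed placeholders, and the stub-zone call assumes an AD-integrated DNS server in domain B.

```powershell
# Added example, not from the original post. Placeholders are marked below.
Import-Module ActiveDirectory
Import-Module DnsServer

$RemoteDomain  = 'dom_a.example'   # placeholder: DNS name of domain A (Red's domain)
$LocalDomain   = 'dom_b.example'   # placeholder: DNS name of domain B (Blue's domain)
$RemoteDnsHost = '10.1.0.10'       # placeholder: a DNS server in LAN A

# 1. Stub zone for the remote domain, so B's DNS server can resolve A's hosts
#    and SRV records without forwarding everything across the VPN.
function Add-RemoteDomainStubZone {
    param([string]$Zone, [string[]]$Masters)
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerStubZone -Name $Zone -MasterServers $Masters -ReplicationScope Forest
    }
}

# 2. Suffix search order on the client: remote domain first, local domain second.
#    Writes the TCP/IP SearchList value, which also exists on Windows 2008 R2.
function Set-DnsSuffixOrder {
    param([string[]]$Suffixes)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
        -Name SearchList -Value ($Suffixes -join ',')
}

# 3. System error 2240: the account's LogonWorkstations list (userWorkstations
#    attribute) does not contain the connecting host. An EMPTY list means the
#    account may log on anywhere, so it must not be turned into a one-host list.
function Add-AllowedLogonWorkstation {
    param([string]$SamAccountName, [string]$Workstation, [string]$Server)
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations -Server $Server
    if (-not $user.LogonWorkstations) { return @() }       # unrestricted: leave it alone
    $list = $user.LogonWorkstations -split ','
    if ($list -notcontains $Workstation) {
        $list += $Workstation
        Set-ADUser -Identity $user -LogonWorkstations ($list -join ',') -Server $Server
    }
    return $list
}

Add-RemoteDomainStubZone -Zone $RemoteDomain -Masters $RemoteDnsHost
Set-DnsSuffixOrder -Suffixes @($RemoteDomain, $LocalDomain)
# Run against a DC of domain A, where the account lives; 'BLUE' is the NetBIOS name.
Add-AllowedLogonWorkstation -SamAccountName 'shareuser' -Workstation 'BLUE' -Server "dc.$RemoteDomain"

# Mount with the name@domain (UPN) form of the account, as the answer did.
net use Z: "\\red.$RemoteDomain\share" /user:"shareuser@$RemoteDomain"
```

On a Windows 2008 R2 DNS server, the stub zone step can be done with `dnscmd /ZoneAdd <zone> /Stub <master-ip>` instead of the DnsServer cmdlets.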