Security – Unable to access NAS device

group-policy network-attached-storage security windows-server-2008-r2

I have a 3-site network: A, B, and C. Each site has its own DC that replicates to the others. Each site also has a local NAS (Thecus) device. The NAS devices should be accessible from every other site.

I'm having an issue where the NAS device at site A cannot be reached from A's DC, but every other machine everywhere else (and with any login account) can reach the shares.

From site A's DC, we can ping that NAS device and we can browse to the admin page.

My thought is there must be some type of group policy restricting that machine from accessing that NAS device. I say the machine, because the login account can access it from the same site, on different machines, and from other sites as well. If we use another login on site A's DC, we still cannot browse to the share.

Where is this type of restriction defined in group policy? I haven't had a whole lot of experience with group policy.

Thanks!

EDIT:

I guess I forgot about an error we had received in the event logs. It's error 5722:
"The session setup from the computer failed to authenticate. The name of the account referenced in the security database is . The following error occurred: Access is Denied."

Update

This was resolved by applying an SMB patch for Windows Server 2008.

Best Answer

Any Group Policy would likely apply to all Domain Controllers, not just the one in Site A. Troubleshooting why one machine can't get to another machine when everything else seems to work just fine can get tricky. I don't know those NAS devices at all, so I don't know if they have any useful logging on them; if this were a Windows machine I'd ask to have the security-log turned on and see what it catches for this problem.

If there are no useful logging functions to exploit in the NAS, my next step is to try and see what a connection looks like on the wire. Microsoft error reporting is not always useful, and frequently the reason for a connection failure will show up on a network trace. That does take some skill for interpretation, though.

One thing to check before delving into packets is the Local Security Policy on that DC. Make sure it looks the same as your other DCs. When talking to non-Windows devices, sometimes that can have a very big effect on connectivity over SMB.
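
The Local Security Policy comparison suggested in the answer can be done offline by exporting each DC's policy with `secedit /export /cfg <file>` and diffing the results. This is an added example, not part of the original answer; the two sample exports and their values are constructed, and the function names are hypothetical.

```python
import re

# Security options that commonly affect SMB sessions to non-Windows servers
# (NTLM level, SMB signing, plaintext passwords, anonymous restrictions).
SMB_RELEVANT = re.compile(
    r"lmcompatibilitylevel|securitysignature|enableplaintextpassword"
    r"|ntlmmin(client|server)sec|restrictanonymous", re.I)

def parse_inf(text):
    """Parse secedit INF text into {(section, lowercased key): value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            settings[(section, key.strip().lower())] = value.strip()
    return settings

def diff_policies(good, suspect):
    """Return (section, key, good_value, suspect_value, smb_relevant) rows."""
    a, b = parse_inf(good), parse_inf(suspect)
    return [(s, k, a.get((s, k)), b.get((s, k)), bool(SMB_RELEVANT.search(k)))
            for s, k in sorted(set(a) | set(b)) if a.get((s, k)) != b.get((s, k))]

# Constructed sample exports: DC_B stands for a working DC, DC_A for the failing one.
DC_B = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
"""
DC_A = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
"""

if __name__ == "__main__":
    for section, key, good, suspect, smb in diff_policies(DC_B, DC_A):
        flag = "SMB" if smb else "   "
        print(f"{flag} [{section}] {key}: {good} -> {suspect}")
```

Real `secedit` exports are typically UTF-16, so read them with `open(path, encoding="utf-16").read()` before passing the text to `diff_policies`.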
