DBA Sensation

March 3, 2009

How complicated a windows share could be?

Filed under: 6. MISC — Tags: , , , , , — zhefeng @ 11:28 am

Setting up a windows shares is pretty straighforward, just right clicking the folder and give the proper permissions for sharing/security then you done!
But when things come together if you are using a VM machine plus dns alias for machine name, to access the share is not that easy any more. Lots of tricky part need to be done
in the windows registry.

Here is the full story about that.

Background:
Machine name:        vmwin056 (windows 2003 server VM on ESX server)
DNS alias(cname):    dbrepl
share folder path:    C:\dbrepl_source
Share name:        \\dbrepl\dbrepl_source
domain name:        test
Account name:        service.acc

It seems everything is ok and you can access \\dbrepl\dbrepl_source. But life is not that easy as you expected.

###Issue 1: when you try to connect the shared folder remotely, you may get some invalid account error information EVEN you’ve given the correct account/password.
This will happen especially when you did some rollbacks for your VM images. if you take a look at the share permission tab,
the account here will be some weird number like: s178453728.

The reason is in windows 2003 domain, the workstation and PDC exchange password every 7 days. if you rollback the VM machine back, the password are not sync up any more so
you’re screwed.

Solution(MS reference:http://support.microsoft.com/default.aspx?scid=kb;en-us;q175468):
1). quit the domain on your workstation and re-join the domain, in this way you will get a new copy from PDC so they are sync up again.
2). in order to avoiding this happend again, disable the passwd changing by editing this registry entry to:
HKEY_LOCAL_MACHINES\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=1 (REG_DWORD)

###Issue 2: You get error like “Access denied” or “No network provider accepted the given network path”
The reason is because Windows Server 2003 (starts from SP1) includes a new security feature named loopback check functionality. By default, loopback check functionality is turned on in Windows Server 2003 SP1, and the value of the DisableLoopbackCheck registry entry is set to 0 (zero).

Solution(MS reference:http://support.microsoft.com/kb/926642):
Re-enable the behaviour that exists in Windows Server 2003 by setting the DisableLoopbackCheck registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1. To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:
1).Click Start, click Run, type regedit, and then click OK.
2).Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3).Right-click Lsa, point to New, and then click DWORD Value.
4).Type DisableLoopbackCheck, and then press ENTER.
5).Right-click DisableLoopbackCheck, and then click Modify.
6).In the Value data box, type 1, and then click OK.
7).Exit Registry Editor.

###Issue 3: After these tuned up above, you think you are ok to go, but you may still get error like this “A duplicate name exists on the network”
The reason is windows 2003 has problem with cname access.This problem can occur when you try to connect to the server by using a CNAME alias that is created in the DNS zone.

Solution(MS reference:http://support.microsoft.com/kb/281308):
To resolve this problem in Windows Server 2003, complete the following steps:
Create the CNAME record for the file server on the appropriate DNS server, if the CNAME record is not already present.
Apply the following registry change to the file server. To do so, follow these steps:
1).Start Registry Editor (Regedt32.exe).
2).Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
3).On the Edit menu, click Add Value, and then add the following registry value:
Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1
4).Quit Registry Editor.
5).Restart your compute

Now everything is really ok. Enjoy the sharing:

C:\>net use w: \\dbrepl\dbrepl_source /user:test\service.acc *
Type the password for \\dbrepl\dbrepl_source:
The command completed successfully.

C:\>dir w:
Volume in drive W has no label.
Volume Serial Number is 98DF-E535

Directory of W:\

02/24/2009  11:20 AM    <DIR>          .
02/24/2009  11:20 AM    <DIR>          ..
02/24/2009  11:20 AM                 7 firstlevel_file.txt
02/17/2009  10:11 AM    <DIR>          test
02/24/2009  11:19 AM    <DIR>          testfolder200902231150am
1 File(s)              7 bytes
4 Dir(s)  29,964,087,296 bytes free

C:\>

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: