Server 2016 share access error "Windows cannot access ....."

dbwillis

I have a handful of servers I was handed by my boss to look at. I've been poking at them over the past week, but I'm finally out of straws to grasp at.

Server 2016, fully patched, running Symantec AV, user is logged in with admin rights (machine auto logs on at startup)
- HP Server with 10Gb fiber teamed network connection
- all servers in the same OU, but problem machines are in 2 different rooms, among 2 different subnets
There is a network storage share they try to get to, let's call it big a$$ storage system, bass for short, then nas...BASSNAS, this is made up of a few nodes...BASS2NAS... and 3/4/5/6
I made a test HyperV VM, same name, same OU, same autologon user, different subnet, 1Gb connection, different AV (Crowdstrike instead of Symantec, but I don't think that matters) and can get to all the nodes without error.
(I also repeated the test with an ESX VM with the same results)
These problem servers can get to some, but not all of the nodes, they get the following error for some nodes:
[Attachment: 1640096834355.png, screenshot of the error]

I can ping all the nodes aok and get good replies, also tried by IP of the node with no luck.
I've compared registry settings and they seem to be OK, here is what I've checked:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa \ lmcompatibilitylevel is the same on the machines (5)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation \ AllowInsecureGuestAuth is the same on the machines (1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters \ SMB1 shows as (0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
-- subkeys look to match among both machines.

Neither PC has SMB 1.0/CIFS feature enabled

Anyone else think of something I can check?
 
Well, if you can ping the IPs from the problem machines, it's not a routing issue. It almost certainly has to be being blocked at the protocol level - you can verify this by setting one of your working test machines to use the exact same IP as one of the problem machines; if the test machine still works, it is definitely not anything with routing.

That being said... I have a similar issue where I have a Pi Hole (on a Pi) on my network, but am unable to access the web interface from most other machines on the network. I have the GUI installed on it where I normally would not so I can log in locally to it for the few things I need to do from the GUI. It's annoying, for sure.
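
One way to capture the checks discussed in this thread so a working and a failing machine can be diffed, as an added example that is not part of the original posts. It reads the three registry values the original poster compared by hand and tests TCP 445 to each node; the node list, the output path and the function names `Get-SmbBaseline` and `Compare-SmbBaseline` are assumptions.

```powershell
# Added example, not from the thread. Run it on a working and on a failing
# machine (with a different -OutFile each time), then diff the two CSV files.
param(
    # Assumption: only BASS2NAS is spelled out in the thread; add the other nodes.
    [string[]]$Nodes = @('BASS2NAS'),
    [string]$OutFile = "$env:TEMP\smb-baseline.csv"
)

# Registry values the original poster compared by hand.
$RegChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'lmcompatibilitylevel' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
       Name = 'AllowInsecureGuestAuth' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1' }
)

function Get-SmbBaseline {
    param([string[]]$Nodes)
    foreach ($c in $RegChecks) {
        # A missing value is recorded explicitly so it shows up in the diff.
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $v) { $v = '<not set>' }
        [pscustomobject]@{ Check = "$($c.Path)\$($c.Name)"; Value = "$v" }
    }
    foreach ($n in $Nodes) {
        # A ping reply does not show that the SMB port (TCP 445) is reachable.
        $t = Test-NetConnection -ComputerName $n -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP 445 to $n"; Value = "$($t.TcpTestSucceeded)" }
    }
}

function Compare-SmbBaseline {
    param([string]$GoodCsv, [string]$BadCsv)
    # Rows that appear on only one side are the settings that differ.
    Compare-Object (Import-Csv $GoodCsv) (Import-Csv $BadCsv) -Property Check, Value
}

Get-SmbBaseline -Nodes $Nodes | Export-Csv -Path $OutFile -NoTypeInformation
Write-Output "Baseline written to $OutFile"
```

After copying both CSV files to one machine, dot-source the script and call `Compare-SmbBaseline` with the two paths to list only the rows that differ.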
 