Working on setting up a new DFS Namespace today. Ran directly into this issue. When you sign in to Windows by using an account that belongs to the Domain Admins group, and then you try to create a domain-based namespace on any Distributed File System (DFS) namespace server, the operation fails. Windows returns an error message that resembles the following:
\\domainname.com\Public The namespace cannot be queried. Access is denied.
However, when this error occurs, you can still successfully create a standalone namespace.
The fix is to remove your account from the Protected Users group.
If you're curious, here's why it doesn't work: When you create a new domain-based namespace, the computer queries the Domain Name System (DNS) server for domain information. The DNS server responds by sending a list of the A records of the domain controllers for that domain. The computer then contacts one of the domain controllers and tries to use your account credentials to authenticate by using NTLM authentication.
If your account belongs to the Protected Users group, your account can't use NTLM authentication. In this situation, authentication fails and generates a STATUS_ACCOUNT_RESTRICTION error.
No comments:
Post a Comment