Why did blocking NTLM break our SMB access?

Asked By SunnyDaze72 On

We recently blocked NTLM using Group Policy, and this caused our SMB connections to fail. Afterward, we removed the policy and even created a new one to explicitly allow NTLM. Despite running gpupdate /force multiple times, we still can't access our network shares. Additionally, we're facing issues browsing to the share using its DNS alias. What could be going wrong here?

2 Answers

Answered By SysAdminHero On

If your DNS aliases aren't working, it’s likely due to NTLM needing to be enabled for that to function correctly. Make sure your SPN settings for Kerberos are properly configured. Also, check if affected clients can access \\yourdomain.com\SYSVOL—if they can, then at least that part of the domain functionality is intact. If all else fails, try rebooting the servers hosting these services.

OPReply21 -

I can confirm that I can reach SYSVOL, so that’s at least looking okay. The bigger issue seems to be the trust relationship with our older domain; RPC issues are making it tricky.

Answered By TechWhiz99 On

It sounds like the problem is related to Kerberos not functioning properly in your setup. If your clients can't connect to the SYSVOL share via SMB, they won't be able to download updated Group Policies. You might want to troubleshoot your Kerberos settings or reset the Policies registry key on the affected clients to restore default settings. It’s crucial to enable logging and test changes on a smaller group before wide deployment next time!

CuriousCat81 -

That’s a solid point! Having a controlled testing phase would definitely help catch these issues early. Curious if there are any specific logs you recommend checking for Kerberos?
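
Added example, not part of any post in this thread: a PowerShell check to run on an affected client that shows the NTLM restriction values actually in effect, whether the share's DNS alias has a Kerberos SPN, and any recent NTLM block or audit events. The alias `files.corp.example` is a placeholder; the registry value names are the ones written by the "Network security: Restrict NTLM" security options.

```powershell
# Placeholder (assumption): the DNS alias users type to reach the share.
$Alias = 'files.corp.example'

# Registry values behind the "Network security: Restrict NTLM" security options.
$checks = @(
    # Outgoing NTLM to remote servers: 0 = allow all, 1 = audit all, 2 = deny all
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictSendingNTLMTraffic' }
    # Incoming NTLM: 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictReceivingNTLMTraffic' }
    # NTLM authentication in the domain (meaningful on domain controllers): 0 = not restricted
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'RestrictNTLMInDomain' }
)

function Get-NtlmRestriction {
    # Report the value currently in the registry, whatever the GPO console shows.
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -ne $item) { $item.($c.Name) } else { 'not set' }
        }
    }
}

Get-NtlmRestriction | Format-Table -AutoSize

# Kerberos can only issue a ticket for the alias if an SPN for that name is
# registered on the file server's account; cifs/ is covered by a host/ SPN.
foreach ($spn in "cifs/$Alias", "host/$Alias") {
    "--- setspn -Q $spn"
    setspn.exe -Q $spn
}

# Request a service ticket for the alias; a failure here means SMB to that
# name cannot use Kerberos and would have to fall back to NTLM.
klist.exe get "cifs/$Alias"

# Recent NTLM block/audit events recorded on this machine.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running the same registry check on the file server and on a domain controller shows whether a restriction is still in effect on the receiving side rather than on the client.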
