Shadowing to remote server over VPN

thomas62j5 · Post by **thomas62j5** » Thu Aug 19, 2004 6:58 pm

Hi guys,

We were going to just buy a license w/o Gold support, but we appreciate the responsiveness you provide even in the other forums, and we like to reward that, so I went GOLD!

Now on to the question...

I have Vault 2.0.5 configured on a Windows 2003 server connected to a SQL Server located on another Windows 2003 server. Both servers are on the same active directory, we'll call it LAN1. I installed Vault with a custom user, LAN1\VaultUser, and that is an AD user so it can access both of these servers.

These two servers are at a new colo facility, and so far we are just testing them for our upcoming move. Our existing live servers are miles away, connected to these servers with a pretty fast VPN connection.

What I would like to do is have Vault shadow changes to those servers, so we can stop using VSS completely. Those live servers are on a completely separate, NT4

domain, we'll call it LAN2.

I have tried a few different things, but right now I am logged into the server that is hosting Vault, as an admin user, and I have mapped two of our LAN2 drives as drives on the Vault machine. I am using LAN2\Administrator as the account for those mapped drives.

I can browse around the drives and copy files all day long. And with the Shadow folder dialog, I can browse to the folder I want on that remote drive, but when I try to press the Add button, I get a dialog error:

"The path that you specified is not accesible [sic] from the server machine. Association cannot be made"

I realize this is not really a Vault issue, but maybe you can give me some ideas on how to get this working?

Thanks!

Thomas

mskrobul · Post by **mskrobul** » Fri Aug 20, 2004 9:01 am

Hi Thomas,

Is your shadow folder service also running as LAN1\VaultUser?

In the web.config file in the VaultShadowService folder verify that the impersionation element is uncommented and LAN1\VaultUser configured as the impersonation account.

Verify that LAN1\VaultUser has permission to the shadow folder location. The permissions this user needs are listed in the following KB article:

http://support.sourcegear.com/viewtopic.php?t=188

Also make sure that LAN1\VaultUser has an application data folder (log onto the server machine as LAN1\VaultUser at least once). Shadow Folder Service keeps state information for the shadow folders here.

We typically recommend using a UNC path for the shadow folder location. Since you are using a mapped drive you will probably need to be logged on to the Vault Server machine as the user who mapped the drive in order for shadow folders to work. The mapping is likely not to exist when the user who mapped it is logged out.

thomas62j5 · Post by **thomas62j5** » Fri Aug 20, 2004 12:44 pm

mskrobul wrote:Hi Thomas,

Is your shadow folder service also running as LAN1\VaultUser?

In the web.config file in the VaultShadowService folder verify that the impersionation element is uncommented and LAN1\VaultUser configured as the impersonation account.

Verify that LAN1\VaultUser has permission to the shadow folder location.

Ahhh... I couldn't figure out where this service's configuration options were. The documentation with Vault is generally excellent, but I think maybe the help page regarding folder Shadowing could be updated with some of this helpful info. And also a note on the shadow folder help page about where to get to this option. (I searched for Shadow in the help index, pulled this page up, and spent quite a few minutes trying to locate the shadow dialog box in the admin tool.)

I have now set the shadow service to use our LAN1\VaultUser as the impersonation account, and I created a new app pool for the shadow service and have its identity set to the same account. I checked our local policies for that account, and it does have the permissions as specified. (The LAN1\VaultUser account is in the Administrators group for this server also.)

When I am trying to set the folder options in the admin tool on the server, I am logged in as the LAN1\VaultUser, and I can reach the remote folder via windows explorer, using both the mapped drive and UNC paths.

Yet two different errors occur when trying to add the shadow folder:

1) If I specify the remote folder using the mapped drive, e.g. h:\perl, I get an error dialog with some exceptions, which I will try to attach to this message.

2) If I specify the remote folder using UNC paths, such as \\REMOTEMACHINE\c\perl, I get that same error as before:

"The path that you specified is not accesible [sic] from the server machine. Association cannot be made"

Regards,
Thomas

mskrobul · Post by **mskrobul** » Fri Aug 20, 2004 1:17 pm

The documentation with Vault is generally excellent, but I think maybe the help page regarding folder Shadowing could be updated with some of this helpful info.

We do probably need a bit more information on configuring shadow folders in the help files. Sorry about that. I will add that to the list of things we need to do for 2.1.

Did you install 2.05 fresh install or did you upgrade from a previous version of Vault?

Can you email me (email link at the bottom of this message) your shadow folder web.config file located in your ShadowFolderService directory and your shadow folder log file (shadowfolder.log) located in the shadow folder user's temp directory (%temp% if you are logged on as the shadow user).

Thanks!

thomas62j5 · Post by **thomas62j5** » Fri Aug 20, 2004 1:30 pm

After further investigation, I don't think this is going to work. I think the big problem is that these two domains don't know about each other, and so neither domain recognizes the other domain's users. I found this error on our NT4 machine that I am trying to shadow to:

Code: Select all

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	VaultUser
 	Domain:		LAN1
 	Logon Type:	3
 	Logon Process:	KSecDD
 	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 	Workstation Name:	\\WIN2K3SERVER1

I think the crucial point I forgot is that the mapped drive is logging into the NT4 machine as LAN2\Administrator. That is the only reason I am able to access those remote folders when I am logged into the machine running Vault. That probably explains the weird error I posted.

I think if we could get netbios information going back and forth between these two domains over the VPN, we might be able to get this to work...

I will let you know if we ever get netbios turned on on the vpn.

This is not a crucial problem for us because our goal is to get off the NT4 domain completely and just use our new colo servers with Vault...

Thanks for the help!

Thomas