Interesting call this week.  It was a really quick fix.  Really quick for 2 reasons:

  • I know the default behavior of a "clean" install of SBS.
  • I ran into the same issue here at my machine at Microsoft (not SBS, actually on the Microsoft corporate network...you'll understand later).

Visio would really help in this description!

Site A
SBS2003 with a single NIC
10.0.0.2 is the IP
Multiple clients on the 10.0.0.x network

Site B
Several clients on the 10.0.1.x network

Site C
Several clients on the 10.0.2.x network

Here are the facts:

  • The server and clients on Site A cannot access shares on Site B or Site C.
  • The clients on Site B cannot access shares on Site C.
  • The clients on Site C cannot access shares on Site B.
  • Clients on Site B and Site C cannot access shares on client computers on Site A.
  • Clients on Site B and Site C can access shares on the server itself located in Site A.
  • All clients and server can access shares on their own site.
  • All clients and server can ping all other clients by both FQDN and IP.
  • Site A, Site B and Site C are all connected via dedicated T1 links.
  • All the clients were configured correctly regarding their default gateways and DNS settings.
  • All clients are joined to the SBS domain.

The error when trying to access shares was:
---------------------------
\\ClientComputer

No network provider accepted the given network path.
---------------------------
OK  
---------------------------

 

Here's the solution:  SBS configures the Windows Firewall on Windows XP SP2 machines via Group Policy.  There are exceptions for File and Printer Sharing in the policy that lock down File and Printer Sharing access to the local subnet of the client.

I edited the Windows Firewall Group Policy:

  • Opened Group Policy Management and navigated to Forest -> Company.local -> Small Business Server Windows Firewall.
  • Right-clicked on Small Business Server Windows Firewall and clicked Edit.  This brought up the Group Policy Object Editor for the Small Business Server Windows Firewall policy.
  • Navigated to Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile.
  • On the right, opened the properties for "Windows Firewall:  Allow file and printer sharing exceptions".  The default configuration for "Allow unsolicited incoming messages from" is LocalSubnet.
  • Changed this to the following:  10.0.0.0/24,10.0.1.0/24,10.0.2.0/24.

I then did a "gpupdate /force" on a test client and was then able to access shares.  A quick test on clients on the different subnets was successful as well.  This policy does not apply to the SBS server itself, thus clients could access shares on the SBS box.

I had the same issue here on my machine on the Microsoft corporate network.  I would share something out and would get complaints from some people saying "you NOOB, give me access" (or some other choice words).  My computer's Windows Firewall is not managed via Group Policy.  I had to edit the Windows Firewall configuration on my local machine to allow access from other subnets.  Here's the location for the manual configuration on the client:  Properties of the Local Area Connection -> Properties -> Advanced -> Settings -> Exceptions -> File and Printer Sharing -> Edit -> Change Scope -> Any computer.
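To see why the scope value alone explains the symptoms, here is a small model of how a File and Printer Sharing exception scope admits or rejects a source address. It is an added example, not part of the original post or of Windows itself; the client addresses, the /24 mask per site, and the use of "*" to stand for the "Any computer" scope are assumptions made for the illustration.

```python
import ipaddress

# Constructed hosts matching the post's three-site layout (addresses assumed).
HOSTS = {
    "siteA-client": "10.0.0.50",
    "siteB-client": "10.0.1.50",
    "siteC-client": "10.0.2.50",
    "outside-host": "192.168.5.9",  # not in any of the three sites
}
PREFIX = 24  # assumed mask: each site is a /24, as in the post's scope list


def scope_allows(scope, source_ip, listener_ip, prefix=PREFIX):
    """Return True if an exception with this scope admits source_ip.

    scope is a comma-separated list of '*', 'LocalSubnet', single
    addresses, or CIDR subnets. LocalSubnet is resolved relative to the
    machine that hosts the share (listener_ip).
    """
    src = ipaddress.ip_address(source_ip)
    for entry in (e.strip() for e in scope.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        if entry.lower() == "localsubnet":
            net = ipaddress.ip_network(f"{listener_ip}/{prefix}", strict=False)
        else:
            net = ipaddress.ip_network(entry, strict=False)
        if src in net:
            return True
    return False


def reachable_pairs(scope):
    """List (source, share host) pairs admitted when every client uses scope."""
    return [(s, d) for s, sip in HOSTS.items() for d, dip in HOSTS.items()
            if s != d and d != "outside-host" and scope_allows(scope, sip, dip)]


if __name__ == "__main__":
    for scope in ("LocalSubnet", "10.0.0.0/24,10.0.1.0/24,10.0.2.0/24", "*"):
        print(f"{scope!r}: {len(reachable_pairs(scope))} cross-host pairs admitted")
```

With LocalSubnet no cross-site pair is admitted, the three-subnet list admits exactly the site-to-site pairs, and "*" additionally admits the host outside all three sites.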

 

Have a good weekend!

Petergal