How to allow remote office users to access resources in their local network with broken link to DC in main office?
I have a remote office network which is part of my domain, but when the link to the main office is broken they can't access their local resources, because the DC is inaccessible and so is the Kerberos service.
December 16th, 2009 7:47pm

I'm not sure that these resources are inaccessible due to the missing DC. I guess that the reason is name resolution. When the DC is down you can still use network resources using NTLM credentials (that clients receive with Kerberos tickets). Make sure your group policy allows cached credentials usage. A better solution is to install an additional DC at the remote office and make it an AD site:
http://technet.microsoft.com/en-us/library/cc782048(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc787284(WS.10).aspx
http://www.sysadmins.lv
December 16th, 2009 8:33pm

Name resolution is not the problem, because when the computer cannot resolve a name using DNS, it starts to use NetBIOS and successfully resolves the IP address of another computer in its network, but at the same time it can't authorize to use local network resources, because the Kerberos service is inaccessible. NetMon says that when computer 1 tries to connect to computer 2, the first thing it does is try to resolve the DNS name of comp2; after that it tries to resolve the location of the Kerberos service. An additional DC is not a solution, there are only 3 computers in the network. I tried to enable the guest account and allow guests to connect to the computer from the network in the local security policy, but with no success. And I have cached credentials usage enabled.
December 17th, 2009 1:11pm

Hi, I'm afraid if there is no DC, we cannot resolve this problem. To work around it, you could try to create two local user accounts with the same user name and the same password on the clients and the server. Use this local account to visit the resource so that NTLM should allow the visit. Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
December 18th, 2009 12:20pm

The solution with local user accounts on client and server is working (actually it is enough to create them on the client), but is it possible not to create them and instead use a combination of guest accounts and domain accounts?
MCITP: Enterprise Administrator
December 21st, 2009 11:42am

You cannot use your domain accounts outside of the domain. When DCs aren't available, you switch to a workgroup-based model with NTLM authentication. This means that you MUST manually create all user accounts with the same set of passwords on all servers whose resources might be accessed by users. This means that you should know the users' passwords — this is a security fault. It is strongly not recommended to use guest access mode for security reasons.
http://www.sysadmins.lv
December 21st, 2009 2:39pm

Thanks for your help, so as far as I understand, if I use domain accounts in the remote network and the link to the DC becomes broken, the only possible way to continue usage of local resources is to log off and log on using a local account, or just use local accounts all the time? And there is no way for computers in the network to accept domain accounts (without the possibility to authenticate them using the DC) like guests?
MCITP: Enterprise Administrator
December 23rd, 2009 12:40pm

> the only possible way to continue usage of local resources is to log off and log on using local account, or just all the time use local accounts?

Exactly.

> And there is no way for computers in the network to accept domain accounts (without possibility to authenticate them using DC) like guests?

There is a way. As I said, network servers that will be accessed by users MUST have the same local accounts as used on the client computers. Actually you CAN continue to use domain accounts, because they have an NTLM token that is used in a workgroup. In any case the servers MUST have the same accounts with the same domain passwords. However, this is not recommended due to the fact that in domains passwords are occasionally changed, and after each password change you will HAVE TO change these passwords on the server local accounts. Guest accounts aren't recommended for security reasons. Therefore you have 2 solutions:
1) use local accounts only
2) install an additional DC at the remote office.
http://www.sysadmins.lv
December 23rd, 2009 2:46pm

This topic is archived. No further replies will be accepted.
