Tuesday, October 15, 2019

Semi-canonical list for errors 0x80070035 and 0x80004005 on Synology NAS

Unfortunately, network problems can have a hundred causes.  This is a consolidation of the solutions found here, here, here, here and here.

I did not get them all, so if the list below fails, you may need to root through the threads yourself.  This will at least give you a head start.

Note:  These solutions are largely aimed at the situation where one (or more) network machines can browse the share properly, and one (or more) machines can't. 

These solutions do not cover Windows Server or Active Directory (AD) issues.


Error 0x80004005: Unspecified error

For this error, you can (usually) browse to the affected share via IP address (i.e. \\192.168.1.xx\share) but not by name (i.e. \\NAS\share).  It may or may not show up in Network.

This is (usually) a local DNS problem.  If you have other machines that work, your router / DNS server is OK, and there is something wrong with the DNS on the affected machine.

For this reason, I recommend you edit the hosts file first.  If that fixes it, and you only have one problem machine, you're done.


Error 0x80070035:  The network path was not found

With this, you usually can't see the NAS in "Network", or browse to it at all.

Possible solutions:

P:   NetBIOS service needed but not starting.

A:  Network and Sharing Center:
-  Check network is "Private" (either Work or Home).
-  Go to "Change Adapter Settings"
-  Right-click on network adapter, select "Properties"
-  Double-click "Internet Protocol Version 4 (TCP/IPv4)"
-  Click "Advanced" button
-  Click "WINS" tab
-  Change from "Default" to "Enable NetBIOS over TCP/IP"

Note:  It is best to ensure this is done on all of the network adapters - even if they are not currently being used.

---------------

P:  SMB 1.0 is needed but not available.

A:   Enable SMB 1.0 as follows:
-  Control Panel / Turn Windows Features  On and Off (or Win + R, "optionalfeatures")
-  Check one of these:
  -  SMB 1.0/CIFS File Sharing Support
  or
  -  SMB 1.0/CIFS File Sharing Support / SMB 1.0/CIFS Client

You can also try checking / unchecking "SMB 1.0/CIFS Server" and "SMB 1.0/CIFS Automatic Removal".

Note:  SMB 1.0 is insecure and has been depreciated, and is not needed by most devices.  However, older Android boxen and the like might still need SMB 1.0 enabled in order to access the NAS.

Tip:  If you can log in to the NAS by IP address, do so and check the NAS logs to see what protocol was used.  If the problem machine can reach the NAS using SMB2 or higher, you might not need to enable SMB 1.0 support.

 ---------------

P:  Synology NAS SMB service not enabled.

A:  In DSM, go to Control Panel / File Services / SMB/APF/NAS and check "Enable SMB service".

---------------

P:  Synology NAS not handling SMB correctly.

A: Disable SMB 1.0 on NAS.
-  In DSM, go to Control Panel / File Services / SMB/APF/NAS.
-  Click "Advanced Settings"
-  Reset Maximum SMB protocol to "SMB3".
-  Reset Minimum SMB protocol to "SMB2".
-  Click "Apply".

Note:  Setting Maximum above SMB2 does not seem to do the trick.  The best combo seems to be setting Minimum SMB above SMB 1.0 and disabling SMB 1.0 on the affected PC.

Tip:  If you can log in to the NAS by IP address, do so and check the NAS logs to see what protocol was used.  If the problem machine can reach the NAS using SMB2 or higher, and can log in via IP address with SMB 1.0 disabled, you do not need SMB 1.0 support on either the NAS or the PC.

---------------

P:  IPv6 not working.

A:  Network and Sharing Center:

-  Go to "Change Adapter Settings"
-  Right-click on network adapter, select "Properties"
-  Uncheck "Internet Protocol Version 6 (TCP/IPv6)"

---------------

P:  "Client for Microsoft Networks" disabled or not installed.

A:  Network and Sharing Center:
-  Go to "Change Adapter Settings"-  Right-click on network adapter, select "Properties"
-  Ensure "Client for Microsoft Networks" is present and checked (enabled)

If not present, click "Install", then "Client for Microsoft Networks".

Note:  It is best to ensure this is present and enabled on all of the network adapters - even if they are not currently being used.
 
---------------

P:  "File and Printer Sharing for Microsoft Networks" disabled or not installed.

A:  Network and Sharing Center:
-  Go to "Change Adapter Settings"-  Right-click on network adapter, select "Properties"
-  Ensure "File and Printer Sharing for Microsoft Networks" is present and checked (enabled)

If not present, click "Install", then "File and Printer Sharing for Microsoft Networks".

Note:  It is best to ensure this is present and enabled on all of the network adapters - even if they are not currently being used. 

 ---------------

P:  Out of date network drivers.

A:   Device Manager / Network Adapters / Update driver

---------------

P:  Network adapter driver corrupt.

A:  As follows:
 -  Network and Sharing Center \ Change Advanced Sharing Settings, turn everything to OFF on all profiles and options.  Save changes and close.
-  Device Manager \ Network Adapters \ Uninstall Ethernet and Wireless adapters
-  Scan for Hardware Changes to reinstall these devices and close Device Manger.
-  Network and Sharing Center \ Change Advanced Sharing Settings \ Turn everything to ON for all profiles and options - Save changes and close.


---------------

P:  Microsoft Virtual WiFi Miniport Adapter not set for proper NetBIOS operation.

A:  Network and Sharing Center:

-  Go to "Change Adapter Settings"
-  Right-click on Microsoft Virtual WiFi Miniport Adapter, select "Properties"
-  Double-click "Internet Protocol Version 4 (TCP/IPv4)"
-  Click "Advanced" button
-  Click "WINS" tab
-  Change from "Default" to "Enable NetBIOS over TCP/IP".

 Note:  It is best to ensure this is done on all of the network adapters - even if they are not currently being used.

---------------

P:  Windows Firewall is blocking NAS.

A:  Temporarily disable Windows Firewall.  If this works, you'll have to figure out how to permanently fix it.

---------------

P:  Bad login credentials stored in Credential Manager.

A:  Navigate to Credential Manager in Control Panel, or run keymgr.dll.
-  Go to Windows Credentials.
-  Remove stored credentials for affected NAS.

Note:  The NAS credentials might be incorrectly stored in "Generic credentials".

---------------

P:  Windows using outdated login information.

A:  Map NAS to a drive letter:
-  Right-click "My Computer" (or "Computer")
-  Map network drive
-  Enter NAS share using IP address
-  Check "Log in with different credentials"
-  Open mapped drive letter

This will hopefully force Windows to refresh outdated cached login information for the NAS.

---------------

P:  Bad / incorrect "Microsoft 6to4 adapter" or "6to4 adapter" drivers

A:  Device Manager / Network adapters:  Remove all "6to4" adapters.

---------------

P:  Necessary services not running.

A:  Using "services.msc", check that the following services are running:
-  Server
-  TCP/IP NetBIOS Helper
-  Workstation


---------------

P:  Network provider order wrong / Network provider registry key corrupt

A:  Check the following keys:
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder\Provider orderHKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\Provider order

Should be set to one of the following:
   RDPNP,LanmanWorkstation
  or
  RDPNP,LanmanWorkstation, webclient

Also check:
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder\Provider order
  and ensure RDPNP has a number lower than Lanmanworkstation


Also check:
-  Control Panel \ Network and Sharing Center \ Change adaper settings
-  Tap Alt key to unhide menu bar
-  Click "Advanced \ Advanced Settings" in menu bar
-  Tab "Provider Order"
-  Ensure  the order is:
  -  Microsoft Remote Desktop Session Host Server
  - Microsoft Windows Network
  - Web Client Network (optional, may be missing)



---------------

P:  NAS is using Guest account access.

A:  In Registry Editor (regedit):

-  HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
-  AllowInsecureGuestAuth = 1
-  RequireSecuritySignature = 0

Note:  It is not recommended that the NAS allow insecure Guest account access.

---------------

P:  Time sync issue is preventing NAS and PC from talking.

A:  Set clock on PC.
-   On NAS:  Control Panel \ Regional Options
-  Check "Synchronize with NTP server", server to time.google.com
-  Click "Update Now".

---------------

P:  Corrupt registry keys.

A:  In Registry Editor (regedit.exe):

-  Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
-  For a 64-bit system, create a QWORD called LocalAccountTokenFilterPolicy
-  For a 32-bit system, create a DWORD called LocalAccountTokenFilterPolicy
-  Set  LocalAccountTokenFilterPolicy to 1.


---------------

P:  Jumbo frames not working.

A:  Network and Sharing Center:
-  Click Change adapter settings.
-  Right-click adapter, select Properties.
-  Networking tab
-  Click "Configure" button
-  Advanced tab
-  Select Jumbo Frame and disable


---------------

P:  NAS name not resolving to IP address.

A:  Edit the hosts file to link the NAS name and IP address manually.

---------------

P:  Security policy options incorrect.

A:  Using GPEdit.msc or secpol.msc:

-  Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options

    Microsoft Network Client:
        Digitally sign communications (always)    DISABLED
        Digitally sign communications (if server agrees) DISABLED

    Microsoft Network Sesrver:
        Digitally sign communications (always)    DISABLED
        Digitally sign communications (if client agrees) DISABLED

Note:  gpedit.msc and secpol.msc do not exist in Windows 10 Home Edition by design.

---------------

P:  Bad files / settings in Sync Center.

A:  Start the "Sync Center".
-  Click on Manage Offline Files
-  Click View your offline files
-  Under computers, select the server and hit delete to remove it.

Note: If you've never messed with Sync Center, it is likely that there will be no offline file settings to delete / modify.

---------------

P:  HomeGroup not managing connections correctly.

A:  In Network and Sharing Center \ Change Advanced Sharing Settings\HomeGroup connections, turn off "Allow Windows to manage homegroup connections (recommended)".

Note:  If you're not using a Homegroup type network, Homegroup settings will not be shown, and this is not your problem.

---------------

P:  Two computers with the same hostname.

A:  Event Viewer
-  System logs
-  Search for Event ID 4321. It will tell you another computer with IP address x.x.x.x does not allow you to use the same hostname.

If there is no such event logged, this is not your problem.

---------------

P:   Client for Microsoft Networks corrupt.

A:  Uninstall Client for Microsoft Networks, reboot, reinstall, and reboot.

Note:  Windows 10 prevents this from being done via the GUI, and this could mess up your system worse than it already is.  For this reason I have not done it and I don't know the correct process, you'll have to find it yourself.

---------------

P:   File and Printer Sharing for Microsoft Networks corrupt.

A:  Uninstall File and Printer Sharing for Microsoft Networks, reboot, reinstall, and reboot.

Note:  Windows 10 prevents this from being done via the GUI, and this could mess up your system worse than it already is.  For this reason I have not done it and I don't know the correct process, you'll have to find it yourself.




Sunday, October 13, 2019

The telephone company analogy for understanding your network

Networking using Phone Number Analogy

This is a simple guide to understanding basic networking, firewalls, port forwarding, servers and VPNs, using the analogy of telephone numbers at a small business.

I hope this will be useful to anyone who is troubleshooting connectivity issues in their network.


Single PC

You're a small business owner, with a 1-room office (computer).  You set up a phone number with you phone company (internet service provider, ISP) to get calls.  Your phone number (internet IP address) is publicly available and you accept all incoming calls.

Single PC Security

Things are not ideal since bad actors are tying up your phone line and trying to mislead your employees into sabotage.

So, you hire a security guard (firewall) who screens all incoming and outgoing calls (packets) at the office door.  He stops anything that looks wrong, and lets the rest through.

Obviously, the guard needs to be told when new employees (programs) are added.  Otherwise he will block their calls by accident.  This is usually done by flagging new outgoing calls as they happen and asking for a confirmation they are OK.

Note that all modern computers include a built-in software firewall.



Multiple PCs (Network)

Your business grows to multiple offices (computers) in one building.

You still only have one phone number, so calls no longer go directly to each office.  You hire a receptionist (router) that has a switchboard.  These handle all incoming and outgoing calls (packets) for the entire business (network).

The reception system (router) usually has three parts:

-  A receptionist that routes each incoming call to the right office;
-  A switchboard that allows calls to be connected through; and
-  A security guard that watches for bad incoming and outgoing calls (firewall).




Your receptionist/switchboard (router) will obviously connect any outbound calls (ougoing requests / outgoing packets) without any instructions.  There means there is no need to set up anything special for calls you initiate.

This includes things like normal web browsing, FTP, e-mail, etc.  This is the reason most people don't need to worry about setting up special settings in their routers for "ordinary" computer stuff.

Note this includes torrenting.  Torrenting software both makes outgoing calls, and listens for incoming calls.  Just doing outgoing calls is not ideal, but it is enough to make it work.




However, all incoming calls come through the single main number.  Your receptionist (router) does not know which office to connect it to.  Anyone calling for a specific office (accounting, finance, etc.) will not get connected.
 
Therefore, anyone looking for any of your services where they call you (incoming connections / incoming packets) will not automatically find the correct office (computer) in your business (network).

This applies to any service that you provide from inside your own network.  Examples include:
-  Web services (web server)
-  File transfer services (FTP server)
-  Media streaming services (Plex server, etc.)
-  Game servers (Minecraft server, etc.)
-  Torrenting software (uTorrent, qbitorrent, etc.)

Basically, if it has "server" in the name, and it's within your network, the outside world can't find it.

Again, the exception is torrenting.  Most torrenting software will work without port forwarding using just outgoing calls.  But it works better when you also allow incoming calls to connect through, because you get more connections faster.



To solve this and let others connect to you, you need several things:

1.  You assign local phone numbers (local ip addresses) to your offices (computers).  This allows calls into your business phone number (internet IP address)  can be connected to the right office (computer).

2.  These local numbers can be changeable (dynamic) or unchanging (static).  To keep calls from going to the wrong offices, we obviously want fixed local numbers (static ip addresses).


3.  You have to give your reception (router)  instructions on what to do with each kind of call.

Nobody outside your office knows your local numbers.  However, there is a default list of extensions (ports) that usually correspond to each kind of office.

So:
-  To call your web site, they dial your phone number (internet IP address) plus extension 80 (port 80, http);
-  To call your FTP site, they dial your phone number (internet IP address) plus extension 21 (port 21, ftp);
-  To call your email, they dial your phone number (internet IP address) plus extension 110 (port 110, pop3)

and so on.

This lets your reception connect each kind of incoming call to the right local phone number

Unfortunately, there is no way to use just your internal phone numbers - they are hidden behind your switchboard, and are not standardized.  As callers can't dial direct, they have to use the extension numbers (port numbers) instead.




This process of matching the incoming call extension (port) to the right internal office number (internal ip address) is called port forwarding.

As you might imagine, port forwarding is very simple.  It's just a table that says this extension number (port number) gets connected to that internal phone number (internal IP address), which is permanently assigned to a specific office (computer).


From this, it is obviously a bad idea to have two offices (computers) that have the same extension (port forwarding).

For example, say you get a call for extension 80 (web server), but two offices (computers) have that extension (port).  What does your receptionist (router) do?

-  Connect only one office?  What if it's the wrong one?
-  Connect it randomly to one or the other? That doesn't work!
-  Connect it to both? How will the customer know which to listen to?

For these reasons, you can only designate each extension (port) to one office (computer).  (In other words, you can only port forward each type of packet to a single internal IP address.)


This means that if you have a web site office (web server), all of the web sites will need to live in that office (on that computer).  Similarly, you can only have one FTP server, one Plex server, etc.

Of course, some businesses have more than one.  Figuring out how to deal with this restriction is, arguably, a significant part of network administration.


There are cases where two different programs, on two different machines, want to use the same extension (port).  This can be a big problem.

Fortunately, most software makes outgoing calls, which are always OK.  It's only software that receives incoming calls that's a problem.  And having a semi-standardized list of extensions (ports) mitigates this problem.


Network Security

Of course, you also obviously have to tell all of the security guards (firewalls) in the chain to let the calls through.  This includes any guard in each office (local software firewall) plus the guard at reception (router firewall).

When you give your reception (router) the port forwarding instructions, the guard at reception (router firewall) will naturally see it and will let through any such calls automatically.  However, the guards in the offices (local software firewalls) don't get to see this, and so have to be told separately.

From this, it is tempting to turn off one or more firewalls, since they are theoretically redundant.  This is not a great idea since more firewalls mean more protection, but it can be done. 

If any given guard (firewall) is stopping the call from connecting, that port is said to be closed (blocked).  If all the guards are allowing the call through, the port is open.  Open ports ring through - blocked ports do not.



VPN

There may come a time when you no longer want the world to know your phone number (external IP address).

This is usually done for privacy reasons.  If your phone number is public, it is possible for your phone company (internet service provider) to listen in.  Some people don't like this.

To prevent this, you hire a call forwarding service (virtual private network, VPN).  From then on, all calls go through them.

To facilitate this, you change your published phone number (internet IP address) from your real number to the number of the call forwarding service (VPN).  Anyone trying to call you will be calling them instead, hiding your real phone number.


Forwarding can be handled at one of two places:


-   At the phone in each individual office (computer).  You need to place a special forwarding agent (VPN program / application) in each office (computer) to accomplish this.

-  At your main reception (router).  You just instruct your reception (router) to connect all outgoing calls to the forwarding service (VPN).  This covers your entire business (network) in a single step.

You can also tell reception to route only a block of internal offices through the VPN, and connect all other calls normally.



After setup, the process for outgoing calls is:

-  You call a special encrypted phone line at the forwarder (VPN).
-  They connect you through to the external number.
-  The call ID at the other end shows the number of the forwarder (VPN), not your real phone number.


As the forwarder handles calls for thousands of businesses, this process ensures that nobody can tell which outgoing calls are yours.  And as calls are encrypted, nobody can listen in.

This obviously works fine for all outgoing calls.  Aside from setting up the VPN service itself, nothing more is usually needed.


Incoming calls, however, are a different story.

Remember, you changed your phone number (internet IP address).  Customers are now calling your call forwarding service (VPN), and not you.



The forwarder handles thousands of customers.  So if they get a call at their own phone number to any given extension (port), they do not know who it is for.

For example, say they get a call for extension 80 (port 80).  Out of their thousands of clients, who is this for?  They can't know, so the call fails to connect.


Remember, the caller does not know your number - they only known the number of the VPN.  That is the point.  So the caller can't identify you to the VPN either.

This occurs from outside, and randomly, so you can't handle these with an outgoing call.  There is also no way to call them back since you never saw the incoming call in the first place, plus they might not even be listening anymore.

This means that if you use a VPN, any services you offer - web, FTP, game, etc. - will automatically be blocked, even if everything else is OK.  This is obviously a big issue.


To fix this, you have a few options.

1.  You can specifically tell your call forwarder to send extension calls to you.  This is known as VPN port forwarding.

Obviously, connecting specific calls to you is at odds with making you anonymous, and is technically challenging.  So not every VPN provider offers port forwarding, and those that do often require special setups.  Sometimes you have to manually reconfigure the VPN client daily (or so), which can be a pain.

Note that is not usually possible to set up VPN port forwarding at your reception (router), because it won't support it.  It's just too complex for consumer-grade routers.  You usually must use the software VPN application on the affected machine.


2.  You can stop using the VPN for the affected machines.  That is, your servers will have to live outside the VPN.

This is why you will often hear of people that have excluded certain machines from VPN service.  These machines are typically servers that can't work behind the VPN.

This works well if your server is separate from your working machine.  The server can live outside the VPN, but your personal machine can stay in, keeping your personal web traffic anonymous.

As most services are really simple, it is very easy to get a separate machine to use as your server.  For web and other simple stuff, almost anything will do.

Game and media servers are more complex.  However, these benefit from being outside the VPN since VPNs slow you down.


3.  For intermittent operation only, you can turn off the software VPN client on the affected machine.  This leaves you outside the VPN to do what you need to do, after which you can turn it back on.

This is cumbersome but is OK for some things.  For example, if you need to use a specific application that does not work well behind the VPN - maybe video conferencing - but only sometimes, turning off the VPN can be an easy solution.


4.  You can move your services to a machine outside your network.

For example, you can move your web hosting from a local network machine to a hosting service.  This outside service will not using a VPN, so no problem.

This obviously doesn't work well for game servers, and not at all for remote access, media or file services.  Those services need access to your local files by definition, and can't readily be moved to an offsite service.


5.  You can install the affected software on a separate machine that lives outside the VPN.

For example, maybe you set up video conferencing only on your laptop, and move it outside the VPN.  You keep your workstation on the VPN.

This means that you have to do all your video conferencing on your laptop, which may be inconvenient.  But your workstation is still protected by the VPN full-time, which is convenient.


At the end of it all, remember that VPNs just ensure privacy.  You will need to decide how important that privacy is, relative to the difficulty of setting up the software you need.