
Cannot see computers at remote sites in my network places

I recently upgraded all my firewalls.  I have Sonicwall TZ 150s at the remotes and a TZ170 at the main site.  I have remote sites connected to the main site via site to site VPN.  I have internal WINS and DNS servers at the main site.

The tcp/ip configs are as follows

main:
192.168.20.xx
255.255.255.0
192.168.20.254

dns:
192.168.20.2
192.168.20.3
wins:
192.168.20.2
192.168.20.3

remotes
192.168.60.xx
255.255.255.0
192.168.60.254
dns:
primary is dns of isp
secondary is dns of isp
third is 192.168.20.2
wins:
192.168.20.2
192.168.20.2

Enable NetBios over TCP/IP is enabled

Netbios broadcasts are enabled in the firewall and in the vpn connection

I did not set our internal dns servers at the main site as the primary and secondary dns for the remotes as I understand dns over a vpn is not recommended.  I set the primary as the third in hopes that this would resolve.

However, when I browse the network, open my domain (all computers are in the same domain and are either W2Ksp4 or XP Pro SP2) I cannot see the computers at the remote sites.

The browser service and all that jazz is enabled on all PCs.

When I browse my domain from one of the remote PCs, I can only see the PCs at the main site.

When I set the primary dns for the remotes to 192.168.20.2 I am able to see them when I browse my domain, however I don't want to use dns over the vpn.

Why isn't wins and netbios working?

Do I need to rejoin the computer accounts to the domain?

Asked by: David Scott, MCSE
 
Rob Williams Commented:
If you want your remote workstations to use the corporate network's resources, the internal/corporate DNS server should be first.
It would be a good idea to run NetDiag on a PC at the remote site and check for any errors, especially related to WINS. It is available from the Windows resource kit or:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/netdiag.exe
 
rickyclourenco Commented:
You do not have to rejoin them to the Domain...

I agree with RobWill.......I don't think you mentioned WINS servers at both sites, so if you have not installed a WINS server at both sites, then do so, and set the WINS servers up as Replication partners....

also make sure that DHCP is sending out the PROPER WINS servers IP address(es).....
 
Rob Williams Commented:
Should even find the WINS server at the remote site if all is configured properly. WINS works quite well over a VPN usually. Fine to use DNS but may not give you browsing capability, and better geared toward domain functionality.
 
David Scott, MCSE, Network Administrator (Author) Commented:
Ok, I ran the netdiag with the current ip config and it failed on the domain tests.  I then changed the internal dns to the primary and secondary and ran it again and it passed on all tests.

My only concern is that when they are using the internet they have to go to the dns server back and forth across the vpn.  Won't this slow down browsing?

I don't have any servers at the remotes, the two wins servers are set up on the two dns servers and are set up for replication
 
rickyclourenco Commented:
I see, well, it MAY slow things down, but then again, it may not be noticeable, that is something you will have to monitor.  I mean, the users at the remote offices are still using their own gateway, so it may not be much of an issue, the only thing happening over the VPN connect is the DNS request itself, not the browsing or downloading.....

Are the users at remote sites already authenticating across the VPN?  I'm assuming you don't have a DC at their site...the MAIN problem is that you are always depending on the VPN connection being up, if it ever goes down, then they wouldn't be able to log in, and might have some issues with DNS, even though you could just make their Secondary DNS the ISP one.....in case the VPN ever went down it would fail over to that..
 
David Scott, MCSE, Network Administrator (Author) Commented:
Yeah, I just did a speed test and the upload speed was significantly affected.  I am going to try making the isp the secondary and test again.

No DC at the remotes.  These are very small offices 2,3,4 people.  Really does not justify servers at their locations.

The vpn rarely goes down.  

Our main application is web based so they wouldn't lose that if the vpn went down

i'll report back on the test

 
rickyclourenco Commented:
I see, well, good luck, I mean, if it's a domain, you kinda have to have them pointing to your DNS.....
 
David Scott, MCSE, Network Administrator (Author) Commented:
Thanks guys for your help.  I don't think the dns going over the vpn is going to have much of an effect on the bandwidth
 
rickyclourenco Commented:
I don't think so either, because it's only making the REQUEST, it's not affecting the bandwidth, so the DNS request will slow down....but the actual connection once established should be fine....besides it's only 2-5 users....
 
Rob Williams Commented:
Thanks opie6373.
As for the DNS issue I think you will find there is no problem. If you add the computers to the domain you should really only have the corporate DNS server listed, no ISP DNS at all. The ISP would only be listed as a forwarder on your DNS server. I have this in many locations, and oddly enough it works great.
Cheers,
--Rob
 
David Scott, MCSE, Network Administrator (Author) Commented:
I listed both corporate dns servers and I put the dns isp as the third in case the vpn went down they would still be able to surf using the isp dns...

oh ps, i do have the dns isp setup as forwarders in my corporate dns

 
Rob Williams Commented:
>>"i put the dns isp as the third in case the vpn went down they would still be able surf using the isp dns..."
I agree with the theory, but if you join the computers to the domain for some reason it doesn't work that way. It is as if the lookup doesn't always choose the 1st DNS server first. You end up with very slow logons. Rule of thumb, if the computers are a member of the Domain, and the users log onto the Domain, only your private DNS server should be listed on the PCs. The workaround for a dead private DNS server is another private DNS server at the second site.

>>"i do have the dns isp setup as forwarders in my corporate dns"
Good.
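
Added example, not part of the original thread: a small Python check of a remote PC's `ipconfig /all` output against the rule discussed above, that a domain member should list only the corporate DNS servers. The sample output, the 203.0.113.x ISP placeholders and the function names are constructed for illustration; the duplicate-WINS check is an extra assumption of this example.

```python
import ipaddress
import re

# Corporate DNS/WINS servers named in the thread (main site).
INTERNAL = {"192.168.20.2", "192.168.20.3"}

# Constructed `ipconfig /all` sample; 203.0.113.x stands in for the ISP DNS.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.60.21
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11
                                            192.168.20.2
        Primary WINS Server . . . . . . . : 192.168.20.2
        Secondary WINS Server . . . . . . : 192.168.20.2
"""

# "   Label . . . . : value" rows; continuation rows carry only an address.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")

def parse_fields(text):
    """Return {label: [values]}, folding indented continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2).strip()] if m.group(2).strip() else []
        elif current and line.strip():
            try:
                ipaddress.ip_address(line.strip())
                fields[current].append(line.strip())
            except ValueError:
                current = None  # adapter header or unrelated text
    return fields

def audit(text, internal=INTERNAL):
    """Findings for a domain member's DNS/WINS client settings."""
    f, findings = parse_fields(text), []
    for ip in f.get("DNS Servers", []):
        if ip not in internal:
            findings.append(f"non-corporate DNS server listed: {ip}")
    wins = f.get("Primary WINS Server", []) + f.get("Secondary WINS Server", [])
    if not wins:
        findings.append("no WINS server configured")
    elif len(set(wins)) < len(wins):
        findings.append("primary and secondary WINS point at the same server")
    return findings
```

Calling `audit(SAMPLE)` reports the two ISP resolvers and the repeated WINS entry; a client listing only 192.168.20.2 and 192.168.20.3 returns an empty list.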
 
David Scott, MCSE, Network Administrator (Author) Commented:
ok thanks
 
David Scott, MCSE, Network Administrator (Author) Commented:
Ok, they have the two corporate dns and wins servers only, no isp

and I did an ipconfig /renew on one of the workstations and when I browse my network places and open my domain they are still not listed.

i don't get it.

i can ping them by name, i can open them by start, run \\name

why wouldn't they show up in net places????
 
Rob Williams Commented:
Network places and network neighborhood often do not work over a VPN. It uses NetBIOS names rather than DNS names, which are not broadcast over a VPN. Usually though, if you have a proper WINS server it will work. Make sure on the routers if there is an "enable NetBIOS broadcast" option it is checked.
There actually are not too many cases where you need to browse a remote network.
 
David Scott, MCSE, Network Administrator (Author) Commented:
Yeah, the netbios is enabled.

Apparently it takes some time for the net places to refresh as I just checked again and now the pc I did the ipconfig /renew on is showing in there.

you're right though, not something i really need i'm just anal and it was bugging me for some reason

 
Rob Williams Commented:
Yes, sorry, it does take a while for all computers to "report in".
I agree there are a few times where it is very nice to have. Once shares and such are set up, it is not necessary but sometimes when you can't remember the name of a PC, it is convenient.
Question has a verified solution.
