Solved

Can not see other domains anymore

Posted on 2008-10-17
Last Modified: 2012-05-05
Our network is 1 forest with 3 (disjointed) domains: A.com, B.com, C.com. Each area has 2 DCs. Until recently all 3 domains have been able to see all other domains in My Network Places and browse. I have checked all the trusts, DNS, and WINS; all appear fine with no errors in the event log. I can ping and resolve names from the other 3 areas. I believe that I have looked over everything, but can someone point out something I missed?
Question by:chadeaux
19 Comments
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22743486
 

Author Comment

by:chadeaux
ID: 22743585
I currently have push/pull Replication with all other DCs. Am I missing something?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22746316
HMM, interesting:

Ok:
So, this is what I think is going on. It sounds like the domain PDCe's are conflicting with the Forest PDCe for rights as the domain master browser. Do you have any 8032 or 8021 events in event logs?
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22746323
I should have specified what event logs. The event logs we want to look at are the Domain and forest PDCe's.
 

Author Comment

by:chadeaux
ID: 22759560
I do not see any with those 2 events; what you are saying makes sense. Just need to figure out which domain PDCs are screwing up the forest PDCs.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22774396
"I currently have push/pull Replication with all other DCs. Am I missing something?"

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

So, this is what I am thinking:
WINS isn't working because of port blockage through your tunnel to the other LAN.

WINS replication uses port 42.
WINS uses port 137 and the browser service uses netbios datagram ports 138 and 139.

So, Wins replication might be fine and dandy, but not WINS itself.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22774440
By the way, SMB could do this as well. That uses ports 445 and 139.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22774490
So, here it is:

http://packetstormsecurity.org/papers/win/Sharing_mechanism_in_windows.pdf

Though I disagree a little with this article, because you can use WINS and Netbios for SMB shares on ports 137, 138 and 139, SMB is the latest protocol to share over a VPN. However, many filter or block the SMB ports 139 and 445 because of IT security.

If you have a VPN connection, you should use a security protocol to encrypt the tunnel for these ports, and make sure they have a path between sites by preventing these from being blocked.
 

Author Comment

by:chadeaux
ID: 22776421
OK, our WAN is set up with private point-to-point T1s between A.com, B.com and C.com (A.com is the forest root). There is no port blocking between sites.
A.com can only see C.com
C.com can only see A.com
B.com can only see itself

Each site can directly access other sites, but you can not see nor browse to them in Network Places.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22902200
Sorry, I haven't replied in a while. I had to put out a bunch of fires after a domain server refresh.

Is there any progress on your situation?
 

Author Comment

by:chadeaux
ID: 22903885
No progress, we are going to redo the existing trusts, and go from there.
 

Author Comment

by:chadeaux
ID: 22922001
Re-established trusts, no changes.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22923721
Can you run a port query between sites to see if the path is open?

Here is the syntax (the port list is comma-separated, so 445,137,138,139 rather than 445.137,138,139):
portqry -n xxx.xxx.xxx.xxx -o 445,137,138,139 -p both

If these sites are on different subnets, that could cause this issue. You might have a problem with your WINS connection between sites.
 

Author Comment

by:chadeaux
ID: 22924335
Yes, each site is a different subnet; it is now making more sense.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22924457
This might clear things up a bit for you:

There are concurrently two methods to file and print share to remote sites.

1) through SMB sharing
2) through WINS

Each of these require their own prerequisites.

The browser service is responsible for populating a list of computers in "My Network Places". The browser service rides on the backs of Netbios over TCP/IP or SMB sharing.

Netbios is a broadcast system that sends netbios broadcasts to the PDCe. The PDCe takes broadcasts from the client and populates the Browselist through an election. This is done on WINS/Netbios port 137 and netbios datagram ports 138 and 139. This is the old school method of populating the browselist. The old school method to share it between sites is to set up a WINS connection between the sites' PDC emulators. The PDCe's of these sites will be the domain master browser.

At the same time netbios broadcasts are sent out, so are elections to SMB sharing. SMB sharing is the latest protocol for sharing the browselist. It uses Netbios datagram port 139 and SMB port 445. Often the problem with SMB shares is many ISPs see access to the SMB shares as a security violation. So, they block access to the SMB shares. Some routers that create a point-to-point VPN connection will change port 445 to a different encrypted port for this very reason. So, the default port may not work right.

My guess is, you have SMB shares blocked on port 445. Then, you may not have a WINS connection between the ports working properly. So, neither method of file and print sharing is working for you.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22924595
With that said, there are a couple of things to look at:

Not long ago, a new method of netbios broadcasts was introduced and is now the default protocol. It is called Netbios over DHCP.

What this does for that one computer, is points that computer to the DHCP server for the browse list.

But, let's say the DHCP server is not the PDCe. So, it will not carry the browselist. In this case, you have to have Netbios over TCP/IP enabled.

So, here are the services and protocols to look out for:

1) netbios over TCP/IP (instead of Netbios over DHCP)
2) File and printer sharing for SMB traffic over TCP/IP
3) a solid connection between ports (137, 138, 139) for the old school method and (139, 445) for SMB sharing
4) If using the old school method, a WINS connection between the PDCe of the sites.
5) No configured LMhosts files that could interfere with WINS traffic.
 

Author Comment

by:chadeaux
ID: 22925467
Here is the result of the scan you suggested:

FROM LIBERTY TO ROUNDTOP
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name..
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========

FROM LIBERTY TO WHITETAIL
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name...
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
 

Author Comment

by:chadeaux
ID: 22925505
Sorry, here is the 2nd part of the scan:

FROM LIBERTY TO WHITETAIL
PortQry Version 2.0 Log File
System Date: Mon Nov 10 15:57:25 2008
Command run:
 PortQry -n 192.168.0.254 -o 445.137,138,139 -p both -l Whitetail2.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.0.254
Attempting to resolve IP address to a name...
IP address resolved to STALKER
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
 
LVL 38

Accepted Solution

by: ChiefIT (earned 500 total points)
ID: 22926473
Those paths are perfect:

There is no port blockage, but there still are a lot of things this could be.

On the problem child site, let's check a few things.

A) Services
Let's make sure the Workstation, Server, and Browser services are enabled and started.

B) make sure that PDCe is the browsemaster
On that problem site, go to the command prompt of the PDCe and type Browstat /status

C) Make sure we are using the right protocols: (on the problem child site PDCe)
Make sure File and print sharing are enabled
Then, also make sure you are using netbios over TCP/IP on that domain server.

D) Make sure there is NO WINS cache record, bad WINS record or LMhosts file configured on the PDCe of the problem child site:
1) Go to the command prompt and type nbtstat -RR (the switch is case-sensitive; -RR releases and refreshes the names registered with WINS).
2) Go into WINS and remove any WINS records to a second NIC. Also register that PDCe to the WINS service if you have WINS servers enabled.
3) Locate this file (it is editable with a text editor like notepad):
C:\WINDOWS\system32\drivers\etc\lmhosts.sam
Delete all entries out of it.
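To turn ChiefIT's port checklist (137/138 for the NetBIOS path, 139/445 for SMB) and the PortQry logs posted above into a repeatable check, here is an added example that is not from the thread: a small parser for PortQry v2 result lines that grades each required port. The sample log is constructed in the same format the poster used, including the `445.137` port-list typo, which is why port 137 never appears in the results and is reported as not probed rather than as open.

```python
import re

# Constructed sample in the PortQry v2 log format posted in the thread
# (not the poster's real log; trimmed to the lines the parser needs).
SAMPLE_LOG = """\
PortQry Version 2.0 Log File
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
"""

# The ports the browser service actually needs between sites, per the checklist:
# NetBIOS name and datagram services are UDP, session service and SMB are TCP.
REQUIRED = {
    ("UDP", 137): "netbios-ns",
    ("UDP", 138): "netbios-dgm",
    ("TCP", 139): "netbios-ssn",
    ("TCP", 445): "microsoft-ds",
}

# One PortQry result line: "<proto> port <n> (<service>): <status>"
LINE_RE = re.compile(r"^(TCP|UDP) port (\d+) \(.*?\): (.+)$")


def parse_portqry(text):
    """Return {(proto, port): status} for every result line in a PortQry log."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[(m.group(1), int(m.group(2)))] = m.group(3).strip()
    return results


def check_browsing_ports(text):
    """Grade each required port as 'ok', 'blocked' or 'not_probed'.

    PortQry cannot tell a UDP listener from a filter, so 'LISTENING or
    FILTERED' is the best UDP result it can give and counts as ok here."""
    got = parse_portqry(text)
    verdict = {}
    for key in REQUIRED:
        status = got.get(key)
        if status is None:
            verdict[key] = "not_probed"   # port absent from the scan entirely
        elif status.startswith("LISTENING"):
            verdict[key] = "ok"
        else:
            verdict[key] = "blocked"      # NOT LISTENING or FILTERED
    return verdict
```

A `not_probed` result means the scan has to be re-run with the port included before anything can be concluded about the path.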
