chadeaux (United States of America) asked:
Cannot see other domains anymore

Our network is 1 forest with 3 (disjointed) domains: A.com, B.com, C.com. Each area has 2 DCs. Until recently all 3 domains have been able to see all other domains in My Network Places and browse. I have checked all the trusts, DNS, and WINS; all appear fine with no errors in the event log. I can ping and resolve names from the other 3 areas. I believe that I have looked over everything, but can someone point out something I missed?
ChiefIT (United States of America):

You need a wins connection to the other domain master browsers:
https://www.experts-exchange.com/questions/23652843/Network-neigborhood.html
[attachment: browser-interaction.jpg]
chadeaux (asker):
I currently have push/pull Replication with all other DCs. Am I missing something?
HMM, interesting:

Ok:
So, this is what I think is going on. It sounds like the domain PDCe's are conflicting with the forest PDCe for rights as the domain master browser. Do you have any 8032 or 8021 events in the event logs?
I should have specified what event logs. The event logs we want to look at are the Domain and forest PDCe's.
I do not see any with those 2 events; what you are saying makes sense. Just need to figure out which domain PDCs are screwing up the forest PDCs.
"I currently have push/pull Replication with all other DCs. Am I missing something?"

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

So, this is what I am thinking:
WINS isn't working because of port blockage through your tunnel to the other LAN.

WINS replication uses port: 42
WINS uses port 137 and the browser services uses netbios datagram ports 138, and 139.

So, Wins replication might be fine and dandy, but not WINS itself.
By the way, SMB could do this as well. That uses ports 445 and 139.
So, here it is:

http://packetstormsecurity.org/papers/win/Sharing_mechanism_in_windows.pdf

Though I disagree a little with this article because you can use WINS and Netbios for SMB shares on 137, 138 and 139 ports, SMB is the latest protocol to share over a VPN. However, many filter or block the SMB ports 139 and 445 because of IT security.

If you have a VPN connection, you should use a security protocol to encrypt the tunnel for these ports, and make sure they have a path between sites by preventing these from being blocked.
OK, our WAN is set up with private point-to-point T1s between A.com, B.com and C.com (A.com is the forest root). There is no port blocking between sites.
A.com can only see C.com
C.com can only see A.com
B.com can only see itself

Each site can directly access other sites, but you can not see nor browse to them in Network Places.
Sorry, I haven't replied in a while. I had to put out a bunch of fires after a domain server refresh.

Is there any progress on your situation?
No progress, we are going to redo the existing trusts, and go from there.
Re-established trusts no changes.
Can you run a port query between sites to see if the path is open?

here is the syntax:
portqry -n xxx.xxx.xxx.xxx -o 445,137,138,139 -p both

If these sites are on different subnets, that could cause this issue. You might have a problem with your WINS connection between sites.
Yes each site is a different subnet, it is now making more sense.
This might clear things up a bit for you:

There are concurrently two methods to file and print share to remote sites.

1) through SMB sharing
2) through WINS

Each of these requires its own prerequisites.

The browser service is responsible for populating a list of computers in "My Network Places". The browser service rides on the backs of Netbios over TCP/IP or SMB sharing.

Netbios is a broadcast system that sends netbios broadcasts to the PDCe. The PDCe takes broadcasts from the client and populates the browse list through an election. This is done on WINS/Netbios port 137 and netbios datagram ports 138 and 139. This is the old school method of populating the browse list. The old school method to share it between sites is to set up a WINS connection between the sites' PDC emulators. The PDCe's of these sites will be the domain master browsers.

At the same time netbios broadcasts are sent out, so are elections for SMB sharing. SMB sharing is the latest protocol for sharing the browse list. It uses Netbios datagram port 139 and SMB port 445. Often the problem with SMB shares is that many ISPs see access to the SMB shares as a security violation, so they block access to the SMB shares. Some routers that create a point-to-point VPN connection will change port 445 to a different encrypted port for this very reason, so the default port may not work right.

My guess is, you have SMB shares blocked on port 445. Then, you may not have a WINS connection between the ports working properly. So, neither method of file and print sharing is working for you.
With that said, there are a couple of things to look at:

Not long ago, a new method of netbios broadcasts was introduced and is now the default protocol. It is called Netbios over DHCP.

What this does for that one computer is point that computer to the DHCP server for the browse list.

But, let's say the DHCP server is not the PDCe. So, it will not carry the browselist. In this case, you have to have Netbios over TCP/IP enabled.

So, here are the services and protocols to look out for:

1) netbios over TCP/IP (instead of Netbios over DHCP)
2) File and printer sharing for SMB traffic over TCP/IP
3) a solid connection between ports (137, 138, 139) for the old school method and (139, 445) for SMB sharing
4) If using the old school method, a WINS connection between the PDCe of the sites.
5) No configured LMHOSTS files that could interfere with WINS traffic.
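The portqry command suggested earlier and the five-point checklist above can be walked through from one host with the script below. It is an added example, not something posted in this thread: it assumes PowerShell on a Windows 8 / Server 2012 or later domain member (for Test-NetConnection), that the host name in $RemotePdce is a placeholder you replace with the other site's PDC emulator, and that the script is run read-only by an administrator who wants to know which of the two browse-list paths is actually reachable.

```powershell
# Added example (not from the thread): a read-only checklist that walks the five
# items above against one remote site's PDC emulator. Assumptions: run from a
# domain member in site A; $RemotePdce is a placeholder, not a host from the thread.
param(
    [string]$RemotePdce = "pdce.b.example"   # placeholder, replace with the real PDCe
)

# 3) TCP path for the session/SMB ports. Test-NetConnection only tests TCP, so
#    UDP 137 (name service) is covered separately below.
$tcpResults = foreach ($port in 139, 445) {
    $r = Test-NetConnection -ComputerName $RemotePdce -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Protocol = 'TCP'; Open = $r.TcpTestSucceeded }
}
$tcpResults | Format-Table -AutoSize

# 3, continued) UDP 137: nbtstat -A sends a NetBIOS node-status query to the
#    remote host's name service port (it needs an IPv4 address, so resolve first).
#    A reply lists the names it has registered; the <1B> entry is the domain
#    master browser name. "Host not found" means the query or its reply did not
#    cross the WAN, which is the WINS/old-school path failing.
$ip = ([System.Net.Dns]::GetHostAddresses($RemotePdce) |
       Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
       Select-Object -First 1).IPAddressToString
Write-Host "NetBIOS node status for $RemotePdce ($ip) over UDP 137:"
nbtstat -A $ip

# 1) and 4) Local NetBIOS-over-TCP/IP setting and WINS servers per adapter.
#    TcpipNetbiosOptions: 0 = use the DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object Description,
        @{ n = 'IPAddress'; e = { $_.IPAddress -join ',' } },
        @{ n = 'NetBIOS';   e = { @('Via DHCP', 'Enabled', 'Disabled')[$_.TcpipNetbiosOptions] } },
        WINSPrimaryServer, WINSSecondaryServer |
    Format-Table -AutoSize

# 2) File and Printer Sharing (LanmanServer/LanmanWorkstation) and the Computer
#    Browser service must be running for this host to take part in elections.
#    The Browser service is absent on newer builds, hence SilentlyContinue.
Get-Service -Name LanmanServer, LanmanWorkstation, Browser -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# 5) A populated LMHOSTS file overrides WINS lookups for the names it lists,
#    so stale entries there can explain a site that "sees" the wrong domain.
$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
if (Test-Path $lmhosts) {
    $entries = @(Get-Content $lmhosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
    Write-Host "LMHOSTS has $($entries.Count) active entries; review them for stale mappings."
} else {
    Write-Host "No LMHOSTS file present (only the lmhosts.sam sample, if anything)."
}
```

Run it once from each site toward each other site's PDCe. If TCP 139/445 are open but the node-status query gets no answer, the SMB path is there and the WINS/NetBIOS path is not, which matches the symptom of some sites browsing each other while others cannot; if both fail, look at the link itself rather than at the browser service.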
Here is the result of the scan you suggested

FROM LIBERTY TO ROUNDTOP
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name..
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========

FROM LIBERTY TO WHITETAIL
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name...
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
Sorry, Here is the 2nd part of the scan,

PortQry Version 2.0 Log File
System Date: Mon Nov 10 15:57:25 2008
Command run:
 PortQry -n 192.168.0.254 -o 445.137,138,139 -p both -l Whitetail2.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.0.254
Attempting to resolve IP address to a name...
IP address resolved to STALKER
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
ASKER CERTIFIED SOLUTION: ChiefIT (United States of America)