Solved

Can not see other domains anymore

Posted on 2008-10-17
19
321 Views
Last Modified: 2012-05-05
Our network is 1 forest with 3 (disjoint) domains: A.com, B.com, C.com. Each area has 2 DCs. Until recently all 3 domains have been able to see all other domains in My Network Places and browse. I have checked all the trusts, DNS, and WINS; all appear fine with no errors in the event log. I can ping and resolve names from the other 3 areas. I believe that I have looked over everything, but can someone point out something I missed?
0
Question by:chadeaux
19 Comments
 
LVL 38

Expert Comment

by:ChiefIT
0
 

Author Comment

by:chadeaux
I currently have push/pull Replication with all other DCs. Am I missing something?
0
 
LVL 38

Expert Comment

by:ChiefIT
HMM, interesting:

Ok:
So, this is what I think is going on. It sounds like the domain PDCe's are conflicting with the Forest PDCe for rights as the domain master browser. Do you have any 8032 or 8021 events in the event logs?
0
 
LVL 38

Expert Comment

by:ChiefIT
I should have specified what event logs. The event logs we want to look at are the Domain and forest PDCe's.
0
 

Author Comment

by:chadeaux
I do not see any with those 2 events. What you are saying makes sense; I just need to figure out which domain PDCs are screwing up the forest PDCs.
0
 
LVL 38

Expert Comment

by:ChiefIT
"I currently have push/pull Replication with all other DCs. Am I missing something?"

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

So, this is what I am thinking:
WINS isn't working because of port blockage through your tunnel to the other LAN.

WINS replication uses port 42.
WINS uses port 137 and the browser service uses NetBIOS datagram ports 138 and 139.

So, WINS replication might be fine and dandy, but not WINS itself.
0
 
LVL 38

Expert Comment

by:ChiefIT
By the way, SMB could do this as well. That uses ports 445 and 139.
0
 
LVL 38

Expert Comment

by:ChiefIT
So, here it is:

http://packetstormsecurity.org/papers/win/Sharing_mechanism_in_windows.pdf

Though I disagree a little with this article, because you can use WINS and NetBIOS for SMB shares on ports 137, 138 and 139, SMB is the latest protocol to share over a VPN. However, many filter or block the SMB ports 139 and 445 because of IT security.

If you have a VPN connection, you should use a security protocol to encrypt the tunnel for these ports, and make sure they have a path between sites by preventing these from being blocked.
0
 

Author Comment

by:chadeaux
OK, our WAN is set up with private point-to-point T1s between A.com, B.com and C.com (A.com is the forest root). There is no port blocking between sites.
A.com can only see C.com
C.com can only see A.com
B.com can only see itself

Each site can directly access other sites, but you cannot see nor browse to them in Network Places.
0
 
LVL 38

Expert Comment

by:ChiefIT
Sorry, I haven't replied in a while. I had to put out a bunch of fires after a domain server refresh.

Is there any progress on your situation?
0
 

Author Comment

by:chadeaux
No progress, we are going to redo the existing trusts, and go from there.
0
 

Author Comment

by:chadeaux
Re-established trusts no changes.
0
 
LVL 38

Expert Comment

by:ChiefIT
Can you run a port query between sites to see if the path is open?

Here is the syntax (the port list after -o is comma-separated; a period between 445 and 137 would leave 137 out of the query):
portqry -n xxx.xxx.xxx.xxx -o 445,137,138,139 -p both

If these sites are on different subnets, that could cause this issue. You might have a problem with your WINS connection between sites.
0
 

Author Comment

by:chadeaux
Yes each site is a different subnet, it is now making more sense.
0
 
LVL 38

Expert Comment

by:ChiefIT
This might clear things up a bit for you:

There are concurrently two methods to file and print share to remote sites.

1) through SMB sharing
2) through WINS

Each of these require their own prerequisites.

The browser service is responsible for populating a list of computers in "My Network Places". The browser service rides on the backs of Netbios over TCP/IP or SMB sharing.

NetBIOS is a broadcast system that sends NetBIOS broadcasts to the PDCe. The PDCe takes broadcasts from the client and populates the browse list through an election. This is done on WINS/NetBIOS port 137 and NetBIOS datagram ports 138 and 139. This is the old school method of populating the browse list. The old school method to share it between sites is to set up a WINS connection between the sites' PDC emulators. The PDCe's of these sites will be the domain master browsers.

At the same time netbios broadcasts are sent out. so are elections to SMB sharing. SMB sharing is the latest protocol for sharing the browselist. It uses Netbios datagram port 139 and SMB port 445. Often the problem with SMB shares is many ISPs see access to the SMB shares as a security violation. So, they block access to the SMB shares. Some routers that create a point to point VPN connection will change port 445 to a different encrypted port for this very reason. So, the default port may not work right.

My guess is, you have SMB shares blocked on port 445. Then, you may not have a WINS connection between the ports working properly. So, neither method of file and print sharing are working for you.  
0
 
LVL 38

Expert Comment

by:ChiefIT
With that said, there are a couple of things to look at:

Not long ago, a new method of NetBIOS broadcasts was introduced and is now the default protocol. It is called NetBIOS over DHCP.

What this does for that one computer is point that computer to the DHCP server for the browse list.

But let's say the DHCP server is not the PDCe. Then it will not carry the browse list. In this case, you have to have NetBIOS over TCP/IP enabled.

So, here are the services and protocols to look out for:

1) NetBIOS over TCP/IP (instead of NetBIOS over DHCP)
2) File and printer sharing for SMB traffic over TCP/IP
3) a solid connection between ports (137, 138, 139) for the old school method and (139, 445) for SMB sharing
4) If using the old school method, a WINS connection between the PDCe of the sites.
5) No configured LMHOSTS files that could interfere with WINS traffic.
0
 

Author Comment

by:chadeaux
Here is the result of the scan you suggested

FROM LIBERTY TO ROUNDTOP
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name..
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========

FROM LIBERTY TO WHITETAIL
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name...
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
0
 

Author Comment

by:chadeaux
Sorry, Here is the 2nd part of the scan,

PortQry Version 2.0 Log File

System Date: Mon Nov 10 15:57:25 2008

Command run:
 PortQry -n 192.168.0.254 -o 445.137,138,139 -p both -l Whitetail2.txt

Local computer name:

 SLIT108

Querying target system called:

 192.168.0.254

Attempting to resolve IP address to a name...


IP address resolved to STALKER

querying...

TCP port 445 (microsoft-ds service): LISTENING

UDP port 445 (microsoft-ds service): LISTENING or FILTERED

TCP port 138 (unknown service): NOT LISTENING

UDP port 138 (netbios-dgm service): LISTENING or FILTERED

TCP port 139 (netbios-ssn service): LISTENING

UDP port 139 (unknown service): NOT LISTENING


========= end of log file =========
0
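The PortQry logs above, read by a small parser. This is an added example and not code from the thread; it takes the output posted above (the run against 192.168.0.254 / STALKER is copied into SAMPLE_LOG) and, for each port the thread cares about, reports whether the transport that service actually uses answered. Two things the raw logs hide are worth noting: no line for port 137 appears in any of the three runs, so the name-service port that WINS and nbtstat depend on was never actually probed, and the "LISTENING or FILTERED" result PortQry gives for UDP means it got no reply at all, which is what both an open-but-silent port and a firewall drop look like. The "NOT LISTENING" results for TCP/138 and UDP/139 are expected, since the datagram service is UDP-only and the session service is TCP-only.

```python
import re

# Ports the thread is probing, with the transport each service really uses.
# 137/UDP name service (WINS, nbtstat), 138/UDP datagram service (browser
# announcements and elections), 139/TCP session service, 445/TCP direct SMB.
EXPECTED_PORTS = {
    137: ("UDP", "NetBIOS name service (WINS registration/queries, nbtstat)"),
    138: ("UDP", "NetBIOS datagram service (browser announcements/elections)"),
    139: ("TCP", "NetBIOS session service (SMB over NetBT)"),
    445: ("TCP", "SMB directly over TCP"),
}

# One PortQry result line, e.g. "UDP port 138 (netbios-dgm service): LISTENING or FILTERED"
RESULT_LINE = re.compile(r"^(TCP|UDP) port (\d+) \(([^)]*)\): (.+?)\s*$")


def parse_portqry_log(text: str) -> dict:
    """Map (protocol, port) -> PortQry status for every result line in a log."""
    results = {}
    for line in text.splitlines():
        match = RESULT_LINE.match(line.strip())
        if match:
            proto, port, _service, status = match.groups()
            results[(proto, int(port))] = status
    return results


def assess(results: dict) -> dict:
    """Turn raw statuses into verdicts on the transport each service actually needs.

    PortQry semantics: LISTENING = reply received; NOT LISTENING = host answered
    with a RST or ICMP unreachable; FILTERED = nothing came back on TCP; on UDP a
    silent target is reported as "LISTENING or FILTERED" because an open UDP
    port that ignores the probe looks identical to a firewall drop.
    """
    verdicts = {}
    for port, (proto, description) in EXPECTED_PORTS.items():
        status = results.get((proto, port))
        if status is None:
            verdict = "not queried"        # no result line at all for this port
        elif status == "LISTENING":
            verdict = "open"
        elif status == "NOT LISTENING":
            verdict = "closed"
        elif status == "FILTERED":
            verdict = "blocked"
        else:
            verdict = "inconclusive"       # "LISTENING or FILTERED" on UDP
        verdicts[port] = (proto, verdict, description)
    return verdicts


def report(text: str) -> list:
    """Human-readable lines, one per expected port, lowest port first."""
    return [f"{proto}/{port}: {verdict} - {desc}"
            for port, (proto, verdict, desc) in sorted(assess(parse_portqry_log(text)).items())]


# Copied from the scan against 192.168.0.254 (STALKER) posted in the thread.
SAMPLE_LOG = """\
PortQry Version 2.0 Log File
System Date: Mon Nov 10 15:57:25 2008
Command run:
 PortQry -n 192.168.0.254 -o 445.137,138,139 -p both -l Whitetail2.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.0.254
Attempting to resolve IP address to a name...
IP address resolved to STALKER
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against any saved PortQry log file (for example the Whitetail2.txt the command above wrote) by passing the file's contents to report(). Anything that comes back "not queried" or "inconclusive" has not actually been proven open; for UDP/137 and UDP/138 the only conclusive check is to send a real NetBIOS name query or datagram and see whether the far side answers.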
 
LVL 38

Accepted Solution

by: ChiefIT (earned 500 total points)
Those paths are perfect:

There is no port blockage, but there still are a lot of things this could be.

On the problem child site, let's check a few things.

A) Services
Let's make sure the Workstation, Server, and Browser services are enabled and started.

B) make sure that PDCe is the browsemaster
On that problem site, go to the command prompt of the PDCe and type Browstat /status

C) Make sure we are using the right protocols: (on the problem child site PDCe)
Make sure File and print sharing are enabled
Then, also make sure you are using netbios over TCP/IP on that domain server.

D) Make sure there is NO WINS cache record, bad WINS record or LMHOSTS file configured on the PDCe of the problem child site:
1) Go to the command prompt and type NBTstat -RR
2) Go into WINS and remove any WINS records to a second NIC. Also register that PDCe to the WINS service if you have WINS servers enabled.
3) Locate this file (it is editable with a text editor like Notepad):
C:\WINDOWS\system32\drivers\etc\lmhosts.sam
delete all entries out of it.
0
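The accepted solution checks with browstat /status that the problem site's PDC emulator is the master browser, and uses nbtstat to look at NetBIOS name registrations. The script below is an added example, not code from the thread, showing what is on the wire when nbtstat -A queries a host on UDP/137: it builds the node status request (RFC 1002), decodes the name table in the reply, and reports which browser roles the host holds from the unique <1B> (domain master browser) and <1D> (master browser) names it has registered. The reply is constructed inside the script for a host named STALKER in an assumed NetBIOS domain "ADOM"; the MAC address is made up. To run it against a live DC you would send build_node_status_request() to UDP port 137 and hand the datagram that comes back to parse_node_status_response().

```python
import struct

NBSTAT = 0x0021          # RR type for a node status (nbtstat -A) query, RFC 1002

# Microsoft NetBIOS suffixes that matter for browsing. A host that owns the
# unique <1B> name is the domain master browser; <1D> is the subnet master browser.
SUFFIX_ROLES = {
    0x00: "workstation service / domain name",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser elections",
    0x20: "server service (file sharing)",
}


def nb_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: ASCII padded with spaces, then the suffix byte.
    The wildcard '*' used by node status queries is padded with NULs instead."""
    if name == "*":
        return b"*" + b"\x00" * 15
    return name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])


def first_level_encode(raw: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P',
    wrapped as one DNS-style label (length 32) with a zero terminator."""
    label = bytes(ord("A") + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"


def build_node_status_request(trn_id: int) -> bytes:
    """What nbtstat -A sends to UDP/137: header, wildcard name, QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    return header + first_level_encode(nb_name("*", 0)) + struct.pack(">HH", NBSTAT, 1)


def build_node_status_response(trn_id: int, entries, mac: bytes) -> bytes:
    """Constructed reply for testing: entries are (name, suffix, is_group) tuples."""
    rdata = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = (0x8000 if is_group else 0) | 0x6000 | 0x0400   # G bit, H-node, ACT
        rdata += nb_name(name, suffix) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40                                  # 46-byte STATISTICS block
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr = first_level_encode(nb_name("*", 0)) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(pkt: bytes) -> dict:
    """Decode the name table (and adapter MAC) from a node status response."""
    trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    pos = 12
    while pkt[pos] != 0:            # skip the RR_NAME labels
        pos += 1 + pkt[pos]
    pos += 1
    rr_type, _rr_class, _ttl, _rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type %#06x" % rr_type)
    count = pkt[pos]
    pos += 1
    names = []
    for _ in range(count):          # 18 bytes per entry: 15 name, 1 suffix, 2 flags
        entry = pkt[pos:pos + 18]
        pos += 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("ascii", "replace").rstrip(),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),
            "active": bool(nflags & 0x0400),
            "role": SUFFIX_ROLES.get(entry[15], "other"),
        })
    return {"trn_id": trn_id, "names": names, "mac": pkt[pos:pos + 6].hex(":")}


def browser_roles(names) -> list:
    """Unique, active browser names the host has registered: tells you whether it
    is the domain master browser (<1B>) and/or a subnet master browser (<1D>)."""
    return sorted(n["role"] for n in names
                  if n["suffix"] in (0x1B, 0x1D) and not n["group"] and n["active"])


if __name__ == "__main__":
    # Constructed name table for a DC named STALKER in an assumed domain "ADOM".
    reply = build_node_status_response(0x1234, [
        ("STALKER", 0x00, False), ("ADOM", 0x00, True), ("STALKER", 0x20, False),
        ("ADOM", 0x1C, True), ("ADOM", 0x1B, False), ("ADOM", 0x1E, True),
        ("ADOM", 0x1D, False),
    ], bytes.fromhex("0050569a0001"))
    table = parse_node_status_response(reply)
    for n in table["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}> {'GROUP ' if n['group'] else 'UNIQUE'} {n['role']}")
    print("browser roles:", browser_roles(table["names"]))
```

If the PDC emulator of the problem site does not show a unique <1B> name in this table, it is not acting as domain master browser and browse lists will not cross the sites. One caveat on step D3 of the answer: Windows only reads a file named lmhosts with no extension in that directory; lmhosts.sam is the shipped sample and is ignored, so what matters is whether an lmhosts file exists beside it and what it contains.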
