Solved

Can not see other domains anymore

Posted on 2008-10-17
Medium Priority
340 Views
Last Modified: 2012-05-05
Our network is 1 forest with 3 (disjoint) domains: A.com, B.com, C.com. Each area has 2 DCs. Until recently all 3 domains have been able to see all other domains in My Network Places and browse. I have checked all the trusts, DNS, and WINS; all appear fine with no errors in the event log. I can ping and resolve names from the other 3 areas. I believe that I have looked over everything, but can someone point out something I missed?
Question by:chadeaux
19 Comments
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22743486
0
 

Author Comment

by:chadeaux
ID: 22743585
I currently have push/pull Replication with all other DCs. Am I missing something?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22746316
Hmm, interesting:

OK, so this is what I think is going on. It sounds like the domain PDCe's are conflicting with the forest PDCe for rights as the domain master browser. Do you have any 8032 or 8021 events in the event logs?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22746323
I should have specified what event logs. The event logs we want to look at are the Domain and forest PDCe's.
0
 

Author Comment

by:chadeaux
ID: 22759560
I do not see any of those 2 events; what you are saying makes sense. Just need to figure out which domain PDCs are screwing up the forest PDCs.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22774396
"I currently have push/pull Replication with all other DCs. Am I missing something?"

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

So, this is what I am thinking:
WINS isn't working because of port blockage through your tunnel to the other LAN.

WINS replication uses port 42.
WINS uses port 137 and the browser service uses NetBIOS datagram ports 138 and 139.

So, WINS replication might be fine and dandy, but not WINS itself.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22774440
By the way, SMB could do this as well. That uses ports 445 and 139.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22774490
So, here it is:

http://packetstormsecurity.org/papers/win/Sharing_mechanism_in_windows.pdf

Though I disagree a little with this article, because you can use WINS and NetBIOS for SMB shares on ports 137, 138 and 139, SMB is the latest protocol to share over a VPN. However, many filter or block the SMB ports 139 and 445 because of IT security.

If you have a VPN connection, you should use a security protocol to encrypt the tunnel for these ports, and make sure they have a path between sites by preventing these from being blocked.
0
 

Author Comment

by:chadeaux
ID: 22776421
OK, our WAN is set up with private point to point T1s between A.com, B.com and C.com (A.com is the forest root). There is no port blocking between sites.
A.com can only see C.com
C.com can only see A.com
B.com can only see itself

Each site can directly access other sites, but you can not see nor browse to them in Network Places.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22902200
Sorry, I haven't replied in a while. I had to put out a bunch of fires after a domain server refresh.

Is there any progress on your situation?
0
 

Author Comment

by:chadeaux
ID: 22903885
No progress, we are going to redo the existing trusts, and go from there.
0
 

Author Comment

by:chadeaux
ID: 22922001
Re-established trusts no changes.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22923721
Can you run a port query between sites to see if the path is open?

Here is the syntax:
portqry -n xxx.xxx.xxx.xxx -o 445,137,138,139 -p both

If these sites are on different subnets, that could cause this issue. You might have a problem with your WINS connection between sites.
0
 

Author Comment

by:chadeaux
ID: 22924335
Yes, each site is a different subnet; it is now making more sense.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22924457
This might clear things up a bit for you:

There are concurrently two methods to file and print share to remote sites:

1) through SMB sharing
2) through WINS

Each of these requires its own prerequisites.

The browser service is responsible for populating a list of computers in "My Network Places". The browser service rides on the backs of NetBIOS over TCP/IP or SMB sharing.

NetBIOS is a broadcast system that sends NetBIOS broadcasts to the PDCe. The PDCe takes broadcasts from the client and populates the browselist through an election. This is done on WINS/NetBIOS port 137 and NetBIOS datagram ports 138 and 139. This is the old school method of populating the browselist. The old school method to share it between sites is to set up a WINS connection between the sites' PDC emulators. The PDCe's of these sites will be the domain master browser.

At the same time NetBIOS broadcasts are sent out, so are elections to SMB sharing. SMB sharing is the latest protocol for sharing the browselist. It uses NetBIOS datagram port 139 and SMB port 445. Often the problem with SMB shares is that many ISPs see access to the SMB shares as a security violation, so they block access to the SMB shares. Some routers that create a point to point VPN connection will change port 445 to a different encrypted port for this very reason, so the default port may not work right.

My guess is, you have SMB shares blocked on port 445. Then, you may not have a WINS connection between the ports working properly. So, neither method of file and print sharing is working for you.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22924595
With that said, there are a couple of things to look at:

Not long ago, a new method of NetBIOS broadcasts was introduced and is now the default protocol. It is called NetBIOS over DHCP.

What this does for that one computer is point that computer to the DHCP server for the browse list.

But, let's say the DHCP server is not the PDCe. Then it will not carry the browselist. In this case, you have to have NetBIOS over TCP/IP enabled.

So, here are the services and protocols to look out for:

1) NetBIOS over TCP/IP (instead of NetBIOS over DHCP)
2) File and printer sharing for SMB traffic over TCP/IP
3) A solid connection between ports (137, 138, 139) for the old school method and (139, 445) for SMB sharing
4) If using the old school method, a WINS connection between the PDCe of the sites.
5) No configured LMhosts files that could interfere with WINS traffic.
0
 

Author Comment

by:chadeaux
ID: 22925467
Here is the result of the scan you suggested.

FROM LIBERTY TO ROUNDTOP
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name..
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========

FROM LIBERTY TO WHITETAIL
PortQry Version 2.0 Log File
System Date: Mon Nov 10 14:15:26 2008
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
Local computer name:
 SLIT108
Querying target system called:
 192.168.6.254
Attempting to resolve IP address to a name...
IP address resolved to MINUTEMAN
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
0
 

Author Comment

by:chadeaux
ID: 22925505
Sorry, here is the 2nd part of the scan.

PortQry Version 2.0 Log File

System Date: Mon Nov 10 15:57:25 2008

Command run:
 PortQry -n 192.168.0.254 -o 445.137,138,139 -p both -l Whitetail2.txt

Local computer name:

 SLIT108

Querying target system called:

 192.168.0.254

Attempting to resolve IP address to a name...


IP address resolved to STALKER

querying...

TCP port 445 (microsoft-ds service): LISTENING

UDP port 445 (microsoft-ds service): LISTENING or FILTERED

TCP port 138 (unknown service): NOT LISTENING

UDP port 138 (netbios-dgm service): LISTENING or FILTERED

TCP port 139 (netbios-ssn service): LISTENING

UDP port 139 (unknown service): NOT LISTENING


========= end of log file =========
0
 
LVL 39

Accepted Solution

by: ChiefIT (earned 2000 total points)
ID: 22926473
Those paths are perfect:

There is no port blockage, but there still are a lot of things this could be.

On the problem child site, let's check a few things.

A) Services
Let's make sure the Workstation, Server, and Browser services are enabled and started.

B) Make sure that the PDCe is the browsemaster
On that problem site, go to the command prompt of the PDCe and type Browstat /status

C) Make sure we are using the right protocols (on the problem child site PDCe):
Make sure File and print sharing are enabled.
Then, also make sure you are using NetBIOS over TCP/IP on that domain server.

D) Make sure there is NO WINS cache record, bad WINS record or LMhosts file configured on the PDCe of the problem child site:
1) Go to the command prompt and type NBTstat -rr
2) Go into WINS and remove any WINS records to a second NIC. Also register that PDCe to the WINS service if you have WINS servers enabled.
3) Locate this file (it is editable with a text editor like Notepad):
C:\WINDOWS\system32\drivers\etc\lmhosts.sam
Delete all entries out of it.
0
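As an added example (not part of this thread), a small Python checker for PortQry logs like the ones posted above, grading each result against the port list ChiefIT gives for the WINS/browser path (UDP 137, 138) and the SMB path (TCP 139, 445). It also surfaces that none of the posted logs contain a result for port 137 (the command as run shows "-o 445.137,138,139", with a period after 445), so the WINS name-service port was never actually tested. The sample log is constructed in the posted format; the verdict wording for PortQry's LISTENING / NOT LISTENING / FILTERED results is this example's own.

```python
import re

# Constructed sample in the PortQry 2.0 log format pasted in this thread
# (target IP as in the thread; like the posted logs it has no result line
# for port 137).
SAMPLE_LOG = """PortQry Version 2.0 Log File
Command run:
 PortQry -n 192.168.6.254 -o 445.137,138,139 -p both -l Roundtop.txt
querying...
TCP port 445 (microsoft-ds service): LISTENING
UDP port 445 (microsoft-ds service): LISTENING or FILTERED
TCP port 138 (unknown service): NOT LISTENING
UDP port 138 (netbios-dgm service): LISTENING or FILTERED
TCP port 139 (netbios-ssn service): LISTENING
UDP port 139 (unknown service): NOT LISTENING
========= end of log file =========
"""

# Ports the thread says browsing depends on: NetBIOS name (137) and
# datagram (138) over UDP for the WINS/browser path, NetBIOS session (139)
# and SMB direct-host (445) over TCP for the SMB path.
EXPECTED = {"UDP": (137, 138), "TCP": (139, 445)}

# PortQry semantics: LISTENING = service answered; NOT LISTENING = host
# replied with reset/unreachable, so the WAN path is open but nothing is
# bound; FILTERED = no reply (firewall/drop). On UDP PortQry cannot tell a
# silent open port from a dropped probe, so that result is only ambiguous.
VERDICT = {"LISTENING": "open", "NOT LISTENING": "path open, no service",
           "FILTERED": "filtered", "LISTENING or FILTERED": "ambiguous"}

RESULT_RE = re.compile(r"^(TCP|UDP) port (\d+) \(.*?\): (.+)$")

def parse_portqry(log):
    """Return {(proto, port): raw PortQry status} for each result line."""
    results = {}
    for line in log.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[(m.group(1), int(m.group(2)))] = m.group(3).strip()
    return results

def assess_path(results, expected=EXPECTED):
    """Verdict for every port the browser/SMB paths need; a port the scan
    never queried (e.g. a mistyped -o list) comes back as 'untested'."""
    verdict = {}
    for proto, ports in expected.items():
        for port in ports:
            status = results.get((proto, port), "untested")
            verdict[(proto, port)] = VERDICT.get(status, status)
    return verdict
```

Run against the posted logs, every UDP result is either ambiguous or untested, so the scans prove the TCP/SMB path is open but say nothing definite about the WINS/NetBIOS path.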
