Network Neighborhood in Domain Trust

Issues: We are unable to always see the remote domain from the SiteA side when using Network Neighborhood. If we can see it we are unable to open it to browse. Currently we can't see the remote domain. If we try to browse to the domain or a remote server by name or IP address we receive an error message stating that "You might not have permission to use this network resource. There are currently no logon servers available to service the logon request." We are able to ping and resolve all the servers and the domain correctly. SiteB can browse to SiteA correctly.

Domain Trust (two-way, external, not transitive)
2 domains at different locations
Site to site VPN
Setup was working fine until SiteB swapped out their servers for Server 2008 (they were running 2000 and 2003 previously).
Domain and Forest Level: 2003

SiteA: Single Server 2003 Standard (Domain Controller, DNS, DHCP, WINS)
      Server1 -
SiteB: 2x Server 2008 Standard Servers
      Server2 - (Domain Controller ("primary"), Primary DNS, DHCP)
      Server3 - (Domain Controller, Secondary DNS, WINS)

Firewall disabled on all servers, no AV currently on 2008 servers, Computer Browser service enabled on 2008 servers, the domain trust was recreated from scratch and validated.
SiteB servers reference Server1 as the 3rd DNS Server and the second WINS Server in DHCP and network settings.
Server1 references Server2 as the second DNS server.
Server1 references Server3 as the second WINS server.
Server3 references Server as its WINS replication partner (Push/Pull) and says active.
Server1 references Server3 as its WINS replication partner (Push/Pull) and says active.
In DNS Manager at both domains I can open up both forward lookup zones for both domains.
I have created reverse DNS lookup zone as well on both ends.
In all DNS and WINS zones I have setup the security so that all 3 of the servers "trust" each other for transferring, etc.

On Server1 DCDiag and NetDiag come back clean except for a couple of warnings in the DNS section that say "Warning: the DNS entries for this DC are not registered correctly on DNS server. Please wait for 30 minutes for DNS server replication." It says this for both remote servers.

I am not sure where to go from here.  Please advise.

Andrej Pirman commented:
If you go to Network And Sharing Center on Windows 2008 server, the "Network Type" should be listed as (Private Network) for LAN adapter, which is connected to LAN. First I'd check this.
aiscom (Author) commented:
Labsy: Thanks for the response. I don't see a "Network Type" section though.
This is what it shows:
The domain name (Domain Network)
Access: Local and Internet
Connection: LAN
It appears you have a problem with both DNS and WINS:

For the browser service of 2008, is it registered in WINS? If so, go to the command prompt and type NBTstat -rr. You may also have to remove the WINS record of the old 2000 DC.
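As an added example (not code from the thread or from ChiefIT's post), the following PowerShell 2.0 script does the check and the re-registration described above on one of the servers: it lists the NetBIOS names that matter for browsing (domain &lt;1B&gt; master browser, &lt;1C&gt; domain controllers, &lt;1D&gt; and &lt;1E&gt; local browser/election), runs nbtstat -RR, and then asks the WINS server directly who owns the domain's &lt;1B&gt; record so a stale entry for a retired 2000/2003 DC shows up. The WINS server address (10.2.0.11 for Server3) and the NetBIOS domain name SITEB are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread. Run on a DC whose WINS
# registration you want to refresh. Requires PowerShell 2.0 or later and only
# the built-in nbtstat/netsh tools.

$WinsServer = '10.2.0.11'   # assumed: Server3, the SiteB WINS server
$Domain     = 'SITEB'       # assumed: NetBIOS name of the SiteB domain

# NetBIOS suffixes that Network Neighborhood depends on:
#   <1B> domain master browser (one per domain, normally the PDC emulator)
#   <1C> domain controllers (group record, used by the logon path)
#   <1D> local master browser for this segment
#   <1E> browser election group
$BrowserSuffixes = @('1B', '1C', '1D', '1E')

function Show-BrowserNames {
    # nbtstat -n prints this host's registered NetBIOS names and their status
    # (Registered / Conflict / Registering). Keep only the browser-related ones.
    $table = & nbtstat -n
    foreach ($line in $table) {
        foreach ($suffix in $BrowserSuffixes) {
            if ($line -match "<$suffix>") { Write-Output $line }
        }
    }
}

Write-Output '--- Browser-related names before re-registration ---'
Show-BrowserNames

# Release every name this host holds and register it again with the WINS
# servers configured on its NIC. A <1B> or <1C> record that still points at a
# decommissioned DC is replaced only if this host is entitled to it (the
# PDC emulator for <1B>), otherwise the stale record has to be deleted in WINS.
& nbtstat -RR
Start-Sleep -Seconds 5

Write-Output '--- Browser-related names after nbtstat -RR ---'
Show-BrowserNames

# Query the WINS database directly for the domain master browser record and
# the domain controller group record. The IP addresses returned should belong
# to the current DCs; anything else is an old record to delete and re-create.
foreach ($suffix in @('1B', '1C')) {
    Write-Output "--- WINS record ${Domain}<$suffix> on $WinsServer ---"
    & netsh wins server "\\$WinsServer" show name Name=$Domain EndChar=$suffix
}
```

Run it once on each DC after the old servers are gone; the second netsh query should list every current DC of the domain under &lt;1C&gt;, and exactly one address, the PDC emulator's, under &lt;1B&gt;.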
aiscom (Author) commented:
ChiefIT: Thanks for the tips. After those I can now see the other domain and can "browse" to some of the servers across the domain, but some still give the same original error message. Any ideas? Do I need to do the above steps on all the servers/workstations?
We need to separate your issues to best help you:

Remember the browser service uses Netbios broadcasts locally, then a WINS connection between remote sites to be able to browse.

For DNS, you just registered your SRV and HOST A records of the new 2008 server. That may have replicated to some domains, and not others. You can try to force replicate this data over to the other servers.

The trust issue will be accommodated if those remote servers are a part of the entire forest and the domains have a trust relationship between them.

What I would try to do is FORCE replicate from one site to another. The remote site servers will automatically do this. But it can take up to 12 hours per site without forcing the replication.

So, we still may be looking at a trust issue, inability to propagate NetBIOS over to other sites (meaning a WINS issue), or the inability to contact the remote site via DNS (also causing an inability to access a share using its Kerberos ticket).
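To separate the three layers ChiefIT lists, here is an added PowerShell 2.0 script (not code from the thread) that runs from a SiteA server and tests each one on its own: whether SiteA's DNS holds the same SiteB domain controller SRV records as the authoritative SiteB server (forcing a zone transfer if not, instead of waiting for the refresh interval), whether the DC locator and the trust's secure channel work, and whether the browser list for the remote domain comes back, which is the request Network Neighborhood actually makes. All names and addresses are placeholders: siteb.local / SITEB for the remote domain, 10.1.0.10 for Server1 and 10.2.0.10 for Server2.

```powershell
# Added example, not from the original thread. Run on Server1 (a SiteA DC) with
# PowerShell 2.0 or later; uses only nslookup, dnscmd, nltest and net.exe.

$RemoteDomain    = 'siteb.local'   # assumed DNS name of the SiteB domain
$RemoteNetBios   = 'SITEB'         # assumed NetBIOS name of the SiteB domain
$LocalDnsServer  = '10.1.0.10'     # assumed: Server1, secondary copy of siteb.local
$RemoteDnsServer = '10.2.0.10'     # assumed: Server2, authoritative for siteb.local

# Ask one DNS server for the DC locator SRV records of the remote domain and
# return the target host names, parsed from nslookup's "svr hostname = ..." lines.
function Get-DcSrvHosts($DnsServer) {
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain" $DnsServer 2>&1
    $hosts = @()
    foreach ($line in $out) {
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $hosts += $matches[1].ToLower() }
    }
    return @($hosts | Sort-Object -Unique)
}

# --- 1. DNS: compare SiteA's copy of the zone with the authoritative server ---
$local  = Get-DcSrvHosts $LocalDnsServer
$remote = Get-DcSrvHosts $RemoteDnsServer
Write-Output "SiteB DCs per SiteA DNS : $($local -join ', ')"
Write-Output "SiteB DCs per SiteB DNS : $($remote -join ', ')"
if ($remote.Count -eq 0) {
    # The 2008 DCs have not registered their SRV records at all. On each SiteB DC:
    #   ipconfig /registerdns ; net stop netlogon ; net start netlogon
    Write-Output 'No DC SRV records on the authoritative server; re-register on the SiteB DCs.'
} elseif (($local -join ',') -ne ($remote -join ',')) {
    # The secondary zone on Server1 is stale; pull a fresh copy now.
    Write-Output 'SiteA copy differs from SiteB; forcing a zone transfer.'
    & dnscmd $LocalDnsServer /zonerefresh $RemoteDomain
}

# --- 2. Trust and DC locator ---
# dsgetdc performs the same DNS SRV + NetBIOS lookup the logon path uses;
# /force bypasses the locator cache. sc_verify, run on a DC of the trusting
# domain, checks (and if needed resets) the trust's secure channel.
& nltest /dsgetdc:$RemoteDomain /force
& nltest /sc_verify:$RemoteDomain

# --- 3. Browser list: what Network Neighborhood asks the master browser for ---
& net view /domain:$RemoteNetBios
if ($LASTEXITCODE -ne 0) {
    # "There are currently no logon servers available" here, with steps 1 and 2
    # clean, points at the browser service / WINS layer rather than DNS or trust.
    Write-Output "Browser list for $RemoteNetBios failed (exit code $LASTEXITCODE)."
}
```

Running the script every few minutes while users report the intermittent error shows which of the three steps fails at that moment, which is more useful than a single snapshot when the symptom comes and goes.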
aiscom (Author) commented:
Enough time has passed for the replication to take effect.
The main issue now is that *very randomly* users will be unable to browse with Network Neighborhood and they receive the original error from above. One second they get the error, and then try again and are able to get in for a while. Very strange.
Any idea on how to troubleshoot this?
You still may have a WINS record of the old server. Or, you could have a multihomed DC where both nics are bound in Netbios and DNS.

How many NICs do you have on the Site A WINS/DNS/AD server?

If multiple nics, you might check out this article:

Many thoughts are rolling through my head on this one. One is how DHCP passes down to the clients the default WINS and DNS server. In DHCP scope options, see if the preferred DNS server list and the WINS server list are configured correctly. Your DHCP clients may be having a problem with what is passed down to them from DHCP, and they may have the old server configured as a preferred DNS server and WINS server.

Here is an article on how to troubleshoot DNS by following the DNS query: This greatly helps in troubleshooting DNS.


aiscom (Author) commented:
ChiefIT: I checked the WINS records and found none that are still pointing to the names of the old servers.
SiteA (including SiteB) server only has 1 NIC in operation.
I double-checked the DHCP options. In SiteA DHCP hands out the primary DNS address as Server1, with Server2 as a secondary DNS, and Server3 as a secondary WINS.
SiteB is the same but swapped around to reference the local resources first, and the SiteA as secondary.
aiscom (Author) commented:
As a followup I worked with Microsoft and we found 2 issues.
We found that our site to site VPN was sending fragmented packets so a registry key was added on the 2003 side to get around this.
Also we found that the 2003 side was missing a B record in WINS.  We pointed SiteA only at Server1 for WINS, SiteB at Server3 only for WINS, deleted the WINS database on Server1, and had it recreated.
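The two findings above can both be checked and applied from the command line. The following PowerShell 2.0 script is an added example, not code from the thread or from Microsoft support: it finds the largest payload that crosses the VPN without fragmentation (using ping with Don't Fragment set, a binary search over the payload size), and then sets a single WINS server per DHCP scope with h-node resolution, which is the second change described. It does not touch the registry key, since the post does not name it. Addresses are placeholders: Server2 at 10.2.0.10 across the VPN, the SiteA scope 10.1.0.0 on Server1's DHCP, WINS on Server1 at 10.1.0.10.

```powershell
# Added example, not from the original thread. Run on Server1 (2003 side) with
# PowerShell 2.0 or later; needs only ping.exe and the netsh dhcp context.

$RemoteHost = '10.2.0.10'   # assumed: Server2, reached through the site-to-site VPN

# ping -f sets the Don't Fragment bit, -l sets the ICMP payload size. Binary
# search the payload; path MTU = payload + 28 (20-byte IP + 8-byte ICMP header).
function Get-PathMtu($Target) {
    $low = 0; $high = 1472   # 1472 + 28 = 1500, a plain Ethernet path
    while ($low -lt $high) {
        $mid   = [int][math]::Ceiling(($low + $high) / 2)
        $reply = & ping -n 1 -f -l $mid $Target
        if ($reply -match 'needs to be fragmented') {
            $high = $mid - 1          # too big for some hop on the path
        } elseif ($reply -match 'TTL=') {
            $low = $mid               # fits; try larger
        } else {
            # Silent drop: a hop discards DF packets without an ICMP error
            # (a PMTU black hole), the failure mode that fragments traffic.
            throw "No reply from $Target with payload $mid; the path drops DF packets silently."
        }
    }
    return $low + 28
}

$mtu = Get-PathMtu $RemoteHost
Write-Output "Path MTU to ${RemoteHost}: $mtu bytes (larger packets are fragmented by the VPN)"

# Second change: one WINS server per site instead of a local + remote pair.
# DHCP option 044 = WINS/NBNS server list, option 046 = NetBIOS node type,
# 0x8 = h-node (query WINS first, then broadcast). Clients pick the values up
# at their next renewal (ipconfig /renew, or at the lease's T1 timer).
$Scope      = '10.1.0.0'    # assumed SiteA DHCP scope on Server1
$WinsServer = '10.1.0.10'   # assumed: Server1, the only WINS server SiteA should use
& netsh dhcp server scope $Scope set optionvalue 044 IPADDRESS $WinsServer
& netsh dhcp server scope $Scope set optionvalue 046 BYTE 8
& netsh dhcp server scope $Scope show optionvalue
```

A path MTU well below 1500 is normal for an IPsec tunnel; the problem is when a hop drops Don't-Fragment packets silently instead of returning the ICMP error, which is what the throw above detects. Run the mirror of the DHCP part on Server2 for the SiteB scope, pointing at Server3 only, to match the final configuration.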