Solved

Problems Browsing Computers Across WAN

Posted on 2009-12-17
Last Modified: 2013-11-25
We recently moved one of our remote offices to a new building and after doing so, we can no longer browse computers in that subnet (via net view, search for computers). The domain controller with the PDC Emulator role is in our primary office. There is a domain controller in the remote office. There is also a WINS server in the remote office, but it's not joined to the domain. Originally, the domain controller in the remote office had its WINS server address set to the WINS server there. I removed the entry (set it not to use a WINS server) and I was able to browse computers after that, but the problem has returned. The domain controller in the remote office can browse computers in all subnets including its own. Any ideas?
Question by:ProUAdmin
16 Comments
 
LVL 24

Expert Comment

by:Awinish
ID: 26078926
Check that the primary & secondary DNS have been configured on the remote DC which is not able to browse the domain PCs.
You are able to ping the remote DC, replication is working fine, nslookup is working.
In Sites & Services, the subnet is mapped to its respective site.
Ports are open & you are able to telnet.
WINS is not required in an Active Directory environment; it is used in a local area network, and its purpose is to resolve host to NetBIOS name. But now DNS is followed as the internet naming standard.
So, the WINS load is taken care of by DNS in an Active Directory environment.
http://technet.microsoft.com/en-us/library/cc784180(WS.10).aspx 
http://www.iss.net/security_center/advice/Services/Directory/WINS/default.htm 
0
 
LVL 11

Expert Comment

by:enriquecadalso
ID: 26084219
Computer browsing in the network relies on the Computer Browser service. You have to find which computer is acting as the master browser in your LAN. I use DameWare to find them but there are other ways.

Also prevent other workstations from taking the master browser role. See how here:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22135295.html
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26113603
The first thing you should understand is there is nothing wrong with your system. Microsoft attempted to replace Netbios/WINS with DNS. They couldn't replicate the scalability of Netbios and WINS broadcasts with DNS. So, you end up with a combination by using both. Think of DNS as point to point communications and WINS/Netbios as broadcast communications and you will pretty much get the big picture.

SMB/CIFS shares (network shares), domain/group policies, printer sharing, the master browser service (to include My network places), computer management services are all done by broadcasts. So, what Microsoft tried to do is set up replication between sites for group policies. They use the File replication service and DNS to share the policies between replication partners. Then, the replication partners share these policies out on their broadcast domain using Netbios broadcasts.

The problem with DNS is it uses the point to point communications. So, things like group policies are shared out via Netbios broadcasts. I hope that point is clear.
___________________________________________________________________________
Look at all the Key Windows services that are still stuck at using Netbios as its main protocol.

All you have to do is look at what uses Netbios/WINS port 137, and netbios datagram port 138, and 139. All of these functions require netbios.

http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx

1) DFS (Distributive file shares will share out Group policies)
2) Browser service (The browser service internally uses netbios broadcasts and going to different subnets uses WINS)
3) Fax service
4) license logging service
5) netlogon
6) messenger
7) performance logs and alerts
8) Print spooler
9) RPC locator
10) server service
11) system management server
12) WINS of course

With that said, you might be able to route most everything over DNS. For instance DFS (distributive file service) can use DNS.
http://support.microsoft.com/kb/244380

____________________________________________________________________

Bottom line:
Netbios is not routable, as DNS is. Netbios needs your help. It requires a WINS, or LMHOST connection between the domain master browsers. (Now when speaking of a domain master browser, you should think of a BROADCAST DOMAIN, not a Windows domain.)

You are on two sites. This means you are probably on two subnets, and divided by a router. The term "not routable" means that Netbios broadcasts will NOT go over NAT, through a VPN tunnel, use an IPv6 tunnel, or propagate some software firewalls.

You provided the WINS link and saw that work for probably five minutes. Well that's the time it takes for a netbios broadcast to renew its "Hello, I am here" election packets. This means that you probably have a software firewall that is blocking netbios or WINS. If you reboot, I'll bet things work for about five minutes again.

I have an NT4 article that shows you how to configure the Browser service using the WINS/WAN topology. It also shows you all about elections.

1) For this to work, you must have a designated Domain master browser, (the PDCe for site 1 and a DC for site 2), with NO OTHER node on the network winning the election.
2) Then, you need a WINS or LMHOST record to connect these two together.
3) Then, you need to make sure the netbios broadcasts are NOT blocked by a software firewall.

I think you are at stage three already.

Here is how the browser service works. This is an NT4 article. The only difference is a registry key you may want to look at:
For NT4, the key is:
"Isdomainmasterbrowser"
For XP, 2000, Vista, 2003 Server, 2008 Server and Windows 7, that same key is:
"Isdomainmaster"

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

Below is a pic on how these two sites should be interconnected.
 
browser-interaction.JPG
0

 

Author Comment

by:ProUAdmin
ID: 26195572
Can someone tell me how to accurately determine what the master browser is on a given subnet?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26207622
Go to a domain controller and type "Browstat status"
0
 
LVL 11

Expert Comment

by:enriquecadalso
ID: 26209257
Browstat is part of the Support tools. If you don't have it installed here are the instructions to install. http://technet.microsoft.com/en-us/library/cc755948%28WS.10%29.aspx
0
 

Author Comment

by:ProUAdmin
ID: 26211893
Every time I run browstat status, it says the computer I'm running browstat from is the master browser. For example, if I run it on computer1 it says computer1 is the master browser. If I run it on computer2 it says computer2 is the master browser.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26214647
Ok, so both computers think they are domain master browsers???

I assume computer 1 and computer 2 are your domain servers?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26214659
Please NOTE:
There is a difference between domain master browser and master browser. So, look at browstat very carefully to see who the domain master browser is. We don't care who the master browsers are at this time.
0
 

Author Comment

by:ProUAdmin
ID: 26223904
The code below is what I get when I run browstat status.
C:\>browstat status


Status for domain EXAMPLE on transport \Device\NetBT_Tcpip_{4205AAEF-DB28-47C5-B050-F7BC5EBB0405}
    Browsing is active on domain.
    Master browser name is: COMPUTER1
        Master browser is running build 2600
    1 backup servers retrieved from master COMPUTER1
        \\COMPUTER1
    There are 1 servers in domain EXAMPLE on transport \Device\NetBT_Tcpip_{4205AAEF-DB28-47C5-B050-F7BC5EBB0504}
    There are 1 domains in domain EXAMPLE on transport \Device\NetBT_Tcpip_{4205AAEF-DB28-47C5-B050-F7BC5EBB0504}


Status for domain EXAMPLE on transport \Device\NetBT_Tcpip_{D3E52B07-EF96-439D-AC1C-F386BA3D7B1F}
    Browsing is active on domain.
    Master browser name is: COMPUTER1
        Master browser is running build 2600
    1 backup servers retrieved from master COMPUTER1
        \\COMPUTER1
    There are 1 servers in domain EXAMPLE on transport \Device\NetBT_Tcpip_{D3E52B07-EF96-439D-AC1C-F386BA3D7F1B}
    There are 1 domains in domain EXAMPLE on transport \Device\NetBT_Tcpip_{D3E52B07-EF96-439D-AC1C-F386BA3D7F1B}


Status for domain EXAMPLE on transport \Device\NetBT_Tcpip_{940D49C9-17A0-44C1-A789-2C5B07E87991}
    Browsing is active on domain.
    Master browser name is: COMPUTER1
        Master browser is running build 2600
    3 backup servers retrieved from master COMPUTER1
        \\RANDOM_SRV1
        \\RANDOM_SRV2
        \\RANDOM_SRV3
    Unable to retrieve server list from COMPUTER1: 71


0
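As an added example (not part of the original thread), a small Python parser for the `browstat status` text posted above: it lists the master browser per transport and flags sections where the server list could not be retrieved or holds a single server. The sample input is constructed and the function names are illustrative.

```python
import re

# Constructed sample modelled on the output posted above (GUIDs are placeholders).
SAMPLE = r"""
Status for domain EXAMPLE on transport \Device\NetBT_Tcpip_{GUID-A}
    Master browser name is: COMPUTER1
        Master browser is running build 2600
    1 backup servers retrieved from master COMPUTER1
        \\COMPUTER1
    There are 1 servers in domain EXAMPLE on transport \Device\NetBT_Tcpip_{GUID-A}
Status for domain EXAMPLE on transport \Device\NetBT_Tcpip_{GUID-B}
    Master browser name is: COMPUTER1
    2 backup servers retrieved from master COMPUTER1
        \\RANDOM_SRV1
        \\RANDOM_SRV2
    Unable to retrieve server list from COMPUTER1: 71
"""

HEADER = re.compile(r"Status for domain (\S+) on transport (\S+)")
FIELDS = {
    "master": re.compile(r"Master browser name is:\s*(\S+)"),
    "build": re.compile(r"Master browser is running build (\d+)"),
    "servers": re.compile(r"There are (\d+) servers in domain"),
    "error": re.compile(r"Unable to retrieve .+ from \S+: (\d+)"),
}

def parse_browstat(text):
    """Return one dict per 'Status for domain ... on transport ...' section."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if (m := HEADER.match(line)):
            sections.append({"domain": m[1], "transport": m[2], "backups": []})
        elif sections and line.startswith("\\\\"):
            sections[-1]["backups"].append(line[2:])
        elif sections:
            for key, rx in FIELDS.items():
                if (m := rx.match(line)):
                    sections[-1][key] = m[1] if key == "master" else int(m[1])
    return sections

def flag_sections(sections):
    """Map transport -> reason where the browse list failed or is isolated."""
    flags = {}
    for s in sections:
        if "error" in s:
            flags[s["transport"]] = f"server list failed, error {s['error']}"
        elif s.get("servers", 2) <= 1:
            flags[s["transport"]] = "browse list holds a single server"
    return flags
```

Running `flag_sections(parse_browstat(text))` against output collected from each subnet shows at a glance which transports see only themselves and which cannot pull a list from the reported master.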
 
LVL 11

Expert Comment

by:enriquecadalso
ID: 26282922
With too many master browsers you never know where the problem is. The best is to have only one domain master browser and one master browser in each network segment if they exist. So when there is a problem, restarting the Computer Browser service on the domain master browser is enough to solve any browsing problem. To achieve this you have to prevent the rest of the servers and workstations from becoming master browsers (see my post of 12/18/09).
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26290921
When working on the browser service, you need to think of a domain from a different point of view:

Instead of thinking of it as a Domain controller based domain, you need to view it as a broadcast domain.

A broadcast domain stops at the router.

When you type Browstat status and come up with Computer1 as the master browser for that domain, that is the master browser for that broadcast domain.

Computer1 needs a LMhost connection or WINS connection to the OTHER LAN's broadcast domain master browser.
0
 

Author Comment

by:ProUAdmin
ID: 26412543
We have one domain with several sites. Each site is its own subnet. Doesn't that make it its own broadcast domain as well?

I will set our machines to not become the master browser.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 26431758
No, you are correct. Each broadcast domain needs a site master browser. In other words, that site needs to be able to hold a browselist.

Then, your main site needs to have the domain master browser.

The WINS or LMHOST connection should be between the Domain master browser and all site master browsers.

Then, all PCs will register to their respective site master, and the domain master will get a copy of each site master browser's browse list.
0
 

Author Comment

by:ProUAdmin
ID: 26432191
In a Windows Server 2003 Active Directory domain, doesn't the domain controller with the PDC FSMO role become the master browser and the other domain controllers in the backup browsers in their respective subnet and don't the backup browsers collect the NetBIOS broadcasts in their subnet and forward them back to the master browser?

By the way, we don't have, nor do we want a WINS server.

Here's some links I found awhile back:

http://www.faughnan.com/netbios.html
http://support.microsoft.com/kb/188001
http://support.microsoft.com/kb/q117633/
http://technet.microsoft.com/en-us/library/cc940106.aspx
http://support.microsoft.com/kb/q134304/
http://support.microsoft.com/kb/q150800/
http://support.microsoft.com/kb/q155501/
http://support.microsoft.com/kb/188305
http://technet.microsoft.com/en-us/library/bb726989.aspx
http://www.cisl.ucar.edu/nets/docs/procs/troubleshooting-ms-windows-networking.html
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 26448228
Here's the problem:

Netbios translation is done by netbios broadcasts. These broadcasts are held on your broadcast domain. This means netbios is NOT routable without help. WINS was the traditional method to route netbios broadcasts.

However, if you enable LMHOST lookups and configure each master browser within that LMHOST file, it acts as a pseudo WINS server without configuring WINS.

It's much like configuring the HOST file for DNS resolution.

You are right that remote sites will have an ELECTED master browser and they all report to the DOMAIN MASTER BROWSER.

Even though this is an NT4 article, netbios translation and the master browser services still work the EXACT same.

If you read this article, it has all your answers. If you don't want to configure WINS, you can use the LMHOST method to route netbios translation.

OR, there are some routers that will do Server Master Boot to remote domains on a secure connection. Even then, you risk your ISP blocking this data.

SMB shares/ CIFS shares/ Netbios shares all work the same.

Anyway, here is that NT4 article on Browser elections, Site to Site browselist sharing, WINS/WAN configuration of the master browser service.

http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

You should be aware that some nodes can win the master browser election unless they are told not to be a master browser. Those are typically Linux/Unix boxes, Vista machines, MAC computers, or Unix based mass storage devices.
0
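The LMHOST method described in the accepted answer, as an added example that is not from the thread: a Python helper that emits the two LMHOSTS lines a remote site's master browser needs in order to reach the domain master browser. It goes slightly beyond the post by including the `\0x1b` domain master browser record; the computer name PDC01 and the address 192.0.2.10 are constructed, and the function name is illustrative.

```python
import ipaddress

def lmhosts_entries(domain, dmb_name, dmb_ip):
    """Return the LMHOSTS lines that point a remote subnet's master browser
    at the domain master browser (DMB) when no WINS server is used."""
    ipaddress.IPv4Address(dmb_ip)  # NetBT is IPv4-only; raises ValueError if bad
    domain, dmb_name = domain.upper(), dmb_name.upper()
    for label, name in (("domain", domain), ("computer", dmb_name)):
        if not 1 <= len(name) <= 15:
            raise ValueError(f"NetBIOS {label} name must be 1-15 chars: {name!r}")
    # The DMB registers <domain> with 0x1B as the 16th byte. LMHOSTS needs the
    # name padded with spaces to 15 characters inside the quotes, then \0x1b.
    dmb_record = f'"{domain:<15}\\0x1b"'
    return [
        f"{dmb_ip}\t{dmb_name}\t#PRE\t#DOM:{domain}",
        f"{dmb_ip}\t{dmb_record}\t#PRE",
    ]

if __name__ == "__main__":
    # Constructed values: domain EXAMPLE as in the thread, DC name and IP invented.
    print("\n".join(lmhosts_entries("EXAMPLE", "PDC01", "192.0.2.10")))
```

Append the lines to `%SystemRoot%\System32\drivers\etc\lmhosts` on the remote master browser and run `nbtstat -R` to reload the `#PRE` entries.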
