Wired Windows XP clients constantly going offline in SBS 2003 network

We have a Windows SBS 2003 server and 12 Windows XP clients. Half of them are part of the SBS domain, the rest just have the same workgroup defined. Offline files work perfectly on computers which aren't part of a domain. But on the computers which are part of a domain, users can barely work, since the computers are constantly going into offline mode. Sometimes a computer doesn't even want to reconnect even if they manually click on reconnect. In the meantime Outlook is happily Online.

What I've done so far:
1. updated the GPO:
Administrative Templates\Network\Offline Files:
-Configure Slow link speed: Disabled
Administrative Templates\System\Group Policy:
-Group Policy slow link detection: Enabled
-Connection speed: 0
Administrative Templates\System\User Profiles:
-Do not detect slow network connection: Enabled
2. Changed the cabling and ports on the switch
All with the same success; domain computers falling offline, non-domain computers working without a problem.
3. Tried running ping for a long period of time, there were no dropped packets, and no noticeable change in the ping reply during the transition from online to offline; although 1%-2% of ping replies experience prolonged trip times of 500-800ms (on both: domain and non-domain computers).

Is there any other solution besides stop using offline files? :)

Thanks in advance
zeldiAsked:

johnb6767Commented:
Files that you add to the Offline Files folder on a Windows XP ...
http://support.microsoft.com/kb/811660

For a workaround, implement the reg mod under the Silent Forced Auto Reconnect heading.....

Systems will flip from Offline/Online for any minor blip in connections......

I believe you can actually set the reconnect action via GPO.....
0
johnb6767Commented:
Additionally, you can set your drive mappings via IP/FQDN, and they should always be able to access the shares, even when offline......

I'm sorry, I don't have an answer as to why the SBS clients will drop and the WG machines will not......
0
zeldiAuthor Commented:
Hi johnb6767,

thanks for your suggestion. Unfortunately, this is not what I want, since I cannot force my users to map all network shares we have and AFAIK when you are offline you also cannot use printers, which is another issue.

Having a script which automatically goes back online does one third of a job, but as I have already mentioned, sometimes the computer doesn't go online no matter what you try to do, you click reconnect, it goes through the synchronization process, but afterwards, the offline icon is still there.
0

ChiefITCommented:
let me get this straight:

they go off line as if you pulled the network cord??

If so, this isn't a domain controller issue. It's a switch issue. Or networking issue.

When they go off line, can you ping your own IP? can you ping the switch, or router?

Check the Duplex settings on the NIC card.

0
zeldiAuthor Commented:
ChiefIT,

I am talking about the offline files feature of Microsoft Windows (http://windows.microsoft.com/en-US/windows-vista/Understanding-offline-files), and yes, as I have described in my first post, ping to the server shows no extraordinary long trip times when the computer goes to offline files mode.
0
ChiefITCommented:
Go to the all domain server's command prompt and type:

DCdiag /v

and

DCdiag /test:DNS

I think you have a DNS related issue.

Post any errors on EE for us to evaluate.

0
zeldiAuthor Commented:
Hi,

I did run both tests, but the only two errors I've found are:
-IsmServ Service is stopped
-Root hints list has invalid root hint server

Please find attached outputs from both outputs.
dcdiag.txt
dcdiag-dns.txt
0
ChiefITCommented:
Go to a problem child client PC's command prompt and type:

IPconfig /all.

The only preferred DNS server those clients should have is your internal DNS servers, not an outside server.

Let me know if this is the case.

If they are DHCP clients, change your DHCP scope options to point ONLY to your DNS servers. Then, go to the command prompt of the problem child computer and type, Ipconfig /release and IPconfig /renew.

0
ChiefITCommented:
In fact, if you could provide an IPconfig /all from one of the problem child clients, we might be able to track the communications issues.
0
zeldiAuthor Commented:
Hi,

I am not sure if we are going into the right direction, since these are pretty basic configuration options, which have already been ruled out. In fact, we have DHCP service running on SBS, and it gives the same scope options to domain and non-domain clients.

In fact, moving client out of a domain solves the issue with offline files, putting it back into domain brings back the issue.
C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : backup
        Primary Dns Suffix  . . . . . . . : fin-pro.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : fin-pro.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : fin-pro.local
        Description . . . . . . . . . . . : Intel(R) 82567LF-2 Gigabit Network Connection
        Physical Address. . . . . . . . . : 00-1C-C0-71-37-46
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.234.114
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.234.254
        DHCP Server . . . . . . . . . . . : 192.168.234.3
        DNS Servers . . . . . . . . . . . : 192.168.234.3
                                            192.168.234.1
        Primary WINS Server . . . . . . . : 192.168.234.3
        Lease Obtained. . . . . . . . . . : 25. marec 2010 17:36:33
        Lease Expires . . . . . . . . . . : 26. marec 2010 17:36:33


0
Rob WilliamsCommented:
To confirm; you have the SBS (192.168.234.3) as a domain controller and a second DNS server 192.168.234.1 ? If not this is a problem.
One possibility; Might you have RRAS enabled and the VPN? If so check under interfaces in the DNS management console and make sure only the LAN adapter's IP is selected.
0
zeldiAuthor Commented:
Yes, SBS is on 192.168.234.3 and 192.168.234.1 is linux acting as a secondary DNS. I have RRAS enabled, currently it is set to listen on "All IP addresses", which means three IPs set on local ethernet card and one RRAS IP address. I did remove the other IPs, and left only the primary IP.

Once again, DNSs seem to work OK, and moving client out of domain solves the offline files issue.
0
ChiefITCommented:
So, your clients are going to the Linux based DNS server for DNS.

I think all of our thoughts, all along, were that you are unable to locate the SRV records in DNS.

I am sure this is possible to transfer DNS SRV records to a Linux based system, but I don't know how to do so.  The problem with not seeing the SRV records in DNS is your clients may not be able to find the domain controller for authentication from time to time.

Your Domain client computers may need to be told that the only DNS server is the SBS server, Unless you can zone transfer the SRV records to the Linux based server. Check the Linux server's DNS to see if you have the Start of authority and SRV records exist within DNS.

The inability to authenticate or find the authentication servers is why Domain computers are having problems and not workgroup computers. Workgroup computers don't need to authenticate with the DC via Kerberos. Instead they hold the credentials locally.

Checking your SRV records on the Linux server:
http://support.microsoft.com/kb/816587

In this case, maybe point all clients to the SBS server for DNS until you can figure out a way to make the Linux server see the SRV records of the domain controller.



0
zeldiAuthor Commented:
Hey,

I checked linux dns as suggested, and unfortunately I think everything seems OK, since both dns servers are returning the same data.

I can try removing linux as my secondary server, but I am afraid that it won't solve the issue.
> _ldap._tcp.dc._msdcs.fin-pro.local
Server:  fin-pro.si
Address:  192.168.234.1

Non-authoritative answer:
_ldap._tcp.dc._msdcs.fin-pro.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sbs.fin-pro.local

_msdcs.fin-pro.local    nameserver = sbs.fin-pro.local
sbs.fin-pro.local       internet address = 192.168.234.3


0
ChiefITCommented:
For one problem child client, manually configure the DNS for that client to be ONLY the SBS server. See if that makes a difference.
0
Rob WilliamsCommented:
I agree testing 1 problematic PC with only the SBS set for DNS would rather quickly rule out the Linux server as the problem. There was a similar question here recently where the user had a second Windows DNS server. It turns out there were some replication issues with the second server causing the problem.
In a windows domain it is amazing how often issues that appear to be unrelated to DNS, actually are.
0
zeldiAuthor Commented:
OK, I have changed the DHCP to assign only SBS DNS to clients. Will report next week if the offline files work better.
0
Rob WilliamsCommented:
Sounds good. Make sure you reboot or run ipconfig /release & /renew, as the default for DHCP leases is 8 days.
0
zeldiAuthor Commented:
Don't worry.., with me, default is 24 hours, and the most problematic client got its lease manually renewed.
0
ChiefITCommented:
one other thing that came to mind in your case is if you have "Client Services for Netware" configured on the nic bindings. I have seen this slow a computer down on a microsoft domain, because the clients are looking for a Novell domain controller. The bind order was higher for Netware clients and therefore drug along for a few minutes before finding the Microsoft server.

 For workgroup computers, it really doesn't matter because it's not looking for a Microsoft DC to authenticate with.
0
zeldiAuthor Commented:
Still no luck. Computers are still going offline without reason, even after removing secondary DNS. Now I have disabled all other services on NIC, except: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, QoS Packet Scheduler, Internet Protocol (TCP/IP). Unfortunately Netware was not installed, but maybe some other did interfere with domain.
0
Rob WilliamsCommented:
Does it happen at a certain time of day, like over night, is it after a certain idle time, or is it random?
0
zeldiAuthor Commented:
Removing unnecessary services and clients on NIC has no effect on offline files. Computers go offline very sporadically. Some days it looks like everything is OK, then the next day it goes offline every 10-30 minutes, so far it looks like there is no real pattern on when it will happen. The only pattern is, if the computer is part of a domain it will have problems with online files, if it is part of a workgroup everything works as expected.
0
Rob WilliamsCommented:
Odd still sounds like DNS, but you seem to have ruled that out.
Do you have any mapped drives? If so do they lose connectivity as well?
Perhaps as a confirmation could you post an updated ipconfig /all
0
ChiefITCommented:
There are a LOT of things that can cause intermittent connectivity like this>

1) DNS is certainly one of them. Let's say you have a computer with your domain server as the primary DNS server, and an OUTSIDE server as the secondary preferred DNS server. That means from time to time your client machine will look outside your network for your domain services. When not found, it tries persistently until it basically knocks you down.  ROB's reasoning is right along with what I am thinking.

2) Is your server using Service pack 1? There is a discrepancy in the code of Service pack 1 that causes this. It has to do with the TCP/IP stack incorrectly coding the MTU settings.

3) If it were site wide (meaning infecting workgroup computers), I would look at the switches and router's duplex settings.

4) another problem is a multihomed Server. Multihomed is defined as a server with two different IP addresses. This is something I never recommended because if not configured correctly, you have problems.

Now, Intermittent can mean a couple things. Let's look at a couple different communications protocols and decide if we have problems with all of them, one of them, or a couple of them. This will considerably reduce troubleshooting. Ping is a good tool for all of these protocols:

DNS:
Try a ping by DNS name
Example:  Ping xxxcomputer.domain.name

Netbios:
Try to ping by netbios name:
Example: Ping XXXcomputer

ARP:
Try to ping by IP address. The IP address will be converted to a MAC address according to the ARP table. If you have a problem with Address resolution protocol, you will have problems with Netbios and DNS.

Ping xxx.xxx.xxx.xxx (where xxx.... is the IP of the node you are pinging).

MTU ping:
MTU ping determines the Maximum Transferable Unit size of your packet.
Example:  http://help.expedient.com/broadband/mtu_ping_test.shtml

Intermittent netbios, (meaning the browser service as well as file and print sharing and group policies), may mean you have a netbios problem or a master browser conflict. Symptoms would include losing computers in "my network places" but you will be able to ping the computers via an arp ping or DNS ping.


My guess is, either DNS, (as Rob points out), or you are running Service pack 1 on your server and your server's nic is flooded, or you have a multihomed server.
0
zeldiAuthor Commented:
Hi guys, thanks for additional suggestions.

1. Hardware problem is ruled out, since moving the same computer out of domain eliminates the issue (but I think I will bring another switch, just in case),

2. DNS/ping/MTU will need to wait till tomorrow, since the problem computer has gone home :) But if I recall correctly, DNS and any flavour of ping works OK (no external DNS, resolving works OK ...),

3. Service pack on server is SP2

4. Server is multihomed! It has three IPs on the same NIC, but in the same subnet. Unfortunately this is due to Cisco not being able to correctly NAT incoming outside traffic (as answered by EE). Besides that, it also serves as VPN server and it has some IPs configured there. What could be the configuration issue with it?
-in DNS server properties, on Interfaces tab I had Listen on All IP addresses (I did remove all IPs, except primary one, but the same problem persists).
0
Rob WilliamsCommented:
>>"Server is multihomed!"
SBS does not handle this well.
Do the workgroup machines use only the SBS for DNS?
Make sure in the DNS management console on the SBS that only the correct LAN IP (192.168.234.3) is selected  under the interfaces tab. You say you did so but this is important.
0
ChiefITCommented:
After a little research::
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/csc_overview.mspx?mfr=true

OK, had to make sure, but Offline files are SMB (Server Message Block) files and fall under the Common Internet File Shares (CIFS shares). This means they use Netbios to communicate between the client computer and the server they synchronize with.

Bottom line is, you most likely have a Netbios problem. I would be willing to bet, you can ping by IP or DNS OK and also use Outlook fine, (because Outlook uses DNS).

Look in your Windows server event logs for events in the 8000's, like 8021 and 8032 that say you have a master browser conflict. The message will look like this:
"XXXcomputer thinks it is the domain master browser, the browser service has stopped and an election has been forced."

We will need to tell that computer, it is not the domain master browser for CIFS shares.
0
zeldiAuthor Commented:
Master browser conflict might do the trick. We have quite some linux machines on the network, which usually have the same workgroup as SBS's domain name. And if I remember correctly, Linux Samba is quite stubborn about being the master browser. Unfortunately no errors as described have been found in event log, but a similar one is quite frequent:

The browser has forced an election on network \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59} because a Windows Server (or domain master) browser is started.

And I do remember seeing some logs about some other Windows computer trying to force itself being the master browser. Will need to check how to manually disable this behaviour on Windows computers and will turn off samba on all linux machines I find.

Will report.
0
ChiefITCommented:
Also, go to the command prompt and type this command line:

net config redir. Let's see how many mac addresses we have that serve netbios translation:

You should get:

(000000000) for Server message block info
Mac 1
Mac 2

Netbios binds to both nics. If one MAC address is the inside nic and the other is an outside MAC address, you will experience intermittent comms.

Let's put it this way. Your client contacts the server using Netbios as the communications protocol. That nic is now busy. So, the server seeks another nic to try and communicate with. So, it chooses your VPN NIC if you route over the server. Now, your netbios reply is going to the internet cloud instead of your internal client, depending upon the netbios bind. You can prevent, (and should prevent), your outside nics from providing Netbios, Disable File and print sharing on the outside nic, as well as netbios over TCP/IP. Also make sure there is NO gateway set on the outside nic. Also make sure the outside nic is not providing DHCP.

If you read this full thread, it will tell you how to take care of DNS, DHCP and netbios:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23806816.html

After this you want to flush your cached communications:
For netbios: NBTStat -rr    and NBTstat -RR   (both of them, capitalization matters)
For DNS :    IPconfig /flushdns
For ARP: Arp -a   (displays the arp table) and Arp -d  (deletes bad entries)

Understanding the arp table is a bit difficult. The ARP table is what the switches use to communicate with.

Important:
So, let's talk about Cisco not able to NAT. Always use a router to route with, even if it is a simple $40 dollar DSL home-based router, that you disable DHCP on. Somehow, I don't believe that your Cisco router can't NAT. You can also configure encrypted VPN tunnels using NAT. NATting over a server is detrimental to ITsec and communications, as you are seeing.
0
ChiefITCommented:
You are correct: Linux/Unix servers are persistent in taking over the domain master browser. So are Vista and Windows 7. It all has to do with browser elections:

To prevent a computer from becoming Domain master browser, you will need to perform a registry edit:

This is an NT4 article. However, Nothing has changed with the browser service since NT4.
http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/chptr3.mspx?mfr=true

NOT ROUTEABLE without WINS.  (use the WINS/WAN configurations).
This article explains, how netbios is NOT routeable, meaning it will not go over VLANS, through a VPN tunnel or across NAT. Netbios is also blocked by many ISPs as well as most firewalls.

The Browser service elections is also on this article. It explains how to use a registry edit to control who is the domain master browser. There is one simple difference between NT4 and newer machines:
For NT4: the registry key is (isdomainmasterbrowser)
For newer OS's, the registry key is: (Isdomainmaster)
they are the same key.

So, you have a couple things to fix:
1) multihomed servers are problematic at best. it needs to be configured correctly. Use "net config redir" to figure out the network bind order. Use Browstat Status to determine who is the domain master.
2) Use the NT4 article to route Netbios shares. Looks like you have a WINS server
3) Prevent other machines from winning the elections. For windows machines, it's a registry edit. For Linux??? I don't know.
0
zeldiAuthor Commented:

1) I must apologize myself. My server isn't really multihomed. The infrastructure is like this:
-SBS is running on ESXi4,
-it has one NIC with three IPs (in the same subnet), it has three IPs, because of the Cisco limitations,
-it also serves as RAS, which means it has one dialin interface.
-output of "ipconfig /all" and "net config redir" is below
-if I see correctly there is only one NIC defined for netbios?
-I defined wins server (running on SBS) to help VPN users with browsing the network (although it doesn't work as expected)

2) on SBS IsDomainMaster registry was set to FALSE, I changed it to Yes.

3) what might be interesting is WINS->Active Registrations. There I can see entry __MSBROWSE__ which points to a non-domain Vista machine? Domain Master Browser and Domain Controller entries in WINS point to my SBS. Normal Group name for my domain points to XP domain computer which acts as a backup browser server

4) Domain clients usually have VMWare Server installed, which installs couple of virtual NICs, which make them multihomed clients?

5) Linux Samba services got set local master=no and domain master=no in its config files. This should prevent them from becoming master browser

7) regarding Cisco and its issues, here is my question and a workaround solution: http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23090457.html

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : sbs
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : domain.local
                                       domain.si

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.234.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-A6-3B-48
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.234.92
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.234.91
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.234.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.234.254
   DNS Servers . . . . . . . . . . . : 192.168.234.3
   Primary WINS Server . . . . . . . : 192.168.234.3

-------------------------------------------------------------------
C:\>net config redir
Computer name                        \\SBS
Full Computer name                   sbs.domain.local
User name                            my.username

Workstation active on
        NetbiosSmb (000000000000)
        NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59} (005056A63B48)

Software version                     Microsoft Windows Server 2003

Workstation domain                   DOMAIN
Workstation Domain DNS Name          domain.local
Logon domain                         DOMAIN

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.


0
zeldiAuthor Commented:
One interesting thing, I checked times, when client goes offline. Majority of times is around 12 minutes (+-1 minute), which I think has something to do with announcement times of browser.

I rechecked event log, and found some eventID 8003: The master browser has received a server announcement from the computer COMPUTERNAME that believes that it is the master browser for the domain on transport NetBT_Tcpip_{06FDF212-855E-433C-. The master browser is stopping or an election is being forced.

These errors are triggered by domain and nondomain computers.
0
ChiefITCommented:
CLIENTS and MEMBER SERVERS:
The browser will announce itself every 5 minutes. The clients will announce themselves every 15 minutes. So, if there are two master browsers, the clients may hop from one to the other about every 15 minutes, and you may see them disappear and reappear from time to time in my network places.

Browser elections are done by netbios broadcast. SOOO, Workgroup computers as well as domain computers on the same broadcast domain will fight for winning the election. As that NT4 article states, The highest operating systems WINS, and also the FSMO role holder plays a part in electing a domain master browser. So, sometimes Vista, Linux, and Windows 7 will win over the domain FSMO role holder. That's when you see the event 8003, and then you have intermittent communications on the domain master browser. Use the registry edits to stop COMPUTERNAME from becoming a domain master browser. That computer can still hold the browse list. By holding the browse list it becomes a backup browser.

Another option is to create a group policy for domain computers to make sure it doesn't elect itself as a domain master browser. This can either be done by a script that changes that registry key, OR I actually think there is a group policy object for that. That will take the domain computers out of the equation. Of course you don't want the FSMO role holder to be a part of the GPO or script.

DOMAIN CONTROLLERS CONFIGURATION:
NOW, you still have a multihomed DC. Remember that you need to prevent any netbios communications on the outside binding. Net Config redir will tell you how many MAC addresses that Netbios is bound to. You need to make sure that is very explicit in what binding you are working with. IPconfig /all will tell you what MAC goes with what NIC. Disable the NIC that shouldn't be providing Netbios translation on your DC.

Typically, I configure the FSMO role holder as the domain master browser. If you have multiple sites, each should have a domain master. THIS IS NOT THE COMPUTER DOMAIN, THIS IS THE BROADCAST DOMAIN MASTER. So, each site is different.  Then, I elect two or three other computers as backup browsers, (meaning they hold the browselist but are told they are NOT the domain master through reg edits). I heard you want a backup browser per every 40 computers. All other PCs are told NOT to be a domain master or hold the browselist through group policy or manual registry edits.

That NT4 article is a really long read but well worth it.

Also, this might help describe the different ways to control the master browser elections>
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21488701.html

0
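One way to see which machines are contesting the master browser role, as an added example that is not part of the original thread: the script below tallies the computers named in Event ID 8003 messages and measures the time between forced elections. The tab-separated export format, the host names, the intended master name and the transport GUID placeholder are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: System event log rows exported as
# "timestamp<TAB>event id<TAB>message". Host names and the GUID are placeholders.
_MSG_8003 = (
    "The master browser has received a server announcement from the computer "
    "{host} that believes that it is the master browser for the domain on "
    "transport NetBT_Tcpip_{{PLACEHOLDER-GUID}}. The master browser is stopping "
    "or an election is being forced."
)
SAMPLE_LOG = "\n".join([
    "2010-04-12 09:02:10\t8003\t" + _MSG_8003.format(host="VISTA-GUEST"),
    "2010-04-12 09:05:00\t7036\tThe Computer Browser service entered the running state.",
    "2010-04-12 09:14:05\t8003\t" + _MSG_8003.format(host="VISTA-GUEST"),
    "2010-04-12 09:26:20\t8003\t" + _MSG_8003.format(host="LINUXBOX"),
    "this line is not a valid export row",
    "2010-04-12 09:38:15\t8003\t" + _MSG_8003.format(host="vista-guest"),
])

# Pulls the claiming computer and the transport out of an 8003 message.
CLAIM_RE = re.compile(
    r"from the computer (?P<host>\S+) that believes that it is the master "
    r"browser for the domain on transport (?P<transport>\S+)\.\s"
)


def parse_elections(log_text):
    """Return sorted (time, host, transport) tuples for every 8003 row."""
    events = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or parts[1] != "8003":
            continue  # other event IDs and malformed rows are ignored
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        match = CLAIM_RE.search(parts[2])
        if match:
            # NetBIOS names are case-insensitive, so normalise before counting.
            events.append((when, match.group("host").upper(),
                           match.group("transport")))
    return sorted(events)


def contenders(events, intended_master="SBS"):
    """Count claims per computer, leaving out the intended master browser."""
    keep = intended_master.upper()
    return Counter(host for _, host, _ in events if host != keep)


def median_gap_minutes(events):
    """Median time between consecutive forced elections, in minutes."""
    times = [when for when, _, _ in events]
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return round(median(gaps), 1)


if __name__ == "__main__":
    found = parse_elections(SAMPLE_LOG)
    for host, count in contenders(found).most_common():
        print(f"{host}: {count} master browser claim(s)")
    print("median minutes between elections:", median_gap_minutes(found))
```

A computer that keeps reappearing in the tally is a candidate for the registry or Samba configuration change discussed in the thread, and a steady gap between elections can be compared against the times at which clients drop offline.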
ChiefITCommented:
1) I must apologize myself. My server isn't really multihomed. The infrastructure is like this:
-SBS is running on ESXi4,
-it has one NIC with three IPs (in the same subnet), it has three IPs, because of the Cisco limitations,
-it also serves as RAS, which means it has one dialin interface.
-output of "ipconfig /all" and "net config redir" is below
-if I see correctly there is only one NIC defined for netbios?
-I defined wins server (running on SBS) to help VPN users with browsing the network (although it doesn't work as expected)

Additional IPs usually are not a problem unless on different subnets. Routing and remote access is a problem because the second network connection creates a netbios bind. You need to disable the RRAS interface's ability to provide netbios.

We will get to VPN users in a minute.

2) on SBS IsDomainMaster registry was set to FALSE, I changed it to Yes.
This reg key should be TRUE, not yes.

3) what might be interesting is WINS->Active Registrations. There I can see entry __MSBROWSE__ which points to a non-domain Vista machine? Domain Master Browser and Domain Controller entries in WINS point to my SBS. Normal Group name for my domain points to XP domain computer which acts as a backup browser server

You need to go to that Vista machine and prevent it from being the domain master using the REG edits.
Then, delete that record from the WINS database.

4) Domain clients usually have VMWare Server installed, which installs couple of virtual NICs, which make them multihomed clients?

I don't think the VMware clients will be an issue. Same NIC means Netbios will work on the same MAC address.

5) Linux Samba services got set local master=no and domain master=no in its config files. This should prevent them from becoming master browser

This is good. Linux clients as well as UNIX/Linux based mass storage devices will also love to try to take over as domain master. Vista and Windows 7 often do too. Vista and Windows 7 use the reg keys to correct themselves while Linux/Unix will be in the config file. I was thinking about that after I logged off, last night.

7) regarding Cisco and its issues, here is my question and a workaround solution: http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23090457.html

I am reviewing your cisco stuff now.


NOTE: IPconfig on the server and Net config redir all look real good.
1) Change the SBS registry key to TRUE,
2) prevent the vista client from becoming domain master,
3) and delete the WINS entry for master browser being the Vista client, as well as make Config changes to Linux and Unix clients and windows 7.
4)  Go to the SBS command prompt and type, NBTStat -rr and NBTstat -RR. To clean the netbios cache and re-register the WINS records as domain master.  
5) Replicate the WINS database to any replication partners.
6) how do we look now? Tell me how things have progressed.
0
ChiefITCommented:
The Cisco configuration is very complex. First off I noticed in your running configuration you XXX'd out the text passwords. You can encrypt those, so hackers can't see the CHAP clear text passwords. It will increase ITSEC.

With that said, you want to load balance between two ISPs. I didn't know serial data over frame relay would allow this. But, according to Cisco, it is OK to do as long as the metric is the same on both interfaces.

Have you reviewed Cisco's documentation and configuration on this?
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml
0
zeldiAuthor Commented:
1) done
2) will need to get hands on that client (that's at least an annoyance, getting a guest Vista machine and it destroys my offline files configuration)
3) Linux was taken care of.
3a) I don't understand "WINS entry for master browser being the Vista client". What should that mean?
4) done
4a) "re-register the WINS records as domain master" I will need to dig into the WINS configuration a little bit, so I will be more proficient with your terminology
5) I believe my SBS is the sole WINS server
6) only time will tell :) Sometimes everything looks OK for a couple of days, and then it starts making problems. But I think that the hint about other computers taking over master browser control was the key one. Is there a way I can check, with simple steps, which computers believe they are master browsers?

7) Cisco: I am still disappointed that it cannot route response packets back to the Internet via the right interface (stateful) without having multiple IPs on internal computers; outgoing load balancing was taken care of.

ChiefIT, if this works out I believe I owe you a beer (and a large pizza:))
0
ChiefITCommented:
3a) I don't understand "WINS entry for master browser being the Vista client". What should that mean?

DNS and WINS are very similar in structure. The client can register itself in WINS or DNS. For WINS the client sends out a NetBIOS broadcast and the WINS server picks that up, and a client is registered in WINS. But, there is an election process. During that election process, WINS picks a computer to be the broadcast domain master browser. In this case WINS thinks it's the Vista computer.

The domain master browser is to WINS as a NS record is to DNS. NS means Name server and is the start for DNS queries that reach the server.

How a query works for both DNS and WINS is:

The client will look at its own records first.
1) cache is the first place both systems look
WINS) it looks in the netbios cache
DNS) DNS cache
2) host files is the second place
WINS) LMHOST file
DNS) HOST file

Now, they look for the preferred server for resolution to the query:
WINS) WINS server
DNS) DNS server

The server will try to resolve either query by first looking in its cache, then in the respective database.

By having a record that pertains to the VISTA machine in the WINS server, you are telling all clients that need the server for Netbios resolution that the Vista machine manages the browselist. That's not true, the domain controller does.

So, that record in WINS should be deleted from WINS that says the Vista machine is the domain master.

The reason that record exists is because the Vista machine won the election at one point. (maybe when the DC was down for a minute)
0
zeldiAuthor Commented:
the problematic clients are now out of office for the week, so I will report when they come back.
0
rpremuzCommented:
On a MS Windows XP SP3 laptop with gigabit NIC there were problems with contacting domain controller during boot process. In the Event Log there were errors saying "There are currently no logon servers available to service the logon request." Some support articles suggested changing the following Registry value:

reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableDHCPMediaSense" /t REG_DWORD /d 1 /f

But after that the XP client experienced the issue with constantly going into offline mode. After having the DisableDHCPMediaSense value reverted back to 0 (and Windows restarted), the issue disappeared.

So, I would suggest checking the DisableDHCPMediaSense value on the PCs in your network.

-- rpr.
0
zeldiAuthor Commented:
Hi all,

Unfortunately clients are still going offline, even after trying all of ChiefIT's suggestions. I was thinking, what if I disable the WINS server? Could it make any difference?

rpremuz: will try your suggestion immediately.
0
martin2123Commented:
Hi

I do not want to gatecrash the party, I have just got back from a client with SBS 2003; as of a server reboot this a.m. nobody could connect. When asked if he had done anything new recently he admitted to trying to get RAS up and running. I stopped and disabled RAS, rebooted and everything returned to normal. I have had this before, but do not understand why. If I am miles off base then sorry

0
zeldiAuthor Commented:
OK,

after couple of days, trying with different options, rpremuz solution and trying to disable WINS server, still without a success. Could disabling WINS server have any impact? Because it seems I don't know how to remove wins server association with clients. I disabled the service, removed it from dhcp definition, but clients still get wins server assigned when they .

I might try disabling RAS, although it sounds like a long shot.
0
zeldiAuthor Commented:
The computer has now been online for the last four days without any issues. One of the issues I realized was the "Stored User Names and Passwords" under "User Management". There was a saved password for the SBS server, which definitely was different than the password assigned by the user. I also had the WINS server disabled for a couple of days; I enabled it today and will see if it makes any trouble.
0
zeldiAuthor Commented:
Hm..., computer is again going offline. I am running out of ideas what to do. Is there really no chance of getting some debug log of what is going on with the computer?
0
zeldiAuthor Commented:
Experts, I got some info which might be useful. When executing the "browstat status" command on the problematic client I got the following output:
Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{987D708E-7782-49D5-ABE0-8367937E8548}
    Browsing is active on domain.
    Master browser name is: TPCLIENT
        Master browser is running build 2600
    1 backup servers retrieved from master TPCLIENT
        \\TPCLIENT
    There are 1 servers in domain DOMAIN on transport \Device\NetBT_Tcpip_{987D708E-7782-49D5-ABE0-8367937E8548}
    There are 1 domains in domain DOMAIN on transport \Device\NetBT_Tcpip_{987D708E-7782-49D5-ABE0-8367937E8548}

Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{5EA7E1F3-A521-4FD6-9C1D-778048816F09}
    Browsing is active on domain.
    Master browser name is: TPCLIENT
        Master browser is running build 2600
    1 backup servers retrieved from master TPCLIENT
        \\TPCLIENT
    There are 1 servers in domain DOMAIN on transport \Device\NetBT_Tcpip_{5EA7E1F3-A521-4FD6-9C1D-778048816F09}
    There are 1 domains in domain DOMAIN on transport \Device\NetBT_Tcpip_{5EA7E1F3-A521-4FD6-9C1D-778048816F09}

Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{3A7F013C-03AF-4722-875D-3A04EC6DE0C7}
    Browsing is active on domain.
    Master browser name is: TPCLIENT
        Master browser is running build 2600
    3 backup servers retrieved from master TPCLIENT
        \\WSCLIENT1
        \\WSCLIENT2
        \\SBS (my domain controller)
    Unable to retrieve server list from TPCLIENT: 71

0
zeldiAuthor Commented:
Executing browstat status on the server gives me the following output.

Is this normal, or is the reason, that TPCLIENT thinks it is a master browser, the culprit of all problems?
Status for domain DOMAIN on transport \Device\NetBT_Tcpip_06FDF212-855E-433C-839B-4C766421DA59}
    Browsing is active on domain.
    Master browser name is: SBS
        Master browser is running build 3790
    3 backup servers retrieved from master SBS
        \\SBS
        \\WSCLIENT1
        \\WSCLIENT2
    There are 15 servers in domain DOMAIN on transport \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}
    There are 5 domains in domain DOMAIN on transport \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}

0
zeldiAuthor Commented:
When I tried to query TPCLIENT with browstat view I got the following error. However, net session on that client shows empty list.
C:\Documents and Settings\administrator>browstat view \device\netbt_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59} \\TPCLIENT

Remoting NetServerEnum to \\TPCLIENT on transport \device\netbt_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59} with flags ffffffff
Unable to remote API to \\TPCLIENT on transport \device\netbt_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}: No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.

0
Rob WilliamsCommented:
Have you seen the following hotfix regarding enabled Scalable Networking Pack causing connection issues on SBS 2003?
http://support.microsoft.com/kb/948496
0
bbaoIT ConsultantCommented:
Please try changing the Node Type from "8" to "2" for DHCP Option 46 on the DHCP server running on SBS. Client computers need IPCONFIG /RENEW or a restart for it to take effect.
0
Cris HannaSr IT Support EngineerCommented:
I don't know that you're ever going to get this to work properly unless you make some major changes to your configuration.
1) SBS 2003 is not supported by Microsoft as a virtualized guest. That's not to say that it can't work, and there are people with this setup and it works, but the rest of the environment needs to meet best practices for SBS and yours does not.
2)  You haven't said why you have a linux DNS server but my suspicion is that you're hosting a public website somewhere within your network?
3) Domain Controllers, in general do not do well with multiple IP Addresses assigned to a NIC.  My recommendation, pick an IP, then run the Change IP Address wizard in the SBS Console  Modify the port forwarding in Cisco to point to the selected IP.   If the Cisco firewall is not performing correctly to allow this, it needs to be replaced.
4) Why aren't all workstations part of the domain?   Were the workstations that are part of the domain, joined using the http://sbsservername/connectcomputer wizard?
5) on the SBS Server, download and run the SBS BPA (www.sbsbpa.com) and fix everything it finds, regardless of whether you think it applies.
6) I may have missed it in all this but don't think you've ever posted the IPCONFIG /all from the SBS server
0

ChiefITCommented:
These clients are winning the master browser election over the domain master:

Master browser name is: TPCLIENT<<<<<< TCPClient is winning over the domain master
        Master browser is running build 2600
    1 backup servers retrieved from master TPCLIENT
        \\TPCLIENT

What you want to do is read this article on the master browser service and how elections are won. You can create a group policy to prevent ANY computer from being a master browser. But, you don't want to apply that policy to your domain servers. The PDCe will win the election over other Domain servers because it holds the FSMO roles.

How the master browser works: (read the NT4 article imbedded in the answer)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_23652843.html

Group policy:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21488701.html

0
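A way to automate the reading ChiefIT makes of the browstat output above, as an added example that is not part of any post in this thread: it parses `browstat status` text and flags every transport whose reported master browser is not the expected domain controller. The sample text is constructed in the format quoted in the thread, with placeholder GUIDs; the function names and the expected master name passed in are this example's own assumptions.

```python
import re

# Constructed sample in the format of the browstat output quoted in this
# thread; the transport GUIDs are placeholders.
SAMPLE = r"""Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{00000000-0000-0000-0000-000000000001}
    Browsing is active on domain.
    Master browser name is: TPCLIENT
        Master browser is running build 2600
    Unable to retrieve server list from TPCLIENT: 71

Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{00000000-0000-0000-0000-000000000002}
    Master name cannot be determined from GetAdapterStatus.  Using \\SBS
        Master browser is running build 3790
"""
HEADER = re.compile(r"^Status for domain (\S+) on transport (\S+)")
MASTER = re.compile(r"Master browser name is:\s*(\S+)")
FALLBACK = re.compile(r"Master name cannot be determined.*Using \\\\(\S+)")
BUILD = re.compile(r"Master browser is running build (\d+)")
ERROR = re.compile(r"Unable to retrieve server list from \S+: (\d+)")
# Win32 error codes that appear in the thread's output.
WIN32 = {64: "ERROR_NETNAME_DELETED", 71: "ERROR_REQ_NOT_ACCEP"}

def parse_browstat(text):
    """Return one dict per 'Status for domain ... on transport ...' block."""
    blocks = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            blocks.append({"domain": m[1], "transport": m[2], "master": None,
                           "determined": True, "build": None, "error": None})
        elif not blocks:
            continue  # prompt lines or noise before the first block
        elif m := MASTER.search(line):
            blocks[-1]["master"] = m[1].upper()
        elif m := FALLBACK.search(line):
            blocks[-1].update(master=m[1].upper(), determined=False)
        elif m := BUILD.search(line):
            blocks[-1]["build"] = int(m[1])
        elif m := ERROR.search(line):
            blocks[-1]["error"] = int(m[1])
    return blocks

def findings(text, expected_master):
    """List (transport, message) pairs for every block that deviates."""
    out = []
    for b in parse_browstat(text):
        if b["master"] != expected_master.upper():
            out.append((b["transport"], f"master browser is {b['master']} "
                        f"(build {b['build']}), expected {expected_master}"))
        if not b["determined"]:
            out.append((b["transport"], "master not confirmed by GetAdapterStatus"))
        if b["error"] is not None:
            name = WIN32.get(b["error"], "unknown")
            out.append((b["transport"], f"server list error {b['error']} ({name})"))
    return out
```

Calling `findings(captured_text, "SBS")` on output collected from each client gives one line per deviation, which makes it easy to compare machines over several days.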
zeldiAuthor Commented:
@RobWill: I did install the patch, although checking the registry

@BBao: I did change from hybrid to p2p node, now I cannot access any non-domain computers, but it doesn't matter for a test

@CrisHanna_MVP:
1) not much I can do about virtualization :)
2) you're right, linux is for public web & public dns & since it has dns running it is also secondary for local domain (as far as we have checked the configuration, it should be OK, I even disabled dns for a week or so, without any success)
3) I will try and remove all secondary IP address tomorrow, although error existed before this config
4) because of the offline files issue people were reluctant to join domain, so the most problematic clients aren't part of a domain so people can work normally
5) SBSBPA downloaded and tested,  got 2 errors (tcp offloading & dns not pointing only to sbs; dns error is misreported, since the only dns used is sbs; maybe it has to do with multiple IPs on the NIC?)
6) it was posted before, I uploaded it as a file now too

@ChiefIT: will do it tomorrow morning; but why does the TPCLIENT think it is a master browser if all other clients (and including sbs) think that sbs is master browser at the same time?
ipconfig.txt
0
zeldiAuthor Commented:
Experts,

now I moved my computer from workgroup to domain, via the sbs wizard, and I started to experience offline problems. On this computer I have disabled all other NICs, except the wired one. I am starting to lose my mind.

browstat status gives me the following report (I am concerned about not being able to determine the master browser from GetAdapterStatus):

Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{AD4AA168-49E4-4C15-854F-DCC67631F607}
    Browsing is active on domain.
    Master name cannot be determined from GetAdapterStatus.  Using \\SBS
        Master browser is running build 3790
    1 backup servers retrieved from master SBS
        \\SBS
    There are 15 servers in domain DOMAIN on transport \Device\NetBT_Tcpip_{AD4AA168-49E4-4C15-854F-DCC67631F607}
    There are 3 domains in domain DOMAIN on transport \Device\NetBT_Tcpip_{AD4AA168-49E4-4C15-854F-DCC67631F607}

0
Cris HannaSr IT Support EngineerCommented:
So just to recap...
Your SBS server now has one NIC with 1 IP address?  The IP address on the NIC is a static address, not assigned by DHCP.  In the DNS configuration of this NIC it has ONLY its OWN IP?
Can the SBS server ping itself by IP and name?
Has DHCP been configured with Option 44 DNS (pretty sure that's the right option number)?  Is the only address there the IP address assigned to the SBS NIC?
0
zeldiAuthor Commented:
My SBS has only one NIC, with only one static IP, and DNS is pointing to itself. SBS can ping itself by name, fqdn, ip ...

DHCP server has option 44 configured (WINS/NBNS server), pointing to SBS's only IP.

Interesting, running browstat status on server got me this (first time I ran it, I got the error; the second time I got normal response).
C:\Program Files\Support Tools>browstat status
Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}
    Browsing is active on domain.
    Master browser name is: SBS
        Master browser is running build 3790
    3 backup servers retrieved from master SBS
        \\CLIENT1
        \\SBS
        \\CLIENT2
    Unable to retrieve server list from SBS: 64

C:\Program Files\Support Tools>browstat status
Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}
    Browsing is active on domain.
    Master browser name is: SBS
        Master browser is running build 3790
    3 backup servers retrieved from master SBS
        \\CLIENT2
        \\CLIENT1
        \\SBS
    There are 15 servers in domain DOMAIN on transport \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}
    There are 3 domains in domain DOMAIN on transport \Device\NetBT_Tcpip_{06FDF212-855E-433C-839B-4C766421DA59}

0
Cris HannaSr IT Support EngineerCommented:
I should have gone and looked it up.  http://technet.microsoft.com/en-us/library/cc958941.aspx   I would configure option 6 and option 15 as well.
Then re-run the BPA and see what it finds.
Have you taken any steps to rule out hardware?
0
zeldiAuthor Commented:
It's been configured before. In DHCP I have 3,4,6,15,44 and 46 set up.

Cables and ports on the switch have been changed, I might try with a different switch. It's just mysterious that when being a part of the domain I have issues, and going out of the domain it works perfectly. I will try a different switch tomorrow.
0
rpremuzCommented:
So, if an issue is not solved, the whole thread is deleted?

This issue is obviously quite difficult to solve. I'd say it would be useful to keep the comments although they don't provide a solution (at least they can serve as evidence of problems experienced by admins of MS SBS domains ;-).

-- rpr.
0
zeldiAuthor Commented:
I agree, the problem is very complex, I would still close it as solved and split points.
0
zeldiAuthor Commented:
I would recommend solutions: http:#a32883984 & http:#a29267538
0