JiiPS
asked on
Strange browsing problem / MxrSmb 8003 error
Hello,
I encountered a pretty strange network issue with one Windows 7 laptop.
Symptoms:
- Sometimes client cannot browse network (only this pc is visible in the list)
- There is a shared folder on another windows 7 laptop. When pinging this laptop with IP, I get reply. When pinging with host name, it is unreachable. If I check this PC with shared folder with nslookup, it returns wrong IP address.
- The client can ping all other PC's and servers in domain, with host name, except this one laptop.
I noticed there are also MxrSmb (8003) errors in server's event viewer, coming from this PC.
Have already added IsDomainMaster=FALSE to this laptop. No change what so ever.
Right now I am not able to check if the computer browser service is started on that PC, but maybe I should stop and disable it?
I also checked all the domain servers and all of thme have the" IsDomainMaster" set to FALSE in registry.
Shouldn't there be one server with it set to AUTO or TRUE?
Also tried the" browstat status" command and it returned answer that serverXX is the master browser (even though it is set to IsDomainMaster=FALSE).
Any ideas on how to proceed further on this problem would be great, since I am really running out of ideas.
I encountered a pretty strange network issue with one Windows 7 laptop.
Symptoms:
- Sometimes client cannot browse network (only this pc is visible in the list)
- There is a shared folder on another windows 7 laptop. When pinging this laptop with IP, I get reply. When pinging with host name, it is unreachable. If I check this PC with shared folder with nslookup, it returns wrong IP address.
- The client can ping all other PC's and servers in domain, with host name, except this one laptop.
I noticed there are also MxrSmb (8003) errors in server's event viewer, coming from this PC.
Have already added IsDomainMaster=FALSE to this laptop. No change what so ever.
Right now I am not able to check if the computer browser service is started on that PC, but maybe I should stop and disable it?
I also checked all the domain servers and all of thme have the" IsDomainMaster" set to FALSE in registry.
Shouldn't there be one server with it set to AUTO or TRUE?
Also tried the" browstat status" command and it returned answer that serverXX is the master browser (even though it is set to IsDomainMaster=FALSE).
Any ideas on how to proceed further on this problem would be great, since I am really running out of ideas.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can you check the office side of the VPN tunnel to verify the connection? (not worth much, but it would give you the IP address)
The default and recommended setting (by M$) is to public, so unless you pre-configured the link, or the user is literate, you won't be able to ping without resetting the network type.
Perhaps a call to the user to address the network designation might get you the last part of the puzzle. Keep us posted.
The default and recommended setting (by M$) is to public, so unless you pre-configured the link, or the user is literate, you won't be able to ping without resetting the network type.
Perhaps a call to the user to address the network designation might get you the last part of the puzzle. Keep us posted.
the problem through a VPN tunnel is the netbios broadcasts will not reach the computers. netbios is not routable, unless you use WINS as a cruch to help populate a database that the clients communicate with to get netbios resolution. IT'S MUCH LIKE DNS.
Clients, on the local network will send out a DNS broadcast to populate the DNS database. Then, outside clients will access the DNS database to get DNS resolution for clients that that DNS server is auhtoritative for.
Netbios and WINS works the same way.
Now, you can cheat. Like DNS, that has a HOST file, that you can configure, WINS has an LMHOST file you can configure. So, instead of accessing a WINS database, you can access a LMHOST file. But, you have to enable LMHOST lookup on the TCP/IP properties>>advanced>>WINS
Important things to remember:
-The browser service works off Netbios.
-Netbios broadcasts are not routeable and therefore will not work over a VPN, over a VLAN, through any IPsec tunnel. etc... The broadcasts are held to the broadcast domain.
-When pinging, know how you are pinging. Ping is a multi-protocol diagnostic tool. You can do an ARP ping, DNS ping, MTU ping, or a netbios ping>
Examples:
ping 123.124.125.126 (will translate a routeable IP to a MAC address using ARP and routers)
ping www.google.com (Since this is less than 15 charactors and also has periods in it, it will query a DNS server for IP resolution, then get the MAC address through an ARP lookup)
ping servername (( This is a netbios ping. There are less than 15 charactors in the name and there are no periods in it. The redirector service will direct this query to the Netbios Name server).
And the MTU ping works like this:
http://help.expedient.com/broadband/mtu_ping_test.shtml
For a VLAN configuration: you can elect to use Netbios helper and allow netbios broadcasts through the router that the router has within its VLAN Trunking protocol (VTP). However, most ISP's forbid, or block, netbios on ports and that will most likely mess up your VPN connection.
Clients, on the local network will send out a DNS broadcast to populate the DNS database. Then, outside clients will access the DNS database to get DNS resolution for clients that that DNS server is auhtoritative for.
Netbios and WINS works the same way.
Now, you can cheat. Like DNS, that has a HOST file, that you can configure, WINS has an LMHOST file you can configure. So, instead of accessing a WINS database, you can access a LMHOST file. But, you have to enable LMHOST lookup on the TCP/IP properties>>advanced>>WINS
Important things to remember:
-The browser service works off Netbios.
-Netbios broadcasts are not routeable and therefore will not work over a VPN, over a VLAN, through any IPsec tunnel. etc... The broadcasts are held to the broadcast domain.
-When pinging, know how you are pinging. Ping is a multi-protocol diagnostic tool. You can do an ARP ping, DNS ping, MTU ping, or a netbios ping>
Examples:
ping 123.124.125.126 (will translate a routeable IP to a MAC address using ARP and routers)
ping www.google.com (Since this is less than 15 charactors and also has periods in it, it will query a DNS server for IP resolution, then get the MAC address through an ARP lookup)
ping servername (( This is a netbios ping. There are less than 15 charactors in the name and there are no periods in it. The redirector service will direct this query to the Netbios Name server).
And the MTU ping works like this:
http://help.expedient.com/broadband/mtu_ping_test.shtml
For a VLAN configuration: you can elect to use Netbios helper and allow netbios broadcasts through the router that the router has within its VLAN Trunking protocol (VTP). However, most ISP's forbid, or block, netbios on ports and that will most likely mess up your VPN connection.
A minor correction, ping is an ICMP echo request, and does not rely on netbios. You can use ping to see if specific ports are functioning (like port 25 for smtp) but the underlying protocol is ICMP.
And what can you diagnose with ping 9660kel?
Thanks
Thanks
Connectivity
What protocols can you diagnose and what tests can you run with ping?
Ping is useful for simple connectivity tests for almost any network protocol, it also forms the basis for "tracert" in windows, trace route uses ping coupled with time to live to reconstruct the network path to a destination.
A persistent ping can help isolate traffic bottlenecks, intermittent connection problems, and flaky cables.
A ping with <hostname> can test your name resolution locally and to the internet. The host checks its cashe for the address, and if it isn't found, queries the local network for a name resolution server, (DNS) and if found, queries for the address associated with the host or domain. (only computers with netbios enabled will check for a netbios name server, and even then, only after DNS query has failed, unless the ordering has been changed from default.)
A malformed ping packet can be used for a denial of service attack, known as "ping of death".
Another handy command is "netstat", used to list the open connections on a host. Very helpful to find spyware, failing network cards that have become chatty, and find background processes with their corresponding ports.
On a side note regarding protocols blocked by ISP's, you can change the port number used on the network for a given protocol, and thus bypass the blocked port. (this would be done with a combination of RRAS or SAMBA, router config, and DHCP scope options, remember to use a public port number)
A persistent ping can help isolate traffic bottlenecks, intermittent connection problems, and flaky cables.
A ping with <hostname> can test your name resolution locally and to the internet. The host checks its cashe for the address, and if it isn't found, queries the local network for a name resolution server, (DNS) and if found, queries for the address associated with the host or domain. (only computers with netbios enabled will check for a netbios name server, and even then, only after DNS query has failed, unless the ordering has been changed from default.)
A malformed ping packet can be used for a denial of service attack, known as "ping of death".
Another handy command is "netstat", used to list the open connections on a host. Very helpful to find spyware, failing network cards that have become chatty, and find background processes with their corresponding ports.
On a side note regarding protocols blocked by ISP's, you can change the port number used on the network for a given protocol, and thus bypass the blocked port. (this would be done with a combination of RRAS or SAMBA, router config, and DHCP scope options, remember to use a public port number)
The network redirector will query either Netbios or DNS when a ping is made to resolve the DNS or Netbios name. If you use Ping (any name without periods and less than 15 charactors) then you will query the netbios name server. If you ping (computername.domain.name)
So, less than 15 charactors and without periods >>>Netbios Name Server
more than 15 and/or has periods>> DNS server
In many cases, I have seen people with the inability to ping the computername, but able to ping Computername.domain.name, OR ping by IP address. What that means, (AS IN THIS CASE) is you don't have proper Netbios resolution. I reviewed the comments from the author and he said he could ping by IP but not by hostname. Since this is a VPN connection and Netbios is a non-routable broadcast protocol, held to the broadcast domain, it's safe to conclude this PC going through the VPN doesn't have the ability to communicate with a Netbios Name server to resolve the IP address.
Netbios is used for the RPC locator, Browser services (meaning file and print sharing GUI), and Netlogon service (depending on how you joined the domain). If you can't see computers within my network places, while you can ping computers through the VPN, it's safe to conclude this computer can't resolve the netbios query.
To do so, you have to enable Netbios over TCP/IP (because TCP/IP is a connection based protocol and routeable over a router). Then, you may still have to set up a LMHOST record, or create a WINS server. This will depend upon how many computers are remoting in through the VPN connections. If you have a bunch, then WINS is probably the best way to go. If you have a few, then you can configure an LMHOST record to include the PDCe, and all VPN hosts. That LMHOST record will have to be created on all VPN clients and the PDCe (which by default is the Netbios Name Server or "Domain Master Browser)....
This author corrected most of his errors by preventing client computers from competing with the PDCe for the role of domain master browser. NOW all this author needs to do is get Netbios resolution through the VPN connection.....I can provide over 100 examples of people I have helped on EE to do just that.
Here's a few:
https://www.experts-exchange.com/questions/23706144/User-unable-to-hit-certain-shares-on-server-unless-fully-qualifying-the-UNC-of-share-but-able-to-hit-others-by-Netbios-name-only-in-UNC-path.html
https://www.experts-exchange.com/questions/23507742/Lots-of-Event-1053-Errors.html
So, less than 15 charactors and without periods >>>Netbios Name Server
more than 15 and/or has periods>> DNS server
In many cases, I have seen people with the inability to ping the computername, but able to ping Computername.domain.name, OR ping by IP address. What that means, (AS IN THIS CASE) is you don't have proper Netbios resolution. I reviewed the comments from the author and he said he could ping by IP but not by hostname. Since this is a VPN connection and Netbios is a non-routable broadcast protocol, held to the broadcast domain, it's safe to conclude this PC going through the VPN doesn't have the ability to communicate with a Netbios Name server to resolve the IP address.
Netbios is used for the RPC locator, Browser services (meaning file and print sharing GUI), and Netlogon service (depending on how you joined the domain). If you can't see computers within my network places, while you can ping computers through the VPN, it's safe to conclude this computer can't resolve the netbios query.
To do so, you have to enable Netbios over TCP/IP (because TCP/IP is a connection based protocol and routeable over a router). Then, you may still have to set up a LMHOST record, or create a WINS server. This will depend upon how many computers are remoting in through the VPN connections. If you have a bunch, then WINS is probably the best way to go. If you have a few, then you can configure an LMHOST record to include the PDCe, and all VPN hosts. That LMHOST record will have to be created on all VPN clients and the PDCe (which by default is the Netbios Name Server or "Domain Master Browser)....
This author corrected most of his errors by preventing client computers from competing with the PDCe for the role of domain master browser. NOW all this author needs to do is get Netbios resolution through the VPN connection.....I can provide over 100 examples of people I have helped on EE to do just that.
Here's a few:
https://www.experts-exchange.com/questions/23706144/User-unable-to-hit-certain-shares-on-server-unless-fully-qualifying-the-UNC-of-share-but-able-to-hit-others-by-Netbios-name-only-in-UNC-path.html
https://www.experts-exchange.com/questions/23507742/Lots-of-Event-1053-Errors.html
Mostly, I agree with you, and I wouldn't discount the importance of netbios in windows.
The only issue I can see getting in the way of that is the network designation in win7. If the network is set to public, no amount of wins servers will help you get file shares, print shares, or really anything from a remote host.
The key element in my mind is the one way nature of the problem, the remote host can connect to resources, but won't answer a ping.
I could be wrong, but that is what it looks like to me.
The only issue I can see getting in the way of that is the network designation in win7. If the network is set to public, no amount of wins servers will help you get file shares, print shares, or really anything from a remote host.
The key element in my mind is the one way nature of the problem, the remote host can connect to resources, but won't answer a ping.
I could be wrong, but that is what it looks like to me.
If it can't ping, but can connect via host, then this is pretty easy too. It means that there is a security policy that blocks ICMP echo reply (Ping), through the VPN tunnel. This would be a firewall policy or a router policy to block ICMP echo.
ASKER
I'm having the next chance to check on this issue tomorrow.
Will reply on results after that.
Will reply on results after that.
ASKER
Ok, the problem seems to be solved.
Obviously there was something screwed up with the F-Secure client.
I completely uninstalled all the F-Secure software, rebooted the PC and then pushed the installation package back again.
After that all the above problems disappeared.
Thank you all, for participating with your ideas.
Obviously there was something screwed up with the F-Secure client.
I completely uninstalled all the F-Secure software, rebooted the PC and then pushed the installation package back again.
After that all the above problems disappeared.
Thank you all, for participating with your ideas.
ASKER
As mentioned in earlier post, the final solution was the reinstallation of F-Secure Client.
ASKER
I stopped and disabled the Computer Browser service from The W7 machine and after this the errors disappeared from server log.
I also set just a minute ago one server to "Is DomainMaster" to TRUE and "MaintainServerList" to Yes.
The suggestion about network might also be correct, since the workstation was sent to end user, who might have chosen the network as "public".
Right now the situation is that from user's point of view, everything seems to be working smoothly.
From my point of view, I cannot even ping the computer via VPN connection, but I am suspecting that there is something screwed with F-Secure client's firewall settings.