Sign in with
Sign up | Sign in
Your question

Cross-site browsing issue

Last response: in Windows 2000/NT
Share
Anonymous
July 7, 2005 10:45:39 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

We have an old two-site (US and UK) NT domain setup. The sites are
joined by a Lan-to-Lan VPN. There are two NT domains, each based
primarily in one site, but with a BDC in the "other" site.

Browsing works as expected, you can see all machines in each domain,
irrespective of site.

Now we merge with a Swedish company using AD and I decide to use
their AD for the whole organisation. I build a VPN to join the
Sweden Lan to the other two, and set up an AD DC in the UK. I set
up full two-way trust relationships. I move a couple of machines
in the UK into the AD domain. All works fine.

All except browsing that is. From a machine in the UK I can see
all machines in the old NT domains but in the AD domain I can only
see the machines in the UK, none of those in Sweden. The reverse
if I RDC to a machine in Sweden and browse from there. There
are no obvious errors in the Event Logs of any of the DCs.

Shouldn't cross-site browsing "just work"?

--
Jim Hatfield
Anonymous
July 7, 2005 10:45:40 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

It's almost always a WINS Server issue:

1) Lack of a WINS server

2) All machines NEED to be "WINS clients"
(this includes especially all servers, DCs and even the
` WINS server itself.)

3) Failure to replicate the WINS database --
with more than one WINS server they must be replicated

The first is likely at the remote site (new Swedish company).

The second is common when only a subset of servers are "missing";

the latter is quite common when two companies are involved if
each has it's own WINS server (set) and they have not been manually
configured to replicate.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> --
> Jim Hatfield
Anonymous
July 11, 2005 5:41:32 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Thu, 7 Jul 2005 13:07:26 -0500, "Herb Martin" <news@LearnQuick.com>
wrote:

>It's almost always a WINS Server issue:
>
> 1) Lack of a WINS server
>
> 2) All machines NEED to be "WINS clients"
> (this includes especially all servers, DCs and even the
> ` WINS server itself.)
>
> 3) Failure to replicate the WINS database --
> with more than one WINS server they must be replicated
>
>The first is likely at the remote site (new Swedish company).
>
>The second is common when only a subset of servers are "missing";

I thought WINS wasn't required with AD....

However both DCs are WINS servers, both point their WINS client
to themselves, and they are now configured to replicate. Sadly
it makes not a blind bit of difference. The DCs (and a client
machine) can browse everything in the old NT4 domains but only
local machines in the AD domain.

I see one difference. The AD domain name is "internal.local". On
the new DC in the UK if I do a "net view /domain:internal", I see
the list of local machines, same as if I just do a "net view". On
the old DC in Sweden, doing a "net view /domain:internal" gets me
an error 6118 "The list of servers for this workgroup is not
currently available". So *something* is not right there...

If only Windows browsing wasn't so obscure and difficult to debug...


--
Jim Hatfield
Related resources
Can't find your answer ? Ask !
Anonymous
July 11, 2005 6:44:49 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Jim Hatfield" <jim.hatfield@insignia.com> wrote in message
news:evp4d1hq6roh11dj00362lguoa6d026fjq@4ax.com...
> On Thu, 7 Jul 2005 13:07:26 -0500, "Herb Martin" <news@LearnQuick.com>
> wrote:
>
> >It's almost always a WINS Server issue:
> >
> > 1) Lack of a WINS server
> >
> > 2) All machines NEED to be "WINS clients"
> > (this includes especially all servers, DCs and even the
> > ` WINS server itself.)
> >
> > 3) Failure to replicate the WINS database --
> > with more than one WINS server they must be replicated
> >
> >The first is likely at the remote site (new Swedish company).
> >
> >The second is common when only a subset of servers are "missing";
>
> I thought WINS wasn't required with AD....

It's a VERY common misconception -- due to a LOT of bad information
out there.

If you needed WINS under NT-4 it is a VERY safe bet you need it under
AD.

> However both DCs are WINS servers, both point their WINS client
> to themselves, and they are now configured to replicate. Sadly
> it makes not a blind bit of difference. The DCs (and a client
> machine) can browse everything in the old NT4 domains but only
> local machines in the AD domain.

All machines, not just clients OR DCs, have to be WINS clients for
browsing to work fully.

Check the WINS database (MMC) and use BrowStat.exe to troubleshoot
that your browsers are available...

> I see one difference. The AD domain name is "internal.local". On
> the new DC in the UK if I do a "net view /domain:internal", I see
> the list of local machines, same as if I just do a "net view". On
> the old DC in Sweden, doing a "net view /domain:internal" gets me
> an error 6118 "The list of servers for this workgroup is not
> currently available". So *something* is not right there...
>
> If only Windows browsing wasn't so obscure and difficult to debug...

It's actually fairly easy but TERRIBLY explained and poorly understood
by most people.

I only know about 5-10 rules but those solve almost every browsing
problem.

Also make sure you have a browsing problem which is almost entirely
divorced from either of "connectivity" (ping by number) and some what
separate from Name resolution "name to IP."

Oddly enough, it requires WINS to browse across subnets and across
domains, yet DNS may be the name resolution used to resolve the name
to an IP.

The reason: Master Browsers and the Domain Master Browser of each
domain use WINS as a "locator service" or "rendezvous service."

And remember ANY Windows machine MAY become Master Browser
of it's subnet (depending on "rank".)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Anonymous
July 11, 2005 9:08:29 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Mon, 11 Jul 2005 13:41:32 +0100, Jim Hatfield
<jim.hatfield@insignia.com> wrote:

>I see one difference. The AD domain name is "internal.local". On
>the new DC in the UK if I do a "net view /domain:internal", I see
>the list of local machines, same as if I just do a "net view". On
>the old DC in Sweden, doing a "net view /domain:internal" gets me
>an error 6118 "The list of servers for this workgroup is not
>currently available". So *something* is not right there...

The more I look, the more problems creep out of the woodwork.

- if I run Domain Monitor on the NT4 PDCs, the status of the
AD domain is listed as "domain controller not found". I have
lmhosts entries to help netbios resolution but it doesn't
seem to help.

- the instructions for ADMT says to add each domain's Domain Admins
global group to the other's Administrator's local group. However
if I go into User Manager on the NT4 domains, open up Administrators
and then select the AD domain from the dropdown, the list of
names goes grey and is replaced by the message "Unable to browse
the selected domain because the following error occurred: there
are currently no logon servers available to service the logon
request.

- there are lots of errors from NETLOGON in the event log of the
NT4 PDCs like: No Windows NT Domain Controller is available
for domain INTERNAL. This event is expected and can be ignored
when booting with the "No Net" hardware profile.

- just doing a "net view" on the original AD DC now gets me an
System Error 6881.

jim
--
Jim Hatfield
Anonymous
July 11, 2005 9:08:30 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> >I see one difference. The AD domain name is "internal.local". On
> >the new DC in the UK if I do a "net view /domain:internal", I see
> >the list of local machines, same as if I just do a "net view". On
> >the old DC in Sweden, doing a "net view /domain:internal" gets me
> >an error 6118 "The list of servers for this workgroup is not
> >currently available". So *something* is not right there...
>
> The more I look, the more problems creep out of the woodwork.
>
> - if I run Domain Monitor on the NT4 PDCs, the status of the
> AD domain is listed as "domain controller not found". I have
> lmhosts entries to help netbios resolution but it doesn't
> seem to help.

The PDC Emulator must be online for cross-domain browsing to
work. Only the Domain Master Browsers (PDC) exchange full
domain lists .

On the AD side, run DCDiag on every DC (good to do anyway.)
Fix or report problems. (See below, I will add my DNS checklist
but much of that is focused on straightening out DCs.)

> - the instructions for ADMT says to add each domain's Domain Admins
> global group to the other's Administrator's local group. However
> if I go into User Manager on the NT4 domains, open up Administrators
> and then select the AD domain from the dropdown, the list of
> names goes grey and is replaced by the message "Unable to browse
> the selected domain because the following error occurred: there
> are currently no logon servers available to service the logon
> request.

External Trusts SEEM to be working but they are also depending on
NetBIOS (and maybe WINS) so this is not too suprising.

> - there are lots of errors from NETLOGON in the event log of the
> NT4 PDCs like: No Windows NT Domain Controller is available
> for domain INTERNAL. This event is expected and can be ignored
> when booting with the "No Net" hardware profile.

Consistent with not finding the PDC EMulator or maybe ANY DC,
of the AD domain. This also seems to point at WINS.

> - just doing a "net view" on the original AD DC now gets me an
> System Error 6881.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Jim Hatfield" <jim.hatfield@insignia.com> wrote in message
news:lr55d1p2dv5nm0gim2a3lv2bg6b2410ilb@4ax.com...
> On Mon, 11 Jul 2005 13:41:32 +0100, Jim Hatfield
> <jim.hatfield@insignia.com> wrote:
>
>
> jim
> --
> Jim Hatfield
Anonymous
July 13, 2005 5:32:26 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Thu, 07 Jul 2005 18:45:39 +0100, Jim Hatfield
<jim.hatfield@insignia.com> wrote:

>All except browsing that is. From a machine in the UK I can see
>all machines in the old NT domains but in the AD domain I can only
>see the machines in the UK, none of those in Sweden. The reverse
>if I RDC to a machine in Sweden and browse from there. There
>are no obvious errors in the Event Logs of any of the DCs.

I think I might have found something. In the WINS database I
see the Domain Master Browser for the domain is set to
192.168.0.210 - but that is not the address bound to the network
card. It is a second address which seems to have something
to do with RRAS.

Is there a way I can force the Domain Master Browser entry to
a particular address on a multi-homed machine?

--
Jim Hatfield
Anonymous
July 13, 2005 8:59:00 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Wed, 13 Jul 2005 13:32:26 +0100, Jim Hatfield
<jim.hatfield@insignia.com> wrote:

>I think I might have found something. In the WINS database I
>see the Domain Master Browser for the domain is set to
>192.168.0.210 - but that is not the address bound to the network
>card. It is a second address which seems to have something
>to do with RRAS.

Further to this, if I reboot the machine, everything suddenly
works fine. Both machines can browse all machines in both
sites, and the "nbtstat -n" shows up no errors at all. Interestingly,
"nbtstat -n" on the machine which has the RRAS server ONLY shows
the Ethernet card address.

Then as soon as someone makes a PPTP connection it all goes
pear-shaped again. Cross-site browsing fails and nbtstat -n
returns the name of the machine in the conflict state.

So it is becoming increasingly likely that RRAS is the issue.


--
Jim Hatfield
Anonymous
July 13, 2005 8:59:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> So it is becoming increasingly likely that RRAS is the issue.

I would carefully check the subnetting.

It appeared you have two network interfaces, with NetBIOS enabled,
on the same SUBNET (or broadcast domain.)

I cannot be sure since you didn't show the subnet masks.

You might post your IPConfig /all from the affected (DC) machine.



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Jim Hatfield" <jim.hatfield@insignia.com> wrote in message
news:2dead15tdmbfc73ndgqejeupnb74colqh6@4ax.com...
> On Wed, 13 Jul 2005 13:32:26 +0100, Jim Hatfield
> <jim.hatfield@insignia.com> wrote:
>
> >I think I might have found something. In the WINS database I
> >see the Domain Master Browser for the domain is set to
> >192.168.0.210 - but that is not the address bound to the network
> >card. It is a second address which seems to have something
> >to do with RRAS.
>
> Further to this, if I reboot the machine, everything suddenly
> works fine. Both machines can browse all machines in both
> sites, and the "nbtstat -n" shows up no errors at all. Interestingly,
> "nbtstat -n" on the machine which has the RRAS server ONLY shows
> the Ethernet card address.
>
> Then as soon as someone makes a PPTP connection it all goes
> pear-shaped again. Cross-site browsing fails and nbtstat -n
> returns the name of the machine in the conflict state.
>
> So it is becoming increasingly likely that RRAS is the issue.
>
>
> --
> Jim Hatfield
Anonymous
July 14, 2005 10:10:03 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Wed, 13 Jul 2005 14:03:39 -0500, "Herb Martin" <news@LearnQuick.com>
wrote:

>> So it is becoming increasingly likely that RRAS is the issue.
>
>I would carefully check the subnetting.
>
>It appeared you have two network interfaces, with NetBIOS enabled,
>on the same SUBNET (or broadcast domain.)

I believe not because the subnet mask of the RAS adaptor is
255.255.255.255.

>I cannot be sure since you didn't show the subnet masks.
>
>You might post your IPConfig /all from the affected (DC) machine.

Sure:

>C:\Documents and Settings\Administrator>ipconfig /all
>
>Windows 2000 IP Configuration
>
> Host Name . . . . . . . . . . . . : server3
> Primary DNS Suffix . . . . . . . : INTERNAL.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : Yes
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : INTERNAL.local
>
>Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PI
>LA8470B)
> Physical Address. . . . . . . . . : 00-02-B3-02-89-F7
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.0.101
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.0.1
> DNS Servers . . . . . . . . . . . : 192.168.0.101
> 192.168.0.1
> Primary WINS Server . . . . . . . : 192.168.0.101
>
>PPP adapter RAS Server (Dial In) Interface:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> Physical Address. . . . . . . . . : 00-53-45-00-00-00
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.0.210
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 127.0.0.1

It's interesting that between the time the machine is rebooted
and the time that someone makes an incoming PPTP connection,
all is OK. As soon as the PPTP connection is made, the machine
can no longer browse.
--
Jim Hatfield
Anonymous
July 15, 2005 1:44:13 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Jim Hatfield" <jim.hatfield@insignia.com> wrote in message
news:qv6dd1dpd70hde7uj8ikd0e2jd4gskgkju@4ax.com...
> On Wed, 13 Jul 2005 14:03:39 -0500, "Herb Martin" <news@LearnQuick.com>
> wrote:
>
> >> So it is becoming increasingly likely that RRAS is the issue.
> >
> >I would carefully check the subnetting.
> >
> >It appeared you have two network interfaces, with NetBIOS enabled,
> >on the same SUBNET (or broadcast domain.)
>
> I believe not because the subnet mask of the RAS adaptor is
> 255.255.255.255.

Alone that proves nothing -- it might even be wrong depending
on where it appears.

> >I cannot be sure since you didn't show the subnet masks.
> >
> >You might post your IPConfig /all from the affected (DC) machine.
>
> Sure:
>
> >C:\Documents and Settings\Administrator>ipconfig /all
> >
> >Windows 2000 IP Configuration
> >
> > Host Name . . . . . . . . . . . . : server3
> > Primary DNS Suffix . . . . . . . : INTERNAL.local
> > Node Type . . . . . . . . . . . . : Hybrid
> > IP Routing Enabled. . . . . . . . : Yes
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : INTERNAL.local
> >
> >Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : Intel(R) PRO/100+ Server
Adapter (PI
> >LA8470B)
> > Physical Address. . . . . . . . . : 00-02-B3-02-89-F7
> > DHCP Enabled. . . . . . . . . . . : No
> > IP Address. . . . . . . . . . . . : 192.168.0.101
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.0.1

Right here may be part of the problem -- certainly if you
have a routing issue.

Why is the main NIC set to itself as a Default Gateway?

Such settings will prevent the machine (and the routers
on the machine in RRAS) from routing to any NIC (or
RRAS interface) NOT directly connected.

> > DNS Servers . . . . . . . . . . . : 192.168.0.101
> > 192.168.0.1
> > Primary WINS Server . . . . . . . : 192.168.0.101
> >
> >PPP adapter RAS Server (Dial In) Interface:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> > Physical Address. . . . . . . . . : 00-53-45-00-00-00
> > DHCP Enabled. . . . . . . . . . . : No
> > IP Address. . . . . . . . . . . . : 192.168.0.210
> > Subnet Mask . . . . . . . . . . . : 255.255.255.255

This looks wrong too, but I cannot remember if there is a cosmetic
bug that shows this in dynamic interfaces.

Were this really being used you could not reach any other stations
on that interface. But I believe this is a cosmetic interface but that
I have seen below.

> > Default Gateway . . . . . . . . . :
> > DNS Servers . . . . . . . . . . . : 127.0.0.1

Why is there no DNS server set on the main NIC?

And it really should be the IP since it will give this value to
the RRAS clients (and 127.0.0.1 will NOT make sense for them
-- that would refer to themselves.)

> It's interesting that between the time the machine is rebooted
> and the time that someone makes an incoming PPTP connection,
> all is OK. As soon as the PPTP connection is made, the machine
> can no longer browse.

Do you have WINS servers or not? If so, this machine should be
a WINS client.

What happens when you do "Net View /domain:D OMAIN_NAME"
(before and after the connection.)
Anonymous
July 15, 2005 9:53:39 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Thu, 14 Jul 2005 21:44:13 -0500, "Herb Martin" <news@LearnQuick.com>
wrote:

>> >Ethernet adapter Local Area Connection:
>> >
>> > Connection-specific DNS Suffix . :
>> > Description . . . . . . . . . . . : Intel(R) PRO/100+ Server
>Adapter (PI
>> >LA8470B)
>> > Physical Address. . . . . . . . . : 00-02-B3-02-89-F7
>> > DHCP Enabled. . . . . . . . . . . : No
>> > IP Address. . . . . . . . . . . . : 192.168.0.101
>> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> > Default Gateway . . . . . . . . . : 192.168.0.1
>
>
>Why is the main NIC set to itself as a Default Gateway?

It is not. The main NIC is 192.168.0.101 and the gateway
is 192.168.0.1, a multihomed Linux box.


>> > Default Gateway . . . . . . . . . :
>> > DNS Servers . . . . . . . . . . . : 127.0.0.1
>
>Why is there no DNS server set on the main NIC?

This isn't the main NIC, it's something to do with RRAS.

>Do you have WINS servers or not? If so, this machine should be
>a WINS client.

The machine is itself a WINS server.

>What happens when you do "Net View /domain:D OMAIN_NAME"
>(before and after the connection.)

After, ie now, I get a long pause then:

>C:\Documents and Settings\Administrator>net view /domain:INTERNAL
>System error 6118 has occurred.
>
>The list of servers for this workgroup is not currently available

To do the "before" I will have to wait for a quiet period when
nobody is using the PPTP server, and reboot the machine. I'm
slightly nervous about this because it's in Sweden and I'm not :-)

Jim
--
Jim Hatfield
Anonymous
July 19, 2005 7:04:09 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Sat, 16 Jul 2005 01:28:59 -0500, "Herb Martin" <news@LearnQuick.com>
wrote:

>> The machine is itself a WINS server.
>
>Then it should be a WINS client (usually of itself.)

Yep, it is a client of itself. Same with the new DC which I
installed here in the UK.

>> >What happens when you do "Net View /domain:D OMAIN_NAME"
>> >(before and after the connection.)
>>
>> After, ie now, I get a long pause then:
>>
>> >C:\Documents and Settings\Administrator>net view /domain:INTERNAL
>> >System error 6118 has occurred.
>
>Check any firewalls, including the SP2 type firewalls; this KB article
>offers
>specific ideas on this error (but it may not be your problem):

I have set up the three LAN's with Lan-to-Lan VPN connections and have
made sure that there are no packet filters blocking any inter-Lan
traffic.

>> To do the "before" I will have to wait for a quiet period when
>> nobody is using the PPTP server, and reboot the machine. I'm
>> slightly nervous about this because it's in Sweden and I'm not :-)

I think this is the only realistic option. If it proves my
suspicion that the RRAS service is causing the problem then I
will just have to find another machine to run it on.

I might play around with disabling the RRAS service for short
periods when nobody is connected to see if that does anything.

Jim
--
Jim Hatfield
!