Browsing over VPN/Multiple domains


We have two domains connecting via site-to-site VPN on Windows 2003. There is a multihomed DC with DNS, WINS, RRAS and NAT/Firewall in each site. Since they are multihomed computers (we know this is the issue, but we believe it should work if we configure it correctly), we did the following: 1) we put the internal NIC at the top of the bindings; 2) disabled DNS registration on the external NIC; 3) disabled NetBIOS over TCP/IP on all NICs except the internal NIC; 4) the RRAS server is configured as a WINS client, and the IP properties of the RRAS server are configured to "use the following adapter to obtain DHCP, DNS, WINS addresses for dial-up clients", with the adapter set to the internal NIC. We created two-way trusts and everything works fine except browsing in My Network Places. We can ping each other by name and IP, and we can map and access the remote domain server.

Problem: Under Network Neighborhood/My Network Places, you can see all domains. However, if you double-click the other domain, you get "server list not available or you might not have permission to use this network resource".

From each WINS Manager, you can see the local and remote domain (1b) and server name (remote domain and server IPs are assigned by local WINS; for example, the local server is 192.168.1.1 and the remote server is 192.168.2.1, and the WINS on 192.168.1.1 lists the local server as 192.168.1.1 and the remote server as 192.168.1.54). What could be the issue?
 
Is 192.168.1.54 a RRAS interface? As well as disabling Netbt on the external NIC, you may need to disable it on the RRAS interface (to prevent the RRAS IP from registering with WINS). The other alternative is to use "off subnet" IP addresses for the RRAS interfaces.

See KB 830063.
 
Hi Bill,

I read your post on the subject of browsing over VPN. That is a good one. I believe the issue is NetBIOS over TCPIP on the RAS interface. What I am doing is following your ideas to disable NetBIOS over TCPIP on all NICs except the internal NIC. But even though I have disabled NetBIOS over TCPIP on both RAS interfaces, ipconfig and net config show that it doesn't take, and NetBIOS over TCPIP on RAS is still enabled (see below for the details). I also tried the resolution in Q830063, and it still doesn't work. I will try one more time and post back with the result. Thanks.

ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dell300
Primary Dns Suffix . . . . . . . : gbc.net
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : gbc.net

Ethernet adapter 10.0.100.1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
Physical Address. . . . . . . . . : 00-D0-B7-06-E6-1F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.100.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.0.0.2
DNS Servers . . . . . . . . . . . : 172.16.100.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter 172.16.100.1:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 S Desktop Adapter
Physical Address. . . . . . . . . : 00-02-B3-2A-A4-46
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.16.100.1
                                    172.16.10.1
Primary WINS Server . . . . . . . : 172.16.100.1
Secondary WINS Server . . . . . . : 172.16.10.1

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.100.15
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

PPP adapter {ED2D6C0D-CA4D-4664-9C4D-6630D88F86AE}:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.10.14
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.16.100.1
                                    172.16.10.1

browstat status

Status for domain GBC on transport \Device\NetBT_Tcpip_{760E6F09-CAA1-4E0A-B29D-CA4DDCFDF879}
Browsing is active on domain.
Master browser name is: DELL300
Master browser is running build 3790
1 backup servers retrieved from master DELL300
\\DELL300
There are 2 servers in domain GBC on transport \Device\NetBT_Tcpip_{760E6F09-CAA1-4E0A-B29D-CA4DDCFDF879}
There are 2 domains in domain GBC on transport \Device\NetBT_Tcpip_{760E6F09-CAA1-4E0A-B29D-CA4DDCFDF879}

Status for domain GBC on transport \Device\NetBT_Tcpip_{890ED16A-FB6C-4B44-B5EE-50E58B0E5756}
Browsing is active on domain.
Master name cannot be determined from GetAdapterStatus. Using \\DELL300
Master browser is running build 3790
1 backup servers retrieved from master DELL300
\\DELL300
There are 2 servers in domain GBC on transport \Device\NetBT_Tcpip_{890ED16A-FB6C-4B44-B5EE-50E58B0E5756}
There are 2 domains in domain GBC on transport \Device\NetBT_Tcpip_{890ED16A-FB6C-4B44-B5EE-50E58B0E5756}

Status for domain GBC on transport \Device\NetBT_Tcpip_{ED2D6C0D-CA4D-4664-9C4D-6630D88F86AE}
Browsing is NOT active on domain. Status : 6118
Master name cannot be determined from GetAdapterStatus.

net config server
Server Name                     \\DELL300
Server Comment

Software version                Microsoft Windows Server 2003
Server is active on
      NetbiosSmb (000000000000)
      NetBT_Tcpip_{760E6F09-CAA1-4E0A-B29D-CA4DDCFDF879} (0002b32aa446)
      NetBT_Tcpip_{890ED16A-FB6C-4B44-B5EE-50E58B0E5756} (005345000000)
      NetBT_Tcpip_{ED2D6C0D-CA4D-4664-9C4D-6630D88F86AE} (005345000000)
 
Did you stop and restart RRAS after you made the registry changes to disable Netbt on the RRAS interfaces? If you are running WINS, also check that there are no "stale" entries showing the old situation.
 
Bill, thank you for the reply.

1. Q830063: If I try Q830063, both WINS are disabled and it didn't disable NetBIOS on the RRAS interface, so that doesn't work. I did try restarting RRAS and rebooting both servers, and got the same result.

2. Q292822: If I try Q292822, it is the same result as manually disabling NetBIOS over TCPIP: VPN client NetBIOS is disabled in one site but not the other site.

3. Status of NetBIOS over TCPIP on both VPN clients: remember, this is two domains connecting via site-to-site VPN with a persistent connection. To find out why VPN client NetBIOS is disabled in one site but not the other site, I changed them to demand-dial. If I call domainB from domainA, then NetBIOS will be disabled on domainA as the domainB VPN client, and NetBIOS will not be disabled on domainB as the domainA VPN client; if I call domainA from domainB, NetBIOS will be disabled on domainB only.

4. Status of the PPP adapter RAS Server (Dial In) Interface: no matter which site calls in, the PPP adapter RAS Server (Dial In) Interface on both sites never shows NetBIOS over TCPIP disabled.

5. WINS records: Both WINS list both DMBs (1b) with their internal NIC IPs, in our case domainA 172.16.10.1 and domainB 172.16.100.1. Both WINS also list the calling RRAS interface as MB; in our case, it is 172.16.10.87 if the domainA 172.16.10.1 RRAS makes the call.

I also created another test lab to test it and got the same result. Can we make it work?
 
The really important thing, as far as browsing is concerned, is that the browser service only finds one browser for each segment, and this browse list includes all the machines on that segment. If you have to use a domain controller as a router or remote access server, you must ensure that only one interface (the LAN NIC) is building a browse list for the segment. As KB 292822 points out, you can do this by disabling Netbios over TCP/IP on all of the other interfaces (including the RRAS interface which remote users connect to).

KB 830063 uses a different approach. Because disabling Netbt on the RRAS interface causes browsing problems for some clients, it recommends putting the RRAS addresses in a different subnet from the LAN machines. So although Netbt is enabled on the interface, it will not try to build a browse list for the LAN (because it is in a different IP subnet). The DC becomes the domain master browser and builds the browse list on its LAN interface.

If you have two domains in two sites (with the DC acting as the VPN router), each DC should build a domain browse list for its domain. If the domain controllers can access each other, a combined network-wide browse list should be built by one DC and relayed to the other. This depends on WINS having the necessary unique addresses for the browse masters, so that the browser service can find them across the WAN. If there are multiple entries for the DMB (i.e. the <domainname 1b> entries) in WINS with different IP addresses, this will fail. It will also fail if there is no entry for the DMB in WINS.
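A check for the condition described in the reply above (a RRAS interface with NetBT still on, sitting inside a LAN NIC's subnet, so a second browse list gets built for the segment), written here as an added example rather than code from this thread. It parses the ipconfig /all output the original poster pasted earlier, condensed into a constructed sample, and assumes the English Windows 2003 layout of "<Name> . . . : <value>" lines under an adapter header; the KB numbers in the verdict strings are the ones cited in the thread.

```python
import ipaddress
import re

# Constructed sample, condensed from the ipconfig /all output pasted earlier in
# this thread. The PPP adapters carry no "NetBIOS over Tcpip" line at all.
SAMPLE_IPCONFIG = """\
Ethernet adapter 10.0.100.1:
   IP Address. . . . . . . . . . . . : 10.0.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter 172.16.100.1:
   IP Address. . . . . . . . . . . . : 172.16.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
PPP adapter RAS Server (Dial In) Interface:
   IP Address. . . . . . . . . . . . : 172.16.100.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
PPP adapter {ED2D6C0D-CA4D-4664-9C4D-6630D88F86AE}:
   IP Address. . . . . . . . . . . . : 172.16.10.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""
ADAPTER_RE = re.compile(r"^(Ethernet|PPP) adapter (.+):$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Split ipconfig /all output into per-adapter dicts of field -> value."""
    adapters = []
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line.strip()):
            adapters.append({"kind": m.group(1), "name": m.group(2), "fields": {}})
        elif adapters and (m := FIELD_RE.match(line)):
            adapters[-1]["fields"][m.group(1).strip()] = m.group(2).strip()
    return adapters

def netbt_enabled(adapter):
    """ipconfig prints the NetBT line only when it is Disabled; no line means still on."""
    return adapter["fields"].get("NetBIOS over Tcpip", "").lower() != "disabled"

def audit(text):
    """Flag PPP/RRAS interfaces with NetBT on that sit inside a LAN NIC's subnet."""
    adapters = parse_ipconfig(text)
    lans = [ipaddress.ip_network(f"{a['fields']['IP Address']}/{a['fields']['Subnet Mask']}", strict=False)
            for a in adapters if a["kind"] == "Ethernet"]
    findings = []
    for a in (x for x in adapters if x["kind"] == "PPP" and netbt_enabled(x)):
        ip = ipaddress.ip_address(a["fields"]["IP Address"])
        hit = next((str(n) for n in lans if ip in n), None)
        verdict = (f"on-subnet {hit}: disable NetBT (KB 292822) or use an off-subnet address (KB 830063)"
                   if hit else "off-subnet (KB 830063 layout)")
        findings.append((a["name"], str(ip), verdict))
    return findings
```

On the sample, the dial-in interface at 172.16.100.15 is flagged as on-subnet with the 172.16.100.0/24 LAN NIC, which is exactly the layout KB 830063 tells you to avoid; the demand-dial interface at 172.16.10.14 is off-subnet for this host.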
 
Bill, thank you for the valuable information. I will try it again this weekend and will post back with a new subject.
 
I'm having the same problem: the calling part is OK, but in the answering node NetBIOS over TCP is still active; you can see that with nbtstat -n...
I switched the roles, with the same result.
Any ideas?
 