|
it
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Browsing not working accross VLANsdesperate. Here is the set-up: . two VLANs with a router between them, no filtering, no ACLs . one domain with two clustered PDCs (Win2003), running WINS . VLAN A contains servers, VLAN B a couple of test workstations What works: . I can see all the registrations on the WINS servers, all servers and workstations which have WINS IP addresses defined are there . from workstations in VLAN B I can map drives on the servers in VLAN A What does not work: . from the workstation on VLAN B I cannot run 'browstat gm' (getting "Unable to get Master: access denied", and "Master name cannot be determined from GetAdapterStatus") and browstat sts ("Unable to query browser statistics: 2184") . from any of the servers in VLAN A I cannot see the workstations in VLAN B. I am testing an application which requires the workstations to show up in the windows browser in order to deploy clients. I would really appreciate tips on how to further troubleshoot this issue. Thanks. Regards Marcin marcin <u52472@uwe> wrote:
Show quoteHide quote > I have been trying to solve this problem for a few days and am getting You have a WINS server in each location, yes? Is the WINS partnership > desperate. Here is the set-up: > two VLANs with a router between them, no filtering, no ACLs > one domain with two clustered PDCs (Win2003), running WINS > VLAN A contains servers, VLAN B a couple of test workstations > > What works: > I can see all the registrations on the WINS servers, all servers and > workstations which have WINS IP addresses defined are there > from workstations in VLAN B I can map drives on the servers in VLAN A > > What does not work: > from the workstation on VLAN B I cannot run 'browstat gm' (getting > "Unable to get Master: access denied", and "Master name cannot be > determined from GetAdapterStatus") and browstat sts ("Unable to query > browser statistics: 2184") > from any of the servers in VLAN A I cannot see the workstations in > VLAN B. > > I am testing an application which requires the workstations to show > up in the windows browser in order to deploy clients. I would really > appreciate tips on how to further troubleshoot this issue. Thanks. > > Regards > Marcin working? Thank you very much for your reply. I have two WINS servers on VLAN A. That
partnership is working. I have no WINS server on VLAN B. According to MS WINS Best Practises, one WINS server is sufficient for a small routed network... The reason I introduced WINS was that we don't have DCs on all VLANs and I have to make browsing work between VLANs. Lanwench [MVP - Exchange] wrote: Show quoteHide quote >> I have been trying to solve this problem for a few days and am getting >> desperate. Here is the set-up: >[quoted text clipped - 21 lines] >> Regards >> Marcin > >You have a WINS server in each location, yes? Is the WINS partnership >working? marcin <u52472@uwe> wrote:
> Thank you very much for your reply. I have two WINS servers on VLAN It's been a while since I had to to anything like this, but I think you do > A. That partnership is working. I have no WINS server on VLAN B. > According to MS WINS Best Practises, one WINS server is sufficient > for a small routed network... The reason I introduced WINS was that > we don't have DCs on all VLANs and I have to make browsing work > between VLANs. want a WINS server on VLAN_B. Could be I'm wrong. What traffic is permitted between VLAN segments? Show quoteHide quote > > Lanwench [MVP - Exchange] wrote: >>> I have been trying to solve this problem for a few days and am >>> getting desperate. Here is the set-up: >> [quoted text clipped - 21 lines] >>> Regards >>> Marcin >> >> You have a WINS server in each location, yes? Is the WINS partnership >> working? "Lanwench [MVP - Exchange]"
<lanwe***@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:%23mmpY8U6JHA.5828@TK2MSFTNGP04.phx.gbl... He can actually do it either way, but if only using one, and all machines on > marcin <u52472@uwe> wrote: >> Thank you very much for your reply. I have two WINS servers on VLAN >> A. That partnership is working. I have no WINS server on VLAN B. >> According to MS WINS Best Practises, one WINS server is sufficient >> for a small routed network... The reason I introduced WINS was that >> we don't have DCs on all VLANs and I have to make browsing work >> between VLANs. > > It's been a while since I had to to anything like this, but I think you do > want a WINS server on VLAN_B. Could be I'm wrong. What traffic is > permitted between VLAN segments? both sides of the fence are using the one WINS box, the fence will experience extra weight with the resolutions requests. But of course, all traffic (no barb wires) needs to allowed across the fence. Show quoteHide quote :-) "marcin" <u52472@uwe> wrote in message news:975ac64a2946c@uwe... Are all machines in both VLANs using this WINS server in their IP > Thank you very much for your reply. I have two WINS servers on VLAN A. > That > partnership is working. I have no WINS server on VLAN B. According to MS > WINS > Best Practises, one WINS server is sufficient for a small routed > network... > The reason I introduced WINS was that we don't have DCs on all VLANs and I > have to make browsing work between VLANs. > properties? Are there any firewall rules blocking NetBIOS or any other type of traffic in the VLAN config? -- Ace This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT Microsoft Certified Trainer ace***@mvps.RemoveThisPart.org For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers. "Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker http://twitter.com/acefekay
Show quote
Hide quote
"Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> Ace put his finger on the essential bit. It is not how many WINS servers wrote in message news:#$tG#AU6JHA.2656@TK2MSFTNGP05.phx.gbl... > "marcin" <u52472@uwe> wrote in message news:975ac64a2946c@uwe... >> Thank you very much for your reply. I have two WINS servers on VLAN A. >> That >> partnership is working. I have no WINS server on VLAN B. According to MS >> WINS >> Best Practises, one WINS server is sufficient for a small routed >> network... >> The reason I introduced WINS was that we don't have DCs on all VLANs and >> I >> have to make browsing work between VLANs. >> > > Are all machines in both VLANs using this WINS server in their IP > properties? > > Are there any firewall rules blocking NetBIOS or any other type of traffic > in the VLAN config? > > -- > Ace > you have, but how everything is set up. What really matters is that you have a WINS database which contains all the possible master browsers. In a small network one WINS server is sufficient, but all machines must register with this WINS server. If you have a multiple WINS servers, they must all replicate to give you a database containing all the possible browse masters. The master browsers use WINS to get the IP addresses of other master browsers so that they can communicate directly with them. Once you segment your network you can't rely on broadcasts any more for communication between master browsers. You don't need a DC in each segment/VLAN. You don't even need a server. A workstation can act as a segment master browser. You do need at least one DC in the network. Only a DC can merge the lists from the segment master browsers into a network-wide browse list. There are no ACLs on the router. In our test environment we have two DCs and
WINS are installed on both of them, all that on VLAN A. The number of users is small, so one server can certainly handle the traffic. Are there any specific packets I should be looking for in network traffic captures on both VLANs in order to determine what is failing? Thank you very much for your help. Bill Grant wrote: Show quoteHide quote >>> Thank you very much for your reply. I have two WINS servers on VLAN A. >>> That >[quoted text clipped - 11 lines] >> Are there any firewall rules blocking NetBIOS or any other type of traffic >> in the VLAN config? > > Ace put his finger on the essential bit. It is not how many WINS servers >you have, but how everything is set up. What really matters is that you have >a WINS database which contains all the possible master browsers. > > In a small network one WINS server is sufficient, but all machines must >register with this WINS server. If you have a multiple WINS servers, they >must all replicate to give you a database containing all the possible browse >masters. > > The master browsers use WINS to get the IP addresses of other master >browsers so that they can communicate directly with them. Once you segment >your network you can't rely on broadcasts any more for communication between >master browsers. > > You don't need a DC in each segment/VLAN. You don't even need a server. >A workstation can act as a segment master browser. You do need at least one >DC in the network. Only a DC can merge the lists from the segment master >browsers into a network-wide browse list. -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-networking/200906/1 "marcin via WinServerKB.com" <u52472@uwe> wrote in message news:9764a44de8ebc@uwe...> There are no ACLs on the router. In our test environment we have two DCs WINS uses port TCP 42. Is that being blocked?> and > WINS are installed on both of them, all that on VLAN A. The number of > users > is small, so one server can certainly handle the traffic. Are there any > specific packets I should be looking for in network traffic captures on > both > VLANs in order to determine what is failing? Thank you very much for your > help. Ace The workstations I want to see in the browser on VLAN A all have both WINS
servers entered in the Advanced configuration. There is no filtering on the router, which connects the two VLANs. Ace Fekay [Microsoft Certified Trainer] wrote: >> Thank you very much for your reply. I have two WINS servers on VLAN A. >> That >[quoted text clipped - 4 lines] >> The reason I introduced WINS was that we don't have DCs on all VLANs and I >> have to make browsing work between VLANs. > >Are all machines in both VLANs using this WINS server in their IP >properties? > >Are there any firewall rules blocking NetBIOS or any other type of traffic >in the VLAN config? > -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-networking/200906/1 "marcin via WinServerKB.com" <u52472@uwe> wrote in message news:9764c0427d93a@uwe...> The workstations I want to see in the browser on VLAN A all have both WINS Sometimes certain ports are blocked by default in some routers.> servers entered in the Advanced configuration. There is no filtering on > the > router, which connects the two VLANs. Ace Hey Folks,..
If it were me, I would just use a single WINS and forget it. Yes, the queries would go over the router but I doubt those really amount to much load. But then,...I am me,...and I and using two,..hmm,...I'll have to think about that one for a while. Two WINS are fine but it is not always so great either. Putting both in a Clients TCP/IP Settings doesn't always mean the client will actually use both,...the "failover" to the second WINS is probably no more consistant or reliable than it is with having two DNS entries. Then with two WINS you would probably want a Push/Pull Partnership setup with them and I have seen that not always work so smoothly either. Then you don't really need the redundancy with WINS like you do DNS because it just isn't that critical,... nor does it even really provided redundancy quite like DNS with AD replication does anyway,..I've probably seen as much inconsistancy and conflicts between two WINS databases as I have agreement. And lastly a single WINS will easly and fairly quickly rebuild it self if lost,....I have deleted corrupt databases and they rebuilt themselves quite quickly. -- Show quoteHide quotePhillip Windell The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. ----------------------------------------------------- "Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> wrote in message news:uQCKjpd6JHA.1424@TK2MSFTNGP02.phx.gbl... > "marcin via WinServerKB.com" <u52472@uwe> wrote in message > news:9764c0427d93a@uwe... >> The workstations I want to see in the browser on VLAN A all have both >> WINS >> servers entered in the Advanced configuration. There is no filtering on >> the >> router, which connects the two VLANs. > > Sometimes certain ports are blocked by default in some routers. > > Ace > > >
Show quote
Hide quote
"Phillip Windell" <philwind***@hotmail.com> wrote in message All your points sound good to me.news:ORldeAe6JHA.5780@TK2MSFTNGP04.phx.gbl... > Hey Folks,.. > > If it were me, I would just use a single WINS and forget it. Yes, the > queries would go over the router but I doubt those really amount to much > load. But then,...I am me,...and I and using two,..hmm,...I'll have to > think about that one for a while. > > Two WINS are fine but it is not always so great either. Putting both in a > Clients TCP/IP Settings doesn't always mean the client will actually use > both,...the "failover" to the second WINS is probably no more consistant > or reliable than it is with having two DNS entries. Then with two WINS > you would probably want a Push/Pull Partnership setup with them and I have > seen that not always work so smoothly either. Then you don't really need > the redundancy with WINS like you do DNS because it just isn't that > critical,... nor does it even really provided redundancy quite like DNS > with AD replication does anyway,..I've probably seen as much inconsistancy > and conflicts between two WINS databases as I have agreement. And lastly > a single WINS will easly and fairly quickly rebuild it self if lost,....I > have deleted corrupt databases and they rebuilt themselves quite quickly. > > > -- > Phillip Windell I'm just wondering with the poster's VLAN routing between switch ports if there is anything being blocked. Ace "Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> Could be. A lot of messes are created with ACLs in the name of "security". wrote in message news:ORBi8se6JHA.1568@TK2MSFTNGP06.phx.gbl... > I'm just wondering with the poster's VLAN routing between switch ports if > there is anything being blocked. I suppose the router would log that if it was. -- Phillip Windell The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. ----------------------------------------------------- "Phillip Windell" <philwind***@hotmail.com> wrote in message Good point, depending on the switch vendor the VLANs are created on if news:Oq2BqDf6JHA.1716@TK2MSFTNGP03.phx.gbl... > > "Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> > wrote in message news:ORBi8se6JHA.1568@TK2MSFTNGP06.phx.gbl... > >> I'm just wondering with the poster's VLAN routing between switch ports if >> there is anything being blocked. > > Could be. A lot of messes are created with ACLs in the name of > "security". I suppose the router would log that if it was. syslogging is available or enabled on it. Let's hope to hear back from the poster to see how far he has taken it on his end to troubleshoot it. Ace We use Cisco switches and routers around here. I checked the config on the
router connecting VLANs A and B, and there are no ACLs between them. Any pointers as far as what kind of packets I should be looking for in network packet captures? I am going to collect traffic on both VLANs to see if that will help me getting to the bottom of this problem. Regards Marcin Ace Fekay [Microsoft Certified Trainer] wrote: >>> I'm just wondering with the poster's VLAN routing between switch ports if >>> there is anything being blocked. >> >> Could be. A lot of messes are created with ACLs in the name of >> "security". I suppose the router would log that if it was. > >Good point, depending on the switch vendor the VLANs are created on if >syslogging is available or enabled on it. Let's hope to hear back from the >poster to see how far he has taken it on his end to troubleshoot it. > >Ace -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-networking/200906/1 "marcin via WinServerKB.com" <u52472@uwe> wrote in message news:9773fd06212c3@uwe...>Any Nothing from me. I can't remember the last time I ever opened a "packet > pointers as far as what kind of packets I should be looking for in network > packet captures? I am going to collect traffic on both VLANs to see if > that > will help me getting to the bottom of this problem. sniffer". I can almost always solve problems without ever staring myself blind at packet captures. It's probably been 3 or 4 years since I ever used a "packet sniffer" for any "real" reason. There is just too many other "higher level" ways of solving problems to mess with that as far as I am concerned. -- Phillip Windell The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. ----------------------------------------------------- "marcin via WinServerKB.com" <u52472@uwe> wrote in message news:9773fd06212c3@uwe...> We use Cisco switches and routers around here. I checked the config on the WINS uses port 42 traffic. NetBIOS uses 139. NetBIOS broadcasts are stopped > router connecting VLANs A and B, and there are no ACLs between them. Any > pointers as far as what kind of packets I should be looking for in network > packet captures? I am going to collect traffic on both VLANs to see if > that > will help me getting to the bottom of this problem. > > Regards > Marcin on a router by default, which is fine, but when one machine queries WINS, it uses TCP 42. Ace
Show quote
Hide quote
"Ace Fekay [Microsoft Certified Trainer]" <ace***@mvps.RemoveThisPart.org> And the best way to debug browser problems is still the NT utility wrote in message news:u6xrKeu6JHA.5756@TK2MSFTNGP02.phx.gbl... > "marcin via WinServerKB.com" <u52472@uwe> wrote in message > news:9773fd06212c3@uwe... >> We use Cisco switches and routers around here. I checked the config on >> the >> router connecting VLANs A and B, and there are no ACLs between them. Any >> pointers as far as what kind of packets I should be looking for in >> network >> packet captures? I am going to collect traffic on both VLANs to see if >> that >> will help me getting to the bottom of this problem. >> >> Regards >> Marcin > > WINS uses port 42 traffic. NetBIOS uses 139. NetBIOS broadcasts are > stopped on a router by default, which is fine, but when one machine > queries WINS, it uses TCP 42. > > Ace > > > browstat. "Bill Grant" <not.available@online> wrote in message I agree. Great tool.news:eTAqV5v6JHA.4864@TK2MSFTNGP03.phx.gbl... > And the best way to debug browser problems is still the NT utility > browstat. > Ace I use browstat for troubleshooting. I posted the error messages from that
tool in my original message. Hopefully, I will have some packet captures to look at later today. Ace Fekay [Microsoft Certified Trainer] wrote: Show quoteHide quote >> And the best way to debug browser problems is still the NT utility >> browstat. > >I agree. Great tool. > >Ace -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-networking/200906/1 "marcin via WinServerKB.com" <u52472@uwe> wrote in message news:977d081d6521b@uwe...>I use browstat for troubleshooting. I posted the error messages from that Sorry about that. Re-reading the original post, I see you are getting an > tool in my original message. Hopefully, I will have some packet captures > to > look at later today. access denial message from VlanB to VlanA trying to find the master browser. The master browser is normally the PDC Emulator in the domain. I assume that DC with that role is on VlanA. You're router is allowing all traffic. Good. The domain master browser, as I mentioned, is the PDC Emulator. HOwever if the infrastructure is segmented, each segment will elect a master browser. The winner is determined by the operating system type and version. Obviously a 2003 server will win over a 2000 server, and a 2003 DC will win over a 2003 member server. The domain master will collect info from each master browser from each subnet to assemble a browse list that any machine requesting it, will show you a compiled list in Network Neighborhood. If the machines in VlanB are workstations, and are constantly restarted or not on, they will be constantly vying for browse master of the segment, and will give you unexpected results. I had a customer awhile back with a similar issue with a segmented LAN with 100 workstations, no servers. They were shutdown each night, sometimes restarted during the day, etc, so it was constantly changing the network neighborhood list of machines. I suggested to throw any old server over there to see what happens, not even a WINS server, just any, and it worked for them. Workstations are not the best for a segment's master browser. Going through the original post, you didn't mention if a DC or some other type of server is on the other VLAN. Is there one, or are they all workstations? I assume NetBIOS is not disabled on any machine? Have any lmhosts files been changed with any additions on any machine? And I assume there are not firewall running on the workstations on VlanB if there are no servers? I hope that helps to get a better handle of what's going on or what may be contributing to what's going on. Looking forward to what you find in the captures. Ace  
Other interesting topics
Server 2505 error
Multiple NICs in same segment server 2008 Taking ownership of files on remote computer Group Policy logon script not applied if connected by WiFi Multi-WAN loadbalancing & RRAS. Routing and Remote Access NAT - I need to modify TTL Remote AD offline and lack of access to local file server VPN/RRAS, Workgroup mode Reseting LAN interface count Windows 2000 server shared drive problem |
|||||||||||||||||||||||
