Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows Server 2003Windows 2000Windows NTSmall Business ServerVirtual ServerExchange ServerIISHost Integration ServerISA ServerSMSWSUSMOMWindows Media ServerSecurityCertification
Related Topics
SQL ServerMS WindowsMS OfficePC HardwareMore Topics ...
Windows Server Forum / Small Business Server / SBS 2000 / March 2004

Tip: Looking for answers? Try searching our database.

Browsing Network Neighbourhood over VPN - FIXED!!

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Richard Prossor - 30 Mar 2004 09:49 GMT
Part of KB292822 is now wrong. Refer to KB830063.

KB292822 requires you to set up a registry key DisableNetBIOSoverTcpip.
However, this together with the application of Service Pack 3 and above
prevents browsing by network neighbourhood.

KB830063 advises you to delete this registry key. Browsing is then restored.

Hope this helps

Regards

Richard
Reply to this Message
Jeff Middleton [SBS-MVP] - 30 Mar 2004 14:36 GMT
I believe that kb830063 is simply wrong for an SBS, quite possibly just
wrong.

You should NEVER have Nbt enabled on RRAS adapters on an SBS. More
specifically, you CANNOT multihome Netbios on a DC...peroid. It is contrary
to the design of Microsoft Networking requirements for Netbiod...period.
There's no hotfix about this, this is MS Networking law.

You must always disable Netbios on all secondary adapters on a DC running
RRAS because otherwise, the DC attempts to become Segment Master Browser on
more than one network segment, listening and reporting to itself only what
it hears on one segment or the other, but not both. That's what leads to
browser failures. The exception to this behavior is that if the RRAS adapter
is not routing, rather is a PPP connection for a single client being given
Ips on the same subnet as the LAN, then the DC involved will treat both the
LAN and the PPP link as a single segment.

The correct solution to the problem described is to enable WINS on the DC
(in this case the SBS) and provide the WINS server settings in the RRAS DHCP
configuration, as well as DNS. In this way, RRAS clients will be able to
resolve network (LAN) browsing correctly. XP/W2K clients will pull from DNS,
legacy clients will query WINS, the DC will ignore Master Browser role for
the RRAS link on a different subnet or will include PPP clients accordingly.

...related to this....

Richard, I scrolled down in the NG to read several of the last posts you
made related to VPN connections and IP assignments. I can see that you have
been working on this for some time and with some frustrations. I realize
that you are not likely to want to "break" the solution you have working
just because I have stated above that it is wrong.

When configuring remote clients to connect via RRAS (either dialup or VPN),
you can assign static IPs. It's possible to assign them either in the same
subnet or on a different subnet. But here is where the discussion above goes
to a new level of complexity.

What I recommend as your best practice is to follow the directions I gave at
the top, and then continue with the following.

I recommend that when you want to configure static IPs for RRAS connected
clients, you should use a different subnet. Do this by creating an
additional DHCP Scope for the new subnet. Then configure all or part of that
range to the RRAS assigned by DHCP. Enable RRAS for routing. Finally, assign
static IPs for the user accounts you intend to have connect via RRAS in the
(AD Users and Computers) user account properties for Dialup Networking in
the section for "assign a static IP". Finally, in the DHCP scope for the LAN
that supports all the rest of your workstations, add the setting to "default
gateway" and point that at the LAN IP of the SBS (assuming that your SBS is
running ISA and is supporting web traffic on a second NIC). You will need to
decide if you want ISA to filter this subnet, or not. If you add this new
subnet to the LAT, it will be treated as a trusted subnet, but the other
option is to setup filters to pass only the traffic you want from RRAS
connections.

If you use a router on the LAN to reach the web, the alternative is to set a
static route on the router to point at the SBS as gateway for the subnet you
just created, or create a static route on each workstation/server in the LAN
pointing at the SBS LAN IP as the gateway for the subnet you are giving to
the RRAS clients.

With the above configuration, your users always get a static IP, and their
connection is routed into the LAN. With the SBS as either the default route
gateway out of the LAN, or as the gateway for all workstations looking for
the new subnet these RRAS users will appear on, you will have IP routing
work correctly for all users. The above information at that very top will
provide correct browsing support, and using WINS and DNS will enable all
subnets to see each other in Network Neighborhood as expected. This is how
MS Networking is designed to work with a scenario of a physically or
logically multihomed DC running name resolution for MS Networking. This
solution works in all cases.

In addition, you have an added benefit now. By putting the RRAS connections
on a different subnet, you now have the option to configure specific rules
in ISA to filter the RRAS connections. You can configure this so that you
only allow the protocols you want for specific connections, or you can leave
it wide open.

Further benefits.....if you have users who have laptops they use in the
office or out, they can now have a particular IP they are on when in the
LAN, and a different one when they are on RRAS. This can allow for
additional configuration options, but more importantly, it assures that the
configuration can match the needs of the condition they connect by. For home
based computers, the use of the static IP allows for mapping printers to be
reached via TS or RDP connections using the static IP as the port.

> Part of KB292822 is now wrong. Refer to KB830063.
>
[quoted text clipped - 9 lines]
>
> Richard
Reply to this Message
Richard Prossor - 31 Mar 2004 12:18 GMT
Jeff

Thanks for your reply. Yes this is causing me some frustration - not least
because it was all working fine up to the end of November last year. I would
appreciate your help on notes I have put against relevant sections below so
that I can get the whole thing working as designed.

As background, my SBS server started life a number of years ago and has been
upgraded through 4.5 and then to 2k. It has 2 NICs, and is now connected via
ADSL  (Speedtouch 510) using smallbizserver.net guidance. The original
domain name is PROSSORNT and my external domain is PROSSOR.COM. For some
reason when the upgrade to SBS2k was done the engineer doing the install
created the active directory domain as PROSSORSNT.PROSSORS.COM.  From all
posts I believe I am stuck with this. However it does have some bearing
because all my users log on to PROSSORNT and the system is running in mixed
mode.

see notes below .......

> I believe that kb830063 is simply wrong for an SBS, quite possibly just
> wrong.
[quoted text clipped - 3 lines]
> to the design of Microsoft Networking requirements for Netbiod...period.
> There's no hotfix about this, this is MS Networking law.

I have re added the DisableNetbiosOverTcpip key in registry. Subsequently I
have deleted WINS active registrations on the server.

> You must always disable Netbios on all secondary adapters on a DC running
> RRAS because otherwise, the DC attempts to become Segment Master Browser on
[quoted text clipped - 7 lines]
> The correct solution to the problem described is to enable WINS on the DC
> (in this case the SBS) and provide the WINS server settings in the RRAS DHCP

WINS is running on the SBS server. RRAS properties IP tab has the Adapter
setting pointing to the Internal NIC.

> configuration, as well as DNS. In this way, RRAS clients will be able to
> resolve network (LAN) browsing correctly. XP/W2K clients will pull from DNS,
> legacy clients will query WINS, the DC will ignore Master Browser role for
> the RRAS link on a different subnet or will include PPP clients accordingly.

this does not happen. I can connect to all resources using \\servername but
cannot browse from VPN.  I can ping by name or by IP.

> ...related to this....
>
[quoted text clipped - 14 lines]
> I recommend that when you want to configure static IPs for RRAS connected
> clients, you should use a different subnet. Do this by creating an

In RRAS properties IP tab, I selected a range of static IP's to be assigned
172.16.0.1 to 172.16.0.50. The whole range is already included in the LAT.

(BTW I could not connect to resources on the internal LAN even with
\\servername from VPN where the internal resource had a non-dhcp assigned IP
even though the name was resolved - ping would resolve the name to IP but
then would not be able to communicate.  I could only connect if the VPN
addresses were in the same scope as the internal ones (i.e not static pool).
I have now resolved this by entering reservations in my internal scope and
assigning all addresses by DHCP)

> additional DHCP Scope for the new subnet. Then configure all or part of that
> range to the RRAS assigned by DHCP. Enable RRAS for routing. Finally, assign

RRAS properties General tab - Router ticked and LAN and demand dial routing
selected, Remote access server ticked.

> static IPs for the user accounts you intend to have connect via RRAS in the
> (AD Users and Computers) user account properties for Dialup Networking in

This is greyed out. I understand the option is only available if running in
native rather than mixed mode.

> the section for "assign a static IP". Finally, in the DHCP scope for the LAN
> that supports all the rest of your workstations, add the setting to "default
> gateway" and point that at the LAN IP of the SBS (assuming that your SBS is

Please clarify what you mean by this. I don't understand.

> running ISA and is supporting web traffic on a second NIC). You will need to
> decide if you want ISA to filter this subnet, or not. If you add this new
> subnet to the LAT, it will be treated as a trusted subnet, but the other
> option is to setup filters to pass only the traffic you want from RRAS
> connections.

I am using a LAT range for RRAS static pool

> If you use a router on the LAN to reach the web, the alternative is to set a
> static route on the router to point at the SBS as gateway for the subnet you

Can you clarify this. My ADSL has an IP of 80.176.221.153 and my external
network card is 80.176.221.154. the properties of the external NIC have the
router as the gateway. To set up a static route in the router I need a
destination, source, gateway and interface. What should these be? (Is this
where my problem really lies?)

> just created, or create a static route on each workstation/server in the LAN
> pointing at the SBS LAN IP as the gateway for the subnet you are giving to
[quoted text clipped - 39 lines]
> >
> > Richard
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.