Browsing "my network places" from trusted domain doesn't work

Status
Not open for further replies.

bbiandov

MIS
Jun 6, 2001
6
Hi,

Two domains, two-way trust. Anyone can log in from any PC member of any domain. Only problem is that when a user of domain A logs into a PC which is a member of domain B, then "my network places" can only browse domain B objects.

Sure, you can use UNC to access resources of domain A, and domain A also shows up in my network places, but if you open it you get an error.

So in summary, it appears that "my network places" can only see objects of the domain that the PC is a member of, not the other domain.

Any remedies?
Thanks
B
 
Make them all use a common WINS server or set of servers that are replicating. WINS is not bound to any particular domain, so there's no reason why they can't be integrated. WINS has a lot to do with creating the browsing environment.

ShackDaddy
Shackelford Consulting
 
Hi

Thanks for your feedback but I am looking for more precise info. The answer is not WINS, as non-WINS nets browse just fine across routers as long as the PC which is doing the browsing is a member of the domain that needs to be seen under 'my network places'.

There is something peculiar about a PC being able to see a domain that the PC is not a member of, although that domain is two-way trusted to the domain of which the PC is a member.

Thanks
~B

 
All trusts do is facilitate authentication, not browsing environments.

Read the "Computer Browser" section of this document on the Computer Browser service. Look at the roles that the systems play in the browsing environment. They are mainly domain-specific. This is a helpful document:


That being said, one thing you might try if your domains exist on different subnets is to have a workstation in each subnet that is a member of the domain that is not native to that subnet. So if you have two offices connected by a VPN, make sure that in each site, you have a workstation that's a member of the domain that's at the other end of the VPN. That workstation will work as a Master Browser for that subnet and will gather information about local resources and will supply it to the Domain Master Browser, which is usually the DC of the domain.

The reason why I recommended WINS is because that specifically brings information about NetBIOS resources in both domains into one place.

ShackDaddy
Shackelford Consulting
 
Thanks, I didn't explain why WINS would not work but thanks for the other suggestion on the master browser.

On the WINS issue -- basically I am almost certain that dupes will occur, meaning that there are duplicate NetBIOS names and the only reason it works now is due to the different DNS zones. For example exch03.corp1.com is different than exch03.corp2.com but in WINS this will present a problem.

Now that I am thinking about it - I'm screwed either way. Even if exch03 shows up correctly, clicking it will resolve to the wrong server since the PC will add the DNS suffix for the domain it is a member of, no matter that we clicked on the object which shows up under the other domain. Whatta mess.

~B

domaintrusts1.jpg
 
Great diagram.

So I would recommend my recommendation (ha ha) about keeping a foreign workstation in each subnet even more strongly. [2thumbsup]

It's like keeping a spy out there to report resources on those subnets for you.

Don't you agree?

ShackDaddy
Shackelford Consulting
 
BTW, you are right about the dupe name issue being a problem. I'm trying to think of a good solution outside of renaming servers, but I can't think of one yet. Sounds like it's going to have to be FQDN city over there.

ShackDaddy
Shackelford Consulting
 
Yep, I agree. But that brings up yet another question - can NetBIOS be converted so that it uses FQDN rather than just the host names? In other words - can 'my network places' show FQDNs? I have personally never seen anything like that.

Alternatively I would like to see from MS a way to change the default DNS suffix based on context. So it would work like that - you click on the domain that you want to browse and boom, the suffix is now changed to that domain so consequently any further clicks that will drill deeper into the domain name will be added and voila, proper FQDN will be constructed. Dream on... :)

That suffix is a really bad idea - I mean it's bad it being statically configured based on the domain membership of the PC. What if the entire Internet converts to Active Directory one day? You can't expect to have all unique host names LOL
 
Could you set a suffix search order in each domain that includes the other domain but prioritizes the local domain? Won't that solve all but a handful of your issues? I guess one thing I don't know is how large each of your domains is.

I worked for a company once that had about 200 users and 45 servers and we were bought by a larger company that had around 4000 users and who-knows-how-many servers. There were some duplicate names out there, but they'd created a fairly unique internal naming scheme, so there were no conflicts when it came to critical resources.

Also, in W2K and more recent OSs, you can use FQDNs in UNC paths, so we just learned to always use those, especially since we weren't the only acquisition of the larger company and there were always new resource groups being added. As long as everyone had their own unique DNS namespace, we didn't really have any issues accessing resources.

ShackDaddy
Shackelford Consulting
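
The suffix search order idea from the last posts, as an added example that is not part of the original thread: a simplified Python model of a suffix search list (not the full Windows resolver) showing which server a short name such as exch03 resolves to, and an audit that lists the short names that must be addressed by FQDN. The zone names and exch03 come from the thread; the other hosts, all addresses, and the function names are constructed for illustration.

```python
# Simplified model of a DNS suffix search list (not the full Windows resolver).
# Zone names and exch03 are from the thread; other hosts and all addresses
# are constructed sample data.
ZONES = {
    "corp1.com": {"exch03": "10.1.0.25", "dc01": "10.1.0.10", "files1": "10.1.0.40"},
    "corp2.com": {"exch03": "10.2.0.25", "dc02": "10.2.0.10", "print1": "10.2.0.50"},
}


def resolve(name, search_order, zones=ZONES):
    """Return (fqdn, address) or None.

    A name ending in a known zone is looked up as an FQDN. A single-label
    name is tried against each suffix in order; the first match wins.
    """
    name = name.lower().rstrip(".")
    for zone, hosts in zones.items():
        if name.endswith("." + zone):
            label = name[: -len(zone) - 1]
            return (name, hosts[label]) if label in hosts else None
    for suffix in search_order:
        if name in zones.get(suffix, {}):
            return (f"{name}.{suffix}", zones[suffix][name])
    return None


def shadowed_names(search_order, zones=ZONES):
    """Map each colliding short name to [winning fqdn, hidden fqdns...]."""
    report = {}
    for i, suffix in enumerate(search_order):
        for label in zones.get(suffix, {}):
            if label in report:
                continue
            hidden = [f"{label}.{s}" for s in search_order[i + 1:]
                      if label in zones.get(s, {})]
            if hidden:
                report[label] = [f"{label}.{suffix}"] + hidden
    return report


if __name__ == "__main__":
    order = ["corp2.com", "corp1.com"]  # PC joined to corp2, corp1 searched second
    print(resolve("exch03", order))            # short name: local zone wins
    print(resolve("exch03.corp1.com", order))  # FQDN: unambiguous
    print(shadowed_names(order))               # names that need an FQDN
```

Running the audit against a real host inventory before merging search lists shows exactly which servers users would silently reach in the wrong domain when they type or click a short name.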
 