
Windows Domain browsing across VLANs??

Status
Not open for further replies.
Sep 17, 2003
Hello,

Thanks for taking the time to read this! Recently we moved from a Cisco 2948L3 to a Cisco 3750G.

Everything is good at a gigabit, but I can't connect to remote Windows shares across the VLANs.

Within VLANs all is well, but when I try to click on a Windows box that resides in another VLAN, in the My Network Neighborhood desktop icon, the request times out, telling me "\\computername is not accessible. You might not have permission to use this network resource. Contact the administrator..."

But when I move to a machine in the SAME VLAN as \\computername and log in as the same user who was just denied, I get right in, so I don't think it's a permissions thing!

Thanks, Joe
 
try adding this line:

ip forward-protocol udp netbios-ss
 
It sounds like one of 2 things - either name resolution or IP routing. Try the following to determine which:

Open a command prompt on your PC and ping the IP address of one of the PCs you are trying to access. i.e. ping 10.1.1.1

Open a command prompt on your PC and ping the hostname of one of the PCs you are trying to access. i.e. ping userpc-1

Do either fail? If they both work it may be a routing issue with your DC's - re-try both commands from a DC

HTH

Andy
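
Added example, not part of the original posts: a Python sketch that extends the two ping checks above with a TCP probe, so a host that answers ping by name but refuses share connections is classified separately. The ports (445 and 139), the function names and the stage labels are assumptions of this example.

```python
import socket
import sys

# TCP ports a Windows file-share session uses (added here, not from the thread):
# 445 = SMB directly over TCP, 139 = NetBIOS session service.
SHARE_PORTS = (445, 139)

def tcp_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(host, resolve=socket.gethostbyname, probe=tcp_open):
    """Classify a failed share connection as (stage, detail)."""
    try:
        ip = resolve(host)
    except OSError as exc:
        return ("name-resolution", f"{host} did not resolve: {exc}")
    reachable = [port for port in SHARE_PORTS if probe(ip, port)]
    if not reachable:
        return ("session-blocked",
                f"{host} resolves to {ip} but TCP {SHARE_PORTS} are closed or "
                "filtered; check routing, ACLs and host firewalls between VLANs")
    return ("reachable",
            f"{host} ({ip}) accepts TCP {reachable}; look at authentication "
            "and domain controller reachability next")

if __name__ == "__main__":
    # "userpc-1" is the example hostname from the post above.
    target = sys.argv[1] if len(sys.argv) > 1 else "userpc-1"
    stage, detail = triage(target)
    print(f"[{stage}] {detail}")
```

Run it from a client in one VLAN against a host in another, then again from a machine in the target's own VLAN; a different stage between the two runs points at the path between the VLANs.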

 
Sorry, I should have included this information in the initial post, I can ping, by name, a machine I can't browse to...

adding "ip forward-protocol udp netbios-ss" did not help...

Thanks All, any further tips will be greatly appreciated...

Joe
 
Adding 'ip forward-protocol udp netbios-ss' is likely to lead to NetBIOS Master Browser issues anyway so I would avoid doing that.

Can you connect to a server/pc using the command \\servername\?

Andy
 
I can not connect with c:\net use z: \\servername\sharename...

I think a few machines escaped my grasp with the computer browser service running, could that be it?

Thanks All! Joe
 
For browsing to work you must have a Master Browser per IP Subnet/Network. In a Microsoft environment this is negotiated per subnet/network and one PC will become the Master Browser with another elected a Backup Browse Master - both these will hold the Browse list for the Subnet/Network. There are tools in the Resource Kit to see who is the master browser but you can check by using the command line tool 'nbtstat -n'. The one that has the line '..__MSBROWSE__..' is the Master Browser.

BUT even if there are Master Browser issues, doing a 'start', 'run' '\\server1' should connect you directly to the machine, bypassing the browser stuff.

Is it an authentication issue - i.e. can your Domain Controllers reach all the IP networks using names (i.e. ping host names from the DC?).

Andy
 
Andy,

Can you please elaborate more on the master browser setup. Each subnet requires one for devices on that subnet to be able to access it? How will ip forward-protocol udp netbios-ss impact this? The reason I'm asking is because this is a command that I see enabled on the router, and was concerned about what you wrote.

Thanks!
 
By default, when you enable IP helpers, 9 UDP protocols are forwarded. If the desired behaviour is just to get DHCP/BOOTP working, then you should disable the other protocols with the global config commands:

no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

With Windows Networking using NetBIOS over TCP/IP (NetBT) each IP network or subnet requires a Windows Networking host to hold the list of servers (the Browse List). Machines on the network/subnet contact the Master Browser for the list when you open network neighborhood or type net view from a command prompt. The Master Browser and a backup browser are elected per network/subnet (based on system type and version), they can also be manually forced to operate as on or off by a registry tweak.


If you don't disable the forwarding of the NetBIOS-NS broadcasts some of the Browser traffic can 'leak' between networks/subnets and cause Master Browser elections or allow a subnet to operate without a Master Browser.

It sounds more like a DC issue or Domain configuration issue. Have you configured the various subnets within Active Directory Sites & Services?

Andy
 

I know I am coming in to this late, but I have not read any proof that there is an ip helper-address in place on the VLAN outside of the server's VLAN.

MusicManJoe, can you do a show run and verify this?


Experience is a tough teacher.
The test comes first, the lesson comes later...
 
Thanks All!

I do have an IP Helper statement in the definition of every VLAN which requires it. We use Small Business Server here, and of course that machine hosts AD and is also our DHCP server. So every VLAN which has Windows hosts also has hosts using DHCP, so the correct IP Helper statements are already in place. All 9 UDP protocols are being forwarded, that is, I'm not blocking any of them...

ADB100, you mention needing to setup subnets in the AD Sites & Services, could you elaborate, please?

Thanks, Joe
 
Open Active Directory Sites & Services; from here you should be able to define your various subnets and attach them to the different sites you have in your AD. It is possible you only have the Default-First-Site and all your PCs, servers, etc. exist in this default container.

I would suggest you block the forwarding of all UDP broadcasts except DHCP.

It is a bit tricky trying to diagnose this any further to be honest..... I have a similar test setup and I know it works.

What is slightly confusing is you say you can't connect directly by doing a Start, Run, \\servername, since this bypasses the Browser stuff and should connect directly to the server in question.

Andy
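
Added example, not part of the original posts: a Python check for the advice in the two posts above (disable the extra `ip forward-protocol udp` services; forward nothing but DHCP). It reads a saved running-config and lists what a helper address would still relay. The sample config, function names and addresses are constructed, and the `bootps`/`bootpc` keywords are added here as the two DHCP/BOOTP services that complete the seven named in the thread.

```python
import re

# Keywords for the UDP services IOS forwards once an ip helper-address exists:
# the seven listed in the thread plus the two BOOTP/DHCP ports (added here).
DEFAULT_FORWARDED = {"tftp", "nameserver", "domain", "time", "netbios-ns",
                     "netbios-dgm", "tacacs", "bootps", "bootpc"}
DHCP_ONLY = {"bootps", "bootpc"}
RULE = re.compile(r"(no )?ip forward-protocol udp (\S+)")

def forwarded_udp(config):
    """Return the UDP service keywords a helper address would relay."""
    forwarded, has_helper = set(DEFAULT_FORWARDED), False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip helper-address "):
            has_helper = True
        match = RULE.fullmatch(line)
        if match and match.group(1):
            forwarded.discard(match.group(2))   # "no ..." turns a service off
        elif match:
            forwarded.add(match.group(2))       # explicit enable, e.g. netbios-ss
    return forwarded if has_helper else set()

def excess_forwarding(config):
    """Services relayed beyond DHCP/BOOTP, sorted for stable reporting."""
    return sorted(forwarded_udp(config) - DHCP_ONLY)

# Constructed sample, not the poster's running-config; 192.0.2.10 is a
# documentation address standing in for the DHCP server.
SAMPLE = """\
ip forward-protocol udp netbios-ss
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 192.0.2.10
"""

if __name__ == "__main__":
    for name in excess_forwarding(SAMPLE):
        print(f"still forwarded: {name}  (fix: no ip forward-protocol udp {name})")
```

The parser only understands the keyword form used in the thread; services configured by numeric port would need a port-to-keyword map.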
 