PDC and Browsing with Cisco VPN

Discussion in 'Server Networking' started by Jim Bowie, Aug 11, 2004.

  1. Jim Bowie

    Jim Bowie Guest

    I have a multi-site w2k3 Domain, each site has a w2k3 DC.
    The 4 sites are connected by Cisco 506e's using IPsec
    VPNs. Everything works fine from inside the network and
    AD and WINS all replicate. I can browse the remote sites
    and connect to resources.
    I can remote VPN into all four sites from home using Cisco
    VPN client and IAS authentication from the local w2k3 DC.
    I can connect to local PCs fine but can only browse on
    one site, the site with the PDC. If I move the PDC to
    another site the browsing follows?
    Cisco does not support site to site VPN traffic from a
    remote access VPN (in and out IPsec traffic on the same
    interface on the PIX, they say it is coming in v7 of the
    How can I work around this? Basically the site I connect to
    thinks the PDC is available, because it is to the local
    machines, just not to the remote access VPN.
    Jim Bowie, Aug 11, 2004
  2. Jim Bowie

    Bill Grant Guest

    It is normal for a remote user to request a browse list from the PDC.
    The PDC is the Domain Master Browser, and registers in WINS as such (i.e. it
    registers the <domainname 1b> special NetBIOS name). When a remote client
    wants a browse list, it queries WINS for this name, gets the PDC IP address
    and gets the browse list.

    Exactly where does this process fail? If machines in each site get a
    full browse list, the browser service must be merging the browse lists
    correctly. So the DMB should be able to deliver a full browse list to a
    remote client.

    What system the VPN is running on shouldn't have any effect on this. The
    browser service just uses local broadcasts to build the segment browse
    lists, then uses WINS and a NetBIOS port to merge them.
    Bill Grant, Aug 11, 2004
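The lookup Bill describes above (a remote client asking WINS for the <domainname 1b> name to find the domain master browser) can be reproduced on the wire, which is also the quickest way to do the traffic check he asks about later in the thread. The following is an added example, not code from the thread or from Microsoft or Cisco; it builds and parses NetBIOS Name Service (UDP/137) query packets per RFC 1001/1002 using only the Python standard library. The WINS address, the domain name `CORP` and the address `10.1.0.5` in the constructed sample replies are assumptions for illustration.

```python
"""Added example: resolve <DOMAIN><1b> (domain master browser) against WINS.
Packet layout per RFC 1001/1002; assumes a WINS server on UDP/137."""
import socket
import struct

NB_RR_TYPE = 0x0020          # RR_TYPE "NB" (NetBIOS general name service)
CLASS_IN = 0x0001
SUFFIX_DOMAIN_MASTER = 0x1B  # <1b> is registered by the PDC as domain master browser


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001 s.14.1): upper-case, pad with spaces
    to 15 bytes, append the suffix byte, then spell every nibble as a
    letter 'A'..'P'. Always yields 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(name: str, suffix: int, txid: int) -> bytes:
    """NAME QUERY REQUEST in the unicast form sent to WINS: OPCODE 0,
    NM_FLAGS RD=1, B=0 (flags 0x0100; a subnet broadcast would use 0x0110)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", NB_RR_TYPE, CLASS_IN))
    return header + question


def _skip_name(packet: bytes, offset: int) -> int:
    """Step over a length-prefixed name (or a 2-byte compression pointer)."""
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return offset
        if length & 0xC0 == 0xC0:
            return offset + 1
        offset += length


def parse_response(packet: bytes, expected_txid: int):
    """Parse a NAME QUERY RESPONSE into a list of (ip, is_group) pairs.
    An empty list is a negative response (RCODE != 0, e.g. 3 = NAM_ERR:
    nobody has registered that name with this WINS server)."""
    if len(packet) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: %#x" % txid)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        return []
    offset = 12
    for _ in range(qdcount):          # WINS normally echoes no question section
        offset = _skip_name(packet, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        if rtype == NB_RR_TYPE:       # RDATA: 6-byte entries of NB_FLAGS + IPv4
            for i in range(0, rdlen, 6):
                nb_flags, ip = struct.unpack_from("!H4s", packet, offset + i)
                addrs.append((socket.inet_ntoa(ip), bool(nb_flags & 0x8000)))
        offset += rdlen
    return addrs


def find_domain_master_browser(wins_ip: str, domain: str, timeout: float = 2.0):
    """Send <domain><1b> to WINS from the VPN client. No reply: WINS is not
    reachable over the tunnel. []: no PDC has registered <1b>. An address
    that then fails on TCP/139 or 445 is the routing problem in this thread."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, SUFFIX_DOMAIN_MASTER, txid), (wins_ip, 137))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def sample_positive_response(txid: int = 0x1234) -> bytes:
    """Constructed reply (not a capture): WINS says CORP<1b> is 10.1.0.5.
    Flags 0x8580 = response, AA, RD, RA; NB_FLAGS 0x4000 has the G bit clear
    (unique name, as <1b> must be)."""
    return (struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0)
            + b"\x20" + encode_netbios_name("CORP", SUFFIX_DOMAIN_MASTER) + b"\x00"
            + struct.pack("!HHIH", NB_RR_TYPE, CLASS_IN, 300000, 6)
            + struct.pack("!H4s", 0x4000, socket.inet_aton("10.1.0.5")))


def sample_negative_response(txid: int = 0x1234) -> bytes:
    """Constructed reply: RCODE 3 (NAM_ERR), nothing registered as CORP<1b>."""
    return (struct.pack("!HHHHHH", txid, 0x8583, 0, 1, 0, 0)
            + b"\x20" + encode_netbios_name("CORP", SUFFIX_DOMAIN_MASTER) + b"\x00"
            + struct.pack("!HHIH", NB_RR_TYPE, CLASS_IN, 0, 0))
```

Run `find_domain_master_browser("<wins ip>", "<domain>")` once from a LAN host and once from the Cisco VPN client: if both return the same address but only the LAN host can open TCP/139 or 445 to it, the name resolution is fine and the failure is purely the PIX not forwarding remote-access traffic onto the site-to-site tunnel. The two `sample_*` functions let the parser be exercised offline without a WINS server.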
  3. Not exactly.. The remote user will query its local SMB or segment
    master browser. The SMB queries the PDC of the domain for the
    domain wide list as well as gathering the local list and passing back
    to the DMB. The PDC by default will act as the SMB for its given
    endpoint. The DMB will query 1b entries in WINS in order to find
    other DMBs and request a browse list.
    Michael Giorgio - MS MVP, Aug 11, 2004
  4. Is it possible you've manually disabled the computer browser
    service on all of your remote machines? This would prevent
    one of them from acting as the SMB segment master browser.
    An SMB is responsible for gathering the local browse list and
    passing back to the PDC of the domain as well as passing the
    merged list back to all clients who request it.
    Michael Giorgio - MS MVP, Aug 11, 2004
  5. Jim Bowie

    Jim Bowie Guest

    When I connect via VPN to the site with the PDC I can
    browse fine.
    If I VPN to one of the other sites I cannot. The LAN to
    LAN connection cannot route my 'remote access' VPN
    connection data because it hits the same physical
    interface on the PIX. It cannot receive IPsec traffic
    from a remote user and resend it back to another site.
    So, from inside the network all PCs can connect to the
    PDC over the LAN to LAN VPN and the browse table is
    complete with all four sites included.
    Remote users can only pass data to and from the single
    site they connect to. If that site has the PDC all is
    well, otherwise no browsing, confusing!
    The question is: should or can I make browsing work with
    no PDC for remote users?
    Thanks for the help.
    Jim Bowie, Aug 12, 2004
  6. Jim Bowie

    Jim Bowie Guest

    Yikes, can you answer this simple question, exactly who
    does a remote user have to communicate with directly to
    get a browse list? If the answer is the PDC then I am
    hosed unless there is a work around.
    Jim Bowie, Aug 12, 2004
  7. Jim Bowie

    Bill Grant Guest

    Have you actually monitored the traffic to ensure that this happens? In
    my experience, a dialup type VPN remote host will try to find a master
    browser by doing a name server request for <domainname 1b>. I have never
    been able to make it do anything else.
    Bill Grant, Aug 12, 2004
  8. Jim Bowie

    Bill Grant Guest

    That must be a peculiarity of the Cisco VPN client. You should be able
    to route traffic between a remote client and any host in any site. You
    certainly can with the Windows VPN client to a RRAS server.

    Without a PDC, browsing is limited to the local segment. (Only a PDC has
    the ability to merge browse lists.) And as I stated earlier, this is no use
    to a remote client. The remote client only has a point to point connection
    to the LAN, so it cannot broadcast. It has to be able to query WINS to get
    the browse master's IP address, then contact the browse master directly.
    Bill Grant, Aug 12, 2004
  9. Remote clients do not query the 1b name in order
    to get the browse list they will query the SMB
    or segment master browser. Now are you
    saying this behavior is different when connected
    through a VPN?

    Segment master browser (SegMB): This can be any Windows NT Server,
    Workstation, or domain controller. It can also be a Windows 95 or
    Windows for Workgroups 3.11 computer. It is responsible for maintaining
    a browse list of the computers on its local segment, forwarding that
    list to the domain master browser, and requesting the domain browse list
    from the domain master browser. The SegMB will merge the domain list
    with its local list, and make that list available to any local client
    that requests it.
    Domain Browsing with TCP/IP and LMHOSTS Files

    Sure the clients will query the 1b name but not to
    get the browse list. When monitoring the traffic
    you shouldn't see the host name announcement
    packets going to the remote subnet.
    Michael Giorgio - MS MVP, Aug 12, 2004
  10. Yes and no. <g> At least one of your machines in the
    remote subnet will have to communicate with the PDC
    in order to act as the segment master browser. The rest
    of them do not.
    Michael Giorgio - MS MVP, Aug 12, 2004
  11. Okay now I understand what's going on here.. Without
    the presence of a PDC (DMB) to merge the list, browsing
    will not occur. Workgroups cannot span subnets without
    at least one DMB or domain master browser.
    Michael Giorgio - MS MVP, Aug 12, 2004
  12. Okay now I understand my confusion. <g> At least one
    of the remote machines must be able to contact the PDC in
    order to act as the SMB for its given endpoint, but the clients
    will not; they will contact their local SMB in order to get the
    browse list. My apologies, as it seems we were both right. <g>
    Michael Giorgio - MS MVP, Aug 12, 2004
  13. Jim Bowie

    Jim Bowie Guest

    Can you please correct me if I have misunderstood this.
    When I VPN in to a network and I am the first or only VPN,
    my machine will contact the PDC in order to become an SMB
    for my (remote) subnet? If it cannot contact the PDC it
    will simply fail to be able to browse.
    Is there a way to work around this by having my VPN IP
    pool in the same subnet as the host site?
    Thanks in advance.
    Jim Bowie, Aug 13, 2004
  14. Jim Bowie

    Bill Grant Guest

    Putting the remote in the same subnet as the site to which it connects
    doesn't really solve anything. The real problem is that the remote client
    cannot use broadcasts. Browsing essentially relies on broadcasts to build
    the browse list.

    Browsing from a remote client is possible, but not easy. It is only
    possible if a domain exists. (And the remote client itself will not appear
    in the browse list, because it is not really on a LAN segment).
    Bill Grant, Aug 13, 2004
  15. Now you've completely lost me. The VPN server
    will block broadcast packets? Broadcasts do not
    traverse routers but that doesn't prevent cross subnet
    browsing e.g., WINS, lmhosts.
    Michael Giorgio - MS MVP, Aug 13, 2004
  16. Jim Bowie

    Jim Bowie Guest

    I have lost the plot!
    When I VPN into the site that has the PDC I can browse so
    whatever is needed can traverse my IPsec VPN.
    Windows 2003 allows me to move the PDC from site to site.
    I can browse any site if I connect to it directly and the
    PDC is resident at that site.
    Jim Bowie, Aug 13, 2004
  17. Jim,
    Sorry for the confusion. Yes but can the remote
    site see the PDC? At least one machine in the
    remote site must act as the SMB and contact the
    Michael Giorgio - MS MVP, Aug 16, 2004
