Incomplete Browse List After Active Directory 2003 Upgrade

I upgraded our Active Directory Domain to 2003 from 2000. The upgrade itself
went without any problems. The only residual item is the Browse List - which
was working well under the 2000 Domain. NetBIOS is and has always been
running on all machines. The Server Service is running on all machines as
well. Now after the Domain 2003 upgrade the Browse List for the domain is
incomplete. There should be approximately 125 objects in the browse list,
including about 15 servers and the rest XP workstations. I am now seeing only
about 35 objects post-upgrade. These objects include a smattering of
workstations and servers from 3 out of 5 VLAN's (that is, 2 VLAN's are now
completely missing). We are operating in a single site.

I promoted 2 new Server 2003 machines as Domain Controllers. I have 3
existing Win2k DC's which I am going to demote and then remove. One of the
two new DC's (WV1-SDC01) has received all of the FSMO roles, including the
PDC Emulator; this machine is also running WINS and DHCP. The W2k machine
that was running WINS and DHCP had the "IsDomainMaster" registry entry for
Browser Parameter set to TRUE, which I subsequently set to FALSE. Conversely,
on the new W2k3 machine, I set IsDomainMaster to TRUE (was FALSE initially).

The new DHCP server on WV1-SDC01 is configured to point clients to the new
WINS server on the same machine. I have verified that clients from all VLAN's
are getting their IP's from the new W2k3 DHCP server and are registering in
WINS on the W2k3 server. I did not "move" either of the DHCP or WINS
databases. Initially, I replicated the old WINS server with the new one on
WV1-SDC01 to make sure that records for the machines existed in WINS. I then
turned down the old DHCP server, authorized the new DHCP server on WV1-SDC01
and then rebooted all the clients.

I configured an account for DNS Updating in DHCP. Initially this account was
only in the DnsUpdateProxy group, and I was receiving 566 (dnsNode Object
Access) errors in the Security log. These ceased after I added the account to
the DNS Admins group.

Another very strange thing I noticed is that the Backup Browser as reported
by both "BrowStat Status" and the old "BrowMon" is constantly changing. If I
run "Browstat Status" on WV1-SDC01, WV1-SDC02 (the other new 2003 DC) and
BrowMon on one of the old DC's (named BOS1), I generally get different
results for the Backup Browsers than the BrowStat. If I run "BrowStat Status"
several times in a row on WV1-SDC01, I get a different result set about every
15 seconds. It's like a "Browsers Gone Wild" video. Here's a sample output.

Status for domain XXXXX on transport
\Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
Browsing is active on domain.
Master browser name is: WV1-SDC01
Master browser is running build 3790
3 backup servers retrieved from master WV1-SDC01
\\WV-TEMPDC01
\\WV1-SDC01
\\AHA202-DC02
There are 36 servers in domain IN-THREE on transport
\Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
There are 3 domains in domain IN-THREE on transport
\Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}

Note: On the 3 domains: one is 2 public DNS servers, the other is a
"workgroup" machine, a new install.

Has anyone seen this kind of activity? Any help would be greatly appreciated.

In news:56198965-AE49-40D7-8554-(E-Mail Removed),
tsalciccia <(E-Mail Removed)> stated, which I commented
on below:
> I upgraded our Active Directory Domain to 2003 from 2000. The upgrade
> itself went without any problems. The only residual item is the
> Browse List - which was working well under the 2000 Domain. NetBIOS
> is and has always been running on all machines. The Server Service is
> running on all machines as well. Now after the Domain 2003 upgrade
> the Browse List for the domain is incomplete. There should be
> approximately 125 objects in the browse list, including about 15
> servers and the rest XP workstations. I am now seeing only about 35
> objects post-upgrade. These objects include a smattering of
> workstations and servers from 3 out of 5 VLAN's (that is, 2 VLAN's
> are now completely missing). We are operating in a single site.
>
> I promoted 2 new Server 2003 machines as Domain Controllers. I have 3
> existing Win2k DC's which I am going to demote and then remove. One
> of the two new DC's (WV1-SDC01) has received all of the FSMO roles,
> including the PDC Emulator; this machine is also running WINS and
> DHCP. The W2k machine that was running WINS and DHCP had the
> "IsDomainMaster" registry entry for Browser Parameter set to TRUE,
> which I subsequently set to FALSE. Conversely, on the new W2k3
> machine, I set IsDomainMaster to TRUE (was FALSE initially).
>
> The new DHCP server on WV1-SDC01 is configured to point clients to
> the new WINS server on the same machine. I have verified that clients
> from all VLAN's are getting their IP's from the new W2k3 DHCP server
> and are registering in WINS on the W2k3 server. I did not "move"
> either of the DHCP or WINS databases. Initially, I replicated the old
> WINS server with the new one on WV1-SDC01 to make sure that records
> for the machines existed in WINS. I then turned down the old DHCP
> server, authorized the new DHCP server on WV1-SDC01 and then rebooted
> all the clients.
>
> I configured an account for DNS Updating in DHCP. Initially this
> account was only in the DnsUpdateProxy group, and I was receiving 566
> (dnsNode Object Access) errors in the Security log. These ceased
> after I added the account to the DNS Admins group.
>
> Another very strange thing I noticed is that the Backup Browser as
> reported by both "BrowStat Status" and the old "BrowMon" is
> constantly changing. If I run "Browstat Status" on WV1-SDC01,
> WV1-SDC02 (the other new 2003 DC) and BrowMon on one of the old DC's
> (named BOS1), I generally get different results for the Backup
> Browsers than the BrowStat. If I run "BrowStat Status" several times
> in a row on WV1-SDC01, I get a different result set about every 15
> seconds. It's like a "Browsers Gone Wild" video. Here's a sample
> output.
>
> Status for domain XXXXX on transport
> \Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
> Browsing is active on domain.
> Master browser name is: WV1-SDC01
> Master browser is running build 3790
> 3 backup servers retrieved from master WV1-SDC01
> \\WV-TEMPDC01
> \\WV1-SDC01
> \\AHA202-DC02
> There are 36 servers in domain IN-THREE on transport
> \Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
> There are 3 domains in domain IN-THREE on transport
> \Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
>
> Note: On the 3 domains: one is 2 public DNS servers, the other is a
> "workgroup" machine, a new install.
>
> Has anyone seen this kind of activity? Any help would be greatly
> appreciated.

Interesting issue. Curious, are the WINS server only pointing to themselves
for WINS? This is actually a requirement in order that it owns it's own
record. This may also be a firewall issue, but that's a guess at this point,
since you state it worked prior to this.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...

The WINS server (WV1-SDC01) is pointing to itself. I noticed in 2003 that you
cannot add Primary and Secondary WINS servers to itself (which is also
recommended in W2k). There is no internal firewall; traffic is unrestricted
between VLAN's. I am going to demote 2 of the old W2k Servers today and see
if that brings any stability to the system.

"Ace Fekay [MVP]" wrote:

> In news:56198965-AE49-40D7-8554-(E-Mail Removed),
> tsalciccia <(E-Mail Removed)> stated, which I commented
> on below:
> > I upgraded our Active Directory Domain to 2003 from 2000. The upgrade
> > itself went without any problems. The only residual item is the
> > Browse List - which was working well under the 2000 Domain. NetBIOS
> > is and has always been running on all machines. The Server Service is
> > running on all machines as well. Now after the Domain 2003 upgrade
> > the Browse List for the domain is incomplete. There should be
> > approximately 125 objects in the browse list, including about 15
> > servers and the rest XP workstations. I am now seeing only about 35
> > objects post-upgrade. These objects include a smattering of
> > workstations and servers from 3 out of 5 VLAN's (that is, 2 VLAN's
> > are now completely missing). We are operating in a single site.
> >
> > I promoted 2 new Server 2003 machines as Domain Controllers. I have 3
> > existing Win2k DC's which I am going to demote and then remove. One
> > of the two new DC's (WV1-SDC01) has received all of the FSMO roles,
> > including the PDC Emulator; this machine is also running WINS and
> > DHCP. The W2k machine that was running WINS and DHCP had the
> > "IsDomainMaster" registry entry for Browser Parameter set to TRUE,
> > which I subsequently set to FALSE. Conversely, on the new W2k3
> > machine, I set IsDomainMaster to TRUE (was FALSE initially).
> >
> > The new DHCP server on WV1-SDC01 is configured to point clients to
> > the new WINS server on the same machine. I have verified that clients
> > from all VLAN's are getting their IP's from the new W2k3 DHCP server
> > and are registering in WINS on the W2k3 server. I did not "move"
> > either of the DHCP or WINS databases. Initially, I replicated the old
> > WINS server with the new one on WV1-SDC01 to make sure that records
> > for the machines existed in WINS. I then turned down the old DHCP
> > server, authorized the new DHCP server on WV1-SDC01 and then rebooted
> > all the clients.
> >
> > I configured an account for DNS Updating in DHCP. Initially this
> > account was only in the DnsUpdateProxy group, and I was receiving 566
> > (dnsNode Object Access) errors in the Security log. These ceased
> > after I added the account to the DNS Admins group.
> >
> > Another very strange thing I noticed is that the Backup Browser as
> > reported by both "BrowStat Status" and the old "BrowMon" is
> > constantly changing. If I run "Browstat Status" on WV1-SDC01,
> > WV1-SDC02 (the other new 2003 DC) and BrowMon on one of the old DC's
> > (named BOS1), I generally get different results for the Backup
> > Browsers than the BrowStat. If I run "BrowStat Status" several times
> > in a row on WV1-SDC01, I get a different result set about every 15
> > seconds. It's like a "Browsers Gone Wild" video. Here's a sample
> > output.
> >
> > Status for domain XXXXX on transport
> > \Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
> > Browsing is active on domain.
> > Master browser name is: WV1-SDC01
> > Master browser is running build 3790
> > 3 backup servers retrieved from master WV1-SDC01
> > \\WV-TEMPDC01
> > \\WV1-SDC01
> > \\AHA202-DC02
> > There are 36 servers in domain IN-THREE on transport
> > \Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
> > There are 3 domains in domain IN-THREE on transport
> > \Device\NetBT_Tcpip_{95A70459-0194-4351-9061-C44696FAC49B}
> >
> > Note: On the 3 domains: one is 2 public DNS servers, the other is a
> > "workgroup" machine, a new install.
> >
> > Has anyone seen this kind of activity? Any help would be greatly
> > appreciated.
>
> Interesting issue. Curious, are the WINS server only pointing to themselves
> for WINS? This is actually a requirement in order that it owns it's own
> record. This may also be a firewall issue, but that's a guess at this point,
> since you state it worked prior to this.
>
> --
> Ace
> Innovative IT Concepts, Inc (IITCI)
> Willow Grove, PA
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Having difficulty reading or finding responses to your post?
> Instead of the website you're using, I suggest to use OEx (Outlook Express
> or any other newsreader), and configure a news account, pointing to
> news.microsoft.com. This is a direct link to the Microsoft Public
> Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
> to easily find, track threads, cross-post, sort by date, poster's name,
> watched threads or subject.
> It's easy:
>
> How to Configure OEx for Internet News
> http://support.microsoft.com/?id=171164
>
> Infinite Diversities in Infinite Combinations
> Assimilation Imminent. Resistance is Futile
> "Very funny Scotty. Now, beam down my clothes."
>
> The only constant in life is change...
>
>
>

In news:C99E52E9-90A7-48C0-BC38-(E-Mail Removed),
tsalciccia <(E-Mail Removed)> stated, which I commented
on below:
> The WINS server (WV1-SDC01) is pointing to itself. I noticed in 2003
> that you cannot add Primary and Secondary WINS servers to itself
> (which is also recommended in W2k). There is no internal firewall;
> traffic is unrestricted between VLAN's. I am going to demote 2 of the
> old W2k Servers today and see if that brings any stability to the
> system.

But whether you can do it or not, the only WINS entry in the IP properties
of a WINS server must ONLY be itself. This is true for NT4- Win2003 WINS
servers.

Maybe something in the VLAN that the firewall or the switch that 2003
doesn't like?

Ace

In news:AD057C36-B861-4927-81FC-(E-Mail Removed),
tsalciccia <(E-Mail Removed)> stated, which I commented
on below:
> The only WINS entry is itself. I've got this mostly resolved, but
> still have one outstanding question. First, the resolution:
>
> I did a Browstat Status on a machine in the missing VLAN. I shut down
> the segment master (a W2k Server) and did a Browstat Elect. A W2k3
> server was elected. The missing VLAN re-appeared in the Browse List.
> Also, as you suspected, there was some gook in my network
> configuration. I have 2 Cisco C4507's connected by a 10Gb link. There
> was a bit of a problem between the 2 switches - although I was able
> to communicate with the machines on that floor.
>
> HOWEVER, I am still concerned about constant flipping of the Backup
> Browsers. The Browstat Status results below were taken at 10 second
> intervals. Note that the Backup Browsers are constantly re-shuffling.
> I don't know if Elections are logged any more like they used to be.
> I'm not seeing any election notifications anywhere.
>
> Should I be concerned about this flipping?

<snipped>

I would be concerned. For some reason, the master is dropping out, and
that's what causes the election. What errors are in the Event viewers? Is
there good connectivity?

Ace