PDC and Browsing with Cisco VPN

 
 
Jim Bowie
08-11-2004, 03:44 AM

I have a multi-site w2k3 Domain, each site has a w2k3 DC. The 4 sites are connected by Cisco 506e's using IPsec VPNs. Everything works fine from inside the network and AD and WINS all replicate. I can browse the remote sites and connect to resources.
I can remote VPN into all four sites from home using the Cisco VPN client and IAS authentication from the local w2k3 DC. I can connect to local PCs fine but can only browse on one site, the site with the PDC. If I move the PDC to another site the browsing follows?
Cisco does not support site to site VPN traffic from a remote access VPN (in and out IPsec traffic on the same interface on the PIX, they say it is coming in v7 of the firmware).
How can I work around this? Basically the site I connect to thinks the PDC is available, because it is to the local machines, just not to the remote access VPN.
Thanks
 
Bill Grant
08-11-2004, 07:33 AM

It is normal for a remote user to request a browse list from the PDC. The PDC is the Domain Master Browser, and registers in WINS as such (i.e. it registers the <domainname 1b> special NetBIOS name). When a remote client wants a browse list, it queries WINS for this name, gets the PDC IP address and gets the browse list.

Exactly where does this process fail? If machines in each site get a full browse list, the browser service must be merging the browse lists correctly. So the DMB should be able to deliver a full browse list to a remote client.

What system the VPN is running on shouldn't have any effect on this. The browser service just uses local broadcasts to build the segment browse lists, then uses WINS and a NetBIOS port to merge them.

"Jim Bowie" <(E-Mail Removed)> wrote in message
news:3d6301c47f55$880d0980$(E-Mail Removed)...
> I have a multi-site w2k3 Domain, each site has a w2k3 DC.
> The 4 sites are connected by Cisco 506e's using IPsec
> VPN's. Everything works fine from inside the network and
> AD and WINS all replicate. I can browse the remote sites
> and connect to resources.
> I can remote VPN into all four sites from home using Cisco
> VPN client and IAS authentication from the local w2k3 DC.
> I can connect to local PC's fine but can only browse on
> one site, the site with the PDC. If I move the PDC to
> another site the browsing follows?
> Cisco does not support site to site VPN traffic from a
> remote access VPN (in and out IPsec traffic on the same
> interface on the PIX, they say it is coming in v7 of the
> firmware).
> How can I work around this? Basically the site I connect to
> thinks the PDC is available, because it is to the local
> machines just not to the remote access VPN.
> Thanks



 
Michael Giorgio - MS MVP
08-11-2004, 04:06 PM

Not exactly. The remote user will query its local SMB or segment master browser. The SMB queries the PDC of the domain for the domain wide list as well as gathering the local list and passing it back to the DMB. The PDC by default will act as the SMB for its given endpoint. The DMB will query 1b entries in WINS in order to find other DMBs and request a browse list.

"Bill Grant" <not.available@online> wrote in message news:
> It is normal for a remote user to request a browse list from the PDC.
> The PDC is the Domain Master Browser, and registers in WINS as such (i.e. it
> registers the <domainname 1b> special NetBIOS name). When a remote client
> wants a browse list, it queries WINS for this name, gets the PDC IP address
> and gets the browse list.
>
> Exactly where does this process fail? If machines in each site get a
> full browse list, the browser service must be merging the browse lists
> correctly. So the DMB should be able to deliver a full browse list to a
> remote client.
>
> What system the VPN is running on shouldn't have any effect on this. The
> browser service just uses local broadcasts to build the segment browse
> lists, then uses WINS and a NetBIOS port to merge them.



 
Michael Giorgio - MS MVP
08-11-2004, 04:09 PM

Is it possible you've manually disabled the Computer Browser service on all of your remote machines? This would prevent one of them from acting as the SMB (segment master browser). An SMB is responsible for gathering the local browse list and passing it back to the PDC of the domain, as well as passing the merged list back to all clients who request it.

"Jim Bowie" <(E-Mail Removed)> wrote in message news:
> I have a multi-site w2k3 Domain, each site has a w2k3 DC.
> The 4 sites are connected by Cisco 506e's using IPsec
> VPN's. Everything works fine from inside the network and
> AD and WINS all replicate. I can browse the remote sites
> and connect to resources.
> I can remote VPN into all four sites from home using Cisco
> VPN client and IAS authentication from the local w2k3 DC.
> I can connect to local PC's fine but can only browse on
> one site, the site with the PDC. If I move the PDC to
> another site the browsing follows?
> Cisco does not support site to site VPN traffic from a
> remote access VPN (in and out IPsec traffic on the same
> interface on the PIX, they say it is coming in v7 of the
> firmware).
> How can I work around this? Basically the site I connect to
> thinks the PDC is available, because it is to the local
> machines just not to the remote access VPN.
> Thanks



 
Jim Bowie
08-11-2004, 11:05 PM

When I connect via VPN to the site with the PDC I can browse fine. If I VPN to one of the other sites I cannot. The LAN to LAN connection cannot route my 'remote access' VPN connection data because it hits the same physical interface on the PIX. It cannot receive IPsec traffic from a remote user and resend it back to another site.
So, from inside the network all PCs can connect to the PDC over the LAN to LAN VPN and the browse table is complete with all four sites included.
Remote users can only pass data to and from the single site they connect to. If that site has the PDC all is well, otherwise no browsing, confusing!
Should or can I make browsing work with no PDC for remote users, is the question?
Thanks for the help.
>-----Original Message-----
> It is normal for a remote user to request a browse list from the PDC.
> The PDC is the Domain Master Browser, and registers in WINS as such (ie it
> registers the <domainname 1b> special Netbios name). When a remote client
> wants a browse list, it queries WINS for this name, gets the PDC IP address
> and gets the browse list.
>
> Exactly where does this process fail? If machines in each site get a
> full browse list, the browser service must be merging the browse lists
> correctly. So the DMB should be able to deliver a full browse list to a
> remote client.
>
> What system the VPN is running on shouldn't have any effect on this. The
> browser service just uses local broadcasts to build the segment browse
> lists, then uses WINS and a Netbios port to merge them.
>

 
Jim Bowie
08-11-2004, 11:08 PM

Yikes, can you answer this simple question: exactly who does a remote user have to communicate with directly to get a browse list? If the answer is the PDC then I am hosed unless there is a work around.

>-----Original Message-----
>
> Not exactly. The remote user will query its local SMB or segment
> master browser. The SMB queries the PDC of the domain for the
> domain wide list as well as gathering the local list and passing back
> to the DMB. The PDC by default will act as the SMB for its given
> endpoint. The DMB will query 1b entries in WINS in order to find
> other DMBs and request a browse list.

 
Bill Grant
08-12-2004, 02:58 AM

Have you actually monitored the traffic to ensure that this happens? In my experience, a dialup type VPN remote host will try to find a master browser by doing a name server request for <domainname 1b>. I have never been able to make it do anything else.

"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
>
> Not exactly. The remote user will query its local SMB or segment
> master browser. The SMB queries the PDC of the domain for the
> domain wide list as well as gathering the local list and passing back
> to the DMB. The PDC by default will act as the SMB for its given
> endpoint. The DMB will query 1b entries in WINS in order to find
> other DMBs and request a browse list.
Bill Grant
08-12-2004, 05:26 AM

That must be a peculiarity of the Cisco VPN client. You should be able to route traffic between a remote client and any host in any site. You certainly can with the Windows VPN client to a RRAS server.

Without a PDC, browsing is limited to the local segment. (Only a PDC has the ability to merge browse lists.) And as I stated earlier, this is no use to a remote client. The remote client only has a point to point connection to the LAN, so it cannot broadcast. It has to be able to query WINS to get the browse master's IP address, then contact the browse master directly.

"Jim Bowie" <(E-Mail Removed)> wrote in message
news:442901c47ff7$b0c95250$(E-Mail Removed)...
> When I connect via VPN to the site with the PDC I can
> browse fine.
> If I VPN to one of the other sites I cannot. The LAN to
> LAN connection cannot route my 'remote access' VPN
> connection data because it hits the same physical
> interface on the PIX. It cannot receive IPsec traffic
> from a remote user and resend it back to another site.
> So, from inside the network all PCs can connect to the
> PDC over the LAN to LAN VPN and the browse table is
> complete with all four sites included.
> Remote users can only pass data to and from the single
> site they connect to. If that site has the PDC all is
> well, otherwise no browsing, confusing!
> Should or can I make browsing work with no PDC for remote
> users, is the question?
> Thanks for the help.
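Both of Bill Grant's replies describe the same lookup: a remote client asks WINS (NBNS) for the <domainname 1b> name that the Domain Master Browser registers, then contacts that address directly. As an added example that is not code from this thread, the Python below builds that unicast name query, decodes the NetBIOS first-level name encoding, and checks a captured query for a 1b lookup, which is the kind of traffic Michael Giorgio suggests monitoring. The domain name EXAMPLE and the transaction id are constructed sample values.

```python
import struct

# NetBIOS suffix the Domain Master Browser (the PDC) registers in WINS: <domain 1b>.
DMB_SUFFIX = 0x1B
# Suffix of the domain controllers group name, used here only as a non-1b example.
DC_GROUP_SUFFIX = 0x1C

def encode_netbios_name(name: str, suffix: int) -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    one-byte suffix, then write each nibble as a letter in 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Reverse of encode_netbios_name: returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-character first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_wins_name_query(domain: str, suffix: int = DMB_SUFFIX,
                          txid: int = 0x1234) -> bytes:
    """Unicast NBNS NAME QUERY REQUEST (RFC 1002) as a VPN client sends it to
    its WINS server: 12-byte header with recursion desired (no broadcast bit),
    one question of type NB (0x0020), class IN. txid is a constructed value."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(domain, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)

def parse_query_target(packet: bytes) -> tuple:
    """Extract (name, suffix) from an NBNS query so a capture can be checked
    for lookups of the <domain 1b> name."""
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question NBNS query")
    if packet[12] != 32:
        raise ValueError("unexpected NetBIOS label length")
    return decode_netbios_name(packet[13:45].decode("ascii"))

def is_dmb_lookup(packet: bytes) -> bool:
    """True when the query asks WINS for the Domain Master Browser (1b) name."""
    return parse_query_target(packet)[1] == DMB_SUFFIX

if __name__ == "__main__":
    # Constructed sample: the query a remote client would send for domain EXAMPLE.
    pkt = build_wins_name_query("EXAMPLE")
    print(pkt.hex())
    print(parse_query_target(pkt), is_dmb_lookup(pkt))
```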
 
Michael Giorgio - MS MVP
08-12-2004, 01:51 PM

Remote clients do not query the 1b name in order to get the browse list; they will query the SMB or segment master browser. Now are you saying this behavior is different when connected through a VPN?

<snip>
Segment master browser (SegMB): This can be any Windows NT Server,
Workstation, or domain controller. It can also be a Windows 95 or
Windows for Workgroups 3.11 computer. It is responsible for maintaining
a browse list of the computers on its local segment, forwarding that
list to the domain master browser, and requesting the domain browse list
from the domain master browser. The SegMB will merge the domain list
with its local list, and make that list available to any local client
that requests it.
<snip>
Domain Browsing with TCP/IP and LMHOSTS Files
http://support.microsoft.com/default...NoWebContent=1

Sure the clients will query the 1b name but not to get the browse list. When monitoring the traffic you shouldn't see the host name announcement packets going to the remote subnet.



"Bill Grant" <not.available@online> wrote in message news:
> Have you actually monitored the traffic to ensure that this happens? In
> my experience, a dialup type VPN remote host will try to find a master
> browser by doing a name server request for <domainname 1b>. I have never
> been able to make it do anything else.



 
Michael Giorgio - MS MVP
08-12-2004, 01:53 PM

Yes and no. <g> At least one of your machines in the remote subnet will have to communicate with the PDC in order to act as the segment master browser. The rest of them do not.

"Jim Bowie" <(E-Mail Removed)> wrote in message news:
> Yikes, can you answer this simple question, exactly who
> does a remote user have to communicate with directly to
> get a browse list? If the answer is the PDC then I am
> hosed unless there is a work around.
>



 