locked
Unable to browse domain from My Network Places against W2K2008 Server

    Question

  • Hi guys,

    I am trying to trace this problem whole day and I think I would need your help. I have simple domain called DEV. I set up Windows Server 2008 Core as DC and I am using Windows XP SP3 as the only domain client now. When I try to browse network from WXP machine I get error message:

    ---------------------------
    Entire Network
    ---------------------------
    Dev is not accessible. You might not have permission to use this network resource. 
    Contact the administrator of this server to find out if you have access permissions.
    Incorrect function.
    
    ---------------------------
    OK   
    ---------------------------
    

    Fundamental info about DC set up. DC is not multihomed, it does not have WINS service installed on it. The only enabled roles on DC are DNS, DHCP and AD (File Server role is *not* enabled).

    I debugged potential Browser service issues. I am not able to browse network in Explorer but I am able to access DC using UNC path (\\DC-DEV-01 works fine in Explorer) so name resolution seems OK and permissions to get to DC from WXP also. When I ran BROWSTAT.EXE VIEW command from WXP I got following message:

    browstat.exe VIEW \Device\NetBT_Tcpip_{F53A0041-4A20-408D-BB5A-FCFE6FCF5185} \\DEV-DC-01 /DOMAIN DEV
    Remoting NetServerEnum to \\DEV-DC-01 on transport \Device\NetBT_Tcpip_{F53A0041-4A20-408D-BB5A-FCFE6FCF5185} 
    with flags 80000000
    Unable to remote API to \\DEV-DC-01 on transport \Device\NetBT_Tcpip_{F53A0041-4A20-408D-BB5A-FCFE6FCF5185}: 
    Incorrect function.
     (0 milliseconds)
    

    When I ran NetMon I see the following trace (I shortened lines a bit so it is more readable):

    16  10.1.2.101  DEV-DC-01 	TCP	TCP:Flags=......S., SrcPort=1844, DstPort=NETBIOS Session Service(139), ...
    17  DEV-DC-01   10.1.2.101	TCP	TCP:Flags=...A..S., SrcPort=NETBIOS Session Service(139), DstPort=1844, ...
    18  10.1.2.101  DEV-DC-01 	NbtSS	NbtSS:SESSION REQUEST, Length =68
    19  DEV-DC-01   10.1.2.101	NbtSS	NbtSS:POSITIVE SESSION RESPONSE, Length =0
    20  10.1.2.101  DEV-DC-01 	SMB	SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, ...
    21  DEV-DC-01   10.1.2.101	SMB	SMB:R; Negotiate, Dialect is NT LM 0.12 (#5), SpnegoNegTokenInit
    22  10.1.2.101  DEV-DC-01 	SMB	SMB:C; Session Setup Andx, NTLM NEGOTIATE MESSAGE
    23  DEV-DC-01   10.1.2.101	SMB	SMB:R; Session Setup Andx, NTLM CHALLENGE MESSAGE - NT Status: ...
    24  10.1.2.101  DEV-DC-01 	SMB	SMB:C; Session Setup Andx, NTLM AUTHENTICATE MESSAGE, Workstation: DEV-DEVWRK-01
    25  DEV-DC-01   10.1.2.101	SMB	SMB:R; Session Setup Andx, SpnegoNegTokenResp
    26  10.1.2.101  DEV-DC-01 	SMB	SMB:C; Tree Connect Andx, Path = \\DEV-DC-01\IPC$, Service = ?????
    27  DEV-DC-01   10.1.2.101	SMB	SMB:R; Tree Connect Andx, Service = IPC
    28  10.1.2.101  DEV-DC-01 	RAP	RAP:NetServerEnum2 Request, InfoLevel = 1,  Domain in dev
    29  DEV-DC-01   10.1.2.101	SMB	SMB:R; Transact - NT Status:System - Error,Code = (28) STATUS_INVALID_SYSTEM_SERVICE
    30  10.1.2.101  DEV-DC-01 	SMB	SMB:C; Logoff Andx
    31  DEV-DC-01   10.1.2.101	SMB	SMB:R; Logoff Andx
    32  10.1.2.101  DEV-DC-01 	SMB	SMB:C; Tree Disconnect
    33  DEV-DC-01   10.1.2.101	SMB	SMB:R; Tree Disconnect
    34  10.1.2.101  DEV-DC-01 	TCP	TCP:Flags=...A...F, SrcPort=1844, DstPort=NETBIOS Session Service(139), ...
    35  DEV-DC-01   10.1.2.101	TCP	TCP:Flags=...A...F, SrcPort=NETBIOS Session Service(139), DstPort=1844, ...
    36  10.1.2.101  DEV-DC-01 	TCP	TCP:Flags=...A...., SrcPort=1844, DstPort=NETBIOS Session Service(139), ...
    

    What I see here is an error on packet 29 as response from the NetServerEnum2 function sent over RAP.

    The question is this - What are necessary prerequisites that I must enable on Windows Server 2008 Core machine to get RAP protocol working? I have not found anywhere what should I enable on the Windows 2008 Server Core to make RAP protocol work.

    I also like to mention that I ran these commands on Windows Server 2008 Core DC:

    Cscript %windir%\system32\SCRegEdit.wsf /ar 0
    Cscript %windir%\system32\SCRegEdit.wsf /cs 0
    

    and I have also turned off Firewall on Windows Server 2008 Core DC while doing these experiments:

    netsh advfirewall>show curr
    
    Domain Profile Settings:
    ----------------------------------------------------------------------
    State                                 OFF
    Firewall Policy                       BlockInbound,AllowOutbound
    LocalFirewallRules                    N/A (GPO-store only)
    LocalConSecRules                      N/A (GPO-store only)
    InboundUserNotification               Disable
    RemoteManagement                      Disable
    UnicastResponseToMulticast            Enable
    
    Logging:
    LogAllowedConnections                 Disable
    LogDroppedConnections                 Enable
    FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize                           4096
    
    Ok.
    

    Could you point me to the direction what is required to get network browsing from WXP machine against Windows Server 2008 Core?

    Thank you, Petr

    • Edited by Lazo Saturday, July 25, 2009 6:29 PM
    Saturday, July 25, 2009 6:02 PM

All replies

  •   Check that Netbios over TCP/IP is enabled on the server's NIC and that the computer browser service is running.
      This is what drives network browsing. It is an NT legacy app and has nothing to do with AD or DNS. It relies on Netbios names.

    Bill
    • Marked as answer by Miles Zhang Thursday, July 30, 2009 1:19 AM
    • Unmarked as answer by Lazo Friday, July 31, 2009 3:25 PM
    • Proposed as answer by Ramin V Tuesday, April 06, 2010 8:18 AM
    Saturday, July 25, 2009 11:55 PM
  • Hi Bill,

    thank you for your help and tip. This is actually something I forgot to mention so here are some points that are not clear to me.

    1) Yes, Computer Browser Service runs on DC. When I use BROWSTAT.EXE I can even see proper registered names for domain, master browser and name of DC itself

    2) Tip with Netbios over TCP\IP is good one; I have tried to set it up but this may be something where you can help me actually. It is trivial do set up NetBios over TCP\IP in normal server SKU but I am strungling to do it on Core. So, I have set up another Windows 2008 Server just for as reference so I can compare what is different.

    If I run this on full sku W2k8 server:

    netsh ras ip show config
    

    I got following:

     Negotiation mode:          deny
     Access mode:               all
     Address request mode:      deny
     Broadcast name resolution: enabled
     Assignment method:         auto
     Pool:
             0.0.0.0 to 255.255.255.255
    

    Please do not get confused here, this output is not from my W2k8 DC server, it is comming from my reference server.

    Back on my DC that runs W2K8 Server *Core* I can not see RAS context under netsh so I can not execute the same command.

    So I reverted to tweaking registry keys. I set Netbios registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces to 1. When I run this command:

    wmic nicconfig get caption,index,TcpipNetbiosOptions
    

    I get

    Caption                                                   Index  TcpipNetbiosOptions
    [00000000] Microsoft Virtual Machine Bus Network Adapter  0      1
    [00000001] Microsoft ISATAP Adapter                       1
    

    Is this enough to set NetBios over TCP\IP or is there anything else?

    Basically, I have hard time to check that NetBios is really enabled and that setting registry key above is all that is needed. I also have suspicion that I would need to enable File Server on the DC to get RAP working; could you please confirm? RAP seems to provide File\Printer based API so it kind of looks like this NetBios is also dependent on the File Sharing (Server service).

    Thank you for you time and help.


    Petr
    Friday, July 31, 2009 3:39 PM
  • Hi Bill,

    thank you for your help and tip. This is actually something I forgot to mention so here are some points that are not clear to me.

    1) Yes, Computer Browser Service runs on DC. When I use BROWSTAT.EXE I can even see proper registered names for domain, master browser and name of DC itself

    2) Tip with Netbios over TCP\IP is good one; I have tried to set it up but this may be something where you can help me actually. It is trivial do set up NetBios over TCP\IP in normal server SKU but I am strungling to do it on Core. So, I have set up another Windows 2008 Server just for as reference so I can compare what is different.

    If I run this on full sku W2k8 server:

    netsh ras ip show config
    
    

    I got following:

     Negotiation mode:          deny
    
     Access mode:               all
    
     Address request mode:      deny
    
     Broadcast name resolution: enabled
    
     Assignment method:         auto
    
     Pool:
    
             0.0.0.0 to 255.255.255.255
    
    

    Please do not get confused here, this output is not from my W2k8 DC server, it is comming from my reference server.

    Back on my DC that runs W2K8 Server *Core* I can not see RAS context under netsh so I can not execute the same command.

    So I reverted to tweaking registry keys. I set Netbios registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces to 1. When I run this command:

    wmic nicconfig get caption,index,TcpipNetbiosOptions
    
    

    I get

    Caption                                                   Index  TcpipNetbiosOptions
    
    [00000000] Microsoft Virtual Machine Bus Network Adapter  0      1
    
    [00000001] Microsoft ISATAP Adapter                       1
    
    

    Is this enough to set NetBios over TCP\IP or is there anything else?

    Basically, I have hard time to check that NetBios is really enabled and that setting registry key above is all that is needed. I also have suspicion that I would need to enable File Server on the DC to get RAP working; could you please confirm? RAP seems to provide File\Printer based API so it kind of looks like this NetBios is also dependent on the File Sharing (Server service).

    Thank you for you time and help.


    Petr

    I have been having the same issue since we upgraded our domain controllers to 2008 Server, we still have two 2003 domain controlers in our production enviroment.  What I have found is that this is clearly a windows XP issue. I have tried several workstations with old and fresh windows XP installs and they experience the same thing, when trying to use My Network Places to explore the network. UNC paths to network shares work fine. The reason I know this is an XP issue is that I have several Windows 7 clients that do not exhibit the same behavior, they can see all the computers in the domain without any issue?? 

    Did you have any luck with getting the RAP working?


    David
    Thursday, December 31, 2009 12:41 PM