Firewall Wizards mailing list archives

RE: Firewall blocking broadcasts in between NT Servers


From: "Marriott, Charles" <CMarriot () microage com>
Date: Wed, 15 Jul 1998 07:21:35 -0700

The IIS server is looking for a registered master browser and domain
controller in its WINS server database and not finding it.

Is the IIS server a WINS client and able to register its services with
a WINS server properly?

Is the PDC registering all its services in the same WINS database?

It sounds like you have more than 1 WINS server. Make sure that each
WINS server is only a client of itself.

If you want to use lmhosts there are some other entries required for
domain controller and domain master browser identification.

-----Original Message-----
From: borkin () netquest com [mailto:borkin () netquest com]
Sent: Monday, July 13, 1998 7:04 AM
To: firewall-wizards () nfr net
Subject: Firewall blocking broadcasts in between NT Servers


Hello,

  I am on a mailing list for people studying for their MCSEs and this
problem came across.. no one seems to be able to come up with a solution
so I thought I would post it here.. because Wayne is not on this list I
would appreciate it if you could CC: it to him at
http://wayne.vanvelthoven () nrc ca as well as posting it to the list...
any help would be greatly appreciated... Below, I have both his original
e-mail (last Thursday) and an update from Monday morning....

TIA,

Mike Borkin

original message follows----------------------------------


Hi all,
I have an NT4 server running IIS, which is a member (non-DC) server in a
domain and has now been moved behind a firewall. The PDC and the only
BDC are still in front of the firewall; as are the WINS servers.

I've punched holes through the firewall for TCP:80, TCP:139, UDP:137 and
UDP:138, but domain synchronization and authentication no longer work.
The server can see the PDC and BDC when they're called by name, but it
can't find them when it's looking for the domain. This error message is
filling the log:

        5719
        No Windows NT Domain Controller is available for domain ABC.
        (This event is expected and can be ignored when booting with the
'No Net' Hardware Profile.)
        The following error occurred:
        There are currently no logon servers available to service the
logon request.

I enabled an LMHOSTS file on this server to tell it where the DCs are,
but it didn't help (tried with and without WINS).

When I run Usrmgr on the server, it comes up with its local accounts, as
expected.  When I tell it to change domain to ABC, it fails because no
DCs can be found.  When I tell it to change domain to the PDC, \\ABC-PDC
it gives me a message saying that ABC-PDC is a controller for domain
ABC; focus will be set to ABC.  That works.  So, it sees the domain when
it looks for the DCs but it doesn't see the DCs when it looks for the
domain.

The firewall logs (supposedly) all traffic that passes (or attempts to
pass) through.  It shows nothing being blocked either to or from
this server.  Help?!  What am I missing?  Thanks in advance

Wayne van Velthoven, MCP
National Research Council Canada
wayne.vanvelthoven () nrc ca <mailto:wayne.vanvelthoven () nrc ca>

2nd Message---------

Subject: RE: Firewall problem
Date: Mon, 13 Jul 1998 09:40:03 -0400
From: "vanVelthoven, Wayne" <Wayne.vanVelthoven () nrc ca>
To: "'borkin () netquest com'" <borkin () netquest com>

Hi,

No, I haven't gotten it solved, yet.  One person on the list suggested using
an LMHOSTS file, but I had already tried that without success.  He was
right in that the firewall would be blocking the broadcasts, but I
thought using WINS and/or LMHOSTS was the right way to deal with that.
Neither has worked.

I found a Knowledge Base article (Q179442) that has another port (135)
listed with the others that I already opened (137, 138 and 139).  So I
added 135, but again, no luck.  The article also says "All ports above
1024 for RPC Communication".  I haven't done that yet - I thought that
applied to the other end.  Also, the firewall hasn't logged any
(attempted) activity in that range.

Here's how the lmhosts file from that server looks:
100.10.10.10     ABC-PDC      #PRE #DOM:ABC
100.10.10.11     ABC-BDC1     #PRE #DOM:ABC

Any insight would be appreciated.  Thanks in advance.

Wayne van Velthoven, MCP
National Research Council Canada
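The thread turns on the difference between resolving a server by name and
resolving "the domain". On the wire those are two different NetBIOS names:
ABC-PDC with suffix <20> (the Server service) and ABC with suffix <1C> (the
Domain Controllers group), both looked up over the UDP/137 name service that
the firewall has open, or supplied locally by LMHOSTS, where a #DOM:ABC entry
adds that host's address to the ABC<1C> group. The script below is an added
example, not code from the thread or from any of its posters: it encodes
NetBIOS names, builds the unicast (WINS) and broadcast forms of the name
query, parses a positive name-query response, and reads the two LMHOSTS lines
Wayne posted into the same name/suffix table. The response packet is
constructed here for offline use; the names and 100.10.10.x addresses are the
ones given in the thread.

```python
"""Added example: what an NT client sends on UDP/137 when it looks for
\\ABC-PDC versus when it looks for domain ABC, and how LMHOSTS #DOM entries
feed the same lookup. Packet layouts follow RFC 1001/1002; the response
below is constructed, not captured."""
from __future__ import annotations
import struct

NBNS_PORT = 137             # NetBIOS name service (UDP), one of the ports opened in the thread
SUFFIX_SERVER = 0x20        # <20> Server service, e.g. \\ABC-PDC
SUFFIX_DOMAIN_CTRL = 0x1C   # <1C> Domain Controllers internet group, e.g. ABC<1C>
SUFFIX_DOMAIN_MASTER = 0x1B # <1B> Domain Master Browser
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: pad to 15 bytes, append the suffix byte, then
    write each nibble as 'A' + nibble. Result is the 34-byte label (len, 32
    chars, terminating 0) used in every NBNS question and answer."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"

def decode_netbios_name(label: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(txid: int, name: str, suffix: int, broadcast: bool) -> bytes:
    """NAME QUERY REQUEST. Flags: opcode 0, RD set; the B bit is set only for
    the subnet broadcast form, a unicast query to a WINS server clears it."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)

def build_name_query_response(txid: int, name: str, suffix: int, ips: list[str], group: bool) -> bytes:
    """Positive NAME QUERY RESPONSE as a WINS server would send it (constructed
    here for the offline demo). Each 6-byte RDATA entry is NB_FLAGS + IPv4;
    the G bit (0x8000) marks a group name such as ABC<1C>."""
    flags = 0x8580  # response, opcode query, AA, RD, RA, RCODE 0
    header = struct.pack(">HHHHHH", txid, flags, 0, 1, 0, 0)
    rdata = b"".join(struct.pack(">H", 0x8000 if group else 0) + bytes(int(o) for o in ip.split("."))
                     for ip in ips)
    rr = encode_netbios_name(name, suffix) + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300, len(rdata)) + rdata
    return header + rr

def parse_name_query_response(packet: bytes) -> list[tuple[str, int, str, bool]]:
    """Return [(name, suffix, ip, is_group)] from a positive response; an empty
    list for a request, a negative response (RCODE != 0) or no answers."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000 or flags & 0x000F or an == 0:
        return []
    pos = 12 + qd * 38  # skip any echoed questions (34-byte label + type + class)
    out = []
    for _ in range(an):
        name, suffix = decode_netbios_name(packet[pos:pos + 34])
        pos += 34
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype != QTYPE_NB:
            continue
        for off in range(0, rdlen, 6):
            nb_flags = struct.unpack(">H", rdata[off:off + 2])[0]
            ip = ".".join(str(b) for b in rdata[off + 2:off + 6])
            out.append((name, suffix, ip, bool(nb_flags & 0x8000)))
    return out

def parse_lmhosts(text: str) -> dict[tuple[str, int], list[str]]:
    """Map (name, suffix) -> [ip]. 'IP NAME' registers NAME<20>; '#DOM:X' also
    adds the IP to X<1C>, the entry consulted when the client 'looks for the
    domain'. '#PRE' only controls preloading and any other '#...' is comment."""
    table: dict[tuple[str, int], list[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        ip, name = fields[0], fields[1].upper()
        table.setdefault((name, SUFFIX_SERVER), []).append(ip)
        for tok in fields[2:]:
            up = tok.upper()
            if up == "#PRE":
                continue
            if up.startswith("#DOM:"):
                table.setdefault((up[5:], SUFFIX_DOMAIN_CTRL), []).append(ip)
            elif up.startswith("#"):
                break
    return table

# The two LMHOSTS lines posted in the thread.
LMHOSTS_SAMPLE = """\
100.10.10.10     ABC-PDC      #PRE #DOM:ABC
100.10.10.11     ABC-BDC1     #PRE #DOM:ABC
"""

if __name__ == "__main__":
    for nm, sfx in (("ABC-PDC", SUFFIX_SERVER), ("ABC", SUFFIX_DOMAIN_CTRL)):
        print(f"{nm}<{sfx:02X}> unicast query to WINS:", build_name_query(0x1234, nm, sfx, False).hex())
    resp = build_name_query_response(0x1234, "ABC", SUFFIX_DOMAIN_CTRL, ["100.10.10.10", "100.10.10.11"], True)
    for name, suffix, ip, group in parse_name_query_response(resp):
        print(f"{name}<{suffix:02X}> -> {ip} ({'group' if group else 'unique'})")
    print(parse_lmhosts(LMHOSTS_SAMPLE))
```

Run against a packet capture on the firewall, the query for ABC<1C> (encoded
label EBECEDCACACACACACACACACACACACABM) is the one to look for: if it leaves the
member server as a unicast to the WINS address it should pass through the
UDP/137 hole, if it leaves as a broadcast (B bit set) the firewall will never
forward it, and if it never appears the client is resolving from LMHOSTS and
the problem is not name resolution at all.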


