I heard through the grapevine that WINS was going to be phased out / not supported officially from Microsoft any more [ and yet they have it in Windows server 2008 ]. I can't find any information about this on the web. Does anyone know of this rumor and/or have an official release from Mircosoft (URL?)? ( This question relates to Policy - large corporate networks)

last Saturday we promoted a new virtual 2008R2 server as dc and transferred all FSMO roles to it. Today we spend all day chasing down a problem with the domain browser function.

First some background:

• We have a WAN with about 30 sites/subnets. Most sites have a DC running either 2000 or 2003. On the main site we had two 2000 (ntads01, ntads02) and one 2003 (ntads03) DCs before installing the 2008R2 (ntads04).
• A 2003 Server was never owner of the FSMO roles. The Roles were transferred from ntads01 to ntads04 directly.
• The IP of the old primary DC (ntads01) was changed and ntads04 got assigned to it. All DCs are still up and running.
• WINS was installed on all three DCs on the main site. The two 2000 DCs were listed as WINS servers in DHCP.

Problem information

Problem this morning was, that net send between xp machines quit working. We started to investigate.

In the event-log on ntads04 we have the messages, that the DCs on the other site get detected as master browsers and the local master browser is shutdown or an election is forced. (Message is in German sorry). The event-log xml is as follows.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="bowser" /> 
    <EventID Qualifiers="49152">8003</EventID> 
    <Level>2</Level> 
    <Task>0</Task> 
    <Keywords>0x80000000000000</Keywords> 
    <TimeCreated SystemTime="2011-12-06T16:46:16.873033800Z" /> 
    <EventRecordID>19226</EventRecordID> 
    <Channel>System</Channel> 
    <Computer>ntads04.domain.local</Computer> 
    <Security /> 
  </System>
  <EventData>
    <Data>\Device\LanmanDatagramReceiver</Data> 
    <Data>NTFIL_BIET03</Data> 
    <Data>NetBT_Tcpip_{53FF57AE-2EC4-44D7-B96F-0A9F89AD9909}</Data> 
    <Binary>000000000300320000000000431F00C00000000000000000B1010000000000000000000000000000</Binary> 
  </EventData>
</Event>

This morning we had some 8021 browser events on ntads01, ntads02 and ntads03 stating that the server list could not be retrieved from ntads04. After browser eventid 8032 they disappeared even so I restarted the computer browser service on ntads01 and ntads03.

WINS on the for DCs on the main site does have a different number of entries per server. On ntads04 we have WINS eventids (all translated):

• 4342 WINS could not read Cachesizeparamter "minimum". Standard is used
• 4325 WINS could not get the Initial-Challenge-Retry-Intervall from registry
• 4326 WINS could not get the maximal Count of Challenge-Retries from the registry

Steps taken so far:

• Activated Computer Browser on ntads04 (solved only some sites in network neighborhood)
• Disabled WINS on ntads01 and ntads02, re-installed on ntads04 and after first sync cleared database on ntads03 which seemed to solve some replication problems
• Analyzed old event-logs of ntads01. It had the MRxSmb 8003 once a day per site, we now have it every 12 minutes.

• Ran Wireshark on ntads04 (lots of browser elections and no domain master announcement)

  .... .... .... .... .... .... .... ...1 = Workstation: This is a Workstation
  .... .... .... .... .... .... .... ..1. = Server: This is a Server
  .... .... .... .... .... .... .... .0.. = SQL: This is NOT an SQL server
  .... .... .... .... .... .... .... 1... = Domain Controller: This is a Domain Controller
  .... .... .... .... .... .... ...0 .... = Backup Controller: This is NOT a Backup Controller
  .... .... .... .... .... .... ..1. .... = Time Source: This is a Time Source
  .... .... .... .... .... .... .0.. .... = Apple: This is NOT an Apple host
  .... .... .... .... .... .... 0... .... = Novell: This is NOT a Novell server
  .... .... .... .... .... ...0 .... .... = Member: This is NOT a Domain Member server
  .... .... .... .... .... ..0. .... .... = Print: This is NOT a Print Queue server
  .... .... .... .... .... .0.. .... .... = Dialin: This is NOT a Dialin server
  .... .... .... .... .... 0... .... .... = Xenix: This is NOT a Xenix server
  .... .... .... .... ...1 .... .... .... = NT Workstation: This is an NT Workstation
  .... .... .... .... ..0. .... .... .... = WfW: This is NOT a WfW host
  .... .... .... .... 0... .... .... .... = NT Server: This is NOT an NT Server
  .... .... .... ...0 .... .... .... .... = Potential Browser: This is NOT a Potential Browser
  .... .... .... ..0. .... .... .... .... = Backup Browser: This is NOT a Backup Browser
  .... .... .... .1.. .... .... .... .... = Master Browser: This is a Master Browser
  .... .... .... 0... .... .... .... .... = Domain Master Browser: This is NOT a Domain Master Browser
  .... .... ...0 .... .... .... .... .... = OSF: This is NOT an OSF host
  .... .... ..0. .... .... .... .... .... = VMS: This is NOT a VMS host
  .... .... .0.. .... .... .... .... .... = Windows 95+: This is NOT a Windows 95 or above host
  .... .... 1... .... .... .... .... .... = DFS: This is a DFS server
  .0.. .... .... .... .... .... .... .... = Local: This is NOT a local list only request
  0... .... .... .... .... .... .... .... = Domain Enum: This is NOT a Domain Enum request
  

• Set the IsDomainMaster key on ntads04 and restarted computer browser (no change)

• checked with browstat who is master browser (seems to be ok, nothing strange seen), but not sure about browstat sta:

  C:\temp>browstat sta
  
  Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{08C65950-9A5B-4E16-8CD8-F2890F7E81C7}
      Browsing is active on domain.
      Master browser name is: NTADS04
          Master browser is running build 7601
      3 backup servers retrieved from master NTADS04
          \\NTADS03
          \\NTADS01
          \\NTADS04
      Unable to retrieve server list from NTADS04: 64
  

Questions open

• Why is the interval of the master browser events so much higher than before? Can we get rid of this event completely? And is it true that ntads04 does not promote itself as Domain Master Browser? (See Edit 2)
• Why did net send stop working? (See Edit 1)
• Is WINS all right? I.e. is it normal that of two wins server one has about 200 extra entries (total 4000) even after a couple of hours? (They have the same intervals setup)

Thanks for helping, I hope all the relevant information is included.

Edit 1:

The net send problem is solved. During the update gpos were cleaned up, which involved deleting all service configurations from the domain default gpo. This in turn made the Messenger service revert to its default (deactivated). Made a new gpo which made it autostart again. fixed

Edit 2:

The problem with the interval of the master browser events is fixed to. We got rid of them alltogether. Problem was the DHCP helper of the cisco routers. The did not only forward dhcp and bootp but also a lot of other protocolls in the default config. See http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1108053 for details.

We've been having some weird issues while migrating domains from one forest to another. We tried turning off the domain controllers for the old domain, and all of a sudden, a share which we used to have access to, on yet another domain, on it's own forest disappeared.

I'm having problems understanding how Windows clients resolve shares. i.e. when I type in \XXXXXX\yyy\zzzz, what exactly does Windows do in order to figure out what server to connect to? Note that we used to have a DFS share on the old domain as well so that plays a part.

Are there any tools that help you track down what Windows is doing? i.e. something that log something like this if I gave it the path \XXXXXX\yyy\zzzz Checking for name in local NETBIOS. Did not find name in netbios. Checking DFS cache... Found in DFS cache, using \computer.domain.com\share for \XXXXX\yyy\zzzz

Here is the whole story. We are migrating from one domain D1.xxxx.com to D2.yyyy.com in a different forest. We have a cross domain trust in place and everything has been moved except DFS. We've decided to stop using DFS in domain 2 because of all the headaches we've had. Instead we'll have a host in D2 called D1 which will serve the whole DFS. We've set it up and copied all the files. We then turn off all domain controllers for D1 and remove the trust. Now, I would expect machines on the D2 domain to go to the share called root on D1.yyyy.com when I type \D1\root\things. For some reason that doesn't seem to happen, and I can't figure out why. I tries using dfsutil /pkflush on a client machine and still no deal.

What I would like to do now is see exactly what my client machine is doing when attempting to connect to \D1\root\things. Seeing what happens on the network doesn't help. I know (or am fairly sure) it's still trying to go to the old DFS share.

I'm looking to set our WINS servers via GPO, is that possible? We have 2 SSID which our clients can connect to (one which connects to a DHCP we control, the other to a different DHCP we don't - each with their own WINS).

We do a lot of mapping via DFS so that's why we need our wins servers.

Help?

I seem to recall over the years moves to try to stop the requirement of having a WINS nameservice as part of a Windows environment.

My question is whether sites are still utilizing WINS or have switched over to something else and no longer need WINS. If so, anybody want to share their experiences?

Thanks.